On 04/21/2013 09:14 PM, Dmitri Pal wrote:
> Hello,
>
> Please review the design page for the following ticket:
> https://fedorahosted.org/freeipa/ticket/3583
> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
>
Hello Dmitri,

The design looks fine, I would just like to discuss the schema enhancements. I'd propose to not create our own artificial attributes, but rather use a standard existing userClass attributeType defined in RFC 4524 which is already present in 389-ds schemas and whose semantics seem to match what we want:

...
2.25. userClass

   The 'userClass' attribute specifies categories of computer or
   application user. The semantics placed on this attribute are for
   local interpretation. Examples of current usage of this attribute in
   academia are "student", "staff", and "faculty". Note that the
   'organizationalStatus' attribute type is now often preferred, as it
   makes no distinction between persons as opposed to users.

      ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

   The DirectoryString (1.3.6.1.4.1.1466.115.121.1.15) syntax and the
   'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
   in [RFC4517].
...

What about simply adding this attributeType as a MAY attribute for ipaHost objectClass?

As for user objects, what about adding new auxiliary objectClass called ipaUser storing miscellaneous attributes like this one? Or is there a benefit of having a specialized objectClass holding just this one MAY attribute?

Thanks,
Martin