On 04/21/2013 09:14 PM, Dmitri Pal wrote:
> Hello,
> Please review the design page for the following ticket:
> https://fedorahosted.org/freeipa/ticket/3583
> http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems

Hello Dmitri,

The design looks fine, I would just like to discuss the schema enhancements.

I'd propose to not create our own artificial attributes, but rather use a
standard existing userClass attributeType defined in RFC 4524 which is already
present in 389-ds schemas and whose semantics seem to match what we want:

2.25.  userClass

   The 'userClass' attribute specifies categories of computer or
   application user.  The semantics placed on this attribute are for
   local interpretation.  Examples of current usage of this attribute in
   academia are "student", "staff", and "faculty".  Note that the
   'organizationalStatus' attribute type is now often preferred, as it
   makes no distinction between persons as opposed to users.

      ( 0.9.2342.19200300.100.1.8 NAME 'userClass'
        EQUALITY caseIgnoreMatch
        SUBSTR caseIgnoreSubstringsMatch
        SYNTAX{256} )

   The DirectoryString ( syntax and the
   'caseIgnoreMatch' and 'caseIgnoreSubstringsMatch' rules are described
   in [RFC4517].

What about simply adding this attributeType as a MAY attribute for ipaHost?

As for user objects, what about adding a new auxiliary objectClass called ipaUser
storing miscellaneous attributes like this one?

Or is there a benefit of having a specialized objectClass holding just this one
MAY attribute?


Freeipa-devel mailing list
