On 09/26/2013 05:32 AM, Martin Kosek wrote:
Hello developers!

I prepared a first draft of the User Life-Cycle Management feature, which should
appear in a later FreeIPA release.


There are still open questions, the main one from my perspective is if the
staged users should be stored in our main LDAP database/suffix or the alternate
one. Both have pros and cons, I tried to list them in the design page.

In my research, I found that some of the 389 DS plug-ins that are used by FreeIPA still operate across multiple backend suffixes. For example, referential integrity always applies to all backends. This means that there is plug-in work to do in 389 DS regardless of using separate backends, or the alternate tree in the same backend. There is less plug-in work if we use a separate backend, but I still feel that the other cons with using a separate backend make the use of a single backend more attractive.


Keeping it in a separated suffix may allow less difficult maintenance of old
and new FreeIPA servers as old FreeIPA servers and plugins (like ipa-kdb) will
not see the staged users. But there are higher replication agreement and other
costs connected with this approach.

Comments and feedback are very welcome.


Freeipa-devel mailing list
