On 09/26/2013 05:32 AM, Martin Kosek wrote:
Hello developers!

I prepared a first draft of the User Life-Cycle Management feature, which should
appear in a later FreeIPA release.

http://www.freeipa.org/page/V3/User_Life-Cycle_Management

There are still open questions, the main one from my perspective is if the
staged users should be stored in our main LDAP database/suffix or the alternate
one. Both have pros and cons, I tried to list them in the design page.

In my research, I found that some of the 389 DS plug-ins that are used by FreeIPA still operate across multiple backend suffixes. For example, referential integrity always applies to all backends. This means that there is plug-in work to do in 389 DS regardless of using separate backends, or the alternate tree in the same backend. There is less plug-in work if we use a separate backend, but I still feel that the other cons with using a separate backend make the use of a single backend more attractive.

Thanks,
-NGK

Keeping it in a separated suffix may allow less difficult maintenance of old
and new FreeIPA servers as old FreeIPA servers and plugins (like ipa-kdb) will
not see the staged users. But there are higher replication agreement and other
costs connected with this approach.

Comments and feedback are very welcome.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
