On 09/26/2013 05:32 AM, Martin Kosek wrote:
In my research, I found that some of the 389 DS plug-ins that are used
by FreeIPA still operate across multiple backend suffixes. For example,
referential integrity always applies to all backends. This means that
there is plug-in work to do in 389 DS regardless of using separate
backends, or the alternate tree in the same backend. There is less
plug-in work if we use a separate backend, but I still feel that the
other cons with using a separate backend make the use of a single
backend more attractive.
I prepared a first draft of the User Life-Cycle Management feature, which should
appear in a later FreeIPA release.
There are still open questions, the main one from my perspective is if the
staged users should be stored in our main LDAP database/suffix or the alternate
one. Both have pros and cons; I tried to list them in the design page.
Keeping it in a separate suffix may allow less difficult maintenance of old
and new FreeIPA servers as old FreeIPA servers and plugins (like ipa-kdb) will
not see the staged users. But there are higher replication agreement and other
costs connected with this approach.
Comments and feedback are very welcome.
Freeipa-devel mailing list