Brian LaMere wrote:
> On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden <rcrit...@redhat.com
> <mailto:rcrit...@redhat.com>> wrote:
>
>     Brian LaMere wrote:
>
>         Yes, if not easier. It is just 389-ds under the hood, we have
>         some simple management tools that create the agreements for
>         you. Since we use our own CA SSL is easy as well.
>
>
> if I already have certs for the servers that would be running the IPA,
> would it be easy enough to use those?  I ask because my gold images
> come out of the box already trusting my ldap servers, which means
> using someone else's CA can potentially be a concern.  That's not a
> show-stopper, because I can work around that anyway.

I think you can use the certs that you already have.
http://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
http://www.freeipa.org/page/Administrators_Guide#Managing_Certificates_and_Certificate_Authorities

If you need more details you need to wait a bit for Rob to get back from
leave.

>  
>
>     Depending on your configuration the data migration should be
>     relatively straightforward but know that the IPA DIT is completely
>     flat. All users are in one container, groups in another, etc. 
>
>
> I have to admit that while I'm very good at some things, I was only
> "ok" with ldap way back long long ago when I did anything with it.  I
> just created a custom schema with a couple hundred attributeTypes and
> a couple dozen objectclasses so that I can manage a lot of different
> things within ldap (single point of pluggable info to allow an
> object-oriented framework, independent of what tools are used).  So
> when I read your "the IPA DIT is completely flat" statement I got a
> bit worried.  Much of what I am doing will be far more difficult if I
> can't give texture to things, and my understanding is that a
> "completely flat DIT" is very difficult to create good aci's against.
>
> I know that the obvious answer is to just install it, and look and see
> if it does what I want anyway ;)  But without spending time to do
> that...if I leave the users/groups in their current flat places, could
> I add texture to the DIT elsewhere (aci's are almost vital for what
> I'm doing; I want to expose methods, which means I can't just "trust"
> tools or hosts) without causing problems for FreeIPA?
>
> It's a lazy bred not out of laziness of not wanting to just experiment
> and test myself, but out of having a high workload; I'd like to use
> FreeIPA, and am just wondering if the above question has an obvious
> answer that doesn't even need to be tested.
>
The ACIs are defined inside the underlaying Directory Server. See
details and syntax are here
http://directory.fedoraproject.org/wiki/Howto:AccessControl
The ACIs as you see can be group based. One does not need a hierarchical
"ou" user structure in the DS for ACIs  - just groups. So all the users
live in one container without any hierarchy.  All the hierarchy can be
accomplished by creating a combination of nested groups. Groups live in
another container but on the same level. This is what we mean by "flat
tree".


> Thanks,
> Brian LaMere
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to