Brian LaMere wrote:
> On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Brian LaMere wrote:
>> Yes, if not easier. It is just 389-ds under the hood, we have
>> some simple management tools that create the agreements for
>> you. Since we use our own CA SSL is easy as well.
> if I already have certs for the servers that would be running the IPA,
> would it be easy enough to use those? I ask because my gold images
> come out of the box already trusting my ldap servers, which means
> using someone else's CA can potentially be a concern. That's not a
> show-stopper, because I can work around that anyway.
I think you can use the certs that you already have.
If you need more details, you need to wait a bit for Rob to get back from
>> Depending on your configuration the data migration should be
>> relatively straightforward but know that the IPA DIT is completely
>> flat. All users are in one container, groups in another, etc.
> I have to admit that while I'm very good at some things, I was only
> "ok" with ldap way back long long ago when I did anything with it. I
> just created a custom schema with a couple hundred attributeTypes and
> a couple dozen objectclasses so that I can manage a lot of different
> things within ldap (single point of pluggable info to allow an
> object-oriented framework, independent of what tools are used). So
> when I read your "the IPA DIT is completely flat" statement I got a
> bit worried. Much of what I am doing will be far more difficult if I
> can't give texture to things, and my understanding is that a
> "completely flat DIT" is very difficult to create good aci's against.
> I know that the obvious answer is to just install it, and look and see
> if it does what I want anyway ;) But without spending time to do
> that...if I leave the users/groups in their current flat places, could
> I add texture to the DIT elsewhere (aci's are almost vital for what
> I'm doing; I want to expose methods, which means I can't just "trust"
> tools or hosts) without causing problems for FreeIPA?
> It's a lazy bred not out of laziness of not wanting to just experiment
> and test myself, but out of having a high workload; I'd like to use
> FreeIPA, and am just wondering if the above question has an obvious
> answer that doesn't even need to be tested.
The ACIs are defined inside the underlying Directory Server. The
details and syntax are here
The ACIs, as you see, can be group-based. One does not need a hierarchical
"ou" user structure in the DS for ACIs - just groups. So all the users
live in one container without any hierarchy. All the hierarchy can be
accomplished by creating a combination of nested groups. Groups live in
another container but on the same level. This is what we mean by "flat
Engineering Manager IPA project,
Red Hat Inc.
Freeipa-users mailing list
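To show what the group-based ACIs in the reply above look like in a flat DIT, here is an added example (not from the thread or the FreeIPA project). It assumes the suffix dc=example,dc=com, the default IPA containers cn=users,cn=accounts and cn=groups,cn=accounts, the memberOf plugin that IPA enables, and two constructed groups, helpdesk and it-staff.

```ldif
# Constructed example: group-based ACIs in a flat DIT, 389-DS ACI syntax.
# No OU hierarchy is needed; scoping comes from groupdn and targetfilter.

# 1. Nested group: it-staff contains helpdesk, so helpdesk members
#    receive whatever it-staff is granted (389-DS expands nested groups
#    when it evaluates groupdn).
dn: cn=it-staff,cn=groups,cn=accounts,dc=example,dc=com
changetype: modify
add: member
member: cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com

# 2. Let helpdesk reset passwords and edit phone numbers of ordinary
#    users only. The targetfilter excludes accounts that are themselves
#    in it-staff, the kind of scoping an OU split would otherwise be
#    used for.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || telephoneNumber")
 (targetfilter = "(&(objectclass=posixAccount)(!(memberOf=cn=it-staff,cn=groups,cn=accounts,dc=example,dc=com)))")
 (version 3.0; acl "helpdesk: edit phone and reset password"; allow (write)
 groupdn = "ldap:///cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com";)

# 3. Let it-staff (and therefore helpdesk, via nesting) read one
#    attribute on every user without being able to write it.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "employeeNumber")
 (version 3.0; acl "it-staff: read employeeNumber"; allow (read, search, compare)
 groupdn = "ldap:///cn=it-staff,cn=groups,cn=accounts,dc=example,dc=com";)
```

Because every user sits in the same container, the right to act on a user is decided by the requester's group membership and the target entry's attributes, not by where the entry lives.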