> for non user/group/host objects you fully own and control you can use
> whatever directory structure you want as long as you do not put them
> under the cn=accounts subtree and keep them generally away from any IPA
> controlled subtree.
ah - well if that's the case, then I asked my initial question very poorly,
as that's ultimately what I was trying to find out. If I can do things
outside of that area then I it will do what I need; I was just concerned
that the "completely flat DIT" might object to a tree next to it in the same
389-DS. Having kerberized systems would improve more workflow issues around
here than I can even comprehend, and there are other features of the IPA I
am very interested in as well that will help solve other issues...once I get
around to having enough time to get to those tasks.
Apologies, as mentioned I'm quite ldap-rusty.
Freeipa-users mailing list