On Thu, 2011-10-13 at 15:44 +0200, Sigbjorn Lie wrote:
> What is your recommendations for avoiding incompatability with future
> upgrades of IPA if extending
> the dirsrv schema and adding custom objects to the LDAP server is required?
> What considerations
> and precautions should be taken?
> Such as adding RBAC support for Solaris clients...
Additional schema is unlikely to cause issues if it does not conflict
with standard schema. We also tend to prefix all the
attributes/objectlasses we create for FreeIPA so name clashes are
If it is custom schema I suggest you to prefix names appropriately too,
so you have your own 'namespace'.
As for placement I suggest you put this data in a separate container
from standard FreeIPA stuff for new objects.
In the base DN create a container named something like your company name
or ticker: cn=ACME,<suffix> and put all your customized entries there.
Attaching additional data to users is not a big deal for custom schema.
If it is not custom schema but standard schema not currently used by
FreeIPA I would be a little bit more careful as a following version of
FreeIPA might conceivably start using those attributes, and there is
generally enough space to use them in a sort of 'incompatible' way.
But don't let that stop you if you really need it.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list