----- Original Message -----
> On Thu, 2011-10-13 at 15:44 +0200, Sigbjorn Lie wrote:
> > Hi,
> > What are your recommendations for avoiding incompatibility with
> > future upgrades of IPA if extending
> > the dirsrv schema and adding custom objects to the LDAP server is
> > required? What considerations
> > and precautions should be taken?
> > Such as adding RBAC support for Solaris clients...
> Additional schema is unlikely to cause issues if it does not conflict
> with standard schema. We also tend to prefix all the
> attributes/objectclasses we create for FreeIPA so name clashes are
> If it is custom schema I suggest you to prefix names appropriately
> so you have your own 'namespace'.
> As for placement I suggest you put this data in a separate container
> from standard FreeIPA stuff for new objects.
> In the base DN create a container named something like your company
> or ticker: cn=ACME,<suffix> and put all your customized entries
> Attaching additional data to users is not a big deal for custom
> If it is not custom schema but standard schema not currently used by
> FreeIPA I would be a little bit more careful as a following version of
> FreeIPA might conceivably start using those attributes, and there is
> generally enough space to use them in a sort of 'incompatible' way.
> But don't let that stop you if you really need it.
Please note that when adding additional objectclasses to users and/or groups etc.,
if there are required attributes in the new objectclasses, you will no
longer be able to add these objects from the Web UI, and you will not be able to
define values for the new attributes introduced from the Web UI
without customization. You will have to use the CLI and the --setattr option
with the command.
> Simo Sorce * Red Hat, Inc * New York
> Freeipa-users mailing list
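As an added example (not part of the original thread and not FreeIPA code), this Python check applies the advice above to a custom schema LDIF before it is loaded: it flags names outside your own prefix, names that clash with ones already in use, and objectclasses that carry required (MUST) attributes. The `acme` prefix, the OIDs, the attribute names and the `check_schema` helper are assumptions made for illustration.

```python
import re

# Constructed sample: the "acme" prefix, OIDs and attribute names are placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'acmeRbacProfile'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'badgeId'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME ( 'acmeMail' 'mail' )
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'acmeRbacUser' SUP top AUXILIARY
  MUST ( acmeRbacProfile $ badgeId ) MAY acmeMail X-ORIGIN 'ACME' )
"""

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\((.*)\)\s*$", re.I | re.M)

def _names(body):
    """Return every NAME alias of one definition (single or parenthesised list)."""
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", body)
    if not m:
        return []
    return [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))

def _must(body):
    """Return the MUST (required) attributes of an objectclass definition."""
    m = re.search(r"\bMUST\s+(?:\(([^)]*)\)|([\w;-]+))", body)
    return [a.strip() for a in (m.group(1) or m.group(2)).split("$")] if m else []

def check_schema(ldif, prefix, existing_names=()):
    """Return (definition, issue, name) tuples for a custom schema LDIF."""
    findings = []
    taken = {n.lower() for n in existing_names}
    unfolded = re.sub(r"\n ", "", ldif)  # join LDIF continuation lines
    for kind, body in DEF_RE.findall(unfolded):
        names = _names(body)
        label = names[0] if names else "<unnamed>"
        for n in names:
            if not n.lower().startswith(prefix.lower()):
                findings.append((label, "unprefixed", n))  # outside own namespace
            if n.lower() in taken:
                findings.append((label, "clash", n))       # name already in use
        if kind.lower() == "objectclasses":
            # Required attributes: such entries need the CLI and --setattr.
            findings.extend((label, "required-attr", a) for a in _must(body))
    return findings

if __name__ == "__main__":
    for finding in check_schema(SAMPLE_LDIF, "acme", {"cn", "uid", "mail"}):
        print(finding)
```

The `existing_names` set here is a three-name sample; in practice it would be filled with the attribute and objectclass names already present in the server's schema.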