What are your recommendations for avoiding incompatibility with
future upgrades of IPA if extending
the dirsrv schema and adding custom objects to the LDAP server is
required? What considerations
and precautions should be taken?

Such as adding RBAC support for Solaris clients...
Additional schema is unlikely to cause issues if it does not conflict
with standard schema. We also tend to prefix all the
attributes/objectclasses we create for FreeIPA so name clashes are

If it is custom schema I suggest you prefix names appropriately
so you have your own 'namespace'.

As for placement I suggest you put this data in a separate container
from standard FreeIPA stuff for new objects.

In the base DN create a container named something like your company
or ticker: cn=ACME,<suffix>  and put all your customized entries

Attaching additional data to users is not a big deal for custom

If it is not custom schema but standard schema not currently used by
FreeIPA I would be a little bit more careful as a following version
FreeIPA might conceivably start using those attributes, and there is
generally enough space to use them in a sort of 'incompatible' way.

But don't let that stop you if you really need it.
Please note that when adding additional objectclasses to users and/or group etc
... if there are required attributes in the new objectclasses, you will no
longer be able to add these objects from Web UI and you will not be able to
define values for the new attributes introduced from the Web UI
without customization.  You will have to use the CLI and the --setattr option
with the command.
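The two precautions raised in the replies above (keep custom schema in your own prefixed namespace, and be aware that an objectclass with MUST attributes can no longer be handled from the Web UI) can be checked before the schema is loaded. The script below is an added example, not part of this thread or of FreeIPA: it parses a constructed cn=schema LDIF fragment, flags unprefixed or colliding names and AUXILIARY classes with required attributes, and builds the `ipa user-mod --addattr/--setattr` invocation Dmitri's note implies. The `acme*` names, the Solaris RBAC attribute meanings and the OID arc 1.3.6.1.4.1.99999 are placeholders; the set of "names in use" is an illustrative subset, not FreeIPA's real schema.

```python
"""Pre-deployment lint for custom 389-ds/FreeIPA schema (added example)."""
import re
import shlex

PREFIX = "acme"  # assumption: the organisation's chosen schema namespace

# Illustrative subset of names already defined by standard or FreeIPA schema;
# a real check would read them from the live cn=schema entry instead.
NAMES_IN_USE = {
    "uid", "cn", "sn", "description", "gecos", "loginshell", "homedirectory",
    "memberof", "ipauniqueid", "krbprincipalname", "posixaccount", "inetorgperson",
}

# Constructed sample: a custom schema change as it would appear in an LDIF
# file. 1.3.6.1.4.1.99999 is a PLACEHOLDER arc, not a registered enterprise OID.
CUSTOM_SCHEMA_LDIF = """\
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'acmeSolarisProfile'
  DESC 'Solaris RBAC profile' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.2 NAME 'acmeSolarisAuth'
  DESC 'Solaris RBAC authorization' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.3 NAME 'roleName'
  DESC 'unprefixed, easy to clash with' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'ACME' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'acmeSolarisUser' SUP top AUXILIARY
  MUST ( acmeSolarisProfile ) MAY ( acmeSolarisAuth ) X-ORIGIN 'ACME' )
objectClasses: ( 1.3.6.1.4.1.99999.2.2 NAME 'acmeSolarisRole' SUP top STRUCTURAL
  MAY ( acmeSolarisAuth $ description ) X-ORIGIN 'ACME' )
"""

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\((.*)\)\s*$", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*([^)]*)\))")
MUST_RE = re.compile(r"\bMUST\s+(?:'?(\w[\w-]*)'?|\(\s*([^)]*)\))")
KIND_RE = re.compile(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b")


def _unfold(ldif):
    """Join LDIF continuation lines (a leading space marks a folded line)."""
    out = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def _names(m):
    if m is None:
        return []
    if m.group(1):
        return [m.group(1)]
    return re.findall(r"'([^']+)'", m.group(2))  # NAME ( 'a' 'b' ) form


def _must(m):
    if m is None:
        return []
    if m.group(1):
        return [m.group(1)]
    return [n.strip() for n in m.group(2).split("$") if n.strip()]


def parse_schema(ldif):
    """Return (attribute_names, objectclasses); each class is a dict with
    name, kind (STRUCTURAL/AUXILIARY/ABSTRACT) and its MUST attribute list."""
    attrs, classes = [], []
    for line in _unfold(ldif):
        m = DEF_RE.match(line)
        if not m:
            continue  # dn:, changetype:, add:, '-' separators
        body = m.group(2)
        names = _names(NAME_RE.search(body))
        if m.group(1).lower() == "attributetypes":
            attrs.extend(names)
        else:
            kind = KIND_RE.search(body)
            classes.append({
                "name": names[0] if names else "?",
                "kind": kind.group(1) if kind else "STRUCTURAL",
                "must": _must(MUST_RE.search(body)),
            })
    return attrs, classes


def lint_custom_schema(ldif, prefix=PREFIX, names_in_use=NAMES_IN_USE):
    """Apply the thread's two precautions; returns (severity, message) pairs."""
    findings = []
    attrs, classes = parse_schema(ldif)
    for name in attrs + [c["name"] for c in classes]:
        if not name.lower().startswith(prefix.lower()):
            findings.append(("warn", f"{name}: not prefixed with '{prefix}', so it sits "
                                     "outside your own namespace"))
        if name.lower() in names_in_use:
            findings.append(("error", f"{name}: clashes with an existing schema element"))
    for c in classes:
        if c["kind"] == "AUXILIARY" and c["must"]:
            findings.append(("warn", f"{c['name']}: AUXILIARY class with MUST {c['must']}; "
                                     "users cannot get it from the Web UI, use --setattr on the CLI"))
    return findings


def ipa_cli_for(user, objectclass, must_values):
    """Build the CLI command that adds the auxiliary class to an existing user
    and supplies every required attribute in the same modify operation."""
    parts = ["ipa", "user-mod", user, f"--addattr=objectclass={objectclass}"]
    parts += [shlex.quote(f"--setattr={k}={v}") for k, v in must_values.items()]
    return " ".join(parts)


if __name__ == "__main__":
    for severity, msg in lint_custom_schema(CUSTOM_SCHEMA_LDIF):
        print(f"[{severity}] {msg}")
    print(ipa_cli_for("alice", "acmeSolarisUser", {"acmeSolarisProfile": "BasicSolarisUser"}))
```

Run against the sample it reports the unprefixed `roleName` and the MUST on `acmeSolarisUser`; renaming the attribute to `acmeRoleName`, or moving `acmeSolarisProfile` from MUST to MAY, clears the corresponding finding. Placing the resulting entries under a container such as `cn=ACME,<suffix>` is a deployment decision the linter does not check.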

Thank you both, I will keep that in mind.

Since Solaris RBAC is what I need at this point, are there any plans of including support for Solaris' RBAC at some point?