Adam,

This is great news.  The feedback I have after a quick read through (I
will try to put a bit more time on it later) would be to make the
'tennant' separation more flexible and why not use existing ldap
schema?

Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why
not create a 'tennant' aux class that would allow the end user to
design a DIT however they would like.

We for example use o=<company|organization>,$suffix.  Then any schema
maintenance instead of being:
For each tennant in (cn=tenants,$suffix)
It would be:
For each tennant in (ldapsearch (objectclass=tennant))

Then the end provider could design a DIT that fit their needs with
replication in mind.  Consider the flexibility of:

o=<Tennant1>,C=US,$suffix
o=<Tennant2>,C=UK,$suffix
o=<Tennant3>,OU=North America,$suffix
o=<Tennant4>,OU=Europe,$suffix

That's my 2ยข at the moment.  I'd be glad to banter back and forth
about this with you. :)

Regards,
-Alan

On Fri, Dec 16, 2011 at 5:35 AM, Adam Young <ayo...@redhat.com> wrote:
>
> I opened a ticket for multitenancy
>
> https://fedorahosted.org/freeipa/ticket/2201
>
> Here is a detailed write up of the issues.
>
> http://freeipa.org/page/Multitenancy
>
> Please provide any feedback that you have and I will update.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to