On 12/16/2011 03:41 PM, Dmitri Pal wrote:
On 12/16/2011 02:37 PM, Alan Evans wrote:
Adam,
This is great news. The feedback I have after a quick read through (I
will try to put a bit more time on it later) would be to make the
'tenant' separation more flexible and why not use existing ldap
schema?
Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why
not create a 'tenant' aux class that would allow the end user to
design a DIT however they would like.
We for example use o=<company|organization>,$suffix. Then any schema
maintenance instead of being:
For each tenant in (cn=tenants,$suffix)
It would be:
For each tenant in (ldapsearch (objectclass=tenant))
Then the end provider could design a DIT that fit their needs with
replication in mind. Consider the flexibility of:
o=<Tenant1>,C=US,$suffix
o=<Tenant2>,C=UK,$suffix
o=<Tenant3>,OU=North America,$suffix
o=<Tenant4>,OU=Europe,$suffix
That's my 2¢ at the moment. I'd be glad to banter back and forth
about this with you. :)
Regards,
-Alan
This is very flexible but I am not sure IPA would be able to be that
flexible.
One of the design goals from the beginning was: static schema and flat
DIT. The whole project is built around it. Such approach would really
come as a "system shock". I am not against it, just saying it would be
harder as it goes even further than Adam's proposal in changing the
fundamental principles.
Also, it is not just the user table that we need to segregate but the
entire DIT. Roles, Groups, SUDO, HBAC, and so forth all need to be
segregated into a separate subtree, not just the user lists. So putting
users in an aux class doesn't really support sufficient segregation. The
assumption for us is that the IPA base scheme would be for
administrative machines, and then each of the tenant subtrees would be
for a subset of the machines in the system.
But that is really only one view of it, and I think I can see where you
are coming from: you want to be able to manage, say, customers, but use
the same rules for them as you do for employees?
On Fri, Dec 16, 2011 at 5:35 AM, Adam Young <ayo...@redhat.com> wrote:
I opened a ticket for multitenancy
https://fedorahosted.org/freeipa/ticket/2201
Here is a detailed write up of the issues.
http://freeipa.org/page/Multitenancy
Please provide any feedback that you have and I will update.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
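To make the two enumeration strategies discussed in the thread concrete (walking a fixed cn=tenants container versus searching for an auxiliary objectClass anywhere in the DIT), here is an added example that is not code from the thread or from FreeIPA; the objectClass name 'tenant', the suffix dc=example,dc=com and the sample entries are constructed assumptions.

```python
import re

SUFFIX = "dc=example,dc=com"  # assumed suffix
# Constructed sample DIT: one tenant under the fixed cn=tenants container,
# two placed by geography as in the reply, plus entries beneath Tenant1.
SAMPLE_LDIF = """\
dn: cn=acme,cn=tenants,dc=example,dc=com
objectClass: top
objectClass: tenant

dn: o=Tenant1,c=US,dc=example,dc=com
objectClass: organization
objectClass: tenant

dn: uid=alice,cn=users,o=Tenant1,c=US,dc=example,dc=com
objectClass: person

dn: cn=allow-admins,cn=sudorules,o=Tenant1,c=US,dc=example,dc=com
objectClass: top

dn: o=Tenant3,ou=North America,dc=example,dc=com
objectClass: organization
objectClass: tenant
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}, DNs lower-cased (DN matching
    is case-insensitive). No base64 values or line folding."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def tenants_by_dit(entries, suffix=SUFFIX):
    """Fixed layout: only cn=<tenant>,cn=tenants,$suffix; geographic tenants are invisible."""
    pat = re.compile(r"^cn=[^,]+,cn=tenants," + re.escape(suffix.lower()) + r"$")
    return sorted(dn for dn in entries if pat.match(dn))

def tenants_by_objectclass(entries, oc="tenant"):
    """Flexible layout: the in-memory equivalent of ldapsearch '(objectclass=tenant)'."""
    return sorted(dn for dn, a in entries.items()
                  if oc in (v.lower() for v in a.get("objectclass", [])))

def tenant_subtree(entries, tenant_dn):
    """Everything beneath a tenant: users, groups, sudo, HBAC must all live here."""
    return sorted(dn for dn in entries if dn != tenant_dn and dn.endswith("," + tenant_dn))
```

Schema maintenance written against the fixed container misses the geographic tenants entirely, while the objectClass search finds all three; tenant_subtree shows what a per-tenant subtree has to enclose for Dmitri's segregation point to hold.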