On 12/16/2011 03:41 PM, Dmitri Pal wrote:
On 12/16/2011 02:37 PM, Alan Evans wrote:

This is great news.  The feedback I have after a quick read through (I
will try to put a bit more time on it later) would be to make the
'tennant' separation more flexible and why not use existing ldap

Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why
not create a 'tennant' aux class that would allow the end user to
design a DIT however they would like.

We for example use o=<company|organization>,$suffix.  Then any schema
maintenance instead of being:
For each tennant in (cn=tenants,$suffix)
It would be:
For each tennant in (ldapsearch (objectclass=tennant))

Then the end provider could design a DIT that fit their needs with
replication in mind.  Consider the flexibility of:

o=<Tennant3>,OU=North America,$suffix

That's my 2ยข at the moment.  I'd be glad to banter back and forth
about this with you. :)

This is very flexible but I am not sure IPA would be able to be that
One of the design goals from the beginning was: static schema and flat
DIT. The whole project is built around it. Such approach would really
come as a "system shock". I am not against it, just saying it would be
harder as it goes even further than Adam's proposal in changing the
fundamental principals.

Also, it is not just the user table that we need to segregate but the entire DIT. Roles, Groups, SUDO, HBAC, and so forth all need to be segregated into a separate subtree, not just the user lists. So putting users in a aux class doesn't really support sufficient segregation. The assumption for us is that the IPA base scheme would be for administrative machines, and then each of the tenant subtrees would be for a subset of the machines in the system.

But that is really only one view of it, and I think I can see where you are coming from: you want to be able to manage,say customers, but use the same rules for them as you do for employees?

On Fri, Dec 16, 2011 at 5:35 AM, Adam Young<ayo...@redhat.com>  wrote:
I opened a ticket for multitenancy


Here is a detailed write up of the issues.


Please provide any feedback that you have and I will update.
Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to