On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
> I've seen mention about the compat plug-in causing issues with
> replication. In my 2.1.4 installation I notice that the plug-in is
> turned on by default. Is compat only required for those supporting NIS
> or does it serve another purpose. As I don't use NIS, I'm just
> wondering if it's safe to turn off.
> To compliment what Rob mentioned...
> Compat is also generally necessary for any user who wishes to utilize Sudo 
> with FreeIPA.
> Sudo does not natively understand what a 'hostgroup' is, so it can only 
> utilize NIS netgroups for this.  Care was taken when designing the FreeIPA 
> hostgroup and nis compatibility system such that any hostgroup that is 
> created has a mirrored (and semi hidden) NIS netgroup created.
> This way when you build Sudo rules and reference 'hostgroups', transparently, 
> it is really referencing NIS netgroups stored inside of ldap and provided by 
> the compat / nis plugins.
> Hope this helps clear some stuff up about why one would want compat and nis 
> turned on in FreeIPA.

Glad you mentioned this. I would have turned it off just to save
space, but I do need sudo. This makes more sense as to why its enabled
by default. Very clever design too to hide the complexity from the


Freeipa-users mailing list

Reply via email to