On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <jr.aqu...@citrix.com> wrote: > On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote: > > I've seen mention about the compat plug-in causing issues with > replication. In my 2.1.4 installation I notice that the plug-in is > turned on by default. Is compat only required for those supporting NIS > or does it serve another purpose. As I don't use NIS, I'm just > wondering if it's safe to turn off. > > To compliment what Rob mentioned... > > Compat is also generally necessary for any user who wishes to utilize Sudo > with FreeIPA. > > Sudo does not natively understand what a 'hostgroup' is, so it can only > utilize NIS netgroups for this. Care was taken when designing the FreeIPA > hostgroup and nis compatibility system such that any hostgroup that is > created has a mirrored (and semi hidden) NIS netgroup created. > > This way when you build Sudo rules and reference 'hostgroups', transparently, > it is really referencing NIS netgroups stored inside of ldap and provided by > the compat / nis plugins. > > Hope this helps clear some stuff up about why one would want compat and nis > turned on in FreeIPA.
Glad you mentioned this. I would have turned it off just to save space, but I do need sudo. This makes more sense as to why its enabled by default. Very clever design too to hide the complexity from the user. Steve _______________________________________________ Freeipa-users mailing list Freeipafirstname.lastname@example.org https://www.redhat.com/mailman/listinfo/freeipa-users