On 03/16/2012 04:06 PM, Stephen Ingram wrote:
> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>>
>> I've seen mention about the compat plug-in causing issues with
>> replication. In my 2.1.4 installation I notice that the plug-in is
>> turned on by default. Is compat only required for those supporting NIS
>> or does it serve another purpose? As I don't use NIS, I'm just
>> wondering if it's safe to turn off.
>>
>> To complement what Rob mentioned...
>>
>> Compat is also generally necessary for any user who wishes to utilize Sudo 
>> with FreeIPA.
>>
>> Sudo does not natively understand what a 'hostgroup' is, so it can only 
>> utilize NIS netgroups for this.  Care was taken when designing the FreeIPA 
>> hostgroup and nis compatibility system such that any hostgroup that is 
>> created has a mirrored (and semi hidden) NIS netgroup created.
>>
>> This way when you build Sudo rules and reference 'hostgroups', 
>> transparently, it is really referencing NIS netgroups stored inside of ldap 
>> and provided by the compat / nis plugins.
>>
>> Hope this helps clear some stuff up about why one would want compat and nis 
>> turned on in FreeIPA.
> Glad you mentioned this. I would have turned it off just to save
> space, but I do need sudo. This makes more sense as to why it's enabled
> by default. Very clever design too to hide the complexity from the
> user.

In future we will support native IPA SUDO schema in SSSD.
https://fedorahosted.org/sssd/ticket/1108

> Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

