On 03/16/2012 04:06 PM, Stephen Ingram wrote:
> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>> I've seen mention about the compat plug-in causing issues with
>> replication. In my 2.1.4 installation I notice that the plug-in is
>> turned on by default. Is compat only required for those supporting NIS
>> or does it serve another purpose. As I don't use NIS, I'm just
>> wondering if it's safe to turn off.
>> To compliment what Rob mentioned...
>> Compat is also generally necessary for any user who wishes to utilize Sudo
>> with FreeIPA.
>> Sudo does not natively understand what a 'hostgroup' is, so it can only
>> utilize NIS netgroups for this. Care was taken when designing the FreeIPA
>> hostgroup and nis compatibility system such that any hostgroup that is
>> created has a mirrored (and semi hidden) NIS netgroup created.
>> This way when you build Sudo rules and reference 'hostgroups',
>> transparently, it is really referencing NIS netgroups stored inside of ldap
>> and provided by the compat / nis plugins.
>> Hope this helps clear some stuff up about why one would want compat and nis
>> turned on in FreeIPA.
> Glad you mentioned this. I would have turned it off just to save
> space, but I do need sudo. This makes more sense as to why its enabled
> by default. Very clever design too to hide the complexity from the
In future we will support native IPA SUDO schema in SSSD.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list