Hi Stephen,

On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher <sgall...@redhat.com> wrote:
> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>
> There's a great deal more to FreeIPA's integration with 389 than just
> the DIT. In order for FreeIPA to function properly, there are several
> 389 plugins that had to be written, most notably for support of changing
> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.

Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:

* dna: Distributed Numeric Assignment plug-in

I don't know of an openldap plugin providing the same functionality.
However one solution could be to use the unique overlay to make sure the
uids are unique:

  The Attribute Uniqueness overlay can be used with a backend database
  such as slapd-bdb(5) to enforce the uniqueness of some or all
  attributes within a scope. This subtree defaults to all objects within
  the subtree of the database for which the Uniqueness overlay is
  configured. For example, if uniqueness were enforced for the uid
  attribute, the subtree would be searched for any other records which
  also have a uid attribute containing the same value. If any are found,
  the request is rejected.

That would also require some modification in the administration tools by
pushing the logic to generate a new user id from the slapd server to the
administration tools. The code responsible for creating a new user should
take into account the possibility that the ldap add operation might fail
because of an existing uid and update the uid accordingly before retrying.

* ipa-memberof: IPA memberof plugin

There is a similar overlay in openldap:

  The memberof overlay to slapd(8) allows automatic reverse group
  membership maintenance. Any time a group entry is modified, its members
  are modified as appropriate in order to keep a DN-valued "is member of"
  attribute updated with the DN of the group.

* ipa-pwd-extop: Password Modify - LDAP Extended Operation

There is a similar overlay in openldap/contrib: smbk5pwd, which extends
the PasswordModify Extended Operation to update Kerberos keys and Samba
password hashes for an LDAP user. However the code is currently written
for Heimdal kerberos and should thus be ported to MIT Kerberos.

* ipa-winsync: Windows Synchronization Plug-in for IPA

I don't know of an openldap overlay that provides all the functionality
of ipa-winsync. However the translucent overlay may be leveraged to
provide part of the functionality. What is the exact functionality
provided by this plugin?

It should also be noted that openldap supports slapi plugins, which means
that some FreeIPA plugins could be supported in openldap (to be tested
though).

Are there any other plugins that I've missed?

> We've previously discussed this with the Debian/Ubuntu developers and
> explained that the effort needed to port FreeIPA to openldap FAR exceeds
> the effort of including 389 in Debian/Ubuntu.

Correct. I've sent an email to the freeipa-devel mailing list but haven't
had time (yet) to follow up on the thread. My comments above would have
been my reply to the thread - should this conversation be moved to the
freeipa-devel mailing list instead?

-- 
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com

_______________________________________________
Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
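As an added illustration of the openldap-side setup Mathias sketches above (the unique overlay standing in for dna's uniqueness guarantee, and the memberof overlay for ipa-memberof), here is a static slapd.conf fragment. It is not code from this thread, from FreeIPA or from the OpenLDAP project; the suffix dc=example,dc=com, the ou=people subtree, the module path and the bdb backend are assumptions for the example.

```conf
# Added example slapd.conf fragment (not from the thread).
# Assumed: overlays built as dynamic modules under /usr/lib/ldap.
modulepath  /usr/lib/ldap
moduleload  back_bdb.la
moduleload  unique.la
moduleload  memberof.la

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
# Equality indexes keep the uniqueness search on every write cheap.
index       uidNumber,uid   eq

# slapo-unique: any add or modify that would leave two entries under
# ou=people with the same uidNumber or the same uid is rejected with
# constraintViolation. This enforces uniqueness only; allocating the
# next number moves to the admin tool, which must catch that error
# and retry with a fresh uidNumber, as the message describes.
overlay     unique
unique_uri  ldap:///ou=people,dc=example,dc=com?uidNumber,uid?sub

# slapo-memberof: keep a memberOf attribute on user entries in sync
# with the member attribute of groupOfNames groups; refint removes
# stale memberOf values when a group or member is deleted.
overlay     memberof
memberof-group-oc    groupOfNames
memberof-member-ad   member
memberof-memberof-ad memberOf
memberof-refint      true
```

The uniqueness check runs only at write time, so two administration tools that both compute "highest uidNumber + 1" at the same moment still race; the loser gets constraintViolation (LDAP result code 19) and that is exactly the case the retry logic in the message has to handle. Note that the overlay is scoped by the URI, so an entry created outside ou=people is not checked against it.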