On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher <sgall...@redhat.com> wrote:
> On 07/22/2009 11:03 AM, Mathias Gug wrote:
> There's a great deal more to FreeIPA's integration with 389 than just
> the DIT. In order for FreeIPA to function properly, there are several
> 389 plugins that had to be written, most notably for support of changing
> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.
Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
* dna: Distributed Numeric Assignment plug-in
I don't know of an openldap plugin providing the same functionality.
However one solution could be to use the unique overlay to make sure the
uids are unique:
The Attribute Uniqueness overlay can be used with a backend database
such as slapd-bdb(5) to enforce the uniqueness of some or all
attributes within a scope. This subtree defaults to all objects within
the subtree of the database for which the Uniqueness overlay is config‐
For example, if uniqueness were enforced
for the uid attribute, the subtree would be searched for any other
records which also have a uid attribute containing the same value. If
any are found, the request is rejected.
That would also require some modification in the administration tools
by pushing the logic to generate a new user id from the slapd server
to the administration tools. The code responsible for creating a new
user should take into account the possibility that the ldap add
operation might fail because of an existing uid and update the uid
accordingly before retrying.
* ipa-memberof: IPA memberof plugin
There is a similar overlay in openldap:
The memberof overlay to slapd(8) allows automatic reverse group membership
maintenance. Any time a group entry is modified, its members are
modified as appropriate in order to keep a DN-valued "is member of"
attribute updated with the DN of the group.
* ipa-pwd-extop: Password Modify - LDAP Extended Operation
There is a similar overlay in openldap/contrib:
The smbk5pwd overlay extends the PasswordModify Extended Operation to
update Kerberos keys and Samba password hashes for an LDAP user.
However the code is currently written for Heimdal kerberos and should
thus be ported to MIT Kerberos.
* ipa-winsync: Windows Synchronization Plug-in for IPA
I don't know of an openldap overlay that provides all the
functionality of ipa-winsync. However the translucent overlay may be
leveraged to provide part of the functionality. What is the exact
functionality provided by this plugin?
It should also be noted that openldap supports slapi plugins, which
means that some FreeIPA plugins could be supported in openldap (to be
Are there any other plugins that I've missed?
> We've previously discussed this with the Debian/Ubuntu developers and
> explained that the effort needed to port FreeIPA to openldap FAR exceeds
> the effort of including 389 in Debian/Ubuntu.
Correct. I've sent an email to the freeipa-devel mailing list but
haven't had time (yet) to follow up on the thread. My comments above
would have been my reply to the thread - should this conversation be
moved to the freeipa-devel mailing list instead?
Ubuntu Developer http://www.ubuntu.com
Mailing list: https://launchpad.net/~freeipa
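The client-side allocation-and-retry logic Mathias sketches above (pick a free uidNumber in the admin tool, try the LDAP add, and if the server's uniqueness overlay rejects it because someone else took the number in the meantime, pick the next one and retry) as an added example. This is not code from the thread, from FreeIPA or from OpenLDAP. The in-memory directory classes are constructed stand-ins for a slapd running slapo-unique, so the example runs offline; the slapd.conf directives in the module docstring and the assumption that slapo-unique answers a duplicate with constraintViolation (caught as `ldap.CONSTRAINT_VIOLATION` when using python-ldap) are mine, not something the thread states.

```python
"""Client-side uidNumber allocation with retry against a directory that
enforces uniqueness server-side.

Assumed server-side configuration (slapd.conf, my assumption, not part
of this code and not stated in the thread):

    overlay    unique
    unique_uri ldap:///ou=People,dc=example,dc=com?uidNumber?sub

With python-ldap against a real server the `except UidNumberConflict`
below would be `except ldap.CONSTRAINT_VIOLATION` (assumed result code).
"""
from dataclasses import dataclass, field


class UidNumberConflict(Exception):
    """The server rejected the add: another entry already has this uidNumber."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for slapd + slapo-unique: rejects duplicate uidNumber."""
    entries: dict = field(default_factory=dict)  # dn -> attribute dict

    def search_uidnumbers(self):
        """What the admin tool would get from a search for uidNumber under the base."""
        return sorted(int(a["uidNumber"]) for a in self.entries.values())

    def add(self, dn, attrs):
        if dn in self.entries:
            raise ValueError(f"entry already exists: {dn}")
        if any(a["uidNumber"] == attrs["uidNumber"] for a in self.entries.values()):
            raise UidNumberConflict(attrs["uidNumber"])
        self.entries[dn] = dict(attrs)


class RacyDirectory(FakeDirectory):
    """Constructed stand-in where another client grabs the caller's candidate
    number once, between the caller's search and the caller's add. This is
    exactly the window the retry loop in add_user() has to survive."""
    raced: bool = False

    def add(self, dn, attrs):
        if not self.raced:
            self.raced = True
            super().add("uid=intruder,ou=People,dc=example,dc=com",
                        {"uidNumber": attrs["uidNumber"], "uid": "intruder"})
        return super().add(dn, attrs)


def next_free_uidnumber(used, floor=1000, ceiling=60000):
    """Lowest value in [floor, ceiling] not present in `used` (a sorted list)."""
    candidate = floor
    for u in used:
        if u < candidate:
            continue
        if u == candidate:
            candidate += 1
        else:
            break  # gap below u, candidate is free
    if candidate > ceiling:
        raise RuntimeError("uidNumber range exhausted")
    return candidate


def add_user(directory, uid, base="ou=People,dc=example,dc=com", max_attempts=10):
    """Create a posixAccount for `uid`; returns the uidNumber that was committed.

    The search-then-add is not atomic, so the server's uniqueness check is
    the real guarantee and the client must be prepared to lose the race.
    """
    dn = f"uid={uid},{base}"
    candidate = next_free_uidnumber(directory.search_uidnumbers())
    for _ in range(max_attempts):
        attrs = {
            "objectClass": ["inetOrgPerson", "posixAccount"],
            "uid": uid,
            "uidNumber": str(candidate),
            "gidNumber": str(candidate),
            "homeDirectory": f"/home/{uid}",
        }
        try:
            directory.add(dn, attrs)
            return candidate
        except UidNumberConflict:
            # Somebody committed this number after our search. Re-read and
            # move strictly past the number that was just refused.
            candidate = next_free_uidnumber(directory.search_uidnumbers(),
                                            floor=candidate + 1)
    raise RuntimeError(f"could not allocate a uidNumber for {uid} "
                       f"after {max_attempts} attempts")


if __name__ == "__main__":
    d = FakeDirectory()
    print(add_user(d, "alice"), add_user(d, "bob"))   # 1000 1001
    print(add_user(RacyDirectory(), "carol"))         # 1001: 1000 was taken mid-flight
```

The bounded retry matters: without `max_attempts` a misconfigured overlay (or a client that keeps re-proposing the same number) would spin forever, and without re-reading the directory after a refusal the loop would only ever advance by one and could collide repeatedly under load.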