On 07/22/2009 01:35 PM, Mathias Gug wrote:
> Hi Stephen,
>
> On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher<[email protected]>
> wrote:
>> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>>
>> There's a great deal more to FreeIPA's integration with 389 than just
>> the DIT. In order for FreeIPA to function properly, there are several
>> 389 plugins that had to be written, most notably for support of changing
>> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.
>
> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>
> * dna: Distributed Numeric Assignment plug-in
>
> I don't know of an openldap plugin providing the same functionality.
>
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
>
> The Attribute Uniqueness overlay can be used with a backend database
> such as slapd-bdb(5) to enforce the uniqueness of some or all
> attributes within a scope. This subtree defaults to all objects within
> the subtree of the database for which the Uniqueness overlay is
> configured.
>
> For example, if uniqueness were enforced
> for the uid attribute, the subtree would be searched for any other
> records which also have a uid attribute containing the same value. If
> any are found, the request is rejected.
>
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
>
> * ipa-memberof: IPA memberof plugin
>
> There is a similar overlay in openldap:
>
> The memberof overlay to slapd(8) allows automatic reverse group
> membership maintenance.
> Any time a group entry is modified, its members are
> modified as appropriate in order to keep a DN-valued "is member of"
> attribute updated with the DN of the group.
>
> * ipa-pwd-extop: Password Modify - LDAP Extended Operation
>
> There is a similar overlay in openldap/contrib:
>
> The smbk5pwd that extends the PasswordModify Extended Operation to
> update Kerberos keys and Samba password hashes for an LDAP user.
>
> However the code is currently written for Heimdal kerberos and should
> thus be ported to MIT Kerberos.
>
> * ipa-winsync: Windows Synchronization Plug-in for IPA
>
> I don't know of an openldap overlay that provides all the
> functionality of ipa-winsync. However the translucent overlay may be
> leveraged to provide part of the functionality. What is the exact
> functionality provided by this plugin?
>
> It should also be noted that openldap supports slapi plugins, which
> means that some FreeIPA plugins could be supported in openldap (to be
> tested though).
>
> Are there any other plugins that I've missed?
>
>> We've previously discussed this with the Debian/Ubuntu developers and
>> explained that the effort needed to port FreeIPA to openldap FAR exceeds
>> the effort of including 389 in Debian/Ubuntu.
>>
>
> Correct. I've sent an email to the freeipa-devel mailing list but
> haven't had time (yet) to follow up on the thread. My comments above
> would have been my reply to the thread - should this conversation be
> moved to the freeipa-devel mailing list instead?
>
> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com

I think it would be prudent to move it there, as very few of the FreeIPA
developers are subscribed to this list right now.

-- 
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs? www.redhat.com/carveoutcosts/

_______________________________________________
Mailing list: https://launchpad.net/~freeipa
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp
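
The client-side retry that the quoted message asks of the administration tools when the uniqueness overlay rejects an add, as an added example that is not part of the original thread and not FreeIPA or OpenLDAP code. `FakeDirectory`, its `before_add` hook, the `uidNumber` attribute choice, the starting id 10000 and the `dc=example,dc=com` DNs are all constructed assumptions standing in for a real slapd so the race can be reproduced offline.

```python
class ConstraintViolation(Exception):
    """Stand-in for LDAP result code 19 (constraintViolation)."""


class FakeDirectory:
    """Constructed in-memory stand-in for slapd with one unique attribute."""

    def __init__(self, unique_attr="uidNumber"):
        self.unique_attr = unique_attr
        self.entries = {}        # dn -> attribute dict
        self.before_add = None   # hypothetical hook: simulates a concurrent writer

    def values(self, attr):
        return [e[attr] for e in self.entries.values() if attr in e]

    def add(self, dn, attrs):
        if self.before_add:      # let the "other tool" write first, once
            hook, self.before_add = self.before_add, None
            hook(self)
        if attrs.get(self.unique_attr) in self.values(self.unique_attr):
            raise ConstraintViolation(f"{self.unique_attr} already in use")
        self.entries[dn] = dict(attrs)


def add_user(directory, login, first_id=10000, max_attempts=5):
    """Pick the next free uidNumber client-side; retry if the server rejects it."""
    dn = f"uid={login},ou=people,dc=example,dc=com"
    for attempt in range(1, max_attempts + 1):
        candidate = max(directory.values("uidNumber"), default=first_id - 1) + 1
        try:
            directory.add(dn, {"uid": login, "uidNumber": candidate})
            return candidate, attempt
        except ConstraintViolation:
            continue             # number was taken after our search: re-read, retry
    raise RuntimeError(f"no free uidNumber for {login} after {max_attempts} tries")


def steal(number):
    """Build a hook that adds a competing entry holding `number`."""
    def hook(d):
        d.entries[f"uid=other{number},ou=people,dc=example,dc=com"] = {"uidNumber": number}
    return hook


def demo():
    d = FakeDirectory()
    first = add_user(d, "alice")
    d.before_add = steal(10001)  # another tool grabs 10001 between search and add
    second = add_user(d, "bob")
    return first, second, sorted(d.values("uidNumber"))
```

The search-then-add window is where two tools can choose the same number; the server-side uniqueness check is what turns that race into a rejected add instead of a duplicate id, and the bounded retry keeps a tool from looping forever.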

