Hash: SHA1

On 07/22/2009 01:35 PM, Mathias Gug wrote:
> Hi Stephen,
> On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher<sgall...@redhat.com> 
> wrote:
>> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>> There's a great deal more to FreeIPA's integration with 389 than just
>> the DIT. In order for FreeIPA to function properly, there are several
>> 389 plugins that had to be written, most notably for support of changing
>> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.
> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>   * dna: Distributed Numeric Assignment plug-in
> I don't know of a openldap plugin providing the same functionality.
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
>        The  Attribute  Uniqueness  overlay can be used with a backend database
>        such  as  slapd-bdb(5)  to  enforce  the  uniqueness  of  some  or  all
>        attributes  within a scope. This subtree defaults to all objects within
>        the subtree of the database for which the Uniqueness overlay is config‐
>        ured.
>        For example, if uniqueness were enforced
>        for the uid attribute, the subtree would  be  searched  for  any  other
>        records  which  also have a uid attribute containing the same value. If
>        any are found, the request is rejected.
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
>   * ipa-memberof: IPA memberof plugin
> There is a similar overlay in openldap:
>        The memberof overlay to slapd(8) allows automatic reverse group member‐
>        ship maintenance.  Any time a group entry is modified, its members  are
>        modified  as  appropriate  in  order to keep a DN-valued "is member of"
>        attribute updated with the DN of the group.
>   * ipa-pwd-extop: Password Modify - LDAP Extended Operation
> There is a similar overlay in openldap/contrib:
>       The smbk5pwd that extends the PasswordModify Extended Operation to
>       update Kerberos keys and Samba password hashes for an LDAP user.
> However the code is currently written for Heimdal kerberos and should
> thus be ported to MIT Kerberos.
>   * ipa-winsync: Windows Synchronization Plug-in for IPA
> I don't know of an openldap overlay that provides all the
> functionality of ipa-winsync. However the translucent overlay may be
> leverage to provide part of the functionality. What are the exact
> functionality provided by this plugin?
> It should also be noted that openldap support slapi plugins, which
> means that some FreeIPA plugins could be supported in openldap (to be
> tested though).
> Are there any other plugins that I've missed?
>> We've previously discussed this with the Debian/Ubuntu developers and
>> explained that the effort needed to port FreeIPA to openldap FAR exceeds
>> the effort of including 389 in Debian/Ubuntu.
> Correct. I've sent an email to the freeipa-devel mailing list but
> haven't had time (yet) to follow up on the thread. My comments above
> would have been my reply to the thread - should this conversation be
> moved to the freeipa-devel mailing list instead?
> --
> Mathias Gug
> Ubuntu Developer  http://www.ubuntu.com

I think it would be prudent to move it there, as very few of the FreeIPA
developers are subscribed to this list right now.

- -- 
Stephen Gallagher
RHCE 804006346421761

Looking to carve out IT costs?
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/


Mailing list: https://launchpad.net/~freeipa
Post to     : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

Reply via email to