On 07/22/2009 01:35 PM, Mathias Gug wrote:
> Hi Stephen,
> On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher<sgall...@redhat.com>
>> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>> There's a great deal more to FreeIPA's integration with 389 than just
>> the DIT. In order for FreeIPA to function properly, there are several
>> 389 plugins that had to be written, most notably for support of changing
>> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.
> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
> * dna: Distributed Numeric Assignment plug-in
> I don't know of an openldap plugin providing the same functionality.
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
> The Attribute Uniqueness overlay can be used with a backend database
> such as slapd-bdb(5) to enforce the uniqueness of some or all
> attributes within a scope. This subtree defaults to all objects within
> the subtree of the database for which the Uniqueness overlay is config‐
> For example, if uniqueness were enforced
> for the uid attribute, the subtree would be searched for any other
> records which also have a uid attribute containing the same value. If
> any are found, the request is rejected.
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
> * ipa-memberof: IPA memberof plugin
> There is a similar overlay in openldap:
> The memberof overlay to slapd(8) allows automatic reverse group membership
> maintenance. Any time a group entry is modified, its members are
> modified as appropriate in order to keep a DN-valued "is member of"
> attribute updated with the DN of the group.
> * ipa-pwd-extop: Password Modify - LDAP Extended Operation
> There is a similar overlay in openldap/contrib:
> The smbk5pwd overlay extends the PasswordModify Extended Operation to
> update Kerberos keys and Samba password hashes for an LDAP user.
> However the code is currently written for Heimdal Kerberos and should
> thus be ported to MIT Kerberos.
> * ipa-winsync: Windows Synchronization Plug-in for IPA
> I don't know of an openldap overlay that provides all the
> functionality of ipa-winsync. However the translucent overlay may be
> leveraged to provide part of the functionality. What is the exact
> functionality provided by this plugin?
> It should also be noted that openldap supports slapi plugins, which
> means that some FreeIPA plugins could be supported in openldap (to be
> tested though).
> Are there any other plugins that I've missed?
>> We've previously discussed this with the Debian/Ubuntu developers and
>> explained that the effort needed to port FreeIPA to openldap FAR exceeds
>> the effort of including 389 in Debian/Ubuntu.
> Correct. I've sent an email to the freeipa-devel mailing list but
> haven't had time (yet) to follow up on the thread. My comments above
> would have been my reply to the thread - should this conversation be
> moved to the freeipa-devel mailing list instead?
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
I think it would be prudent to move it there, as very few of the FreeIPA
developers are subscribed to this list right now.
Mailing list: https://launchpad.net/~freeipa
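The retry approach Mathias suggests for replacing the DNA plugin with the uniq overlay (the admin tool picks the next uidNumber itself, and re-reads and retries when slapd rejects the add), as an added example that is not part of this thread nor of FreeIPA or OpenLDAP code. It assumes a simplified python-ldap style `search_s`/`add_s` interface (not python-ldap's real signatures) and uses a constructed in-memory stand-in for slapd with slapo-unique so it runs offline; the constraintViolation result is what slapo-unique returns for a duplicate value.

```python
class ConstraintViolation(Exception):
    """Stand-in for ldap.CONSTRAINT_VIOLATION (LDAP result code 19)."""

class UniqueDirectory:
    """Constructed in-memory stand-in for slapd with slapo-unique on uidNumber."""
    def __init__(self):
        self.entries = {}        # dn -> {attribute: [values]}
        self.before_add = None   # optional hook used to simulate a concurrent writer

    def search_s(self, attr):
        """Simplified search: integer values of attr across all entries."""
        return [int(e[attr][0]) for e in self.entries.values() if attr in e]

    def add_s(self, dn, entry):
        if self.before_add is not None:
            self.before_add(self)
        wanted = entry["uidNumber"]
        if any(e.get("uidNumber") == wanted for e in self.entries.values()):
            # slapo-unique rejects a duplicate with constraintViolation
            raise ConstraintViolation("some attributes not unique")
        self.entries[dn] = entry

def next_free_uidnumber(conn, floor=1000):
    """Client-side replacement for the DNA plugin: highest used uidNumber + 1."""
    return max(conn.search_s("uidNumber") + [floor - 1]) + 1

def add_user(conn, uid, base="ou=people,dc=example,dc=com", attempts=5):
    """Create a user; when the uniqueness overlay rejects the number, re-read and retry."""
    for _ in range(attempts):
        number = next_free_uidnumber(conn)
        entry = {"uid": [uid], "uidNumber": [str(number)], "gidNumber": [str(number)]}
        try:
            conn.add_s(f"uid={uid},{base}", entry)
            return number
        except ConstraintViolation:
            continue   # another client won the race for this number; recompute
    raise RuntimeError(f"no free uidNumber for {uid} after {attempts} attempts")

def race_demo():
    """Another client takes the candidate number between our search and our add."""
    conn = UniqueDirectory()
    add_user(conn, "alice")                     # gets 1000
    def concurrent_writer(directory):
        directory.before_add = None             # fire only once
        directory.entries["uid=bob,ou=people,dc=example,dc=com"] = {
            "uid": ["bob"], "uidNumber": ["1001"], "gidNumber": ["1001"]}
    conn.before_add = concurrent_writer
    return add_user(conn, "carol")              # 1001 is rejected; the retry yields 1002
```

The bounded retry matters: without the uniqueness overlay on the server side, two tools racing on the same read-then-add window would both succeed and silently hand out one uidNumber twice.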