Re: [Freeipa-users] Extending schema
- Original Message -

On Thu, 2011-10-13 at 15:44 +0200, Sigbjorn Lie wrote:

Hi,

What are your recommendations for avoiding incompatibility with future upgrades of IPA if extending the dirsrv schema and adding custom objects to the LDAP server is required? What considerations and precautions should be taken? Such as adding RBAC support for Solaris clients...

Additional schema is unlikely to cause issues if it does not conflict with standard schema. We also tend to prefix all the attributes/objectclasses we create for FreeIPA so name clashes are unlikely. If it is custom schema I suggest you prefix names appropriately too, so you have your own 'namespace'.

As for placement I suggest you put this data in a separate container from standard FreeIPA stuff for new objects. In the base DN create a container named something like your company name or ticker: cn=ACME,suffix and put all your customized entries there.

Attaching additional data to users is not a big deal for custom schema. If it is not custom schema but standard schema not currently used by FreeIPA I would be a little bit more careful as a following version of FreeIPA might conceivably start using those attributes, and there is generally enough space to use them in a sort of 'incompatible' way. But don't let that stop you if you really need it.

Please note that when adding additional objectclasses to users and/or groups etc ... if there are required attributes in the new objectclasses, you will no longer be able to add these objects from Web UI and you will not be able to define values for the new attributes introduced from the Web UI without customization. You will have to use the CLI and the --setattr option with the command. ~ Jenny

Simo.

--
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
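A check for the two points raised in the thread above (a private name prefix for custom schema, and required attributes in added objectclasses), as an added example that is not part of the original messages. The `acme` prefix, the schema names and the OIDs in the sample are constructed placeholders.

```python
import re

# Constructed sample of a custom schema file; names and OIDs are placeholders.
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.1.2.1.1 NAME 'acmeRbacProfile' DESC 'RBAC profile' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.1.2.1.2 NAME 'rbacAuth' DESC 'RBAC authorization' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectClasses: ( 1.1.2.2.1 NAME 'acmeRbacUser' SUP top AUXILIARY MUST acmeRbacProfile MAY ( rbacAuth $ description ) )
objectClasses: ( 1.1.2.2.2 NAME 'acmeNote' SUP top AUXILIARY MAY ( description ) )
"""

DEF_RE = re.compile(r"^(attributeTypes|objectClasses):\s*\((.*)\)\s*$", re.I)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")
MUST_RE = re.compile(r"\bMUST\s+(?:\(([^)]*)\)|([\w;-]+))")

def unfold(ldif):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    return re.sub(r"\n ", "", ldif).splitlines()

def lint_schema(ldif, prefix):
    """Return (names lacking the prefix, {objectclass: [required attributes]})."""
    unprefixed, required = [], {}
    for line in unfold(ldif):
        m = DEF_RE.match(line)
        if not m:
            continue  # dn: lines, comments, blank lines
        kind, body = m.group(1).lower(), m.group(2)
        n = NAME_RE.search(body)
        if not n:
            continue
        # NAME is either one quoted name or a parenthesised list of aliases.
        names = [n.group(1)] if n.group(1) else re.findall(r"'([^']+)'", n.group(2))
        unprefixed += [x for x in names if not x.lower().startswith(prefix.lower())]
        # MUST attributes are the ones the Web UI cannot fill in by default.
        must = MUST_RE.search(body) if kind == "objectclasses" else None
        if must:
            attrs = must.group(1) or must.group(2)
            required[names[0]] = [a.strip() for a in attrs.split("$") if a.strip()]
    return unprefixed, required

if __name__ == "__main__":
    bad_names, must_attrs = lint_schema(SAMPLE_LDIF, "acme")
    print("definitions outside the 'acme' namespace:", bad_names)
    print("objectclasses with required attributes:", must_attrs)
```

Objectclasses reported with required attributes are the ones for which entries have to be created from the CLI with `--setattr`, as the thread notes.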
Re: [Freeipa-users] [Fwd: RHN Errata Alert: ipa-client bug fix update]
- Original Message -

- Original Message -

Sigbjorn Lie wrote:

I have received this errata for RHEL5, but not RHEL6. Has the issue been fixed in RHEL 6 as well?

It is going through testing now, I can't provide an ETA.

It has finished testing and has been pushed live. It should be available soon!

Sorry, was mistaken: it is still being tested but we are hoping to push the fix today. So stay tuned.

Thanks
Jenny

rob

Rgds,
Siggi

-Original Message-
From: Red Hat Network Alert [mailto:dev-n...@rhn.redhat.com]
Sent: 15. september 2011 09:58
To: Sigbjørn Lie
Subject: RHN Errata Alert: ipa-client bug fix update

Red Hat Network has determined that the following advisory is applicable to one or more of the systems you have registered:

Complete information about this errata can be found at the following location: https://rhn.redhat.com/rhn/errata/details/Details.do?eid=12202

Bug Fix Advisory - RHBA-2011:1290-1

Summary: ipa-client bug fix update

An updated ipa-client package that fixes one bug is now available for Red Hat Enterprise Linux 5.

Description: IPA (Identity, Policy, Audit) is an integrated solution to provide centrally managed identity, that is, machine, user, virtual machines, groups, and authentication credentials.

The ipa-client package provides a tool to enroll a machine to an IPA version 2 server.

This update fixes the following bug:

* Prior to this update, GSSAPI credential delegation was disabled in the curl utility due to a security issue. As a result, applications that rely on delegation did not work properly. This update utilizes a new constructor argument in the xmlrpc-c client API to set the new CURLOPT_GSSAPI_DELEGATION curl option. This option enables the credential delegation, thus fixing this bug. (BZ#736658)

Users of ipa-client are advised to upgrade to this updated package, which fixes this bug.
--
Jenny Galipeau jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
Thank you Natxo. We are working hard to get it there and when we do .. it will be awesome!

Jenny

Natxo Asenjo wrote:

On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote:

How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

If you read the release notes (http://freeipa.org/page/IPAv2_beta), in the paragraph 'migration' it is quite clearly stated that migration from v1 to v2 of freeipa is not possible. You are right that it is not clearly stated that migrations between 1.9.whatever and 2 are not possible but ...

... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.

I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, but this was not supposed to be running in a production environment. Do not blame redhat for something that clearly is not their fault.

This project is going to be awesome for unix networks. All the pieces of the puzzle were out there, but these guys are putting them together in a nice package. Having dealt with a share of ldap+kerberos environments, I can tell you this is it. It is not there yet, but it is getting there. It is your choice to not use it.

--
groeten,
natxo

--
Jenny Galipeau jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering