Re: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
On Tue, 25 Oct 2016, Frank Munsche wrote:
> Hi guys,
>
> we are currently evaluating free-ipa. We've used the sun one ds, sun / oracle dsee and 389 so far. All of those are easy to customize respective the schema, class of service, dynamic groups,... Unfortunately most applications like jenkins, jira, confluence, gitblit, bitbucket, nexus and others don't have a native interface to authenticate against free-ipa. But most of them can do ldap(s) / tls and can connect to any ldap server with a proxy user configured. This way and by using class of service and dynamic groups, we were able to tie them to the directory and use it for authentication and sometimes authorization as well.

Have you checked http://www.freeipa.org/page/HowTos ?

> As I've seen so far, the 389 as part of free-ipa is tightly coupled to the rest of the components and its schema and dit are structured to fit the needs of ipa.
> Some questions that come into my mind:
>
> Would it be possible to extend the schema and configure the 389 ds for my own needs?

Everything is possible but you'll be responsible for whatever would be done.

> Could the dit be restructured to match the logic of our environments?

Most likely no. The flat DIT assumptions and naming of subtrees are encoded in the FreeIPA framework.

> I remember the sun idm server which was a pretty complex product but gave the user lots of possible customizations of the web ui and included workflows. Is that possible with ipa also?

Read existing documentation.
http://www.freeipa.org/page/HowTo/Add_a_new_attribute
http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
and overall links under http://www.freeipa.org/page/Documentation

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
On Tue, 2016-10-25 at 15:49 +0200, Frank Munsche wrote:
> Hi guys,
>
> we are currently evaluating free-ipa. We've used the sun one ds, sun /
> oracle dsee and 389 so far. All of those are easy to customize
> respective the schema, class of service, dynamic groups,...
> Unfortunately most applications like jenkins, jira, confluence, gitblit,
> bitbucket, nexus and others don't have a native interface to
> authenticate against free-ipa. But most of them can do ldap(s) / tls
> and can connect to any ldap server with a proxy user configured. This
> way and by using class of service and dynamic groups, we were able to
> tie them to the directory and use it for authentication and sometimes
> authorization as well.
> As I've seen so far, the 389 as part of free-ipa is tightly coupled to
> the rest of the components and its schema and dit are structured to
> fit the needs of ipa.
> Some questions that come into my mind:
>
> Would it be possible to extend the schema and configure the 389 ds for
> my own needs?

Yes, the schema can be extended.

> Could the dit be restructured to match the logic of our
> environments?

No, but we have a compat tree that can be used with clients that insist on using other "views" of the directory. The compat tree carries performance penalties and is not easy to change dramatically, but it is a possible way to go.

> I remember the sun idm server which was a pretty complex product but
> gave the user lots of possible customizations of the web ui and
> included workflows. Is that possible with ipa also?

With the latest FreeIPA versions it is possible to write plugins to extend the Web UI, we are working on making it more straightforward, but it has been done already.

> thank you very much,

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York
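An illustration of the schema extension confirmed as possible in the reply above, added here and not part of the thread or of FreeIPA's own files: an LDIF for `ldapmodify` that defines one attribute and one auxiliary object class in 389 DS, then applies them to a user entry. The names `exampleAppRole` and `exampleAppUser`, the OIDs, the suffix `dc=example,dc=com`, the user `jdoe` and the value `jenkins-admin` are all constructed placeholders.

```ldif
# Added example. Apply as Directory Manager with ldapmodify over LDAPS or StartTLS.
# OIDs use the documentation enterprise arc 1.3.6.1.4.1.32473 (RFC 5612);
# replace them with OIDs from your organisation's own registered arc.

# 1. Define a custom attribute and an AUXILIARY object class.
#    AUXILIARY keeps the structural classes FreeIPA puts on its entries untouched.
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.32473.1.1.1 NAME 'exampleAppRole' DESC 'Constructed: application role used for authorization' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Example site extension' )
-
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.32473.1.2.1 NAME 'exampleAppUser' DESC 'Constructed: carries application attributes' SUP top AUXILIARY MAY ( exampleAppRole ) X-ORIGIN 'Example site extension' )

# 2. Attach the new class and a value to an existing FreeIPA user entry,
#    leaving the entry where FreeIPA's flat DIT expects it.
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: exampleAppUser
-
add: exampleAppRole
exampleAppRole: jenkins-admin
```

Making the attribute visible in the `ipa` CLI or Web UI takes a framework plugin on top of this, which is what the extending-FreeIPA documents linked in the thread cover.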
[Freeipa-users] free-ipa 389 own schema, cos, static and dynamic groups
Hi guys,

we are currently evaluating free-ipa. We've used the sun one ds, sun / oracle dsee and 389 so far. All of those are easy to customize respective the schema, class of service, dynamic groups,... Unfortunately most applications like jenkins, jira, confluence, gitblit, bitbucket, nexus and others don't have a native interface to authenticate against free-ipa. But most of them can do ldap(s) / tls and can connect to any ldap server with a proxy user configured. This way and by using class of service and dynamic groups, we were able to tie them to the directory and use it for authentication and sometimes authorization as well.

As I've seen so far, the 389 as part of free-ipa is tightly coupled to the rest of the components and its schema and dit are structured to fit the needs of ipa.

Some questions that come into my mind:

Would it be possible to extend the schema and configure the 389 ds for my own needs?

Could the dit be restructured to match the logic of our environments?

I remember the sun idm server which was a pretty complex product but gave the user lots of possible customizations of the web ui and included workflows. Is that possible with ipa also?

thank you very much,

cheers,
Frank