Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Brian LaMere
On Tue, Aug 24, 2010 at 6:16 PM, Rob Crittenden rcrit...@redhat.com wrote: Brian LaMere wrote: Yes, if not easier. It is just 389-ds under the hood, we have some simple management tools that create the agreements for you. Since we use our own CA SSL is easy as well. if I already have certs

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Brian LaMere
The ACIs are defined inside the underlying Directory Server. Details and syntax are here http://directory.fedoraproject.org/wiki/Howto:AccessControl The ACIs as you see can be group based. One does not need a hierarchical ou user structure in the DS for ACIs - just groups. So all the

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Rich Megginson
Brian LaMere wrote: The ACIs are defined inside the underlying Directory Server. Details and syntax are here http://directory.fedoraproject.org/wiki/Howto:AccessControl The ACIs as you see can be group based. One does not need a hierarchical ou user structure in the

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Brian LaMere
389 access control is pretty powerful and flexible. There's usually a way to do what you want to do without having to resort to using subtrees (as in AD). http://www.redhat.com/docs/manuals/dir-server/8.2/admin/html/Managing_Access_Control.html aye - I already have everything on that side

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Simo Sorce
On Thu, 2 Sep 2010 16:26:26 -0700 Brian LaMere br...@cukerinteractive.com wrote: 389 access control is pretty powerful and flexible. There's usually a way to do what you want to do without having to resort to using subtrees (as in AD).

Re: [Freeipa-users] 389-ds to free-ipa transition; transparent?

2010-09-02 Thread Brian LaMere
Brian, for non user/group/host objects you fully own and control you can use whatever directory structure you want as long as you do not put them under the cn=accounts subtree and keep them generally away from any IPA controlled subtree. ah - well if that's the case, then I asked my