Re: [Freeipa-users] compat plug-in and replication
Stephen Ingram wrote:
> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.

The compat plugin wasn't causing problems with replication but we did see increasing memory and CPU usage during migration. We now recommend that compat be disabled when migrating entries (who needs the overhead anyway).

Yes, safe to turn it off depending on what your needs are. There are two capabilities provided by the slapi-nis plugin:

1. Compatibility for older clients such as Solaris which doesn't fully grok 2307bis and netgroup triples (ipa-compat-manage enable/disable)
2. An NIS listener (ipa-nis-manage enable/disable) which requires compat to be enabled.

But like I said, shouldn't impact replication at all. It just reformats data.

> I'm also wondering about replication support in Redhat versions vs Fedora. Earlier I saw mention that the replication feature in the Redhat version was going to be made available through a separate channel. Then later conversation led me to believe that this had been changed. Is this still the case?

Replication is included with 389-ds-base on both platforms.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] compat plug-in and replication
On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.

To complement what Rob mentioned...

Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this.

Care was taken when designing the FreeIPA hostgroup and nis compatibility system such that any hostgroup that is created has a mirrored (and semi hidden) NIS netgroup created. This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of ldap and provided by the compat / nis plugins.

Hope this helps clear some stuff up about why one would want compat and nis turned on in FreeIPA.

~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
C: +1 805.717.0365
jr.aqu...@citrixonline.com
http://www.citrixonline.com

Re: [Freeipa-users] compat plug-in and replication
On Fri, Mar 16, 2012 at 03:12:03PM -0400, Rob Crittenden wrote:
> 2. An NIS listener (ipa-nis-manage enable/disable) which requires compat to be enabled.

The NIS server plugin shouldn't depend on the compat plugin being enabled. The NIS server depends on being notified of changes to its source data by the server, and because the compat plugin isn't a full-fledged backend database, it doesn't trigger those notifications for the compat entries.

HTH,

Nalin

Re: [Freeipa-users] compat plug-in and replication
On Fri, Mar 16, 2012 at 12:12 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Stephen Ingram wrote:
>> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.
>
> The compat plugin wasn't causing problems with replication but we did see increasing memory and CPU usage during migration. We now recommend that compat be disabled when migrating entries (who needs the overhead anyway).

What do you mean exactly by migrating entries or migration in general? I'm getting the impression that this is something different than replication? If you disable compat, then those entries would not appear in the replica, no?

> Yes, safe to turn it off depending on what your needs are. There are two capabilities provided by the slapi-nis plugin:
>
> 1. Compatibility for older clients such as Solaris which doesn't fully grok 2307bis and netgroup triples (ipa-compat-manage enable/disable)
> 2. An NIS listener (ipa-nis-manage enable/disable) which requires compat to be enabled.
>
> But like I said, shouldn't impact replication at all. It just reformats data.

Could you please explain what you mean by reformatting the data? Are you talking about changing something in the directory?

Steve

Re: [Freeipa-users] compat plug-in and replication
On 03/16/2012 03:55 PM, Stephen Ingram wrote:
> On Fri, Mar 16, 2012 at 12:12 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Stephen Ingram wrote:
>>> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.
>>
>> The compat plugin wasn't causing problems with replication but we did see increasing memory and CPU usage during migration. We now recommend that compat be disabled when migrating entries (who needs the overhead anyway).
>
> What do you mean exactly by migrating entries or migration in general? I'm getting the impression that this is something different than replication? If you disable compat, then those entries would not appear in the replica, no?

When you migrate from a DS you have to IPA, you load data into IPA using the ipa migrate-ds command. Sometimes it takes a while to process the whole DS data you might have. During this time we recommend turning the compat and NIS plugins off and then, when the migration is complete, turning them on if you need them.

>> Yes, safe to turn it off depending on what your needs are. There are two capabilities provided by the slapi-nis plugin:
>>
>> 1. Compatibility for older clients such as Solaris which doesn't fully grok 2307bis and netgroup triples (ipa-compat-manage enable/disable)
>> 2. An NIS listener (ipa-nis-manage enable/disable) which requires compat to be enabled.
>>
>> But like I said, shouldn't impact replication at all. It just reformats data.
>
> Could you please explain what you mean by reformatting the data? Are you talking about changing something in the directory?

The NIS plugin is a flavor of the compat plugin. The compat plugin looks at the actual data in the LDAP and creates a view of this data in another format in memory. Via this capability you can create 2307 objects out of 2307bis objects or expected SUDO entries from the entries in the internal representation.

HTH

> Steve

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

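The in-memory view Dmitri describes above, sketched as an added example that is not part of the thread and is not slapi-nis code. The dc=example,dc=com suffix, the container DNs, the sample entries and the function names are assumptions, and flattening nested groups goes a little beyond the one-line description in the message.

```python
# Added illustration, not slapi-nis code: derive an RFC 2307 view of
# RFC 2307bis group entries in memory, leaving the source data untouched.
# Constructed sample entries keyed by DN; suffix and containers are assumptions.
USERS = "cn=users,cn=accounts,dc=example,dc=com"
GROUPS = "cn=groups,cn=accounts,dc=example,dc=com"
DIRECTORY = {
    f"uid=alice,{USERS}": {"uid": ["alice"]},
    f"uid=bob,{USERS}": {"uid": ["bob"]},
    f"cn=admins,{GROUPS}": {"cn": ["admins"], "gidNumber": ["5000"],
                            "member": [f"uid=alice,{USERS}"]},
    # 2307bis stores members as DNs, so a group can contain another group
    f"cn=ops,{GROUPS}": {"cn": ["ops"], "gidNumber": ["5001"],
                         "member": [f"uid=bob,{USERS}", f"cn=admins,{GROUPS}"]},
}

def member_uids(directory, group_dn, seen=None):
    """Flatten member DNs (including nested groups) into bare uid values."""
    seen = set() if seen is None else seen
    if group_dn in seen:           # guard against membership loops
        return set()
    seen.add(group_dn)
    uids = set()
    for dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(dn)
        if entry is None:          # dangling reference: nothing to show
            continue
        if "uid" in entry:         # a user entry contributes its uid
            uids.update(entry["uid"])
        else:                      # otherwise treat it as a nested group
            uids |= member_uids(directory, dn, seen)
    return uids

def compat_view(directory, compat_base="cn=groups,cn=compat,dc=example,dc=com"):
    """Return derived 2307 posixGroup entries; the input is not modified."""
    view = {}
    for dn, entry in directory.items():
        if "gidNumber" not in entry:   # only group entries are reformatted
            continue
        cn = entry["cn"][0]
        view[f"cn={cn},{compat_base}"] = {
            "objectClass": ["posixGroup"],
            "cn": [cn],
            "gidNumber": list(entry["gidNumber"]),
            "memberUid": sorted(member_uids(directory, dn)),
        }
    return view

if __name__ == "__main__":
    for dn, entry in compat_view(DIRECTORY).items():
        print(dn, entry["memberUid"])
```

Because the view is computed from the source entries and never written back, there is nothing extra to replicate, which matches Rob's "it just reformats data".
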
Re: [Freeipa-users] compat plug-in and replication
On 03/16/2012 04:06 PM, Stephen Ingram wrote:
> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>>> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.
>>
>> To complement what Rob mentioned...
>>
>> Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this.
>>
>> Care was taken when designing the FreeIPA hostgroup and nis compatibility system such that any hostgroup that is created has a mirrored (and semi hidden) NIS netgroup created. This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of ldap and provided by the compat / nis plugins.
>>
>> Hope this helps clear some stuff up about why one would want compat and nis turned on in FreeIPA.
>
> Glad you mentioned this. I would have turned it off just to save space, but I do need sudo. This makes more sense as to why it's enabled by default. Very clever design too to hide the complexity from the user.

In future we will support native IPA SUDO schema in SSSD.
https://fedorahosted.org/sssd/ticket/1108

> Steve

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Re: [Freeipa-users] compat plug-in and replication
On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:
> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>>> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.
>>
>> To complement what Rob mentioned...
>>
>> Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this.
>>
>> Care was taken when designing the FreeIPA hostgroup and nis compatibility system such that any hostgroup that is created has a mirrored (and semi hidden) NIS netgroup created. This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of ldap and provided by the compat / nis plugins.
>>
>> Hope this helps clear some stuff up about why one would want compat and nis turned on in FreeIPA.
>
> Glad you mentioned this. I would have turned it off just to save space, but I do need sudo. This makes more sense as to why it's enabled by default. Very clever design too to hide the complexity from the user.

Glad to know the info helps! We did such a good job at keeping that stuff in the background that it sometimes gets overlooked :)

To be completely fair... The SSSD team is actively working toward the goal of eventually supporting FreeIPA natively via the Sudo plugin system. In the future it will not be necessary to use compat or nis for Sudo.

-JR

Re: [Freeipa-users] compat plug-in and replication
On Fri, Mar 16, 2012 at 1:11 PM, JR Aquino jr.aqu...@citrix.com wrote:
> On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:
>> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino jr.aqu...@citrix.com wrote:
>>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>>>> I've seen mention about the compat plug-in causing issues with replication. In my 2.1.4 installation I notice that the plug-in is turned on by default. Is compat only required for those supporting NIS or does it serve another purpose? As I don't use NIS, I'm just wondering if it's safe to turn off.
>>>
>>> To complement what Rob mentioned...
>>>
>>> Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA. Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this.
>>>
>>> Care was taken when designing the FreeIPA hostgroup and nis compatibility system such that any hostgroup that is created has a mirrored (and semi hidden) NIS netgroup created. This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of ldap and provided by the compat / nis plugins.
>>>
>>> Hope this helps clear some stuff up about why one would want compat and nis turned on in FreeIPA.
>>
>> Glad you mentioned this. I would have turned it off just to save space, but I do need sudo. This makes more sense as to why it's enabled by default. Very clever design too to hide the complexity from the user.
>
> Glad to know the info helps! We did such a good job at keeping that stuff in the background that it sometimes gets overlooked :)
>
> To be completely fair... The SSSD team is actively working toward the goal of eventually supporting FreeIPA natively via the Sudo plugin system. In the future it will not be necessary to use compat or nis for Sudo.

That was going to be my next question. It is great that as this project moves forward many of these tools that have been around for a long time are being reworked for the better. I continue to be amazed at the *reach* of FreeIPA and the amount I learn from just watching this list.

Steve