
freeipa team mailing list archive

Re: Please review and advocate 389-directory-server (a successor of LDAP) related packages in REVU so that 389 can make it into Karmic


Hi Stephen,

On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher<sgallagh@xxxxxxxxxx> wrote:
> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>
> There's a great deal more to FreeIPA's integration with 389 than just
> the DIT. In order for FreeIPA to function properly, there are several
> 389 plugins that had to be written, most notably for support of changing
> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.

Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:

  * dna: Distributed Numeric Assignment plug-in

I don't know of an openldap plugin providing the same functionality.

However one solution could be to use the uniq overlay to make sure the
uids are unique:

       The Attribute Uniqueness overlay can be used with a backend database
       such as slapd-bdb(5) to enforce the uniqueness of some or all
       attributes within a scope. This subtree defaults to all objects within
       the subtree of the database for which the Uniqueness overlay is
       configured.

       For example, if uniqueness were enforced for the uid attribute, the
       subtree would be searched for any other records which also have a uid
       attribute containing the same value. If any are found, the request is
       rejected.

That would also require some modification in the administration tools
by pushing the logic to generate a new user id from the slapd server
to the administration tools. The code responsible for creating a new
user should take into account the possibility that the ldap add
operation might fail because of an existing uid and update the uid
accordingly before retrying.

  * ipa-memberof: IPA memberof plugin

There is a similar overlay in openldap:

       The memberof overlay to slapd(8) allows automatic reverse group
       membership maintenance. Any time a group entry is modified, its
       members are modified as appropriate in order to keep a DN-valued
       "is member of" attribute updated with the DN of the group.

  * ipa-pwd-extop: Password Modify - LDAP Extended Operation

There is a similar overlay in openldap/contrib:

      The smbk5pwd overlay extends the PasswordModify Extended Operation to
      update Kerberos keys and Samba password hashes for an LDAP user.

However the code is currently written for Heimdal kerberos and should
thus be ported to MIT Kerberos.

  * ipa-winsync: Windows Synchronization Plug-in for IPA

I don't know of an openldap overlay that provides all the
functionality of ipa-winsync. However the translucent overlay may be
leveraged to provide part of the functionality. What is the exact
functionality provided by this plugin?

It should also be noted that openldap supports slapi plugins, which
means that some FreeIPA plugins could be supported in openldap (to be
tested though).

Are there any other plugins that I've missed?

>
> We've previously discussed this with the Debian/Ubuntu developers and
> explained that the effort needed to port FreeIPA to openldap FAR exceeds
> the effort of including 389 in Debian/Ubuntu.
>

Correct. I've sent an email to the freeipa-devel mailing list but
haven't had time (yet) to follow up on the thread. My comments above
would have been my reply to the thread - should this conversation be
moved to the freeipa-devel mailing list instead?

--
Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
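The client-side uid allocation with retry that the message proposes as a replacement for the dna plugin, as an added example that is not part of the original message nor of FreeIPA or OpenLDAP code; the in-memory directory classes and the ConstraintViolation exception are constructed stand-ins for an LDAP connection and for the constraintViolation result the unique overlay returns, and the uidNumber range is an assumption.

```python
from dataclasses import dataclass, field

UID_MIN, UID_MAX = 1000, 1999  # constructed allocation range (assumption)


class ConstraintViolation(Exception):
    """Stand-in for the constraintViolation result returned by slapo-unique."""


@dataclass
class InMemoryDirectory:
    """Constructed stand-in for an LDAP connection: login name -> uidNumber.
    Uniqueness of uidNumber is enforced on add, as the unique overlay would."""
    entries: dict = field(default_factory=dict)

    def highest_uid_number(self):
        """What the admin tool would learn from a search over uidNumber."""
        return max(self.entries.values(), default=UID_MIN - 1)

    def add(self, uid, uid_number):
        if uid_number in self.entries.values():
            raise ConstraintViolation(f"uidNumber {uid_number} already in use")
        self.entries[uid] = uid_number


@dataclass
class RacingDirectory(InMemoryDirectory):
    """Simulates a concurrent writer: before each add, an interloper (if any)
    takes its own entry, so the caller's pre-computed uidNumber may collide."""
    interlopers: list = field(default_factory=list)

    def add(self, uid, uid_number):
        if self.interlopers:
            other_uid, other_number = self.interlopers.pop(0)
            super().add(other_uid, other_number)
        super().add(uid, uid_number)


def add_user(directory, uid, max_attempts=5):
    """Pick the next free uidNumber client-side; when the server rejects the
    add, re-read the directory, bump the candidate and retry."""
    candidate = directory.highest_uid_number() + 1
    for _ in range(max_attempts):
        if candidate > UID_MAX:
            raise RuntimeError("uidNumber range exhausted")
        try:
            directory.add(uid, candidate)
            return candidate
        except ConstraintViolation:
            # Another writer won the race: refresh our view and try the next number.
            candidate = max(candidate, directory.highest_uid_number()) + 1
    raise RuntimeError(f"no free uidNumber for {uid} after {max_attempts} attempts")
```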
