Message #00012
Re: Please review and advocate 389-directory-server (a successor of LDAP) related packages in REVU so that 389 can make it into Karmic
On 07/22/2009 01:35 PM, Mathias Gug wrote:
> Hi Stephen,
>
> On Wed, Jul 22, 2009 at 11:20 AM, Stephen Gallagher<sgallagh@xxxxxxxxxx> wrote:
>> On 07/22/2009 11:03 AM, Mathias Gug wrote:
>>
>> There's a great deal more to FreeIPA's integration with 389 than just
>> the DIT. In order for FreeIPA to function properly, there are several
>> 389 plugins that had to be written, most notably for support of changing
>> kerberos passwords and for doing dynamic numeric assignment of UID/GIDs.
>
> Looking at freeipa-1.2.1/ipa-server/ipa-slapi-plugins/, there are 4 plugins:
>
> * dna: Distributed Numeric Assignment plug-in
>
> I don't know of an openldap plugin providing the same functionality.
>
> However one solution could be to use the uniq overlay to make sure the
> uids are unique:
>
> The Attribute Uniqueness overlay can be used with a backend database
> such as slapd-bdb(5) to enforce the uniqueness of some or all
> attributes within a scope. This subtree defaults to all objects within
> the subtree of the database for which the Uniqueness overlay is configured.
>
> For example, if uniqueness were enforced
> for the uid attribute, the subtree would be searched for any other
> records which also have a uid attribute containing the same value. If
> any are found, the request is rejected.
>
> That would also require some modification in the administration tools
> by pushing the logic to generate a new user id from the slapd server
> to the administration tools. The code responsible for creating a new
> user should take into account the possibility that the ldap add
> operation might fail because of an existing uid and update the uid
> accordingly before retrying.
>
> * ipa-memberof: IPA memberof plugin
>
> There is a similar overlay in openldap:
>
> The memberof overlay to slapd(8) allows automatic reverse group membership
> maintenance. Any time a group entry is modified, its members are
> modified as appropriate in order to keep a DN-valued "is member of"
> attribute updated with the DN of the group.
>
> * ipa-pwd-extop: Password Modify - LDAP Extended Operation
>
> There is a similar overlay in openldap/contrib:
>
> The smbk5pwd overlay extends the PasswordModify Extended Operation to
> update Kerberos keys and Samba password hashes for an LDAP user.
>
> However the code is currently written for Heimdal kerberos and should
> thus be ported to MIT Kerberos.
>
> * ipa-winsync: Windows Synchronization Plug-in for IPA
>
> I don't know of an openldap overlay that provides all the
> functionality of ipa-winsync. However the translucent overlay may be
> leveraged to provide part of the functionality. What is the exact
> functionality provided by this plugin?
>
> It should also be noted that openldap supports slapi plugins, which
> means that some FreeIPA plugins could be supported in openldap (to be
> tested though).
>
> Are there any other plugins that I've missed?
>
>> We've previously discussed this with the Debian/Ubuntu developers and
>> explained that the effort needed to port FreeIPA to openldap FAR exceeds
>> the effort of including 389 in Debian/Ubuntu.
>>
>
> Correct. I've sent an email to the freeipa-devel mailing list but
> haven't had time (yet) to follow up on the thread. My comments above
> would have been my reply to the thread - should this conversation be
> moved to the freeipa-devel mailing list instead?
>
> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
I think it would be prudent to move it there, as very few of the FreeIPA
developers are subscribed to this list right now.
--
Stephen Gallagher
RHCE 804006346421761
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
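The "uniq overlay plus retry in the admin tools" scheme Mathias sketches above, as an added example that is not code from this thread, from FreeIPA or from OpenLDAP. `Directory`, `ConstraintViolation` and the `on_candidate` hook are constructed stand-ins (an in-memory DIT whose add enforces uidNumber uniqueness the way the overlay would); the client side proposes max+1 and retries when the server rejects a collision, which is the failure mode the thread says the tools would have to handle.

```python
"""Client-side UID allocation against a server that enforces uidNumber
uniqueness. Constructed in-memory stand-in for slapd + unique overlay;
this is not real LDAP and not FreeIPA's DNA plugin."""
import threading


class ConstraintViolation(Exception):
    """Stand-in for LDAP resultCode 19 (constraintViolation) from the overlay."""


class Directory:
    """Minimal DIT: an add whose uidNumber is already present is rejected.
    The lock models the server checking and committing atomically, which is
    what makes the client-side retry safe under concurrent admin tools."""

    def __init__(self):
        self._entries = {}  # dn -> attributes
        self._lock = threading.Lock()

    def add(self, dn, attrs):
        with self._lock:
            uid = attrs["uidNumber"]
            if any(e["uidNumber"] == uid for e in self._entries.values()):
                raise ConstraintViolation(f"uidNumber {uid} already in use")
            if dn in self._entries:
                raise ConstraintViolation(f"{dn} already exists")
            self._entries[dn] = dict(attrs)

    def max_uid(self, floor):
        """Highest uidNumber currently in the subtree (floor if empty)."""
        with self._lock:
            return max((e["uidNumber"] for e in self._entries.values()),
                       default=floor)


def create_user(directory, uid_name, floor=1000, max_attempts=5,
                on_candidate=None):
    """Admin-tool side: read max+1, let the server arbitrate, retry on
    rejection. Returns (accepted uidNumber, attempts used).
    on_candidate is a test seam (assumption) used to inject a competing
    writer between the read and the add, the race the thread warns about."""
    for attempt in range(1, max_attempts + 1):
        candidate = directory.max_uid(floor) + 1
        if on_candidate is not None:
            on_candidate(candidate)
        try:
            directory.add(f"uid={uid_name},ou=People,dc=example,dc=com",
                          {"uid": uid_name, "uidNumber": candidate})
            return candidate, attempt
        except ConstraintViolation:
            if attempt == max_attempts:
                raise  # give up: caller reports the error, nothing was written
            # another writer won the race; re-read and propose the next number
```

Note that the uniqueness check is only meaningful because the server applies it atomically; a client that merely searches for the uid first and then adds has the same race with no arbitration.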