[Freeipa-devel] First cut of schema doc

Andrew Bartlett abartlet at samba.org
Thu Jul 12 12:54:40 UTC 2007


On Thu, 2007-07-12 at 08:45 -0400, Simo Sorce wrote:
> On Wed, 2007-07-11 at 15:23 -0700, Pete Rowley wrote:
> > Simo Sorce wrote:
> > > On Wed, 2007-07-11 at 14:53 -0700, Pete Rowley wrote:
> > >   
> > >> Getting something up to argue over :)
> > >>
> > >> http://freeipa.com/page/SchemaV1
> > >>     
> > >
> > > Questions and remarks:
> > > - what is/why dc=com ?
> > >   
> > could be dc=org or whatever that component of the realm name is. The 
> > important thing is the splitting off of the most significant portion of 
> > the realm name from the suffix to be part of DIT (replacing cn=default 
> > which we didn't like)
> 
> Ooooh now I see the point, but I honestly don't like it :)

I'm still unclear:  If my realm was abartlet.net, are things under
dc=abartlet,dc=net, with that DN having an extra objectClass of
ipaRealm?

> > > - I removed uniqueidentifier: IPA for now, as it is redundant (info: IPa
> > > v1.0 is enough)
> > >   
> > I don't think clients should have to parse the string in any fashion 
> > other than compare in order to be sure this is an IPA server.
> 
> What's wrong with this search filter:
> (&(objectClass=pilotObject)(info=IPA*)) ?
> 
> > > - more info on objectclass: ipaRealm ? Why do we need it ? The
> > > explanation on the page is not really clear to me.
> > >
> > >   
> > OK I'll re-word it - it's discovery, since we have this partitioned off 
> > into a separate space so that clients can search through only the things 
> > they are interested in I thought it would be a good idea to be able to 
> > discover where that place is.
> 
> I see, it makes sense for our discovery utility indeed, but this is not
> something we can "backport" to older clients or other OSs clients
> unfortunately.
> Also I am starting wondering if we really need to separate Users and
> Groups in different OUs ... yes we do cause bloody Unix has 2 different
> name spaces for users and groups :(

Having them in the same spot would make mapping to the AD style
easier...

Why can't they be under cn=group and uid=user?  Or better still, as we
need the names to be unique for samba (even v3), just make that a
restriction?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
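As an added illustration (not code from this thread, from FreeIPA, or from the SchemaV1 page), the following Python script makes two points of the discussion concrete: the realm-to-suffix mapping Andrew asks about (abartlet.net under dc=abartlet,dc=net) together with the discovery filter Simo proposes, evaluated with a minimal matcher so the difference between an exact compare on "IPA" and a prefix match on "IPA*" is visible; and the single-container layout Andrew suggests, which only works if user and group names never collide. The entry DNs, the objectClass/info attribute values and the sample users and groups are constructed for the example and are assumptions about the draft schema, not its definition; the filter matcher handles only the RFC 4515 subset the thread uses and approximates LDAP matching rules with case-insensitive string comparison.

```python
"""Added illustration for the schema thread above; it is not FreeIPA code.

  1. realm -> suffix (abartlet.net -> dc=abartlet,dc=net) and the discovery
     filter (&(objectClass=pilotObject)(info=IPA*)) run through a minimal
     LDAP filter matcher, so prefix match vs. exact compare can be seen;
  2. what "just make user and group names unique" has to check if both
     live under one container as uid= and cn= entries.
All directory entries below are constructed sample data.
"""
import re

_LABEL = re.compile(r"^[a-z0-9-]+$")


def realm_to_base_dn(realm: str) -> str:
    """Map a DNS-style Kerberos realm to a dc= suffix (assumed convention)."""
    labels = [l for l in realm.lower().split(".") if l]
    if not labels or not all(_LABEL.match(l) for l in labels):
        raise ValueError(f"not a DNS-style realm: {realm!r}")
    return ",".join(f"dc={l}" for l in labels)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used in the thread: (&...), (|...),
    (attr=value), (attr=value*) and (attr=*).  Escapes are not handled."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data in filter")
    return node


def _parse(s: str, i: int):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, subs = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return ("and" if op == "&" else "or", subs), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported filter item: {s[i:j]!r}")
    if value == "*":
        return ("present", attr.lower()), j + 1
    if value.endswith("*"):
        return ("prefix", attr.lower(), value[:-1].lower()), j + 1
    return ("eq", attr.lower(), value.lower()), j + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against {attr(lowercase): [values]}.
    Comparison is case-insensitive throughout (approximation of LDAP
    matching rules; real servers apply per-attribute rules)."""
    kind = node[0]
    if kind == "and":
        return all(matches(n, entry) for n in node[1])
    if kind == "or":
        return any(matches(n, entry) for n in node[1])
    values = [v.lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return node[2] in values
    return any(v.startswith(node[2]) for v in values)  # prefix


def search(entries: dict, filter_text: str) -> list:
    """Return the sorted DNs of entries matching filter_text."""
    node = parse_filter(filter_text)
    hits = []
    for dn, attrs in entries.items():
        norm = {k.lower(): list(v) for k, v in attrs.items()}
        if matches(node, norm):
            hits.append(dn)
    return sorted(hits)


DISCOVERY_FILTER = "(&(objectClass=pilotObject)(info=IPA*))"

# Constructed sample directory: one IPA config entry, one unrelated
# pilotObject whose info merely begins with "IPA", and one user.
SAMPLE_ENTRIES = {
    "cn=ipaconfig,dc=abartlet,dc=net": {
        "objectClass": ["top", "pilotObject"],
        "info": ["IPA v1.0"],
    },
    "cn=notes,dc=abartlet,dc=net": {
        "objectClass": ["top", "pilotObject"],
        "info": ["IPAdmin handover notes"],
    },
    "uid=abartlet,dc=abartlet,dc=net": {
        "objectClass": ["top", "person", "posixAccount"],
        "uid": ["abartlet"],
    },
}


def name_collisions(users, groups) -> list:
    """Names that clash if users (uid=) and groups (cn=) share one
    container under a uniqueness restriction (constructed inputs)."""
    return sorted({u.lower() for u in users} & {g.lower() for g in groups})


if __name__ == "__main__":
    print(realm_to_base_dn("abartlet.net"))
    print(search(SAMPLE_ENTRIES, DISCOVERY_FILTER))
    print(search(SAMPLE_ENTRIES, "(&(objectClass=pilotObject)(info=IPA v1.0))"))
    print(name_collisions(["abartlet", "ssorce"], ["wheel", "ssorce"]))
```

Run stand-alone, the prefix filter returns both pilotObject entries while the exact-value filter returns only the config entry, which is the practical difference between "compare" and "parse the string" that the thread is arguing about; the last call shows the one name a flat user/group container would have to reject.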