[Freeipa-devel] First cut of schema doc

Simo Sorce ssorce at redhat.com
Thu Jul 12 14:29:13 UTC 2007


On Thu, 2007-07-12 at 23:24 +1000, Andrew Bartlett wrote:
> On Thu, 2007-07-12 at 09:18 -0400, Simo Sorce wrote:
> > On Thu, 2007-07-12 at 22:54 +1000, Andrew Bartlett wrote:
> > > On Thu, 2007-07-12 at 08:45 -0400, Simo Sorce wrote:
> > > > On Wed, 2007-07-11 at 15:23 -0700, Pete Rowley wrote:
> > > > > Simo Sorce wrote:
> > > > > > On Wed, 2007-07-11 at 14:53 -0700, Pete Rowley wrote:
> > > > > >   
> > > > > >> Getting something up to argue over :)
> > > > > >>
> > > > > >> http://freeipa.com/page/SchemaV1
> > > > > >>     
> > > > > >
> > > > > > Questions and remarks:
> > > > > > - what is/why dc=com ?
> > > > > >   
> > > > > could be dc=org or whatever that component of the realm name is. The 
> > > > > important thing is the splitting off of the most significant portion of 
> > > > > the realm name from the suffix to be part of DIT (replacing cn=default 
> > > > > which we didn't like)
> > > > 
> > > > Ooooh now I see the point, but I honestly don't like it :)
> > > 
> > > I'm still unclear:  If my realm was abartlet.net, are things under
> > > dc=abartlet,dc=net, with that DN having an extra objectClass of
> > > ipaRealm?
> > 
> > Pete's proposal was:
> > dc=net (objectclass=pilotObject / info=IPA v1.0)
> > |- cn=system
> > |  |-cn=kerberos
> > |  \-cn=ipa
> > |-dc=abartlet (objectclass=ipaRealm)
> >    |-ou=people
> >    |-ou=groups
> > 
> > I say now:
> > 
> > dc=abartlet,dc=net (objectclass=pilotObject / info=IPA v1.0)
> > |- cn=system
> > |  |-cn=kerberos
> > |  \-cn=ipa
> > |- cn=realm
> >    |-ou=people
> >    |-ou=groups
> > 
> > Make sense?
> 
> I would love to get rid of the cn=realm level, if possible.  (keep
> cn=system as proposed, or possibly renamed to avoid a conflict with the
> AD use of cn=system). 

I proposed the use of a middle layer to prevent lazy people from making DS
search the complete tree every time when looking for users or groups, as
would happen with people using "dc=abartlet,dc=net" as the basedn for
their searches.
I guess indexes will not make this a big deal, but I still feel that
adding a component like this will be helpful later to make sure searches
can't find wrong entries.
For example if we decide at some point to support multiple realms we
will be able to simply add other nodes under the basedn without having
clients see all user accounts from all realms.

I proposed the name cn=system, Pete proposed cn=global services, what do
you propose? :-)

However I am really keen on exploring whether using views or some slapi
plugin can help us keep a "view" that is easier to handle for samba4.

> > I know, I was even thinking of forcibly merging personal groups into
> > users and having a monotonic merged uid/gid counter so that we basically
> > merge the user and group spaces. But I need a lot of time to explain why
> > this makes sense in general and specifically for interoperating with
> > Windows.
> 
> It depends how seriously we want to take that, I suppose. 

That is a big problem. And I know there is a lot of resistance in this
area.

> > Is this interesting for v1? Or should we delay discussions for post v1?
> 
> Do we break the ability to go beyond v1 if we don't address it?  

I think we will have to change _many_ things for v2 or v3; if we are
going to constrain ourselves to the v1 way of doing things, I think we
will not go too far.

I really prefer to be forced to create a complex migration program than
to feel constrained by v1 legacy.

Simo.
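As an added illustration of the scoping argument in the message above (example code, not from the thread or the FreeIPA project), a toy in-memory model of Simo's second layout with a second realm node added beside cn=realm; "realm2", "uid=alice" and "uid=bob" are constructed values, and objectClass names other than ipaRealm and pilotObject are standard LDAP classes chosen for the sake of the example:

```python
# Constructed example: why a container level below the suffix keeps a
# subtree search from returning entries that belong to another realm.

def dn_in_subtree(dn: str, base: str) -> bool:
    """True if `dn` equals `base` or sits below it (case-insensitive RDN compare)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def search(entries: dict, base: str, filter_oc: str) -> list:
    """Subtree search: DNs under `base` whose objectClass list contains `filter_oc`."""
    return sorted(dn for dn, ocs in entries.items()
                  if dn_in_subtree(dn, base) and filter_oc in ocs)


# Constructed directory: one suffix, the cn=system container, the proposed
# cn=realm container, plus a hypothetical second realm node ("cn=realm2").
ENTRIES = {
    "dc=abartlet,dc=net": ["pilotObject"],
    "cn=system,dc=abartlet,dc=net": ["container"],
    "cn=kerberos,cn=system,dc=abartlet,dc=net": ["container"],
    "cn=ipa,cn=system,dc=abartlet,dc=net": ["container"],
    "cn=realm,dc=abartlet,dc=net": ["ipaRealm"],
    "ou=people,cn=realm,dc=abartlet,dc=net": ["organizationalUnit"],
    "uid=alice,ou=people,cn=realm,dc=abartlet,dc=net": ["posixAccount"],
    "cn=realm2,dc=abartlet,dc=net": ["ipaRealm"],
    "ou=people,cn=realm2,dc=abartlet,dc=net": ["organizationalUnit"],
    "uid=bob,ou=people,cn=realm2,dc=abartlet,dc=net": ["posixAccount"],
}


def users_seen_from_suffix() -> list:
    """The 'lazy' client: basedn is the whole suffix, so every realm's users show up."""
    return search(ENTRIES, "dc=abartlet,dc=net", "posixAccount")


def users_seen_from_realm() -> list:
    """The scoped client: basedn is the realm container, so only that realm's users show up."""
    return search(ENTRIES, "cn=realm,dc=abartlet,dc=net", "posixAccount")


if __name__ == "__main__":
    print("suffix search:", users_seen_from_suffix())
    print("realm search: ", users_seen_from_realm())
```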