[Freeipa-devel] [PATCH] ldif and acis for config
Simo Sorce
ssorce at redhat.com
Tue Oct 23 15:13:39 UTC 2007
On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:
> > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > +changetype: add
> > > +objectClass: top
> > > +objectClass: nsContainer
> > > +objectClass: extensibleObject
> > ----------------^^^^^^^^^^^^^^^
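Review bot: `objectClass: extensibleObject` switches off schema checking for this entry, so the directory will accept any attribute name here and a misspelled option (say `searchTimelimit`) is stored silently as a new attribute instead of being rejected. If the set of config attributes is meant to be fixed, define a small auxiliary objectClass that lists them as MAY attributes and drop extensibleObject; that also gives a natural answer to the name/value/comment question raised below, since each option can then be its own entry with `cn`, a value attribute and `description`.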
> >
> > /me raise eyebrow, are you *sure* ? :)
>
>
> Nope, definitely not sure. It would be better if there was some
> objectClass I could use to store:
> -name
> -value
> -comment
>
> so each configuration could have their own entry with a comment. Do you
> have any suggestions about how to do that?
Unfortunately this is a very hard thing with LDAP, and I guess on
purpose.
An object class like that could be done, but it would make sense for a
single conf option, as in LDAP multivalued attributes are not guaranteed
to keep contents in a specific order.
objectClass: nameValuePairs
name: string
name: number
name: bool
value: 1
value: hey
value: 42
comment: my favourite
comment: the answer
comment: default
You see?
LDAP is schema, schema is LDAP ...
> > > +cn: global
> > > +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> > > +searchTimeLimit: 2
> > > +maxUidLength: 8
> > > +passwordExpireNotifyDays: 7
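Review bot: this single entry mixes security-relevant limits (`maxUidLength`, `passwordExpireNotifyDays`) with UI tunables (`userSearchFields`, `searchTimeLimit`), so any ACI written later to let a GUI administrator change presentation settings will also cover the policy attributes unless it is restricted with `targetattr`. Splitting into separate entries (cn=policy and cn=gui are suggested further down) keeps the two classes of settings under different ACIs without attribute-level filtering.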
> >
> > should we keep security policies and GUI configuration in different
> > entries ?
>
> Sure. Are you thinking
> cn=policy,cn=config,cn=etc...
> and
> cn=gui,cn=config,cn=etc
>
> For me the passwordExpireNotifyDays was a parameter I was going to use
> in the GUI - for when to show a message at the top of the page.
This may be policy or both; the problem is defining a decent structure
for cn=etc, so different components know what to look at and there is
no ambiguity.
Should we also make clear that this tree is for IPA components only?
Or should we allow (as a guideline) third party apps to store configs
there?
In that case, we should define a clear way to create entries, so that we
do not have name space conflicts or other ambiguities.
> > > +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> > > acl "Enable anonymous access to config"; allow (read, search, compare)
> > > userdn="ldap:///anyone";)
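Review bot: the target `cn=*,cn=config,cn=etc,$SUFFIX` with no `targetattr` clause grants anonymous read, search and compare on every attribute of every entry that will ever be created under cn=config, including the policy values (`maxUidLength`, `passwordExpireNotifyDays`) added in this same patch. Narrow the target to the entry the GUI actually needs to read anonymously, or add `(targetattr="userSearchFields || searchTimeLimit")`, and let policy entries be read only by authenticated users (`userdn="ldap:///all"`).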
> >
> > Is this not readable right now already?
> > /me can't remember if we are denying anonymous access right now.
>
> Don't know. I haven't written the code to try to read it just yet.
ldapsearch -x -h localhost -b cn=etc,<basedn>
Simo.
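The cn=policy / cn=gui split discussed in the thread, written out as LDIF with a separate ACI per entry. This is an added example, not part of the thread or of the FreeIPA patch under review; it assumes that cn=config,cn=etc,$SUFFIX already exists and that $SUFFIX is expanded by the installer as in the patch. The attribute names are the ones from the patch; passwordExpireNotifyDays is placed under cn=gui because that is the use Kevin describes, and extensibleObject is kept only because no dedicated objectClass is defined yet.

```ldif
# Added example, not from the patch: one entry for GUI settings and one
# for security policy, each under its own ACI.  Assumes the parent
# cn=config,cn=etc,$SUFFIX exists and $SUFFIX is substituted by the installer.

dn: cn=gui,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: gui
userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
# when the web UI starts warning about an expiring password
passwordExpireNotifyDays: 7

dn: cn=policy,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: policy
maxUidLength: 8

# ACIs go on the parent container so they scope the whole subtree.
# Anonymous readers ("anyone") see only the GUI entry; the policy entry
# is readable by authenticated users ("all") only.
dn: cn=config,cn=etc,$SUFFIX
changetype: modify
add: aci
aci: (targetattr="*")(target="ldap:///cn=gui,cn=config,cn=etc,$SUFFIX")(version 3.0; acl "Anonymous read of GUI config"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr="*")(target="ldap:///cn=policy,cn=config,cn=etc,$SUFFIX")(version 3.0; acl "Authenticated read of policy config"; allow (read, search, compare) userdn="ldap:///all";)
```

After loading this with ldapmodify, the anonymous check Simo gives above (`ldapsearch -x -h localhost -b cn=etc,<basedn>`, where `-x` is a simple bind with no credentials) should list cn=gui but not cn=policy; repeating the search with a bound user (`-D <binddn> -W`) should list both. If the policy entry shows up anonymously, the ACI was either not applied or is shadowed by a broader one such as the `cn=*` target in the original patch.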