[Freeipa-devel] [PATCH] ldif and acis for config

Simo Sorce ssorce at redhat.com
Tue Oct 23 15:13:39 UTC 2007 

On Mon, 2007-10-22 at 16:23 -0700, Kevin McCarthy wrote:
> Simo Sorce wrote:

> > > +dn: cn=global,cn=config,cn=etc,$SUFFIX
> > > +changetype: add
> > > +objectClass: top
> > > +objectClass: nsContainer
> > > +objectClass: extensibleObject
> > ----------------^^^^^^^^^^^^^^^
> > 
> > /me raise eyebrow, are you *sure* ? :)
> 
> 
> Nope, definitely not sure.  It would be better if there was some
> objectClass I could use to store:
> -name
> -value
> -comment
> 
> so each configuration could have their own entry with a comment.  Do you
> have any suggestions about how to do that?

Unfortunately this is a very hard thing with LDAP, and I guess on
purpose.
An object class like that could be done, but it would make sense for a
single conf option, as in LDAP multivalued attributes are not guaranteed
to keep contents in a specific order.

objectClass: nameValuePairs
name: string
name: number
name: bool
value: 1
value: hey
value: 42
comment: my favourite
comment: the answer
comment: default

You see? 

LDAP is schema, schema is LDAP ...

> > > +cn: global
> > > +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
> > > +searchTimeLimit: 2
> > > +maxUidLength: 8
> > > +passwordExpireNotifyDays: 7
> > 
> > should we keep security policies and GUI configuration in different
> > entries ?
> 
> Sure.  Are you thinking
> cn=policy,cn=config,cn=etc...
>   and
> cn=gui,cn=config,cn=etc
> 
> For me the passwordExpireNotifyDays was a parameter I was going to use
> in the GUI - for when to show a message at the top of the page.

This may be policy or both, the problem is defining a decent structure
for cn=etc, so different components knows what to look at and there is
no ambiguity.

Should we also make clear that this tree is for IPA components only ?
Or should we allow (as a guideline) third party apps to store configs
there?
In such case, we should define a clear way to create entries, so that we
do not have name space conflicts or other ambiguities.

> > > +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
> > > acl "Enable anonymous access to config"; allow (read, search, compare)
> > > userdn="ldap:///anyone";)
> > 
> > Is this not readable right now already?
> > /me can't remember if we are denying anonymous access right now.
> 
> Don't know.  I haven't written the code to try to read it just yet.

ldapsearch -x -h localhost -b cn=etc,<basedn>

Simo.

More information about the Freeipa-devel mailing list