[Freeipa-devel] [PATCH] ldif and acis for config

Pete Rowley prowley at redhat.com
Tue Oct 23 14:38:02 UTC 2007


Kevin McCarthy wrote:
> Simo Sorce wrote:
>   
>> On Mon, 2007-10-22 at 14:08 -0700, Kevin McCarthy wrote:
>>     
>>> This is a proposal for config entries.  I've created a global and
>>> local entry.  The idea (which will be coded next) is to read the
>>> global entry first, then overwrite with values in local (if any).
>>> So each ipa "node" could tweak independently.
>>>       
>> but cn=etc is replicated globally in all its contents now ...  maybe
>> you can have a container with the server own name to do non-global
>> conf, but just using "local" on all nodes is not going to help you :)
>>
>>     
>>> Also, I've currently created anonymous access to the config entries.
>>> I'd ideally like to cache the config at startup, or maybe first hit.
>>>       
>> Is there a reason why? Who is going to be the consumer ?
>>     
>
> Pete mentioned it as an idea, but didn't really "bake" how it should be.
> That's why I threw this out though, to get some ideas/feedback.
>
>   
cn=local should be an unreplicated backend.
> For now, perhaps we can just have a "shared" config and worry about
> local configs later.
>
>   
>>> plain text document attachment (freeipa-372-ldap_config_ldif.patch)
>>>
>>> # HG changeset patch
>>> # User Kevin McCarthy <kmccarth at redhat.com>
>>> # Date 1193088002 25200
>>> # Node ID 6b6364a5a2922309c1682bafa34d129d5230baa6
>>> # Parent  934aee640cf9a53c403d0b335ee8f7dbb06d8bf2
>>> Add entries to store the config in LDAP.
>>> Add anonymous ACIs so we can cache on startup.
>>>
>>> diff -r 934aee640cf9 -r 6b6364a5a292
>>> ipa-server/ipa-install/share/bootstrap-template.ldif
>>> --- a/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
>>> Oct 22 08:57:29 2007 -0700
>>> +++ b/ipa-server/ipa-install/share/bootstrap-template.ldif      Mon
>>> Oct 22 14:20:02 2007 -0700
>>> @@ -32,6 +32,30 @@ objectClass: nsContainer
>>>  objectClass: nsContainer
>>>  objectClass: top
>>>  cn: etc
>>> +
>>> +dn: cn=config,cn=etc,$SUFFIX
>>> +changetype: add
>>> +objectClass: nsContainer
>>> +objectClass: top
>>> +cn: config
>>> +
>>> +dn: cn=global,cn=config,cn=etc,$SUFFIX
>>> +changetype: add
>>> +objectClass: top
>>> +objectClass: nsContainer
>>> +objectClass: extensibleObject
>>>       
>> ----------------^^^^^^^^^^^^^^^
>>
>> /me raises eyebrow, are you *sure* ? :)
>>     
>
>
> Nope, definitely not sure.  It would be better if there was some
> objectClass I could use to store:
> -name
> -value
> -comment
>
> so each configuration could have its own entry with a comment.  Do you
> have any suggestions about how to do that?
>
>   
>>> +cn: global
>>> +userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
>>> +searchTimeLimit: 2
>>> +maxUidLength: 8
>>> +passwordExpireNotifyDays: 7
>>>       
>> should we keep security policies and GUI configuration in different
>> entries ?
>>     
>
> Sure.  Are you thinking
> cn=policy,cn=config,cn=etc...
>   and
> cn=gui,cn=config,cn=etc
>
> For me the passwordExpireNotifyDays was a parameter I was going to use
> in the GUI - for when to show a message at the top of the page.
>
>   
>>> +aci: (target="ldap:///cn=*,cn=config,cn=etc,$SUFFIX")(version 3.0;
>>> acl "Enable anonymous access to config"; allow (read, search, compare)
>>> userdn="ldap:///anyone";)
>>>       
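Review bot: as quoted, the aci line sits inside the cn=global entry (it follows `+passwordExpireNotifyDays: 7` with no separating `+` blank line), yet its target `ldap:///cn=*,cn=config,cn=etc,$SUFFIX` names the siblings of cn=global rather than its subtree; in 389 Directory Server an ACI only governs entries at or below the entry that carries it, so if it really is on cn=global it grants anonymous read to cn=global alone and would have to be repeated on cn=local and every later entry. The `cn=config,cn=etc,$SUFFIX` container added at the top of this hunk is the natural place for it, so one rule covers all config entries. It is also worth deciding whether anonymous read is needed at all: the only reader mentioned so far is the server caching the config at startup, which could bind before reading, and a wildcard target exposes anything added under cn=config in the future.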
>> Is this not readable right now already?
>> /me can't remember if we are denying anonymous access right now.
>>     
>
> Don't know.  I haven't written the code to try to read it just yet.
>   


-- 
Pete
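The global-then-local precedence Kevin describes above, as an added example that is not part of this thread or of FreeIPA: a minimal LDIF parser run over the patch's cn=global entry plus a constructed cn=local entry, with the merge applied in Python. The cn=local entry, its single override value and the `$SUFFIX` placeholder are assumptions for illustration.

```python
# Constructed sample: the cn=global entry from the patch plus a hypothetical
# cn=local entry that overrides one value; $SUFFIX stays as the template placeholder.
SAMPLE_LDIF = """\
dn: cn=global,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
objectClass: extensibleObject
cn: global
userSearchFields: uid,givenName,sn,telephoneNumber,ou,title
searchTimeLimit: 2
maxUidLength: 8
passwordExpireNotifyDays: 7

dn: cn=local,cn=config,cn=etc,$SUFFIX
changetype: add
objectClass: extensibleObject
cn: local
searchTimeLimit: 10
"""

# Entry plumbing rather than configuration values. Attribute types are
# case-insensitive in LDAP, so names are compared lowercased.
STRUCTURAL = {"dn", "changetype", "objectclass", "cn"}


def parse_ldif(text):
    """Return {dn: {attr: [values]}}, one dict per blank-line separated entry."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def effective_config(entries, suffix="$SUFFIX"):
    """Apply the precedence from the thread: cn=global first, cn=local wins on clash."""
    config = {}
    for name in ("global", "local"):           # later name overrides earlier
        entry = entries.get(f"cn={name},cn=config,cn=etc,{suffix}", {})
        for attr, values in entry.items():
            if attr not in STRUCTURAL:
                config[attr] = values[0] if len(values) == 1 else values
    return config
```

A missing cn=local entry simply contributes nothing, so the global values stand unchanged.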


