[Freeipa-devel] Plans for configurable LDAP DIT structure in FreeIPA?
Aleksander Adamowski
aleksander.adamowski.freeipa at altkom.pl
Fri Jul 4 15:45:30 UTC 2008
Hi!
According to documentation
(http://freeipa.org/wiki/index.php?title=UsingRhdsWithIpa), FreeIPA has
some strict assumptions related to LDAP directory tree structure.
There's no way to use FreeIPA with an arbitrary base DN; one can place
users only in the BASE_DN,cn=accounts,cn=users subtree, etc.
On the market, there are at least 2 widespread established LDAP DIT
structuring styles:
1)
dc=domain,dc=tld
  - cn=accounts (or something similar)
2)
o=OrganizationName
  - ou=People
FreeIPA follows the first one with some modifications (more levels -
cn=accounts for example).
Some proprietary, commercial software packages often make their own
assumptions about some aspect of DIT structure.
If there are too many such assumptions, the packages may become
completely impossible to integrate with each other.
And FreeIPA makes extremely numerous assumptions, thus making it very
hard to integrate with other products.
IMHO there are too many products that assume too much with respect to
DIT structure.
Such products become mutually exclusive because of such assumptions -
you can't use two products together on the same LDAP directory if they
expect different base DNs, different account containers etc.
The spirit of LDAP data model is to make its operations quite
independent of directory structure - this is why you have the "subtree"
scope for the search operation, and most of the time you launch the
search without even thinking about how many levels are there below the
search base and how they are structured.
The point of the LDAP directory is also to centralize authentication,
authorization and other data, organization-wide.
So I can see a significant discrepancy here.
On one hand, FreeIPA is meant as a product to enable centralization and
unification of identity management.
On the other hand, its design makes it hard to unify and centralize
because it's hard to integrate with other LDAP-based systems because of
its strict requirements pertaining to directory structure.
Did you consider making some aspects of DIT structure configurable in
FreeIPA?
The more configurable, the better. Not only WRT naming of relevant
subtrees, but also WRT their toplevel elements' objectclasses - so e.g.
one can have ou=People instead of cn=users. The most important thing
being the configurability of the base DN...
Best Regards,
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
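As an added illustration of the search-scope point made in the message above (this is example code written for this page, not code from the original post or from the FreeIPA project): a small in-memory model of LDAP search scopes, with constructed sample entries laid out in each of the two DIT styles the message names. It shows that a subtree search from a configurable base DN locates the same user under either layout, while a client that hard-codes a `cn=users,cn=accounts` container finds nothing when the directory uses `ou=People`. DN parsing here is a deliberate simplification (no escaped commas, plain case-insensitive string matching), and all DNs and attribute values are invented for the example.

```python
# Added example (not from the original message): in-memory model of LDAP
# search scopes, showing why a subtree search from the base DN is independent
# of how the DIT is laid out, while a hard-coded container is not.
# All entries below are constructed sample data.

def parse_dn(dn):
    """Split a DN into a list of (attr, value) RDNs, most-specific first.
    Attribute names and values are compared case-insensitively; escaped
    commas are not handled (a simplification that is adequate here)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn would be matched by a search with the given
    base DN and scope ('base', 'onelevel' or 'subtree'), following LDAP
    semantics: the entry must sit under the base, and its depth below the
    base must fit the scope."""
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False            # entry is not under the base at all
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown scope: %r" % scope)

def search(directory, base_dn, scope, attr, value):
    """Equality-filter search "(attr=value)" over an in-memory directory
    shaped as {dn: {attr: [values]}}; returns the matching DNs, sorted."""
    return sorted(
        dn for dn, attrs in directory.items()
        if is_in_scope(dn, base_dn, scope)
        and value.lower() in [v.lower() for v in attrs.get(attr, [])]
    )

# Constructed sample data: the same user stored in the two DIT styles.
STYLE1 = {  # FreeIPA-like layout: cn=users,cn=accounts,dc=domain,dc=tld
    "dc=example,dc=com": {"objectClass": ["domain"], "dc": ["example"]},
    "cn=accounts,dc=example,dc=com": {"objectClass": ["nsContainer"], "cn": ["accounts"]},
    "cn=users,cn=accounts,dc=example,dc=com": {"objectClass": ["nsContainer"], "cn": ["users"]},
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
}
STYLE2 = {  # classic layout: ou=People,o=OrganizationName
    "o=Example": {"objectClass": ["organization"], "o": ["Example"]},
    "ou=People,o=Example": {"objectClass": ["organizationalUnit"], "ou": ["People"]},
    "uid=alice,ou=People,o=Example": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
}

def find_user(directory, base_dn, uid, container_rdn=None):
    """Locate a user either by a subtree search from the configured base DN
    (container_rdn=None, the structure-independent way) or by a one-level
    search of a hard-coded container such as "cn=users,cn=accounts"."""
    if container_rdn is None:
        return search(directory, base_dn, "subtree", "uid", uid)
    return search(directory, container_rdn + "," + base_dn, "onelevel", "uid", uid)

if __name__ == "__main__":
    # A subtree search from the base DN works for both layouts...
    print(find_user(STYLE1, "dc=example,dc=com", "alice"))
    print(find_user(STYLE2, "o=Example", "alice"))
    # ...while a hard-coded FreeIPA-style container finds nothing in STYLE2.
    print(find_user(STYLE2, "o=Example", "alice", "cn=users,cn=accounts"))
```

The only configuration the structure-independent path needs is the base DN; everything below it is discovered by the search rather than assumed, which is the integration property the message argues for.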