[Freeipa-devel] Plans for configurable LDAP DIT structure for FreeIPA?

Aleksander Adamowski aleksander.adamowski.freeipa at altkom.pl
Fri Jul 4 15:45:30 UTC 2008


Hi!

According to documentation 
(http://freeipa.org/wiki/index.php?title=UsingRhdsWithIpa), FreeIPA has 
some strict assumptions related to LDAP directory tree structure.

There's no way to use FreeIPA with an arbitrary base DN; one can place 
users only in the BASE_DN,cn=accounts,cn=users subtree, etc.

On the market, there are at least 2 widespread established LDAP DIT 
structuring styles:

1)
dc=domain,dc=tld
  - cn=accounts (or something similar)

2)
o=OrganizationName
  - ou=People

FreeIPA follows the first one with some modifications (more levels - 
cn=accounts for example).

Some proprietary, commercial software packages often make their own 
assumptions about some aspect of DIT structure.
If there are too many such assumptions, the packages may become 
completely impossible to integrate with each other.
And FreeIPA makes extremely numerous assumptions, thus making it very 
hard to integrate with other products.

IMHO there are too many products that assume too much with respect to 
DIT structure.
Such products become mutually exclusive because of such assumptions - 
you can't use two products together on the same LDAP directory if they 
expect different base DNs, different account containers etc.

The spirit of LDAP data model is to make its operations quite 
independent of directory structure - this is why you have the "subtree" 
scope for the search operation, and most of the time you launch the 
search without even thinking about how many levels are there below the 
search base and how they are structured.

The point of the LDAP directory is also to centralize authentication, 
authorization and other data, organization-wide.

So I can see a significant discrepancy here.

On one hand, FreeIPA is meant as a product to enable centralization and 
unification of identity management.
On the other hand, its design makes it hard to unify and centralize 
because it's hard to integrate with other LDAP-based systems because of 
its strict requirements pertaining to directory structure.

Did you consider making some aspects of DIT structure configurable in 
FreeIPA?
The more configurable, the better. Not only WRT naming of relevant 
subtrees, but also WRT their top-level elements' objectclasses - so e.g. 
one can have ou=People instead of cn=users. The most important thing 
being the configurability of the base DN...


Best Regards,

-- 
Best Regards,
    Aleksander Adamowski
        GG#: 274614
        ICQ UIN: 19780575 
	http://olo.org.pl
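The subtree-scope point made in the mail, as an added toy example (not FreeIPA code and not the author's): an in-memory model of the two DIT styles described above, with a configurable base DN and a search in SUBTREE, ONELEVEL or BASE scope. The `Scope` enum, the sample entries and the `alice` account are constructed for illustration.

```python
from enum import Enum

class Scope(Enum):
    BASE = 0      # only the base entry itself
    ONELEVEL = 1  # immediate children of the base
    SUBTREE = 2   # base plus every entry beneath it, at any depth

def rdns(dn):
    """Split a DN into RDNs, most specific first (no escaping handled)."""
    return [part.strip().lower() for part in dn.split(",")]

def search(directory, base, scope, match):
    """Return DNs under `base` (per `scope`) whose attributes equal every pair in `match`."""
    base_parts = rdns(base)
    hits = []
    for dn, attrs in directory.items():
        parts = rdns(dn)
        if parts[-len(base_parts):] != base_parts:
            continue  # entry is not under the base at all
        depth = len(parts) - len(base_parts)
        if scope is Scope.BASE and depth != 0:
            continue
        if scope is Scope.ONELEVEL and depth != 1:
            continue
        if all(attrs.get(k) == v for k, v in match.items()):
            hits.append(dn)
    return hits

# Constructed sample trees; attribute values simplified to single strings.
# Style 1 (the FreeIPA-like layout): dc=domain,dc=tld / cn=accounts / cn=users
STYLE1 = {
    "dc=example,dc=com": {"objectclass": "domain"},
    "cn=accounts,dc=example,dc=com": {"objectclass": "nsContainer"},
    "cn=users,cn=accounts,dc=example,dc=com": {"objectclass": "nsContainer"},
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {"objectclass": "posixAccount", "uid": "alice"},
}
# Style 2: o=OrganizationName / ou=People
STYLE2 = {
    "o=example": {"objectclass": "organization"},
    "ou=people,o=example": {"objectclass": "organizationalUnit"},
    "uid=alice,ou=people,o=example": {"objectclass": "posixAccount", "uid": "alice"},
}

def find_user(directory, base_dn, uid):
    """Locate an account given only the configured base DN; a subtree search
    needs no knowledge of the container names or object classes in between."""
    return search(directory, base_dn, Scope.SUBTREE, {"uid": uid})

def find_user_hardcoded(directory, base_dn, uid):
    """What an application that bakes in one product's container layout effectively does."""
    return search(directory, "cn=users,cn=accounts," + base_dn, Scope.ONELEVEL, {"uid": uid})
```

`find_user` succeeds against both trees with nothing but the base DN changed, while `find_user_hardcoded` finds nothing in the second style, which is exactly the integration problem the mail describes.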