[Freeipa-devel] Plans for configurable LDAP DIT structure do FreeIPA?

Simo Sorce ssorce at redhat.com
Fri Jul 4 18:24:08 UTC 2008


On Fri, 2008-07-04 at 17:45 +0200, Aleksander Adamowski wrote:
> Hi!
> 
> According to documentation 
> (http://freeipa.org/wiki/index.php?title=UsingRhdsWithIpa), FreeIPA has 
> some strict assumptions related to LDAP directory tree structure.
> 
> There's no way to use FreeIPA with an arbitrary base DN; one can place 
> users only in the BASE_DN,cn=accounts,cn=users subtree, etc.

DNs are written the other way around:
cn=users,cn=accounts,BASE_DN

> On the market, there are at least 2 widespread established LDAP DIT 
> structuring styles:
> 
> 1)
> dc=domain,dc=tld
>  \- cn=accounts (or something similar)

Honestly I never saw this in the wild.

> 2)
> o=OrganizationName
>  \- ou=People

This is popular yes.

> FreeIPA follows the first one with some modifications (more levels - 
> cn=accounts for example).
> 
> Some proprietary, commercial software packages often make their own 
> assumptions about some aspect of DIT structure.

If they are just LDAP clients and they make assumptions on the DIT, they
are buggy.

> If there are too many such assumptions, the packages may become 
> completely impossible to integrate with each other.
> And FreeIPA makes extremely numerous assumptions, thus making it very 
> hard to integrate with other products.

FreeIPA is the master of the DIT, it provides a management interface,
therefore needs to make assumptions.

> IMHO there are too many products that assume too much with respect to 
> DIT structure.

True, clients should never do it, they should rely on configuration as
much as possible. They may require a specific subtree structure if they
have some custom schema, but at the very least their base DN should be
configurable.

> Such products become mutually exclusive because of such assumptions - 
> you can't use two products together on the same LDAP directory if they 
> expect different base DN's, different account containers etc.

Base DNs should always be configurable, they must, as every LDAP
instance has a different one. If they assume specific account
containers they are simply buggy, unless they are very specific User
Management interfaces built with a specific DIT in mind, but it is
unlikely you need to use 2 different user management interfaces for the
same tree, it is usually unhealthy anyway.

> The spirit of LDAP data model is to make its operations quite 
> independent of directory structure - this is why you have the "subtree" 
> scope for the search operation, and most of the time you launch the 
> search without even thinking about how many levels are there below the 
> search base and how they are structured.
> 
> The point of the LDAP directory is also to centralize authentication, 
> authorization and other data, organization-wide.

In abstract, yes, then you have to deploy stuff, and you have to make
choices.

> So I can see a significant discrepancy here.
> 
> On one hand, FreeIPA is meant as a product to enable centralization and 
> unification of identity management.

Right.

> On the other hand, its design makes it hard to unify and centralize 
> because it's hard to integrate with other LDAP-based systems because of 
> its strict requirements pertaining to directory structure.

In IPA we control and define the DIT. Most software I know of can cope
with it, some is buggy, and some we are incompatible with (we use
rfc2307bis and groupOfNames for example, which not all software
understands yet).

> Did you consider making some aspects of DIT structure configurable in 
> FreeIPA?

Some of it is configurable, in some cases the mgmt UI cannot cope, but
everything else can. We had to simplify the management UI to be able to
deliver anything. We plan to make it more flexible going forward.
But we cannot just have a completely free form DIT.

> The more configurable, the better. Not only WRT naming of relevant 
> subtrees, but also WRT their toplevel elements' objectclasses - so e.g. 
> one can have ou=People instead of cn=users. The most important thing 
> being the configurability of the base DN...

You should be able to create an ou=People in the tree, but the current webui
and tools would not cope with it at this moment.
The core components (KDC, plugins, etc...) would have no problem with
that, and the XML-RPC interface uses DNs so you can build your custom
tools if you want.


But if you want a free hand with the DIT, and even objectclasses and tools,
then you do not want an integrated product like FreeIPA, you just want a
bare LDAP tree to manage the way you want. In this case you can use
Directory Server or OpenLDAP, and spend the weeks or months it will take
to make your own custom integrated product.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
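The thread's two points, that a client should take its base DN and container from configuration rather than assume a layout, and that a subtree-scoped search makes the number of levels below the search base irrelevant, can be shown without a live directory. The following is an added example written for this page; it is not code from the thread, from FreeIPA, or from any LDAP library. It keeps a small in-memory directory in the two DIT styles Aleksander lists (cn=users,cn=accounts,dc=... and ou=People,o=...) and runs the same configuration-driven lookup against both. All function names (parse_dn, is_under, search, find_user), the config keys base_dn and user_container, and the sample entries are assumptions constructed for the illustration; the real python-ldap API is not used.

```python
"""Configuration-driven DN handling for an LDAP client (illustrative only).

Assumptions: attribute types compare case-insensitively (RFC 4514), values
are compared case-insensitively as if they were caseIgnore strings, and an
entry is a plain dict with a 'dn' key.  None of this is FreeIPA code.
"""
from typing import Callable

RDN = tuple[str, str]  # (attribute type, value)


def _split_rdn(text: str) -> RDN:
    attr, sep, value = text.partition("=")
    if not sep:
        raise ValueError(f"malformed RDN: {text!r}")
    return attr.strip().lower(), value.strip()


def parse_dn(dn: str) -> list[RDN]:
    """Split a DN into RDNs, leaf first, honoring backslash-escaped commas.

    parse_dn("cn=users,cn=accounts,dc=example,dc=com")
      -> [('cn','users'), ('cn','accounts'), ('dc','example'), ('dc','com')]
    """
    rdns: list[RDN] = []
    buf = ""
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pair, e.g. "\,"
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn(buf))
            buf = ""
        else:
            buf += ch
        i += 1
    if buf.strip():
        rdns.append(_split_rdn(buf))
    return rdns


def _fold(rdns: list[RDN]) -> list[RDN]:
    return [(a, v.lower()) for a, v in rdns]


def is_under(dn: str, base: str) -> bool:
    """True when dn lies in the subtree rooted at base (base itself included).

    Compares the trailing RDNs, so it is correct regardless of how many
    levels sit between the entry and the base."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and _fold(d[len(d) - len(b):]) == _fold(b)


def search(entries: list[dict], base: str, scope: str,
           match: Callable[[dict], bool]) -> list[dict]:
    """Emulate LDAP search scopes 'base', 'one' and 'sub' over in-memory entries."""
    base_depth = len(parse_dn(base))
    hits = []
    for entry in entries:
        if not is_under(entry["dn"], base):
            continue
        depth = len(parse_dn(entry["dn"])) - base_depth
        if scope == "base" and depth != 0:
            continue
        if scope == "one" and depth != 1:
            continue
        if match(entry):
            hits.append(entry)
    return hits


def user_search_base(config: dict) -> str:
    """Compose the user container from configuration; nothing is hardcoded."""
    return f"{config['user_container']},{config['base_dn']}"


def find_user(entries: list[dict], config: dict, uid: str) -> list[dict]:
    """Subtree search for a posixAccount by uid; works for either DIT style."""
    return search(entries, user_search_base(config), "sub",
                  lambda e: e.get("uid") == uid
                  and "posixaccount" in e.get("objectclass", []))


# Constructed sample data: one directory per DIT style from the thread.
IPA_STYLE = {"base_dn": "dc=example,dc=com", "user_container": "cn=users,cn=accounts"}
ORG_STYLE = {"base_dn": "o=Example", "user_container": "ou=People"}

IPA_ENTRIES = [
    {"dn": "dc=example,dc=com", "objectclass": ["domain"]},
    {"dn": "cn=accounts,dc=example,dc=com", "objectclass": ["nscontainer"]},
    {"dn": "cn=users,cn=accounts,dc=example,dc=com", "objectclass": ["nscontainer"]},
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "alice", "objectclass": ["person", "posixaccount"]},
    # One level deeper than the container: still found with scope 'sub'.
    {"dn": "uid=bob,ou=staff,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "bob", "objectclass": ["person", "posixaccount"]},
]
ORG_ENTRIES = [
    {"dn": "o=Example", "objectclass": ["organization"]},
    {"dn": "ou=People,o=Example", "objectclass": ["organizationalunit"]},
    {"dn": "uid=alice,ou=People,o=Example",
     "uid": "alice", "objectclass": ["person", "posixaccount"]},
]

if __name__ == "__main__":
    for cfg, entries in ((IPA_STYLE, IPA_ENTRIES), (ORG_STYLE, ORG_ENTRIES)):
        print(user_search_base(cfg), "->", [e["dn"] for e in find_user(entries, cfg, "alice")])
```

The point of the design is that find_user never mentions cn=users, cn=accounts or ou=People; swapping the configuration is enough to move the same client between the two layouts, and the subtree scope picks up bob even though an intermediate ou=staff was inserted below the container.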
