[Freeipa-devel] Ubuntu interests in FreeIPA
Nathan Kinder
nkinder at redhat.com
Tue Jul 28 05:51:01 UTC 2009
On 07/22/2009 11:11 AM, Mathias Gug wrote:
> Hi,
>
> Sorry for not following up earlier on this, but this topic has been
> recently brought on the Ubuntu freeipa team mailing list [1]
>
> [1]: https://lists.launchpad.net/freeipa/msg00009.html
>
> Here are my comments mainly related to supporting openldap instead of
> 389DS in FreeIPA:
>
> On Tue, Jun 30, 2009 at 9:30 AM, Simo Sorce<ssorce at redhat.com> wrote:
>
>> On Mon, 2009-06-29 at 19:20 -0400, Mathias Gug wrote:
>>
>>> * replace 389 Directory Server with openldap.
>>>
>>> The main reason being that the 389 Directory server is not available in
>>> the Ubuntu archive yet (there is a work in progress to get it included
>>> in Debian/Ubuntu) while openldap is already in the archive and the
>>> currently recommended directory solution in Ubuntu.
>>>
>>> My question is how tight are FreeIPA and 389 Directory Server coupled?
>>>
>> Very, we use many features of 389DS and a good amount of plugins not
>> available for openldap. It would require a quite substantial amount of
>> work and testing just to port the slapi plugins.
>>
>>
>
<snip>
> * ipa-memberof: IPA memberof plugin
>
> There is a similar overlay in openldap:
>
> The memberof overlay to slapd(8) allows automatic reverse group
> membership maintenance. Any time a group entry is modified, its members are
> modified as appropriate in order to keep a DN-valued "is member of"
> attribute updated with the DN of the group.
>
My understanding is that the memberOf overlay does not deal with nested
membership. It is strictly a 1:1 relationship (forward pointer, reverse
pointer). The 389 memberOf plug-in maintains reverse pointers for
inherited membership, which IPA takes advantage of.

Take this with a grain of salt as I haven't confirmed this by looking at
the overlay code personally.
<snip>
> --
> Mathias Gug
> Ubuntu Developer http://www.ubuntu.com
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
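The distinction drawn in the reply above (reverse pointers for direct membership only versus reverse pointers that also cover inherited membership) is shown below as an added example. It is not code from the thread, from 389 DS, or from OpenLDAP. The DNs, the `GROUPS` table, and the function names are constructed for illustration.

```python
# Constructed sample directory: group DN -> member DNs (users or other groups).
GROUPS = {
    "cn=admins,dc=example": ["cn=ops,dc=example"],
    "cn=ops,dc=example": ["uid=alice,dc=example", "cn=oncall,dc=example"],
    # oncall contains ops again: a membership cycle the walk must survive.
    "cn=oncall,dc=example": ["uid=bob,dc=example", "cn=ops,dc=example"],
}


def direct_memberof(groups):
    """Reverse pointers for direct membership only (1:1 forward/reverse)."""
    reverse = {}
    for group, members in groups.items():
        for member in members:
            reverse.setdefault(member, set()).add(group)
    return reverse


def nested_memberof(groups):
    """Reverse pointers that also include membership inherited via nesting."""
    direct = direct_memberof(groups)
    result = {}
    for entry, parents in direct.items():
        seen, stack = set(), list(parents)
        while stack:
            group = stack.pop()
            if group in seen:
                continue  # already visited; also breaks cycles
            seen.add(group)
            stack.extend(direct.get(group, ()))
        seen.discard(entry)  # a cycle must not make an entry its own parent
        result[entry] = seen
    return result


def is_member(table, entry, group):
    """Access-check style lookup against a computed memberOf table."""
    return group in table.get(entry, set())


if __name__ == "__main__":
    alice, admins = "uid=alice,dc=example", "cn=admins,dc=example"
    print("direct:", is_member(direct_memberof(GROUPS), alice, admins))
    print("nested:", is_member(nested_memberof(GROUPS), alice, admins))
```

An access rule that tests `memberOf` for `cn=admins` gives different answers for the same user under the two tables, so a port between the two behaviours changes authorization results for nested groups.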