[Freeipa-devel] Ubuntu interests in FreeIPA

Nathan Kinder nkinder at redhat.com
Tue Jul 28 05:51:01 UTC 2009 

On 07/22/2009 11:11 AM, Mathias Gug wrote:
> Hi,
>
> Sorry for not following up earlier on this, but this topic has been
> recently brought on the Ubuntu freeipa team mailing list [1]
>
> [1]: https://lists.launchpad.net/freeipa/msg00009.html
>
> Here are my comments mainly related to supporting openldap instead of
> 389DS in FreeIPA:
>
> On Tue, Jun 30, 2009 at 9:30 AM, Simo Sorce<ssorce at redhat.com>  wrote:
>    
>> On Mon, 2009-06-29 at 19:20 -0400, Mathias Gug wrote:
>>      
>>>   * replace 389 Directory Server with openldap.
>>>
>>>   The main reason being that the 389 Directory server is not available in
>>>   the Ubuntu archive yet (there is a work in progress to get it included
>>>   in Debian/Ubuntu) while openldap is already in the archive and the
>>>   currently recommended directory solution in Ubuntu.
>>>
>>>   My question is how tight are FreeIPA and 389 Directory Server coupled?
>>>        
>> Very, we use many features of 389DS and a good amount of plugins not
>> available for openldap. It would require a quite substantial amount of
>> work and testing just to port the slapi plugins.
>>
>>      
>
<snip>
>   * ipa-memberof: IPA memberof plugin
>
> There is a similar overlay in openldap:
>
>        The memberof overlay to slapd(8) allows automatic reverse group member‐
>        ship maintenance.  Any time a group entry is modified, its members  are
>        modified  as  appropriate  in  order to keep a DN-valued "is member of"
>        attribute updated with the DN of the group.
>
My understanding is that the memberOf overlay does not deal with nested 
membership.
It is strictly a 1:1 relationship (forward pointer, reverse pointer).  
The 389
memberOf plug-in maintains reverse pointers for inherited membership, 
which IPA
takes advantage of.

Take this with a grain of salt as I haven't confirmed this by looking at the
overlay code personally.

<snip>
> --
> Mathias Gug
> Ubuntu Developer  http://www.ubuntu.com
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>

More information about the Freeipa-devel mailing list