[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Richard Megginson rmeggins at redhat.com
Tue Nov 1 16:40:22 UTC 2011


----- Original Message -----
> 
> We had a brief discussion on unifying the PKI and IPA Directory
> Server instances. Here are my notes from it. Please fill out the
> details and correct me if I've mis-stated anything below.
> 
> Issues:
> 

Do IPA and PKI use different suffixes?

> 
> 1. Both make changes to Config. One identified conflict is the
> configuration of the Uniqueness plugin

It may be easy to enhance this plugin and other plugins to allow different configuration per subtree.

>     2.
> 
> PKI uses Directory Manager. This is insecure. Can it use a differen,
> limited admin?

Or use ldapi?  I don't think ldapjdk can use ldapi.

>     3.
> 
> Index strategies are different

Use a union?  e.g. if ipa needs attribute "a" indexed for equality only, but PKI needs it indexed for presence and substring only, then we can just index it for eq, sub, and pres.

>     4.
> 
> make sure we have a union of the required sets of plugins
>     5.
> 
> PKI needs to set D.S. Default Name context

What is this?

>     6.
> 
> If PKI uses the IPA datastore for users, it needs to creat the user
> with all the right prerequisites (object class, defaults)

If both PKI and IPA use structural objectclasses, we may have to create corresponding auxiliary objectclasses so that you can mix-in both sets of objectclasses while having only one structural objectclass per entry.

>     7.
> 
> PKI puts users in groups using “member of” so that should still work
> for the IPA tree
> 
> 
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
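The index union proposed in the reply to item 3 above, worked through as an added example. This is not code from the thread, from FreeIPA, Dogtag PKI or 389 DS: the two index tables are constructed samples, `serialno` is a hypothetical attribute name, and the backend DN assumes the default `userRoot` backend. It merges each product's required index types per attribute (case-insensitively, since LDAP attribute types are), emits the resulting nsIndex entries as LDIF, and lists which attributes gained an index type and therefore need a reindex before the new index is actually used for existing entries.

```python
"""Union of two 389 Directory Server index strategies.

Added example for the freeipa-devel thread above; it is not code from
FreeIPA, Dogtag PKI or 389 DS.  The two index tables are constructed
samples, "serialno" is a hypothetical attribute name, and the backend DN
assumes the default "userRoot" backend.
"""
from collections import defaultdict

# nsIndexType values the ldbm backend understands, in the order we emit them.
VALID_INDEX_TYPES = ("pres", "eq", "approx", "sub")

# Constructed sample strategies: attribute -> index types each product wants.
IPA_INDEXES = {
    "uid": {"eq", "pres"},
    "memberOf": {"eq"},
    "cn": {"eq", "sub"},
}
PKI_INDEXES = {
    "uid": {"pres", "sub"},
    "cn": {"eq"},
    "serialno": {"eq"},  # hypothetical attribute, for illustration only
}

# Assumed backend; an instance with a differently named backend needs its own DN.
BACKEND_DN = "cn=userRoot,cn=ldbm database,cn=plugins,cn=config"


def merge_indexes(*strategies):
    """Return {attribute: [index types]} that is the union of all strategies.

    Attribute names are merged case-insensitively (LDAP attribute types are
    case-insensitive), the first spelling seen is kept for display, and an
    unknown nsIndexType is rejected rather than written into cn=config.
    """
    merged = defaultdict(set)
    display = {}
    for strategy in strategies:
        for attr, types in strategy.items():
            unknown = set(types) - set(VALID_INDEX_TYPES)
            if unknown:
                raise ValueError(f"{attr}: unknown nsIndexType {sorted(unknown)}")
            key = attr.lower()
            display.setdefault(key, attr)
            merged[key] |= set(types)
    return {
        display[key]: [t for t in VALID_INDEX_TYPES if t in merged[key]]
        for key in sorted(merged)
    }


def to_ldif(indexes, backend_dn=BACKEND_DN):
    """Render the merged strategy as nsIndex entries suitable for ldapadd."""
    entries = []
    for attr, types in indexes.items():
        lines = [
            f"dn: cn={attr},cn=index,{backend_dn}",
            "objectClass: top",
            "objectClass: nsIndex",
            f"cn: {attr}",
            "nsSystemIndex: false",
        ]
        lines.extend(f"nsIndexType: {t}" for t in types)
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def needs_reindex(existing, merged):
    """Attributes whose index set grew relative to what the instance has now.

    389 DS does not index existing entries under a newly added index type
    until the attribute is reindexed, so every attribute listed here must be
    reindexed (e.g. with a reindex task) before searches on the new type are
    actually served from the index.
    """
    have = {attr.lower(): set(types) for attr, types in existing.items()}
    grew = {}
    for attr, types in merged.items():
        added = set(types) - have.get(attr.lower(), set())
        if added:
            grew[attr] = [t for t in VALID_INDEX_TYPES if t in added]
    return grew


if __name__ == "__main__":
    union = merge_indexes(IPA_INDEXES, PKI_INDEXES)
    print(to_ldif(union))
    print("# reindex after adding:", needs_reindex(IPA_INDEXES, union))
```

The union never drops an index either product relied on, so a search that was indexed before the merge stays indexed afterwards; the only cost is the extra index files and write overhead for the types one side did not ask for.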