[Freeipa-devel] Unifying the PKI and IPA Directory Server instances

Simo Sorce simo at redhat.com
Tue Nov 1 16:49:49 UTC 2011


On Tue, 2011-11-01 at 12:40 -0400, Richard Megginson wrote:
> ----- Original Message -----
> > 
> > 
> > 
> > We had a brief discussion on unifying the PKI and IPA Directory
> > Server instances. Here are my notes from it. Please fill out the
> > details and correct me if I've mis-stated anything below.
> > 
> > 
> > Issues:
> > 
> > 
> > 
> 
> Do IPA and PKI use different suffixes?

Currently not as we use completely separate instances, but we will be
able to use different suffixes for some stuff.

> > 
> >     1.
> > 
> > Both make changes to Config. One identified conflict is the
> > configuration of the Uniqueness plugin
> 
> It may be easy to enhance this plugin and other plugins to allow different configuration per subtree.

If we confirm this conflict this will become a requirement before we can
proceed.

> >     2.
> > 
> > PKI uses Directory Manager. This is insecure. Can it use a different,
> > limited admin?
> 
> Or use ldapi?  I don't think ldapjdk can use ldapi.

It's a matter of trust for me. I do not want to trust PKI to have free
rein on all data. I want it to be confined to only what it needs.

So we can use ldapi and user mapping, but we wouldn't map the user to DM
anyway.

> >     3.
> > 
> > Index strategies are different
> 
> Use a union?  e.g. if ipa needs attribute "a" indexed for equality only, but PKI needs it indexed for presence and substring only, then we can just index it for eq, sub, and pres.

The problem here is finding out and how to make sure pki vs ds/ipa
install and upgrade scripts do not stomp on each other.

> >     4.
> > 
> > make sure we have a union of the required sets of plugins
> >     5.
> > 
> > PKI needs to set D.S. Default Name context
> 
> What is this?

See my other mail, we need DS to support setting defaultNamingContext in
rootdse.

> >     6.
> > 
> > If PKI uses the IPA datastore for users, it needs to create the user
> > with all the right prerequisites (object class, defaults)
> 
> If both PKI and IPA use structural objectclasses, we may have to create corresponding auxiliary objectclasses so that you can mix-in both sets of objectclasses while having only one structural objectclass per entry.

The problem here is much bigger, PKI simply does not have enough
information to create a proper IPA user, so it should not be allowed to.
This is an example of why I want to tightly control through ACIs what
PKI can do and prevent it from causing "issues".


Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
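
The index "union" approach from item 3 above, and the worry that the pki and ds/ipa install scripts stomp on each other, can be made mechanical: merge both products' per-attribute index requirements and check what a blind replace by either installer would drop. The script below is an added example for this thread, not FreeIPA or Dogtag code. The two requirement tables are constructed for illustration (which attributes each product really indexes is an assumption, and `serialno` is a hypothetical name); the index types and the `cn=index,cn=<backend>,cn=ldbm database,cn=plugins,cn=config` location are standard 389-ds.

```python
"""Union of two products' index requirements for one 389-ds backend.

Added example, not FreeIPA or Dogtag code. IPA_INDEXES and PKI_INDEXES
are constructed sample data, not taken from either installer.
"""

VALID_TYPES = frozenset({"eq", "pres", "sub", "approx"})

# Constructed sample requirements (assumed, not from either installer).
IPA_INDEXES = {
    "uid": {"eq", "pres", "sub"},
    "memberOf": {"eq"},
    "krbPrincipalName": {"eq", "sub"},
}
PKI_INDEXES = {
    "uid": {"pres", "sub"},   # overlaps IPA, but is not a superset of it
    "memberOf": {"pres"},
    "serialno": {"eq"},       # hypothetical PKI-only attribute
}


def _normalize(reqs):
    """Case-fold attribute names (LDAP attribute names are case-insensitive)
    and validate index types; returns {folded_name: (display_name, types)}."""
    out = {}
    for attr, types in reqs.items():
        types = set(types)
        bad = types - VALID_TYPES
        if bad:
            raise ValueError(f"{attr}: unknown index type(s) {sorted(bad)}")
        key = attr.casefold()
        if key in out:
            out[key][1].update(types)
        else:
            out[key] = (attr, types)
    return out


def merge_indexes(*requirement_sets):
    """Union of index types per attribute across all requirement sets.
    Returns {folded_name: set_of_types}."""
    merged = {}
    for reqs in requirement_sets:
        for key, (_name, types) in _normalize(reqs).items():
            merged.setdefault(key, set()).update(types)
    return merged


def stomped(current, wanted):
    """Index types 'current' would lose if 'wanted' were written with a
    blind 'replace: nsIndexType', i.e. what one installer would stomp.
    Returns {folded_name: set_of_lost_types}; empty means safe."""
    cur = {k: t for k, (_n, t) in _normalize(current).items()}
    want = {k: t for k, (_n, t) in _normalize(wanted).items()}
    lost = {}
    for key, types in want.items():
        missing = cur.get(key, set()) - types
        if missing:
            lost[key] = missing
    return lost


def display_names(*requirement_sets):
    """First-seen spelling of each attribute, for use in the index DN."""
    names = {}
    for reqs in requirement_sets:
        for key, (name, _t) in _normalize(reqs).items():
            names.setdefault(key, name)
    return names


def to_ldif(merged, names=None, backend="userRoot", existing=None):
    """Render the merged table as ldapmodify input. Attributes listed in
    'existing' (or all, when it is None) get a modify; the rest get a new
    nsIndex entry, since 'replace' on a missing cn=<attr> entry fails."""
    names = names or {}
    lines = []
    for key in sorted(merged):
        attr = names.get(key, key)
        lines.append(f"dn: cn={attr},cn=index,cn={backend},"
                     "cn=ldbm database,cn=plugins,cn=config")
        if existing is None or key in {e.casefold() for e in existing}:
            lines += ["changetype: modify", "replace: nsIndexType"]
        else:
            lines += ["changetype: add", "objectClass: top",
                      "objectClass: nsIndex", f"cn: {attr}",
                      "nsSystemIndex: false"]
        lines.extend(f"nsIndexType: {t}" for t in sorted(merged[key]))
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print("PKI alone would stomp:", stomped(IPA_INDEXES, PKI_INDEXES))
    merged = merge_indexes(IPA_INDEXES, PKI_INDEXES)
    assert not stomped(IPA_INDEXES, merged) and not stomped(PKI_INDEXES, merged)
    print(to_ldif(merged, display_names(IPA_INDEXES, PKI_INDEXES),
                  existing=IPA_INDEXES))
```

Run against the constructed tables it reports that a PKI-only replace would drop the `eq` index on `uid` and `memberOf`, and that the merged table stomps on nothing from either side. In a real upgrade path the `current` table would be read from the live `cn=index` subtree (for instance with `ldapsearch` over ldapi) before the merged LDIF is applied, so that the check runs against what the server actually has rather than what the other installer intended.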