[Freeipa-users] Using the Schema Compatibility Plugin with FreeIPA v1

Nalin Dahyabhai nalin at redhat.com
Mon Feb 2 15:58:14 UTC 2009


On Sun, Feb 01, 2009 at 11:21:27PM -0500, Marc Richards wrote:
> I notice that your FAQ makes reference to Schema Compatibility Plugin
> that was developed as part of the NIS compatibility effort  
> (https://fedorahosted.org/slapi-nis/).  Can this plugin be used with  
> FreeIPA v1 or is it strictly for v2?

It can be used with either, as the plugin doesn't have dependencies on
anything other than the directory server.  The only thing you need to be
sure of is that the section of the tree that's served by the plugin
doesn't overlap "real" data, which the plugin isn't likely to handle in
any sane way.

If I'm remembering it right, in v2, we're using the "cn=compat,$SUFFIX"
area for this, so something else under $SUFFIX ("cn=compat-netgroups",
for one) should be fine.  (You want to keep it under $SUFFIX so that the
default ACIs set on the real backend database will be applied and allow
you to search the compat tree.)

> I was thinking about using it to create a crude mapping of groups ->  
> netgroups as an interim solution for host based access control on  
> Solaris...until FreeIPA v2 gets released. Basically, I want to create a  
> mapping of the netgroup format defined here:  
> http://directory.fedoraproject.org/wiki/Howto:Netgroups and then  
> configure my Solaris client to restrict access based on netgroups:  
> http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp#Solaris10 
> (scroll down to section 6).
>
> I know it is crude, but it is just an interim hack until v2 comes around  
> and at least I avoid duplicating information.  Does it look like it will  
> work?

Yes, that should work just fine.

Now that you mention it, it might be interesting to always assign
POSIX group IDs to netgroup entries, and let the server-side logic
filter out hosts when presenting them as groups of users.  It might be
unusual, and I haven't worked out what all would be required to make it
work without leaning on the compat plugin, but hey.

Cheers,

Nalin
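
The two placement rules from the reply above (the compat area must not overlap "real" data, and it should stay under $SUFFIX so the backend's default ACIs cover it) as a pre-flight check. This is an added example, not part of the original message or of slapi-nis; the function names, the dc=example,dc=com suffix and the sample DNs are all assumptions made for illustration.

```python
# Added example: sanity-check a proposed compat container DN.
# Every DN below is a constructed sample; matching is case-insensitive (assumption).

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_at_or_under(dn, base):
    """True when dn equals base or sits anywhere below it."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check_compat_container(container, suffix, real_dns):
    """Return a list of problems; an empty list means the container looks safe."""
    problems = []
    if not is_at_or_under(container, suffix):
        problems.append("container is outside the suffix; backend ACIs will not apply")
    for dn in real_dns:
        if is_at_or_under(dn, container):
            problems.append("real entry inside compat area: " + dn)
    return problems

SUFFIX = "dc=example,dc=com"
REAL_DNS = [  # constructed stand-ins for entries already stored in the backend
    "cn=users,cn=accounts,dc=example,dc=com",
    "cn=Smith\\, J,cn=users,cn=accounts,dc=example,dc=com",
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
]

if __name__ == "__main__":
    for candidate in ("cn=compat-netgroups," + SUFFIX, "cn=accounts," + SUFFIX):
        print(candidate, "->", check_compat_container(candidate, SUFFIX, REAL_DNS) or "ok")
```

In practice the list of real DNs would come from a subtree search of the backend taken before the plugin is enabled.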



