[Freeipa-users] Multi-tennancy and Freeipa

Alan Evans alanwevans at gmail.com
Fri Dec 16 19:37:29 UTC 2011


Adam,

This is great news.  The feedback I have after a quick read through (I
will try to put a bit more time on it later) would be to make the
'tenant' separation more flexible and why not use existing LDAP
schema?

Instead of forcing the user into cn={TENANT},cn=tenants,$suffix why
not create a 'tenant' aux class that would allow the end user to
design a DIT however they would like?

We, for example, use o=<company|organization>,$suffix.  Then any schema
maintenance instead of being:
For each tenant in (cn=tenants,$suffix)
It would be:
For each tenant in (ldapsearch (objectclass=tenant))

Then the end provider could design a DIT that fit their needs with
replication in mind.  Consider the flexibility of:

o=<Tenant1>,C=US,$suffix
o=<Tenant2>,C=UK,$suffix
o=<Tenant3>,OU=North America,$suffix
o=<Tenant4>,OU=Europe,$suffix

That's my 2¢ at the moment.  I'd be glad to banter back and forth
about this with you. :)

Regards,
-Alan

On Fri, Dec 16, 2011 at 5:35 AM, Adam Young <ayoung at redhat.com> wrote:
>
> I opened a ticket for multitenancy
>
> https://fedorahosted.org/freeipa/ticket/2201
>
> Here is a detailed write up of the issues.
>
> http://freeipa.org/page/Multitenancy
>
> Please provide any feedback that you have and I will update.



