[Freeipa-users] compat plug-in and replication

JR Aquino JR.Aquino at citrix.com
Fri Mar 16 20:11:26 UTC 2012


On Mar 16, 2012, at 1:06 PM, Stephen Ingram wrote:

> On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote:
>> 
>> I've seen mention about the compat plug-in causing issues with
>> replication. In my 2.1.4 installation I notice that the plug-in is
>> turned on by default. Is compat only required for those supporting NIS
>> or does it serve another purpose? As I don't use NIS, I'm just
>> wondering if it's safe to turn off.
>> 
>> To complement what Rob mentioned...
>> 
>> Compat is also generally necessary for any user who wishes to utilize Sudo with FreeIPA.
>> 
>> Sudo does not natively understand what a 'hostgroup' is, so it can only utilize NIS netgroups for this. Care was taken when designing the FreeIPA hostgroup and nis compatibility system such that any hostgroup that is created has a mirrored (and semi-hidden) NIS netgroup created.
>> 
>> This way when you build Sudo rules and reference 'hostgroups', transparently, it is really referencing NIS netgroups stored inside of LDAP and provided by the compat / nis plugins.
>> 
>> Hope this helps clear some stuff up about why one would want compat and nis turned on in FreeIPA.
> 
> Glad you mentioned this. I would have turned it off just to save
> space, but I do need sudo. This makes more sense as to why it's enabled
> by default. Very clever design too to hide the complexity from the
> user.

Glad to know the info helps!

We did such a good job at keeping that stuff in the background that it sometimes gets overlooked :)

To be completely fair... The SSSD team is actively working toward the goal of eventually supporting FreeIPA natively via the Sudo plugin system.

In the future it will not be necessary to use compat or nis for Sudo.

-JR
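
The dependency described in this thread can be checked before anyone disables compat: the sketch below is an added example, not code from the thread or from the FreeIPA project, and it lists which sudo rules name a netgroup in `sudoHost` and whether that netgroup is actually present. The LDIF is constructed, and the `dc=example,dc=com` suffix, the `cn=ng,cn=compat` and `ou=sudoers` containers, the rule names and both function names are assumptions.

```python
# Constructed sample: a compat netgroup plus three sudo rules (not real server output).
SAMPLE_LDIF = """\
dn: cn=webservers,cn=ng,cn=compat,dc=example,dc=com
objectClass: nisNetgroup
cn: webservers
nisNetgroupTriple: (web1.example.com,-,example.com)

dn: cn=restart-httpd,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: restart-httpd
sudoHost: +webservers

dn: cn=db-backup,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: db-backup
sudoHost: +dbservers

dn: cn=local-admin,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: local-admin
sudoHost: ALL
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 values) into {attr: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def netgroup_dependencies(entries):
    """Return (resolved, dangling): sudo rule cn -> netgroups named in its sudoHost values."""
    def has_class(e, oc):
        return oc in (v.lower() for v in e.get("objectclass", []))
    netgroups = {cn.lower() for e in entries if has_class(e, "nisnetgroup")
                 for cn in e.get("cn", [])}
    resolved, dangling = {}, {}
    for e in entries:
        if not has_class(e, "sudorole"):
            continue
        for host in e.get("sudohost", []):
            if host.startswith("+"):  # in sudoers syntax, "+name" in a host list is a netgroup
                target = resolved if host[1:].lower() in netgroups else dangling
                target.setdefault(e["cn"][0], []).append(host[1:])
    return resolved, dangling
```

Rules in `resolved` stop matching hosts if the netgroups go away, and rules in `dangling` already reference a netgroup that is not being served.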
