----- Original Message -----
> We had a brief discussion on unifying the PKI and IPA Directory
> Server instances. Here are my notes from it. Please fill out the
> details and correct me if I've mis-stated anything below.
>
> Issues:

Do IPA and PKI use different suffixes?

> 1. Both make changes to Config. One identified conflict is the
> configuration of the Uniqueness plugin

It may be easy to enhance this plugin and other plugins to allow different configuration per subtree.

> 2. PKI uses Directory Manager. This is insecure. Can it use a different,
> limited admin? Or use ldapi?

I don't think ldapjdk can use ldapi.

> 3. Index strategies are different

Use a union? e.g. if ipa needs attribute "a" indexed for equality only, but PKI needs it indexed for presence and substring only, then we can just index it for eq, sub, and pres.

> 4. make sure we have a union of the required sets of plugins
>
> 5. PKI needs to set D.S. Default Name context

What is this?

> 6. If PKI uses the IPA datastore for users, it needs to create the user
> with all the right prerequisites (object class, defaults)

If both PKI and IPA use structural objectclasses, we may have to create corresponding auxiliary objectclasses so that you can mix-in both sets of objectclasses while having only one structural objectclass per entry.

> 7. PKI puts users in groups using “member of” so that should still work
> for the IPA tree
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
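The index union suggested in the reply to item 3, as an added example that is not part of the original thread and is not IPA or PKI code: it merges two sets of 389 Directory Server index entries so that each attribute ends up with every `nsIndexType` either product asks for. The sample LDIF, the attribute names `a` and `b`, and the `userRoot` backend are constructed assumptions; LDIF line folding and base64 values are not handled.

```python
import re

# DN layout of an index entry in the ldbm database plugin configuration.
DN = "cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config"

# Constructed sample input: "a" mirrors the example given in the thread.
IPA_LDIF = """\
dn: cn=a,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: a
nsIndexType: eq

dn: cn=b,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: b
nsIndexType: eq
"""
PKI_LDIF = """\
dn: cn=a,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: a
nsIndexType: pres
nsIndexType: sub
"""

def parse_indexes(ldif):
    """Return {attribute name (lowercased): set of nsIndexType values}."""
    indexes = {}
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        attr, types = None, set()
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip().lower()
            if key == "cn":
                attr = value
            elif key == "nsindextype":
                types.add(value)
        if attr:
            indexes.setdefault(attr, set()).update(types)
    return indexes

def merge_indexes(*configs):
    """Union the index types per attribute across all configurations."""
    merged = {}
    for cfg in configs:
        for attr, types in cfg.items():
            merged.setdefault(attr, set()).update(types)
    return merged

def to_ldif(merged, backend="userRoot"):
    """Render the merged index set as nsIndex entries, sorted for stable diffs."""
    entries = []
    for attr in sorted(merged):
        lines = ["dn: " + DN.format(attr=attr, backend=backend),
                 "objectClass: top", "objectClass: nsIndex",
                 "cn: " + attr, "nsSystemIndex: false"]
        lines += ["nsIndexType: " + t for t in sorted(merged[attr])]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```
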