On 03/16/2012 04:06 PM, Stephen Ingram wrote: > On Fri, Mar 16, 2012 at 12:33 PM, JR Aquino <[email protected]> wrote: >> On Mar 16, 2012, at 11:54 AM, Stephen Ingram wrote: >> >> I've seen mention about the compat plug-in causing issues with >> replication. In my 2.1.4 installation I notice that the plug-in is >> turned on by default. Is compat only required for those supporting NIS >> or does it serve another purpose. As I don't use NIS, I'm just >> wondering if it's safe to turn off. >> >> To compliment what Rob mentioned... >> >> Compat is also generally necessary for any user who wishes to utilize Sudo >> with FreeIPA. >> >> Sudo does not natively understand what a 'hostgroup' is, so it can only >> utilize NIS netgroups for this. Care was taken when designing the FreeIPA >> hostgroup and nis compatibility system such that any hostgroup that is >> created has a mirrored (and semi hidden) NIS netgroup created. >> >> This way when you build Sudo rules and reference 'hostgroups', >> transparently, it is really referencing NIS netgroups stored inside of ldap >> and provided by the compat / nis plugins. >> >> Hope this helps clear some stuff up about why one would want compat and nis >> turned on in FreeIPA. > Glad you mentioned this. I would have turned it off just to save > space, but I do need sudo. This makes more sense as to why its enabled > by default. Very clever design too to hide the complexity from the > user.
In future we will support native IPA SUDO schema in SSSD. https://fedorahosted.org/sssd/ticket/1108 > Steve > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
