From Fedora Directory Server
This page contains features we'd like to see in the project. Can you help?
Core Server Features
- Option to disable anonymous binds
- Option to control resource limits specifically for the anonymous bind identity
- Option to disable simple bind, or allow it only over SSL
- Option to disable non-SSL connections, or require StartTLS
- SMD5 (salted MD5) password storage hash
- Fedora DS 1.1 - support for ldapi (i.e. have the server listen on unix sockets as well as TCP/IP sockets)
- Have the server listen _only_ on ldapi
- Password Policy
  - Password checking. The following could be implemented as an extension to the proposed LDAP Password Policy standard that is implemented by Fedora DS:
    - Quality - specify a list of regexps that the password must match in order to be valid. We could have a multi-valued attribute called passwordRegexp whose values are regular expressions to match against the password.
    - Dictionary - specify a list of text files to use for dictionary lookups. We could have a multi-valued attribute called passwordDictionary whose values are the pathnames of files to use as dictionaries (e.g. /usr/share/dict/words).
    - Extra credit - use the server itself as the dictionary (needs schema for the dictionary).
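As an added illustration (not code from this page or from Fedora Directory Server), the Python sketch below shows how a server-side check built on the proposed passwordRegexp and passwordDictionary attributes could behave. The two attribute names come from the proposal above; the patterns, the dictionary file contents and the extra "dictionary word with digits or punctuation tacked on" check are assumptions added here, and that last check goes slightly beyond the two checks the proposal lists:

```python
import os
import re
import tempfile

# Constructed values for the proposed multi-valued passwordRegexp attribute
# (attribute name from the proposal; the patterns themselves are assumptions).
PASSWORD_REGEXP = (
    r"^.{8,}$",   # at least 8 characters
    r"[A-Z]",     # at least one upper-case letter
    r"[0-9]",     # at least one digit
)

# Constructed dictionary contents standing in for e.g. /usr/share/dict/words.
SAMPLE_DICTIONARY = "password\nletmein\nwelcome\nsummer\n"

# Characters stripped from both ends when looking for "word + digits" variants.
_TRIVIAL_DECORATION = "0123456789!@#$%^&*._-"


def load_dictionaries(paths):
    """Read every passwordDictionary file into one lower-cased word set."""
    words = set()
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                word = line.strip().lower()
                if word:
                    words.add(word)
    return words


def check_password(password, regexps, words):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    # Quality: every passwordRegexp value must match somewhere in the password.
    for pattern in regexps:
        if re.search(pattern, password) is None:
            problems.append(f"does not match passwordRegexp {pattern!r}")
    # Dictionary: exact (case-insensitive) match against the merged word list.
    lowered = password.lower()
    if lowered in words:
        problems.append("found in dictionary")
    # Assumption added here: also catch a dictionary word with digits or
    # punctuation on either end, which is not one of the page's two checks.
    stripped = lowered.strip(_TRIVIAL_DECORATION)
    if stripped != lowered and stripped in words:
        problems.append("dictionary word with digits/punctuation appended or prepended")
    return problems


def demo():
    """Write the constructed dictionary to a temp file and check three candidates."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "words")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DICTIONARY)
        words = load_dictionaries([path])
        return {pw: check_password(pw, PASSWORD_REGEXP, words)
                for pw in ("Tr0ub4dor&3", "Summer2024!", "password")}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(pw, "->", "OK" if not problems else "; ".join(problems))
```

In a real pre-operation plugin the dictionary set would be loaded once at startup (or on config change) rather than per bind, and the regexps would be compiled once; the check itself is the same.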
Replication
- Simplified replication setup
- Option to change the frequency at which Windows Sync synchronizes User and Group entries
- Option to monitor statistics about the replication process: busy time, time (min/max/avg) of the supplier push connection, and number of updates for each replica
- Option for the Windows Sync service to bind to a secondary Directory Server (and rotate through further servers) if the first is out of service (in a multi-master replication architecture)
Database
- Fine-grained locking - lock per entry or per attribute rather than the entire database
- Do not store the DN or DN values with the entry data - have a lookup table to map from entry GUID to DN
  - Will help with entry move/subtree rename (MOD DN operations)
  - Will help with referential integrity
Samba Support
The full up-to-date list is here - http://wiki.samba.org/index.php/Samba4/LDAP_Backend
Passwords
Support several different kinds of password encryption/hashing:
- all of the Kerberos KDC types
  - Heimdal is slightly different from MIT
- NT (MD4 over the UCS-2/UTF-16LE encoding of the password)
- LM (DES-based)
Extensions
- Simple paged results - be able to page through large search result sets of:
  - entries - like VLV, but without VLV's ranged/sorted semantics
  - attribute values - e.g. for large static groups - MS supports attrname;range=M-N where M and N are numbers expressing the range
- Entry USN - sort of like a per-entry CSN - create a virtual one using the modifyTimestamp CSN - aggregate in the root DSE
- Schema - MS supports aggregate (RFC 2252) and exploded schema entries - the exploded entries have more attributes than the standard - use X-XXXX to support non-standard schema elements in aggregate schema - perhaps virtual exploded schema?
- Operational attribute that lists which attributes are writable - sort of like our GetEffectiveRights operation
- Need the ability to specify an ordering for attribute values, or the ability to retrieve attribute values in a certain order - control? attribute subtype?
- Need the ability to retrieve the MS extended DN with the GUID and SID in the DN
- Slapi plugin extension to mark some modifications as "not to be checked against the ACIs". This would allow a pre-op plugin to add modifications to an entry that the identity performing the original operation would not normally be able to touch, but that the plugin has the authority to generate.
Console Features
In addition to support for core server features mentioned above:
- Option to automatically create posixAccount and/or shadowAccount users
- Add host based access control to posixAccount attributes (e.g. a list of hostnames to which the user is allowed login access)
- Although Fedora DS 1.1 and later can auto-increment uidNumber and gidNumber, the console should allow the admin to override this and assign specific numbers
- Support for netgroups
  - Allow netgroup management from the console
  - Allow the admin to specify netgroups to add a new user to
- Support for autofs maps
- Allow the Fedora IDM Console to switch to another instance to search entries
