enterprise-ubuntu team mailing list archive

[Longina Przybyszewska <longina@xxxxxx>]

Hi ,
This is nice posting about FreeIPA status in Debian world.
If we discuss Enterprise  it should come on the top of the Top 10 or Top 20...

Best 
Longina

-----Original Message-----
From: sssd-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:sssd-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dmitri Pal
Sent: 1. september 2013 02:52
To: Michał Dwużnik
Cc: freeipa-devel; End-user discussions about the System Security Services Daemon; Development of the System Security Services Daemon; freeipa-users@xxxxxxxxxx
Subject: Re: [SSSD-users] [Freeipa-users] FreeIPA on Debian

On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
> Hi guys,
>
>
> I do not know whether it will reach ALL the lists Dmitri put in, but anyway:
>
> I do am interested heavily in getting a nice inter distro product (and 
> if sth works both on RH-like and Deb-like distros that's quite some 
> bases covered...) I'm afraid I'm not able to take the responsibility 
> of building the deb support myself (no skills, no time), but feel like 
> I do need it and I can spent some considerable time testing (I'm still 
> having a production NIS around and I would like to test the 
> interoperability when it stops being 'production'...) builds if they 
> appear...
>
> I feel like IPA is getting the well established components and builds 
> an added value ON them and not AGAINST them, making life easier (and 
> hiding the not so beatiful guts under a nice interface, too...):
> Integrating KRB5 and LDAP is something people do every now and then, 
> but it comes with cnsiderable pain of reading contradictory guides not 
> updated for 10 years, dealing with examples using crypto mechanism 
> that should be long forgotten...
> ('first, before configuring LDAP set up KRB5, having a test principal 
> get back to this LDAP guide'
>  and some two links away:
>  'first, get the your LDAP feet wet, when you're able to do ldapsearch 
> get back and construct those ldifs to build krb5 database in ldap'
> followed by 'make a new realm, but don't use krb5_newrealm'...).
>
> Freeipa gives hope of NOT having to deal with cn=config manually, 
> (it's a really nice thing, but ldifs are sth that should be hidden 
> from view, and most guides for ldap/krb5 integration require creating 
> LOTS of those 'by hand', which makes quite a steep learning curve...).
> The abundance of PAM modules for ldap/krb5 does not make it any easier 
> (shishi? heimdall? MIT?; libpam-ldap or libpam-ldapd?), nor the 
> multitude of different caching tools.
> (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
>
> Having something solid to start with todays hordes of products 
> requiring some auth integration thingie would be really nice
>
> OTOH that would be nice to have some documentation without EXAMPLE.COM 
> inside :>
>
> I think getting freeipa working on Debian would be a great 'social'
> move, sure to be valued among the Linux community (ok, at least the 
> part of community not centered on their own personal computers...), 
> but the transition to 'Freeipa is wideely adopted product for ...'
> would surely need more people than a couple of guys in RH raising the 
> Debian cause and a few Debian users like me.
>
> Thanks to work by  Alexandre Ellert it's possible to get freeipa 
> working with wheezy with relatively no hassle, but I'm afraid the 
> world needs more than him :>
>
> Trying that I haven't seen any obvious 'fedorisms' inside...
>
> As for 'let's have a dream' part -> I would like to see sth similar to 
> nsscache included with the  freeipa suite for some really lightweight 
> clients, for more than one reason...
>
> Dmitri, thanks for raising the flag!
>
> Michał
>
> PS:Any idea for some advertisement on Debian side?

I have no idea but where and how this effort can be advertised but any ideas are welcome!
I think it would be great if someone passes it on to other lists that might be interested in joining the effort.

>
> On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal <dpal@xxxxxxxxxx> wrote:
>> Hello,
>>
>> Sorry for cross posting to 4 different lists but it seems that this 
>> is the best way to include most of people who might be interested in 
>> this discussion.
>>
>> The question of "When FreeIPA will be available on Debian?" has been 
>> coming up periodically on the list(s) without any resolution. However 
>> it is clear that it would be beneficial for the community and the project.
>>
>> May be it is time to try again?
>> Let us see why it yet has not happened?
>>
>> 1) Some components need to be ported to Debian especially Dogtag and 
>> a slew of its new RESTEasy dependencies. This requires time and quite 
>> an effort from someone familiar with the domain.
>> 2) The code needs to be changed in installer and potentially in other 
>> places as it might have had some Fedorizms blended in
>> 3) Someone needs to own packages in Debian and maintain them, someone 
>> with good knowledge of the distro and time to take ownership of about 
>> 50 packages.
>>
>> Can we pull it off together this time?
>> Say we plan for some Dogtag and IPA domain experts to work on the 
>> port during Nov 13 - Feb 14 and address 1) and 2). Would there be any 
>> interest to join forces with them? Would there be anyone to take on 
>> item
>> 3) from the list above?
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
sssd-users mailing list
sssd-users@xxxxxxxxxxxxxxxxxxxxxx
https://lists.fedorahosted.org/mailman/listinfo/sssd-users