enterprise-ubuntu team mailing list archive

[Bolesław Tokarski <boleslaw.tokarski@xxxxxxxxx>]

Hello,

Thank you for the information. I was not following the SSSD-users
mailing list that closely and the topic is very interesting.

I was already considering FreeIPA as the best-maintained full-blown AD
alternative. Now that they want to deliver that to Debian-based systems,
that would be highly beneficial.

Cheers,
Ballock

On 02/09/13 09:32, Longina Przybyszewska wrote:
> Hi ,
> This is nice posting about FreeIPA status in Debian world.
> If we discuss Enterprise  it should come on the top of the Top 10 or Top 20...
>
> Best
> Longina
>
> -----Original Message-----
> From: sssd-users-bounces@xxxxxxxxxxxxxxxxxxxxxx [mailto:sssd-users-bounces@xxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Dmitri Pal
> Sent: 1. september 2013 02:52
> To: Michał Dwużnik
> Cc: freeipa-devel; End-user discussions about the System Security Services Daemon; Development of the System Security Services Daemon; freeipa-users@xxxxxxxxxx
> Subject: Re: [SSSD-users] [Freeipa-users] FreeIPA on Debian
>
> On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
>> Hi guys,
>>
>>
>> I do not know whether it will reach ALL the lists Dmitri put in, but anyway:
>>
>> I do am interested heavily in getting a nice inter distro product (and
>> if sth works both on RH-like and Deb-like distros that's quite some
>> bases covered...) I'm afraid I'm not able to take the responsibility
>> of building the deb support myself (no skills, no time), but feel like
>> I do need it and I can spent some considerable time testing (I'm still
>> having a production NIS around and I would like to test the
>> interoperability when it stops being 'production'...) builds if they
>> appear...
>>
>> I feel like IPA is getting the well established components and builds
>> an added value ON them and not AGAINST them, making life easier (and
>> hiding the not so beatiful guts under a nice interface, too...):
>> Integrating KRB5 and LDAP is something people do every now and then,
>> but it comes with cnsiderable pain of reading contradictory guides not
>> updated for 10 years, dealing with examples using crypto mechanism
>> that should be long forgotten...
>> ('first, before configuring LDAP set up KRB5, having a test principal
>> get back to this LDAP guide'
>>  and some two links away:
>>  'first, get the your LDAP feet wet, when you're able to do ldapsearch
>> get back and construct those ldifs to build krb5 database in ldap'
>> followed by 'make a new realm, but don't use krb5_newrealm'...).
>>
>> Freeipa gives hope of NOT having to deal with cn=config manually,
>> (it's a really nice thing, but ldifs are sth that should be hidden
>> from view, and most guides for ldap/krb5 integration require creating
>> LOTS of those 'by hand', which makes quite a steep learning curve...).
>> The abundance of PAM modules for ldap/krb5 does not make it any easier
>> (shishi? heimdall? MIT?; libpam-ldap or libpam-ldapd?), nor the
>> multitude of different caching tools.
>> (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
>>
>> Having something solid to start with todays hordes of products
>> requiring some auth integration thingie would be really nice
>>
>> OTOH that would be nice to have some documentation without EXAMPLE.COM
>> inside :>
>>
>> I think getting freeipa working on Debian would be a great 'social'
>> move, sure to be valued among the Linux community (ok, at least the
>> part of community not centered on their own personal computers...),
>> but the transition to 'Freeipa is wideely adopted product for ...'
>> would surely need more people than a couple of guys in RH raising the
>> Debian cause and a few Debian users like me.
>>
>> Thanks to work by  Alexandre Ellert it's possible to get freeipa
>> working with wheezy with relatively no hassle, but I'm afraid the
>> world needs more than him :>
>>
>> Trying that I haven't seen any obvious 'fedorisms' inside...
>>
>> As for 'let's have a dream' part -> I would like to see sth similar to
>> nsscache included with the  freeipa suite for some really lightweight
>> clients, for more than one reason...
>>
>> Dmitri, thanks for raising the flag!
>>
>> Michał
>>
>> PS:Any idea for some advertisement on Debian side?
> I have no idea but where and how this effort can be advertised but any ideas are welcome!
> I think it would be great if someone passes it on to other lists that might be interested in joining the effort.
>
>> On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal <dpal@xxxxxxxxxx> wrote:
>>> Hello,
>>>
>>> Sorry for cross posting to 4 different lists but it seems that this
>>> is the best way to include most of people who might be interested in
>>> this discussion.
>>>
>>> The question of "When FreeIPA will be available on Debian?" has been
>>> coming up periodically on the list(s) without any resolution. However
>>> it is clear that it would be beneficial for the community and the project.
>>>
>>> May be it is time to try again?
>>> Let us see why it yet has not happened?
>>>
>>> 1) Some components need to be ported to Debian especially Dogtag and
>>> a slew of its new RESTEasy dependencies. This requires time and quite
>>> an effort from someone familiar with the domain.
>>> 2) The code needs to be changed in installer and potentially in other
>>> places as it might have had some Fedorizms blended in
>>> 3) Someone needs to own packages in Debian and maintain them, someone
>>> with good knowledge of the distro and time to take ownership of about
>>> 50 packages.
>>>
>>> Can we pull it off together this time?
>>> Say we plan for some Dogtag and IPA domain experts to work on the
>>> port during Nov 13 - Feb 14 and address 1) and 2). Would there be any
>>> interest to join forces with them? Would there be anyone to take on
>>> item
>>> 3) from the list above?
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio Red Hat Inc.
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>