[Freeipa-devel] Ubuntu interests in FreeIPA

Miguel P.C. mpcolino at gmail.com
Tue Jun 30 08:49:26 UTC 2009


> Hi,

Hi Mathias!

> I'm part of the Ubuntu Server Team. I've been looking at the FreeIPA
> project for some time now and how it could be integrated in Ubuntu for
> the next release (Karmic scheduled October 2009). I'd like to get your
> input on my proposal.

That sounds wonderful. I was working also in the same direction for my
Master's Final Project which I'm finishing now (luckily it'll be over
during this week).

I'll try to add the info I can share from the (really little)
experience I have. :-)

> Interesting components of FreeIPA that I'd like to get integrated in Ubuntu:
>
>  * sssd (there is already a work in progress to get debian packages in
>   the next release (karmic)).

SSSD had a problem[1] with the "ldb" dependency due to the package
prepared for Debian and used in Ubuntu.
This must be solved by now (you helped on it a lot), but as I
haven't tested lately, I can't assure it.

[1] https://bugs.launchpad.net/debian/+source/samba4/+bug/372405

>  * the management tools: web UI + cli + XML-RPC backend.

If I'm not wrong, most of the web UI belongs to the 389 Directory
Server (389DS).
The CLI tools seem to me to be mostly independent and
programmed in Python.
I can't program in Python (yet), but I took a look and almost understood
how they work, so they must be really clearly and well programmed.

Take this with a little grain of salt as I'm not the most experienced
person around here. Simo and Stephen can provide a much better and
deeper view on this.

>  * MIT kerberos.
>
> Components that I'm looking into replacing:
>
>  * replace 389 Directory Server with openldap.

OK. This could be one of the points with a bigger strategic effect on
mid and long term.
Please consider this step carefully.

>  The main reason being that the 389 Directory server is not available in
>  the Ubuntu archive yet (there is a work in progress to get it included
>  in Debian/Ubuntu) while openldap is already in the archive and the
>  currently recommended directory solution in Ubuntu.

Please take into account that 389 has features worth considering when
compared to OpenLDAP. I'll name just three:
* Multimaster replication
* Nice and well tested tools (including WebUI)
* Really stable and tested codebase

To me it'll be a dream come true having it packaged for Ubuntu/Debian
but I still have _a lot_ to learn to be able to do it myself.

Pros on OpenLDAP:
* It'll make FreeIPA more "standard"
* It'll help adding better support on other LDAP implementations
* Shorter TTM for having "FreeIPA Server" in Ubuntu

Cons on OpenLDAP:
* It'll lower the need for 389DS
* Some features available in 389DS will be missing (and when available
they won't be so stable)
* Adaptation to DIT can be a bit painful (but really healthy!)

>  My question is how tight are FreeIPA and 389 Directory Server coupled?

I can't help on this one. Sorry.

>  * different Directory Information Tree (DIT): replace with openldap-dit [1].
>
> [1]: https://launchpad.net/openldap-dit
>
>  My question is how tight are the management tools and the DIT coupled?

Somebody else with deeper knowledge should answer this one. However,
to me they looked really coupled, especially when it comes to the
"Directives" part of FreeIPA. I'd love to see a standardized DIT that
any LDAP server could use to act as the LDAP component of a FreeIPA
infrastructure ... hmmm ...

>  * deployment scripts: replace with puppet recipes/manifests.
>
> Here is my current proposal for karmic (scheduled for October 2009):
>  * package SSSD.

Already working on it, but not much progress made. [2]

[2] https://launchpad.net/~freeipa

>  * package FreeIPA 1.2.1 management tools.

Consider it as two parts: client management tools and server management tools.
They should be easy to package but they seem to depend on SSSD and 389DS.

> I've got several other questions:
>  * When will the refactoring of the management tools be completed?
>  * Is there an updated roadmap and timeline?

Normally I find that info in the usual websites, but from what I read
you probably looked for it before. Anyway here they are:

[3] https://fedorahosted.org/sssd/
[4] http://freeipa.org
[5] http://freeipa.org/page/Roadmap

> Thanks for your input,

My 0.05 Euro ... (not even two cents)

Hope it helps.

M*

> --
> Mathias Gug
> Ubuntu Developer  http://www.ubuntu.com
>



