[Freeipa-devel] Ubuntu interests in FreeIPA

Rob Crittenden rcritten at redhat.com
Tue Jun 30 13:22:41 UTC 2009


Mathias Gug wrote:
> Hi,
> 
> I'm part of the Ubuntu Server Team. I've been looking at the FreeIPA
> project for some time now and how it could be integrated in Ubuntu for
> the next release (Karmic scheduled October 2009). I'd like to get your
> input on my proposal.
> 
> Interesting components of FreeIPA that I'd like to get integrated in Ubuntu:
> 
>  * sssd (there is already a work in progress to get debian packages in
>    the next release (karmic)).
>  * the management tools: web UI + cli + XML-RPC backend.
>  * MIT kerberos.
> 
> Components that I'm looking into replacing:
>  
>  * replace 389 Directory Server with openldap. 
>  
>  The main reason being that the 389 Directory server is not available in
>  the Ubuntu archive yet (there is a work in progress to get it included
>  in Debian/Ubuntu) while openldap is already in the archive and the
>  currently recommended directory solution in Ubuntu.
> 
>  My question is how tight are FreeIPA and 389 Directory Server coupled?

Very tightly coupled. We rely on a number of features that I believe are 
only available in 389, and have added some of our own that are 
389-specific.

* Distributed Numeric Assignment (DNA) is used to automatically assign 
the next uidNumber/gidNumber
* Multi-master replication to distribute users and schema. OpenLDAP has 
some MMR capabilities but as I understand it uses a simpler conflict 
resolution process.
* We wrote a password changing plugin that would need to be 
refactored/re-written from scratch
* Not sure if password policies are handled in the same way
* Access control is completely different

So within the realm of possibility but would be quite a bit of work.

I'd guess that a good bit of the IPA installer would need to be reworked 
as well.

>  * different Directory Information Tree (DIT): replace with openldap-dit [1].
> 
> [1]: https://launchpad.net/openldap-dit
> 
>  My question is how tight are the management tools and the DIT coupled?

Very tightly coupled. Not something that couldn't be changed but it 
would really be quite a fork.

> 
>  * deployment scripts: replace with puppet recipes/manifests.
> 
> Here is my current proposal for karmic (scheduled for October 2009):
>  * package SSSD.
>  * package FreeIPA 1.2.1 management tools.
> 
> I've got several other questions:
>  * When will the refactoring of the management tools be completed?
>  * Is there an updated roadmap and timeline?

No firm timeline yet but I wouldn't expect to see anything earlier than 
this Fall/Autumn.

rob