[Freeipa-devel] Ubuntu interests in FreeIPA

Simo Sorce ssorce at redhat.com
Tue Jun 30 13:30:30 UTC 2009


On Mon, 2009-06-29 at 19:20 -0400, Mathias Gug wrote:
> Hi,
> 
> I'm part of the Ubuntu Server Team. I've been looking at the FreeIPA
> project for some time now and how it could be integrated in Ubuntu for
> the next release (Karmic scheduled October 2009). I'd like to get your
> input on my proposal.
> 
> Interesting components of FreeIPA that I'd like to get integrated in Ubuntu:
> 
>  * sssd (there is already a work in progress to get debian packages in
>    the next release (karmic)).
>  * the management tools: web UI + cli + XML-RPC backend.
>  * MIT kerberos.
> 
> Components that I'm looking into replacing:
>  
>  * replace 389 Directory Server with openldap. 
>  
>  The main reason being that the 389 Directory server is not available in
>  the Ubuntu archive yet (there is a work in progress to get it included
>  in Debian/Ubuntu) while openldap is already in the archive and the
>  currently recommended directory solution in Ubuntu.
> 
>  My question is how tight are FreeIPA and 389 Directory Server coupled?

Very tightly; we use many features of 389DS and a good amount of plugins not
available for openldap. It would require quite a substantial amount of
work and testing just to port the slapi plugins.

Second, OpenLDAP has experimental object level multimaster replication.
389DS has attribute level multimaster replication and conflict
resolution. All the tools to manage replication setup would have to be
rewritten.

ACIs are slightly different between 389DS and openLDAP; that would
require changing part of the installation and management tools.

There are probably other issues that will pop up once someone attacks
the problem.

I have no problems in principle with supporting multiple LDAP servers in
IPA, but that will require a substantial amount of work.

>  * different Directory Information Tree (DIT): replace with openldap-dit [1].
> 
> [1]: https://launchpad.net/openldap-dit

First of all I think you may be confusing/conflating DIT and Schema.

In [1] the schema is incompatible with the MIT kerberos ldap driver as it
uses the heimdal schema.

On the pure DIT side I don't see any reason to change the FreeIPA DIT. We
chose the DIT carefully based on many factors, so it is unlikely to
change; it would only make things incompatible with no benefit
whatsoever. (OpenLDAP can use the FreeIPA DIT w/o any problem.)

>  My question is how tight are the management tools and the DIT coupled?
> 
>  * deployment scripts: replace with puppet recipes/manifests.

Our installation scripts are python scripts delivered with the package,
I see no reason to deliver them via puppet.

> Here is my current proposal for karmic (schedule for October 2009):
>  * package SSSD.
>  * package FreeIPA 1.2.1 management tools.

The management tools are bonded to schema, DIT, plugins, once you get
them running, you have the whole shebang anyway.

> I've got several other questions:
>  * When will the refactoring of the management tools be completed?

I'll let Rob make an estimate here.

>  * Is there an updated roadmap and timeline?

Not yet.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
