<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 09/16/2011 05:19 PM, Johan Sunnerstig wrote:
<blockquote
cite="mid:47CE7527FAFAD348AEA328EB66E545A114E8EDEF@exchappvp1.adauriga.auriganet.net"
type="cite">
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;">Hello.<br>
I'm wondering if anyone has used FreeIPA with Debian clients,
and if so, what client software you opted to use?<br>
Right now I have nss-pam-ldapd
(<a class="moz-txt-link-freetext" href="http://arthurdejong.org/nss-pam-ldapd/">http://arthurdejong.org/nss-pam-ldapd/</a>) and the MIT-based krb
software that's included in Debian 6 working decently. By that I
mean I can use it to allow logins as expected, but so far I
haven't worked out allowing or disallowing login based on group
membership.<br>
<br>
Obviously the best solution would be a "real" IPA client, but
has anyone attempted this? I mucked around a bit with the SSSD
included in the Debian repos (1.2.1) but didn't get it to work.
Though in all fairness I didn't try THAT hard, since it seems
like SSSD has evolved quite a bit since 1.2.1.<br>
Is the SSSD route worthwhile?<br>
<br>
I really just need group-based logins; sudo controls I can
handle based on groups with Puppet, but again, if the real
client route isn't too much work that's of course preferable.<br>
<br>
I hope this makes sense. It's late Friday and I have a horrible
headache, so if it doesn't, I apologize in advance. :)<br>
</div>
</blockquote>
<br>
Hi Johan,<br>
<br>
I'm using Ubuntu with FreeIPA. I'm not using ldapd, as I've found
it unreliable. I'm using libnss-ldap and manually configured
Kerberos. ldapd does not support nested groups, last I checked;
that's a downside too. It's not perfect, sssd would have been
better, but it works just fine.<br>
<br>
If you lower bind_timelimit and timelimit quite low (a few
seconds), it's not too bad when an IPA server is unavailable. nscd is
required to overcome some issues with libnss-ldap (such as
Thunderbird segfaulting...).<br>
<br>
I've used cfengine to make an IPA config script for clients not
supporting sssd and ipa-client-install. I'm sure you could do the
same with Puppet.<br>
<br>
To get group-based login, I've used the AllowGroups property in
sshd.<br>
<br>
Hope this makes sense. :)<br>
<br>
Regards,<br>
Siggi<br>
<br>
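The following is an added example, not code from either message in this thread. It models the group-based login check that sshd performs for the AllowGroups directive Siggi mentions: the first AllowGroups line in sshd_config wins, and a login is permitted only if one of the account's groups matches one of the listed patterns (sshd accepts * and ? wildcards there). The config fragments in the comments, the group names ipausers and admins, and the function names are all constructed for illustration.<br>
<br>
```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the AllowGroups decision
# sshd makes so a client config can be checked before it is rolled out.
#
# Constructed sshd_config fragment:
#   AllowGroups ipausers admins
# Constructed libnss-ldap /etc/ldap.conf fragment, following the reply's
# advice to keep lookups short when an IPA server is unreachable:
#   bind_timelimit 3
#   timelimit 3

# Print the arguments of the first AllowGroups line in an sshd_config file.
# sshd uses the first occurrence of a keyword; the keyword is case-insensitive.
# Prints nothing when the directive is absent (no group restriction at all).
allowgroups_from_config() {
  awk 'tolower($1) == "allowgroups" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# allow_groups_permits PATTERNS GROUPS
# PATTERNS: the AllowGroups patterns, space-separated (wildcards * and ? allowed)
# GROUPS:   the account's group names, space-separated
# Returns 0 when at least one group matches one pattern, 1 otherwise.
allow_groups_permits() {
  patterns=$1
  groups=$2
  for p in $patterns; do
    for g in $groups; do
      # An unquoted $p in a case label is evaluated as a shell glob, which is
      # the same wildcard syntax sshd applies to AllowGroups entries.
      case "$g" in
        $p) return 0 ;;
      esac
    done
  done
  return 1
}

# user_may_login USER [SSHD_CONFIG]
# Decide for a real account on this host. Group membership comes from the
# host's NSS (id -Gn), so with a flat LDAP map only direct memberships count;
# nested IPA groups are seen only if the NSS module expands them.
user_may_login() {
  user=$1
  file=${2:-/etc/ssh/sshd_config}
  pats=$(allowgroups_from_config "$file")
  if [ -z "$pats" ]; then
    return 0   # no AllowGroups directive: sshd imposes no group restriction
  fi
  allow_groups_permits "$pats" "$(id -Gn "$user")"
}
```
<br>
Run it as <code>. ./allowgroups-check.sh; user_may_login johan /etc/ssh/sshd_config &amp;&amp; echo allowed</code> on a client. The check only tells you what sshd will decide for the groups NSS returns; if nss-pam-ldapd (or libnss-ldap) does not flatten nested groups, a user whose only path into an allowed group is through a nested group will be denied, which is the downside the reply points out.<br>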
</body>
</html>