[Freeipa-devel] [RFC] Serving legacy systems clients for trusts

Jakub Hrozek jhrozek at redhat.com
Thu May 30 09:18:58 UTC 2013

On Thu, May 30, 2013 at 11:01:02AM +0200, Sumit Bose wrote:
> > For Linux and older SSSD versions we in fact have a problem.
> > What I want to avoid is to have to define procedures and patches for all
>                 ^^^^^^ ?
> > the clients. However if you use ipa-client-install it would configure
> > sssd the old way.
> > How to make it configured the new way? Manually? This is error prone and
> > people will be reluctant to reconfigure SSSD. Automatically? Means
> > patches to all the versions of the clients.
> > How we are going to deal with the huge test matrix?
> I think rolling out patches to old sssd versions is not a good idea and
> I think we won't have the time to prepare all the needed patches in a
> reasonable time-frame.
> For SSSD versions which do not allow multiple search bases (1.5 and 1.6)
> I would suggest to add a new domain section for the AD user with LDAP
> and Kerberos provider. This would allow IPA users to work as before and
> add the AD users to the client. Maybe this would also be a better
> solution for the other SSSD versions instead of multiple search bases,
> at least it's a solution for all versions.

+1, I remember that the patches to support multiple search bases were
highly non-trivial and caused some regressions at the time (which is
completely understandable given their size). Backporting them would be a
devel and QE nightmare, we would have to backport not only the patches
but all the fixes for the regressions.

The only drawback of multiple domains is slightly worse performance as
with multiple domains you need to iterate over the domains in the
responders and contact the DP for every domain while with multiple
search bases the whole logic happens in the DP without the round-trips
to PAM or NSS responders. This disadvantage doesn't apply when using
FQDNs as then you shortcut to the correct domain already.

> Since we have the python config API for SSSD the needed changes to the
> sssd.conf might be scriptable with a reasonable effort. Maybe this can
> be added to ipa-client-install with a new option like
> --enable-legacy-trust-support which can add the new section to existing
> configuration or include it for new installations?
> bye,
> Sumit
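The following is an added illustration of the approach discussed above (a separate `[domain/...]` section with LDAP id and Kerberos auth providers, enabled in `[sssd] domains`); it is not code from the thread, from ipa-client-install, or from SSSD's own `SSSDConfig` Python module. It uses only the standard-library `configparser`, and every hostname, search base, realm and CA path is a constructed placeholder:

```python
import configparser
import io

# Constructed sample of an sssd.conf as written for a single IPA domain.
# All names here are placeholders, not values from the original thread.
EXISTING_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa.ipa.example.test
ipa_domain = ipa.example.test
cache_credentials = True
"""


def load_sssd_conf(text):
    # sssd.conf values may contain '%' (e.g. full_name_format = %1$s@%2$s),
    # which would trip configparser's interpolation, so disable it.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # SSSD option names are case-sensitive; keep them
    cp.read_string(text)
    return cp


def configured_domains(cp):
    # The [sssd] domains value is a comma-separated, ordered list.
    return [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]


def add_legacy_trust_domain(cp, ad_domain, ldap_uri, search_base,
                            krb5_realm, krb5_server, ca_cert):
    """Add a [domain/<ad_domain>] section using the LDAP id provider and the
    Kerberos auth provider, and enable it in [sssd] domains.

    Returns False and leaves the config untouched if the section exists,
    so re-running the tool never clobbers an administrator's edits."""
    section = "domain/" + ad_domain
    if cp.has_section(section):
        return False
    cp.add_section(section)
    options = {
        "id_provider": "ldap",
        "auth_provider": "krb5",
        "chpass_provider": "krb5",
        "ldap_uri": ldap_uri,
        "ldap_search_base": search_base,
        # Pin the identity channel to a verified certificate; an unverified
        # LDAP source would let anyone answering on the wire define users.
        "ldap_tls_reqcert": "demand",
        "ldap_tls_cacert": ca_cert,
        "krb5_realm": krb5_realm,
        "krb5_server": krb5_server,
        "cache_credentials": "True",
        # Fully qualified names let the responders route a request to this
        # domain directly instead of iterating over every configured domain.
        "use_fully_qualified_names": "True",
        "enumerate": "False",
    }
    for key, value in options.items():
        cp.set(section, key, value)
    domains = configured_domains(cp)
    if ad_domain not in domains:
        domains.append(ad_domain)
    cp.set("sssd", "domains", ", ".join(domains))
    return True


def render(cp):
    # Serialize back to sssd.conf syntax (key = value under [section]).
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    conf = load_sssd_conf(EXISTING_SSSD_CONF)
    add_legacy_trust_domain(conf, "ad.example.test",
                            "ldaps://dc.ad.example.test",
                            "dc=ad,dc=example,dc=test",
                            "AD.EXAMPLE.TEST", "dc.ad.example.test",
                            "/etc/ipa/ca.crt")
    print(render(conf))
```

The idempotence check is the important part for a client-installer option: an existing `[domain/...]` section is left alone rather than rewritten, and the existing IPA domain section is never touched.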
