[Freeipa-devel] [RFC] Serving legacy systems clients for trusts

Dmitri Pal dpal at redhat.com
Thu May 30 23:43:37 UTC 2013


[...]
>>>
>>> For Lunix and older SSSD version we in fact have a problem.
>>> What I want to avoid is to have to define procedures and patches for
>>> all
>>                ^^^^^^ ?
>>> the clients. However if you use ipa-client-install it would configure
>>> sssd the old way.
>>> How to make it configured the new way? Manually? This is error prone
>>> and
>>> people will be reluctant to reconfigure SSSD. Automatically? Means
>>> patches to all the versions of the clients.
>>> How we are going to deal with the huge test matrix?
>>
>> I think rolling out patches to old sssd versions is not a good idea and
>> I think we won't have the time to prepare all the needed patches in a
>> reasonable time-frame.
>>
>> For SSSD versions which do not allow multiple search bases (1.5 and 1.6)
>> I would suggest to add a new domain section for the AD user with LDAP
>> and Kerberos provider. This would allow IPA users to work as before and
>> add the AD users to the client. Maybe this would also be a better
>> solution for the other SSSD versions instead of multiple search bases,
>> at least it's a solution for all versions.
>>
>> Since we have the python config API for SSSD the needed changes to the
>> sssd.conf might be scriptable with a reasonable effort. Maybe this can
>> be added to ipa-client-install with a new option like
>> --enable-legacy-trust-support which can add the new section to existing
>> configuration or include it for new installations?
> Bigger question is what is simpler: write configuration instructions or
> modify/provide additional script for old SSSD?
>
> Remember that trusts with AD are most likely established when IPA clients
> are already rolled out. Changing ipa-client-install is not helpful for
> this case since the clients are already there.
>
> Perhaps a better approach would be documentation for non-SSSD case and a
> simple snippet that can be run alone or in use with puppet/etc to deploy
> massively. The snippet would use SSSDConfig Python API to add needed
> modifications to the clients' SSSD configuration.
>
> We can even extend IPA server tools to allow generating such snippets
> based on the trusts configuration. After all, we do have control over
> IPA server in such cases.
>
>
> I have updated wiki page with discussed ideas.

Sorry, but this is not enough.
I do not see a discussion of the design of the client-side solution
procedure.

I am looking for a section that would contain a table (or the like):

--------------------------------------------------------------------------
|   Type/Version of the client   | Action                                |
--------------------------------------------------------------------------
| Solaris/HP-UX/AIX (non sssd)   | Configure manually to recognize AD as |
|                                | a domain following following steps ...|
--------------------------------------------------------------------------
| Clients that have SSSD         | If the client is already installed    |   
| before 1.9                     | and configured do X                   |
|                                | If it is a fresh install of the       |
|                                | client do Y                           |  
--------------------------------------------------------------------------
| SSSD 1.9 and later             | Use the following ipa-client-install  |
|                                | flags XYZ and/or authconfig command   |
|                                | ABC                                   |
--------------------------------------------------------------------------

Can something like this be added to the wiki, and corresponding tickets to provide
testable replacements for XYZ above be filed in trac?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
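The thread above proposes handling SSSD 1.5/1.6 clients (no multiple search bases) by adding a separate domain section for AD users with the LDAP id provider and Kerberos auth provider, scripted over sssd.conf so it can be pushed out with puppet or similar. The snippet below is an added illustration of that change and is not code from the thread or from FreeIPA/SSSD; it uses configparser in place of the SSSDConfig Python API so it runs without SSSD installed, and the domain names, servers and search base are constructed values. AD-specific attribute-mapping options are left out on purpose.

```python
"""Add an LDAP/Kerberos domain section for AD users to an existing sssd.conf.
Stand-in for the SSSDConfig API (configparser only); all values are constructed."""
import configparser
import io

# Constructed sample of a client's sssd.conf as left by ipa-client-install.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.ipa.example.test
cache_credentials = True
"""


def add_ad_domain(conf_text, ad_domain, ad_server, search_base, krb5_realm):
    """Return conf_text with a [domain/<ad_domain>] section (id_provider=ldap,
    auth_provider=krb5) and with ad_domain listed in [sssd] domains.
    Idempotent: an existing section for ad_domain is left untouched."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(conf_text)
    section = "domain/%s" % ad_domain
    if not cp.has_section(section):
        cp.add_section(section)
        cp.set(section, "id_provider", "ldap")
        cp.set(section, "auth_provider", "krb5")
        cp.set(section, "chpass_provider", "krb5")
        cp.set(section, "ldap_uri", "ldap://%s" % ad_server)
        cp.set(section, "ldap_search_base", search_base)
        cp.set(section, "krb5_realm", krb5_realm)
        cp.set(section, "krb5_server", ad_server)
        cp.set(section, "cache_credentials", "True")
    # SSSD only serves domains listed in [sssd] domains, so activate it there.
    domains = active_domains(conf_text)
    if ad_domain not in domains:
        domains.append(ad_domain)
    cp.set("sssd", "domains", ", ".join(domains))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def active_domains(conf_text):
    """List the domains enabled in the [sssd] section, in order."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    return [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
```

Running `add_ad_domain(SAMPLE_SSSD_CONF, "ad.example.test", "dc1.ad.example.test", "dc=ad,dc=example,dc=test", "AD.EXAMPLE.TEST")` leaves the IPA domain section as it was and appends the AD domain to `domains`; the result is meant to be written back to /etc/sssd/sssd.conf followed by an SSSD restart.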

