[Freeipa-devel] [RFC] Serving legacy systems clients for trusts
Dmitri Pal
dpal at redhat.com
Thu May 30 23:43:37 UTC 2013
[...]
>>>
>>> For Linux and older SSSD version we in fact have a problem.
>>> What I want to avoid is to have to define procedures and patches for
>>> all
>> ^^^^^^ ?
>>> the clients. However if you use ipa-client-install it would configure
>>> sssd the old way.
>>> How to make it configured the new way? Manually? This is error prone
>>> and
>>> people will be reluctant to reconfigure SSSD. Automatically? Means
>>> patches to all the versions of the clients.
>>> How we are going to deal with the huge test matrix?
>>
>> I think rolling out patches to old sssd versions is not a good idea and
>> I think we won't have the time to prepare all the needed patches in a
>> reasonable time-frame.
>>
>> For SSSD versions which do not allow multiple search bases (1.5 and 1.6)
>> I would suggest to add a new domain section for the AD user with LDAP
>> and Kerberos provider. This would allow IPA users to work as before and
>> add the AD users to the client. Maybe this would also be a better
>> solution for the other SSSD versions instead of multiple search bases,
>> at least it's a solution for all versions.
>>
>> Since we have the python config API for SSSD the needed changes to the
>> sssd.conf might be scriptable with a reasonable effort. Maybe this can
>> be added to ipa-client-install with a new option like
>> --enable-legacy-trust-support which can add the new section to existing
>> configuration or include it for new installations?
> Bigger question is what is simpler: write configuration instructions or
> modify/provide additional script for old SSSD?
>
> Remember that trusts with AD are most likely established when IPA clients
> are already rolled out. Changing ipa-client-install is not helpful for
> this case since the clients are already there.
>
> Perhaps a better approach would be documentation for non-SSSD case and a
> simple snippet that can be run alone or in use with puppet/etc to deploy
> massively. The snippet would use SSSDConfig Python API to add needed
> modifications to the clients' SSSD configuration.
>
> We can even extend IPA server tools to allow generating such snippets
> based on the trusts configuration. After all, we do have control over
> IPA server in such cases.
>
>
> I have updated wiki page with discussed ideas.
Sorry, but this is not enough.
I do not see a discussion in the design about the client-side solution
procedure.
I am looking for a section that would contain a table (or the like):
---------------------------------------------------------------------------
| Type/Version of the client   | Action                                   |
---------------------------------------------------------------------------
| Solaris/HP-UX/AIX (non sssd) | Configure manually to recognize AD as    |
|                              | a domain following steps ...             |
---------------------------------------------------------------------------
| Clients that have SSSD       | If the client is already installed       |
| before 1.9                   | and configured do X                      |
|                              | If it is a fresh install of the          |
|                              | client do Y                              |
---------------------------------------------------------------------------
| SSSD 1.9 and later           | Use the following ipa-client-install     |
|                              | flags XYZ and/or authconfig command      |
|                              | ABC                                      |
---------------------------------------------------------------------------
Can something like this be added to the wiki, and corresponding tickets to
provide testable replacements for XYZ above be filed in trac?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
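The snippet the thread keeps coming back to, an automated edit of an existing client's sssd.conf that adds a separate [domain/...] section for AD users with an LDAP id provider and a Kerberos auth provider, as an added example that is not code from this thread or from the FreeIPA project. The thread suggests the SSSDConfig Python API; this version uses the standard library's configparser instead so it runs stand-alone, and performs the same edit. The sample sssd.conf, the AD domain name, the LDAP URI, search base, realm and KDC are constructed placeholders; the CA certificate path defaults to /etc/ipa/ca.crt, which is where ipa-client-install leaves the IPA CA on an enrolled client.

```python
"""Add a legacy AD domain section to an existing sssd.conf (added example).

Not FreeIPA code.  The thread proposes using the SSSDConfig Python API;
this uses only configparser from the standard library so it runs anywhere.
The edit is the one proposed in the thread: a new [domain/<ad_domain>]
section with id_provider = ldap and auth_provider = krb5, registered in
the 'domains' list of the [sssd] section.  All host names, realms and
search bases in the sample below are placeholders, not real infrastructure.
"""
import configparser
import io

# Constructed sample of a client that ipa-client-install configured "the old
# way": a single IPA domain and nothing else.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = ipa.example.test

[nss]

[pam]

[domain/ipa.example.test]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa.example.test
"""


def add_legacy_ad_domain(conf_text, ad_domain, ldap_uri, ldap_search_base,
                         krb5_realm, krb5_server, ca_cert="/etc/ipa/ca.crt"):
    """Return (new_conf_text, changed).

    Idempotent: if the domain section already exists nothing is touched and
    changed is False, which is what a puppet-driven mass rollout needs.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written in the file
    cp.read_string(conf_text)

    if not cp.has_section("sssd"):
        raise ValueError("not an sssd.conf: missing [sssd] section")

    section = "domain/" + ad_domain
    if cp.has_section(section):
        return conf_text, False

    cp.add_section(section)
    dom = cp[section]
    dom["id_provider"] = "ldap"          # identities come from LDAP ...
    dom["auth_provider"] = "krb5"        # ... passwords are checked by a KDC
    dom["chpass_provider"] = "krb5"
    dom["ldap_uri"] = ldap_uri
    dom["ldap_search_base"] = ldap_search_base
    dom["ldap_tls_cacert"] = ca_cert     # assumption: IPA CA signs the LDAP cert
    dom["krb5_realm"] = krb5_realm
    dom["krb5_server"] = krb5_server
    dom["cache_credentials"] = "true"    # offline logins keep working

    # Register the new domain, keeping the existing IPA domain first so
    # unqualified names are still resolved against IPA before AD.
    existing = cp["sssd"].get("domains", "")
    domains = [d.strip() for d in existing.split(",") if d.strip()]
    domains.append(ad_domain)
    cp["sssd"]["domains"] = ", ".join(domains)

    out = io.StringIO()
    cp.write(out)
    return out.getvalue(), True


if __name__ == "__main__":
    text, changed = add_legacy_ad_domain(
        SAMPLE_SSSD_CONF, "ad.example.test",
        ldap_uri="ldaps://ipa.example.test",
        ldap_search_base="cn=compat,dc=ipa,dc=example,dc=test",
        krb5_realm="AD.EXAMPLE.TEST", krb5_server="dc1.ad.example.test")
    print(text)
```

When this is run for real, write the result back with mode 0600 and owner root, since sssd refuses to start on a world-readable or non-root-owned sssd.conf, and restart sssd afterwards. Which LDAP server and search base the AD section should point at (the IPA server's compat tree or something else) is exactly the open design question the thread asks to have written down per client type, so they are left as parameters here.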