[Freeipa-devel] [Freeipa-users] FreeIPA on Debian

Dmitri Pal dpal at redhat.com
Sun Sep 1 00:52:19 UTC 2013


On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
> Hi guys,
>
>
> I do not know whether it will reach ALL the lists Dmitri put in, but anyway:
>
> I am heavily interested in getting a nice inter distro product (and
> if sth works both on RH-like and Deb-like distros that's quite some
> bases covered...)
> I'm afraid I'm not able to take the responsibility of building the deb
> support myself (no skills, no time), but feel like I do need it and I
> can spend some considerable time testing
> (I'm still having a production NIS around and I would like to test the
> interoperability when it stops being 'production'...) builds if they
> appear...
>
> I feel like IPA is getting the well established components and builds
> an added value ON them and not AGAINST them, making life easier (and
> hiding the not so beautiful guts under a nice interface, too...):
> Integrating KRB5 and LDAP is something people do every now and then,
> but it comes with considerable pain of reading contradictory guides not
> updated for 10 years,
> dealing with examples using crypto mechanism that should be long forgotten...
> ('first, before configuring LDAP set up KRB5, having a test principal
> get back to this LDAP guide'
>  and some two links away:
>  'first, get your LDAP feet wet, when you're able to do ldapsearch
> get back and construct those ldifs to build krb5 database in ldap'
> followed by 'make a new realm, but don't use krb5_newrealm'...).
>
> Freeipa gives hope of NOT having to deal with cn=config manually,
> (it's a really nice thing, but ldifs are sth that should be hidden
> from view, and most guides
> for ldap/krb5 integration require creating LOTS of those 'by hand',
> which makes quite a steep learning curve...).
> The abundance of PAM modules for ldap/krb5 does not make it any easier
> (shishi? heimdal? MIT?; libpam-ldap or libpam-ldapd?), nor the
> multitude of different caching tools.
> (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
>
> Having something solid to start with today's hordes of products
> requiring some auth integration thingie would be really nice
>
> OTOH that would be nice to have some documentation without EXAMPLE.COM inside :>
>
> I think getting freeipa working on Debian would be a great 'social'
> move, sure to be valued among the Linux community (ok, at least the
> part of community not centered on their own personal computers...),
> but the transition to 'Freeipa is widely adopted product for ...'
> would surely need more people than a couple of guys in RH raising the
> Debian cause and a few Debian users like me.
>
> Thanks to work by Alexandre Ellert it's possible to get freeipa
> working with wheezy with relatively no hassle, but I'm afraid the
> world needs more than him :>
>
> Trying that I haven't seen any obvious 'fedorisms' inside...
>
> As for 'let's have a dream' part -> I would like to see sth similar to
> nsscache included with the freeipa suite for some really lightweight
> clients,
> for more than one reason...
>
> Dmitri, thanks for raising the flag!
>
> Michał
>
> PS: Any idea for some advertisement on Debian side?

I have no idea where and how this effort can be advertised, but any
ideas are welcome!
I think it would be great if someone passes it on to other lists that
might be interested in joining the effort.

>
> On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> Hello,
>>
>> Sorry for cross posting to 4 different lists but it seems that this is
>> the best way to include most of people who might be interested in this
>> discussion.
>>
>> The question of "When FreeIPA will be available on Debian?" has been
>> coming up periodically on the list(s) without any resolution. However it
>> is clear that it would be beneficial for the community and the project.
>>
>> Maybe it is time to try again?
>> Let us see why it has not yet happened.
>>
>> 1) Some components need to be ported to Debian especially Dogtag and a
>> slew of its new RESTEasy dependencies. This requires time and quite an
>> effort from someone familiar with the domain.
>> 2) The code needs to be changed in installer and potentially in other
>> places as it might have had some Fedorizms blended in
>> 3) Someone needs to own packages in Debian and maintain them, someone
>> with good knowledge of the distro and time to take ownership of about 50
>> packages.
>>
>> Can we pull it off together this time?
>> Say we plan for some Dogtag and IPA domain experts to work on the port
>> during Nov 13 - Feb 14 and address 1) and 2). Would there be any
>> interest to join forces with them? Would there be anyone to take on item
>> 3) from the list above?
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

