[Freeipa-devel] [SSSD] FreeIPA on Debian

Adam Young ayoung at redhat.com
Tue Sep 3 17:39:30 UTC 2013


As a possible approach to getting things started, would it be possible 
to use Alien and a JEOS install to get the FreeIPA server running on a 
Debian system, and then work on converting over the dependencies one at 
a time?

It seems like there are likely to be a series of Debian vs Fedora 
issues, WRT things like Python Path (lib vs lib64) and so forth.

Also, the Dogtag install is a very custom way of configuring a Tomcat 
App.  It is likely to butt up against the Debian packaging standards for 
Java Web Apps:  http://dep.debian.net/deps/dep7/

One other difference between the Debian and Fedora philosophies is that, 
after apt-get install, you tend to have a deployed service, whereas the 
Yum/RPM based approach calls for a post deployment configuration stage.

It sounds like the effort should be split along the Core FreeIPA work 
and the Dogtag work.  We used to have a "Self-Signed" CA approach for 
IPA that would be useful to have again.  With the current "External CA" 
work, we might be able to do something similar:  generate the 
certificates we need in a self-signed manner and provide them to the IPA 
server.  That will let the Dogtag effort continue without holding up the 
rest of the work.



On 09/01/2013 04:35 PM, Timo Aaltonen wrote:
> On 01.09.2013 21:43, Dmitri Pal wrote:
>> On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
>>> On 31.08.2013 00:04, Dmitri Pal wrote:
>>>> Hello,
>>>>
>>>> Sorry for cross posting to 4 different lists but it seems that this is
>>>> the best way to include most of people who might be interested in this
>>>> discussion.
>>>>
>>>> The question of "When FreeIPA will be available on Debian?" has been
>>>> coming up periodically on the list(s) without any resolution. However it
>>>> is clear that it would be beneficial for the community and the project.
>>> Hi,
>>>
>>> As you know, I've been packaging stuff for the past two years with the
>>> goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
>>> been accomplished, but quite a bit is still missing too..
>>>
>>>> Maybe it is time to try again?
>>>> Let us see why it yet has not happened?
>>>>
>>>> 1) Some components need to be ported to Debian especially Dogtag and a
>>>> slew of its new RESTEasy dependencies. This requires time and quite an
>>>> effort from someone familiar with the domain.
>>> Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
>>> working, but I'm not going to push that to the distro. It can be used
>>> for testing the IPA server though, before we have Dogtag 10. Once the
>>> prereqs are in place the Dogtag git should be easy to rebase with 10.x.
>>>
>>> I did start packaging some of the dependencies, but hit a wall when some
>>> maven component needed a different release than another one.. AIUI this
>>> is a known issue with maven based projects..
>>>
>>> Other blockers off the top of my head include:
>>>
>>> - support for shared certificate database in NSS
>>>    * patches sent to the Debian bug (#537866), maintainer isn't too
>>>      responsive
>> How can we help?
> I don't think you can, guess it just needs some perseverance on my side..
>
>>> - dyndb support in bind
>>>    * haven't asked the maintainer to add it to bind9, it might happen
>> Are you talking about dyndb maintainer or bind9 Debian maintainer?
>> Maybe we should connect the two?
> the debian bind maintainer, I heard from the dyndb maintainer that
> bind10 might support it natively, but getting that in Debian might still
> be further in the future, so if we'd need dyndb by early next year it's
> probably needed to have it via bind9 first.
>
>>>> 3) Someone needs to own packages in Debian and maintain them, someone
>>>> with good knowledge of the distro and time to take ownership of about 50
>>>> packages.
>>> I'm doing this on my spare time, which has meant obvious delays in
>>> shipping something. Would be great to have more skillful people (pun
>>> intended) on the pkg-freeipa team..
>> Are you the only person there so far?
> pretty much, there have been some debian developers sponsoring packages
> to the distro (I'm not a DD yet), but they've all fled before too long :)
>



