[Freeipa-users] LDAP authentication into FreeIPA

Sigbjorn Lie sigbjorn at nixtra.com
Tue Nov 15 21:49:05 UTC 2011


On 11/15/2011 10:37 PM, Boris Epstein wrote:
>
>
> On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
>     On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
>
>         On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
>
>             Hi,
>
>             I don't think there is much realistic hope of getting
>             windows to
>             authenticate to freeIPA......the others should be able to
>             and the
>             fedora docs on the freeipa documentation web page list a
>             specific
>             method for macs for one (but I have not tried it yet, but
>             I will
>             be)....ubuntu has been mentioned before....I have to
>             try/do that as
>             well....
>
>             Siggi sent me some notes a while back,
>
>             =============
>
>             Ubuntu client install
>
>
>         I don't have all of the details handy right now, but I know Timo
>         Aaltonen was working on porting SSSD and ipa-client to Ubuntu
>         in order
>         to support the enhanced client enrollment available with those two
>         packages.
>
>         The SSSD and its dependencies are available in his PPA here:
>         https://launchpad.net/~tjaalton/+archive/ppa
>
>
>     Just tried to install sssd from the above repo.
>
>     There's only packages for the old 10.04 lucid and 10.10 maverick,
>     nothing for 11.04 natty or 11.11 oneiric. I tried to install on
>     natty using packages from maverick, but it depends on packages no
>     longer available in the natty package tree. :(
>
>     However for oneiric sssd 1.5.13 seems to have made it into the
>     universe package tree:
>     http://packages.ubuntu.com/oneiric/sssd
>
>
>
>     Rgds,
>     Siggi
>
>
> Siggi,
>
> Thanks, but why would I want sssd on my client machine?
>
> Or - why would the current LDAP client that Ubuntu at least claims to 
> have not work?
>

The reasons I've found so far are:

* Lack of support for the host based access control rules found in IPA
* Need to have the config file with a username/password for the system 
to bind to the ldap directory readable by everyone... (not secure)
* SSSD uses the kerberos host key to talk to LDAP (secure)
* No daemon keeping track of available ldap servers, e.g. in a failover 
situation you'll keep asking the server that's down, delaying your 
client response.
* No offline caching of credentials (very handy if you have laptops).

I'm sure the SSSD developers can give you lots more. :)


Rgds,
Siggi
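To make the second and third points above concrete, here is a constructed side-by-side of the two configurations being compared. This is an added illustration, not a file from the thread or from the FreeIPA/SSSD projects: the domain example.com, the hostnames, the proxy account DN and the password are placeholders, and the SSSD options shown (id_provider, access_provider, ipa_server, krb5_keytab, cache_credentials) are the ones the IPA provider documents for these purposes.

```ini
# --- Weak: nss_ldap / pam_ldap style /etc/ldap.conf (constructed) ---
# NSS lookups run inside every user's process, so this file has to be
# world-readable, and with it the proxy account's clear-text password.
uri ldap://ipa1.example.com/
base dc=example,dc=com
binddn uid=nss-proxy,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw nss-proxy-password-in-clear
# Nothing here evaluates IPA HBAC rules, caches credentials for offline
# use, or remembers which server is currently down.

# --- Corrected: /etc/sssd/sssd.conf with the IPA provider (constructed) ---
# SSSD runs as a daemon, so this file can be root-only (0600). It binds to
# LDAP with GSSAPI using the host principal in /etc/krb5.keytab, so no
# password is stored in any readable file.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# Enforce the IPA host-based access control rules on this client.
access_provider = ipa
ipa_domain = example.com
ipa_hostname = client.example.com
# DNS SRV discovery first, then explicit fallbacks; SSSD tracks which
# server answered last and fails over instead of retrying a dead one.
ipa_server = _srv_, ipa1.example.com, ipa2.example.com
krb5_keytab = /etc/krb5.keytab
# Keep a hash of the last successful login so laptops can log in offline.
cache_credentials = True
```

The quick check for the weak case is whether the file holding the bind password is readable by anyone other than root; with the corrected layout the only secret on the client is the keytab, which stays root-only. ipa-client-install writes an equivalent domain section when it enrolls a host, so the SSSD half above is normally generated rather than hand-written.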