[Freeipa-users] LDAP authentication into FreeIPA
Sigbjorn Lie
sigbjorn at nixtra.com
Tue Nov 15 21:49:05 UTC 2011
On 11/15/2011 10:37 PM, Boris Epstein wrote:
>
>
> On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie <sigbjorn at nixtra.com> wrote:
>
> On 11/15/2011 09:54 PM, Stephen Gallagher wrote:
>
> On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:
>
> Hi,
>
> I don't think there is much realistic hope of getting Windows to
> authenticate to FreeIPA......the others should be able to, and the
> Fedora docs on the FreeIPA documentation web page list a specific
> method for Macs for one (but I have not tried it yet, but I will
> be)....Ubuntu has been mentioned before....I have to try/do that as
> well....
>
> Siggi sent me some notes a while back,
>
> =============
>
> Ubuntu client install
>
>
> I don't have all of the details handy right now, but I know Timo
> Aaltonen was working on porting SSSD and ipa-client to Ubuntu
> in order
> to support the enhanced client enrollment available with those two
> packages.
>
> The SSSD and its dependencies are available in his PPA here:
> https://launchpad.net/~tjaalton/+archive/ppa
>
>
> Just tried to install sssd from the above repo.
>
> There's only packages for the old 10.04 lucid and 10.10 maverick,
> nothing for 11.04 natty or 11.11 oneiric. I tried to install on
> natty using packages from maverick, but it depends on packages no
> longer available in the natty package tree. :(
>
> However, for oneiric sssd 1.5.13 seems to have made it into the
> universe package tree:
> http://packages.ubuntu.com/oneiric/sssd
>
>
>
> Rgds,
> Siggi
>
>
> Siggi,
>
> Thanks, but why would I want sssd on my client machine?
>
> Or - why would the current LDAP client that Ubuntu at least claims to
> have not work?
>
The reasons I've found so far are:
* Lack of support for the host-based access control rules found in IPA.
* Need to have the config file with a username/password, for the system
to bind to the LDAP directory, readable by everyone... (not secure).
* SSSD uses the Kerberos host key to talk to LDAP (secure).
* No daemon keeping track of available LDAP servers, e.g. in a failover
situation you'll keep asking the server that's down, delaying your
client response.
* No offline caching of credentials (very handy if you have laptops).
I'm sure the SSSD developers can give you lots more. :)
Rgds,
Siggi
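As an added illustration of the points in Siggi's list (this is not from the original thread, nor configuration shipped by the FreeIPA or SSSD projects), the two fragments below put a plain nss_ldap/pam_ldap client configuration next to an SSSD configuration using the ipa provider. The domain, hostnames, realm, bind DN, password and keytab path are placeholders I made up; the option names are the real nss_ldap and sssd.conf keywords.

```ini
# --- /etc/ldap.conf (nss_ldap / pam_ldap style client; assumed example) ---
# NSS has to read this file for every lookup by every user, so on most
# installs it ends up world-readable, together with the bind password.
# There is no HBAC evaluation, no tracking of which server is up, and no
# offline credential cache.
uri ldap://ipa1.example.com
base dc=example,dc=com
ssl start_tls
# System account and cleartext password, readable by every local user:
binddn uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw S3cret-in-cleartext

# --- /etc/sssd/sssd.conf (mode 0600, owned by root; assumed example) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# Enforce the HBAC rules defined in IPA at login time:
access_provider = ipa
ipa_domain = example.com
# Discover servers via DNS SRV first, then fall back to the listed host;
# SSSD marks unreachable servers and moves on instead of retrying them:
ipa_server = _srv_, ipa1.example.com
ipa_hostname = client1.example.com
krb5_realm = EXAMPLE.COM
# Bind to LDAP with the host principal from the keytab, so no password
# has to be stored in a readable config file:
krb5_keytab = /etc/krb5.keytab
ldap_sasl_mech = GSSAPI
# Keep a hashed copy of successful credentials for offline logins (laptops):
cache_credentials = true
```

With the SSSD variant the only secret on the client is the host keytab, which is root-only and is what ipa-client-install normally populates; the nss_ldap variant needs the bind password in a file that every user's processes can read.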