[Freeipa-users] LDAP authentication into FreeIPA

Boris Epstein borepstein at gmail.com
Tue Nov 15 21:51:56 UTC 2011


>>  Just tried to install sssd from the above repo.
>>
>> There are only packages for the old 10.04 lucid and 10.10 maverick, nothing
>> for 11.04 natty or 11.11 oneiric. I tried to install on natty using
>> packages from maverick, but it depends on packages no longer available in
>> the natty package tree. :(
>>
>> However, for oneiric, sssd 1.5.13 seems to have made it into the universe
>> package tree:
>> http://packages.ubuntu.com/oneiric/sssd
>>
>>
>>
>> Rgds,
>> Siggi
>
>
>  Siggi,
>
>  Thanks, but why would I want sssd on my client machine?
>
>  Or - why would the current LDAP client that Ubuntu at least claims to
> have not work?
>
>
> The reasons I've found so far are:
>
> * Lack of support for the host based access control rules found in IPA
> * Need to have the config file with a username/password for the system to
> bind to the ldap directory readable by everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a failover
> situation you'll keep asking the server that's down, delaying your client
> response.
> * No offline caching of credentials (very handy if you have laptops).
>
> I'm sure the SSSD developers can give you lots more. :)
>
>
> Rgds,
> Siggi
>

Siggi,

Thanks, all of those are valid. I just installed sssd on an Ubuntu machine
here, may end up using it.

But from what you are saying it still sounds like the existing LDAP client
on Ubuntu ought to still work, even if in a less than secure fashion. And
it doesn't seem to.

Boris.
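
The second point in Siggi's list (a bind username/password in a config file every local user can read), as an added example that is not part of the original thread: a small audit of an nss_ldap/pam_ldap-style `ldap.conf`, which also goes one step further and flags a plain `ldap://` URI without `ssl start_tls`. The directive names (`uri`, `binddn`, `bindpw`, `ssl`) are the ones those clients use; the sample file contents, host name and DN are constructed.

```python
import os
import stat
import tempfile

# Constructed sample in the nss_ldap/pam_ldap ldap.conf style (not from the thread).
SAMPLE_CONF = """\
# constructed example
uri ldap://ipa.example.test
base dc=example,dc=test
binddn uid=nssproxy,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw NotARealPassword
"""

def audit_ldap_conf(path):
    """Return finding codes for an ldap.conf-style client configuration file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    settings = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    if settings.get("bindpw"):
        findings.append("cleartext-bindpw")
        if mode & stat.S_IROTH:
            # Every local account can read the directory bind credentials.
            findings.append("world-readable-secret")
    uris = settings.get("uri", "").split()
    tls = settings.get("ssl", "").lower() == "start_tls"
    if any(u.lower().startswith("ldap://") for u in uris) and not tls:
        # A simple bind over plain ldap:// sends the password unencrypted.
        findings.append("no-transport-encryption")
    return findings

def audit_sample(mode):
    """Write SAMPLE_CONF to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap.conf")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(path, mode)
        return audit_ldap_conf(path)

if __name__ == "__main__":
    for mode in (0o644, 0o600):
        print("%04o" % mode, audit_sample(mode))
```

Tightening the file to 0600 clears the world-readable finding, but NSS lookups run inside each user's own process, so unprivileged users can then no longer resolve accounts through that file.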