[Freeipa-users] LDAP authentication into FreeIPA
Stephen Gallagher
sgallagh at redhat.com
Wed Nov 16 12:09:41 UTC 2011
On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
> >
> > Just tried to install sssd from the above repo.
> >
> > There's only packages for the old 10.04 lucid and
> > 10.10 maverick, nothing for 11.04 natty or 11.11
> > oneiric. I tried to install on natty using packages
> > from maverick, but it depends on packages no longer
> > available in the natty package tree. :(
> >
> > However for oneiric sssd 1.5.13 seems to have made it
> > into the universe package tree:
> > http://packages.ubuntu.com/oneiric/sssd
> >
> > Rgds,
> > Siggi
> >
> > Siggi,
> >
> > Thanks, but why would I want sssd on my client machine?
> >
> > Or - why would the current LDAP client that Ubuntu at least
> > claims to have not work?
> >
>
> The reasons I've found so far are:
>
> * Lack of support for the host based access control rules
> found in IPA
> * Need to have the config file with a username/password for
> the system to bind to the ldap directory readable by
> everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a
> failover situation you'll keep asking the server that's down,
> delaying your client response.
> * No offline caching of credentials (very handy if you have
> laptops).
>
> I'm sure the SSSD developers can give you lots more. :)
I think you've hit most of the major points. The less-obvious one is
that it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
connection.
>
> Siggi,
>
> Thanks, all of those are valid. I just installed sssd on an Ubuntu
> machine here, may end up using it.
>
> But from what you are saying it still sounds like the existing LDAP
> client on Ubuntu ought to still work, even if in a less than secure
> fashion. And it doesn't seem to.
I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
there.
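To make the bind-password point from Siggi's list concrete, here is an added, constructed configuration comparison (not from this thread or from the FreeIPA or SSSD projects): the nss_ldap-style /etc/ldap.conf that must be world-readable because every process loads it, beside an sssd.conf for an IPA domain that uses the host keytab instead. Hostnames, the domain example.test and the system account DN are placeholders.

```ini
# --- weak: /etc/ldap.conf for nss_ldap / pam_ldap (constructed example) ---
# Each process that resolves users reads this file, so it must be readable by
# every local user; the bind password below is therefore exposed to all of them.
uri     ldap://ipa1.example.test
base    dc=example,dc=test
binddn  uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw  PLACEHOLDER_BIND_PASSWORD
ssl     start_tls
tls_cacertfile /etc/ipa/ca.crt
# nss_ldap has no HBAC evaluation, no server tracking for failover and no
# offline credential cache; each client process opens its own LDAP connection.

# --- corrected: /etc/sssd/sssd.conf for an IPA client (constructed example) ---
# sssd refuses to start unless this file is owned by root and mode 0600.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.test

[domain/example.test]
id_provider     = ipa
auth_provider   = ipa
access_provider = ipa      ; evaluates the IPA HBAC rules on this host
chpass_provider = ipa
ipa_domain      = example.test
ipa_hostname    = client.example.test
# Several servers: sssd tracks which are reachable and fails over between them.
ipa_server      = ipa1.example.test, ipa2.example.test
# No bind DN or password: the ipa provider authenticates to LDAP with GSSAPI
# using the host principal in the keytab (default /etc/krb5.keytab).
krb5_keytab     = /etc/krb5.keytab
# Hash of a successful password login is kept for offline logins (laptops).
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
```

On the nss_ldap side, `rootbinddn` with the password in a root-only /etc/ldap.secret is the usual mitigation, but it only helps processes running as root; unprivileged lookups still fall back to the world-readable file.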