[Freeipa-users] LDAP authentication into FreeIPA

Stephen Gallagher sgallagh at redhat.com
Wed Nov 16 12:09:41 UTC 2011


On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
> > > > Just tried to install sssd from the above repo.
> > > > 
> > > > There are only packages for the old 10.04 lucid and
> > > > 10.10 maverick, nothing for 11.04 natty or 11.11
> > > > oneiric. I tried to install on natty using packages
> > > > from maverick, but it depends on packages no longer
> > > > available in the natty package tree. :(
> > > > 
> > > > However for oneiric sssd 1.5.13 seems to have made it
> > > > into the universe package tree:
> > > > http://packages.ubuntu.com/oneiric/sssd
> > > > 
> > > > Rgds,
> > > > Siggi
> > > 
> > > Siggi,
> > > 
> > > Thanks, but why would I want sssd on my client machine?
> > > 
> > > Or - why would the current LDAP client that Ubuntu at least
> > > claims to have not work?
> > 
> > The reasons I've found so far are:
> > 
> > * Lack of support for the host based access control rules
> > found in IPA
> > * Need to have the config file with a username/password for
> > the system to bind to the ldap directory readable by
> > everyone... (not secure)
> > * SSSD uses the kerberos host key to talk to LDAP (secure)
> > * No daemon keeping track of available ldap servers, e.g. in a
> > failover situation you'll keep asking the server that's down,
> > delaying your client response.
> > * No offline caching of credentials (very handy if you have
> > laptops).
> > 
> > I'm sure the SSSD developers can give you lots more. :)


I think you've hit most of the major points. The less-obvious one is
that it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
connection.


> Siggi,
> 
> Thanks, all of those are valid. I just installed sssd on an Ubuntu
> machine here, may end up using it.
> 
> But from what you are saying it still sounds like the existing LDAP
> client on Ubuntu ought to still work, even if in a less than secure
> fashion. And it doesn't seem to.

I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
there.
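As an added illustration of the points raised in this thread (not part of the original message, and not the SSSD or FreeIPA projects' own documentation): the traditional nss_ldap/pam_ldap bind-password configuration beside an sssd.conf that uses the IPA provider. The domain example.com, the host names, the bind DN and the file paths are placeholders assumed for the example.

```ini
# --- Traditional nss_ldap/pam_ldap: /etc/ldap.conf (the weak pattern) ---
# Every process that resolves users reads this file, so it has to be
# world-readable, which exposes the bind password to any local user.
# All values are placeholders.
uri ldap://ipa1.example.com
base dc=example,dc=com
binddn uid=sysaccount,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw PLACEHOLDER_SECRET
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt

# --- SSSD: /etc/sssd/sssd.conf (owned by root, mode 0600) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
# The IPA provider talks to LDAP over GSSAPI with the host principal
# from the keytab, so no password is stored in a config file.
id_provider = ipa
auth_provider = ipa
chpass_provider = ipa
# Host-based access control rules defined in IPA are enforced here.
access_provider = ipa
ipa_domain = example.com
ipa_hostname = client.example.com
# Several servers listed: SSSD tracks which one is reachable and
# fails over instead of retrying a dead server on every lookup.
ipa_server = ipa1.example.com, ipa2.example.com
krb5_keytab = /etc/krb5.keytab
ldap_tls_cacert = /etc/ipa/ca.crt
# Cache credentials locally so laptops can log in while offline.
cache_credentials = True
```

The contrast in file permissions is the point: ldap.conf must be readable by every process, whereas sssd.conf is read only by the root-owned sssd daemon, so the keytab-based configuration keeps no secret that an unprivileged local user can read.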
