[Freeipa-users] Debian clients?
Alexander Bokovoy
abokovoy at redhat.com
Fri Sep 16 19:39:55 UTC 2011
Hi,
On Fri, 16 Sep 2011, Johan Sunnerstig wrote:
> Hello. I'm wondering if anyone has used FreeIPA with Debian clients,
> and if so, what client software you opted to use? Right now I have
> nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the
> MIT-based krb software that's included in Debian 6 working decently.
> By that I mean I can use it to allow logins as expected, but so far
> I haven't worked out allowing or disallowing login based on group
> membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included
> in the Debian repos (1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1. Is the SSSD route worthwhile?

I have made a first step toward supporting other platforms in
FreeIPA. FreeIPA 2.1.2 will have an infrastructure to add new
"platform backends" that implement details of platform-specific
interaction with services. This does not affect configuration files
per se but rather services' start/stop and checks for service
availability. I'm working on systemd support right now for Fedora 16
and, of course, any help on GNU/Debian-based systems is welcome -- we
are probably too far from making server bits distribution-independent
but for client side we are quite close. We 'just' miss a full-featured
replacement for Fedora's authconfig utility on the Debian side (parts of
which should be imported into FreeIPA in my humble opinion).

If you are willing to help or have someone else with spare hands, look
at ipapython/platform/* in freeipa's upstream and check
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
as an example of how to extend it -- it is work in progress too but it
shows what you can achieve.

> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route
> isn't too much work that's of course preferable.
>
> I hope this makes sense, late Friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)

Friday night is a nice time to talk about serious stuff :)
--
/ Alexander Bokovoy