[Freeipa-users] authentication against compat

Jakub Hrozek jhrozek at redhat.com
Mon Feb 17 14:03:00 UTC 2014


On Fri, Feb 14, 2014 at 09:36:33AM +0200, Alexander Bokovoy wrote:
> On Thu, 13 Feb 2014, Steve Dainard wrote:
> >I don't think this is an issue of bugs or documentation, more of design.
> >Perhaps there's someplace other than a users list this belongs in but:
> >
> >If IPA is a centrally managed identity and access control system, should
> >these configurations not be passed to clients, rather than every client
> >needing configuration changes post join? Obviously I can automate config
> >changes, but why would I want to? I don't think sudoers priv is a fringe
> >case, it's pretty much THE case for access/admin control. I cringe to
> >compare to a Windows domain, but I don't have to manually tell a domain
> >client that it should respect the rules I set on a domain controller, I
> >joined it to the domain for this reason.
> When the majority of expected features are already implemented, it is easy
> to fall into the assumption that everything has to be complete from the start.
> That's understandable but we are dealing with a living and evolving
> project where a feature addition often means integrating across multiple
> actual free software projects, all with their own priorities and
> schedules, step by step, or things will never happen.
> 
> SUDO integration is not an exception here. First we needed to expand
> SUDO's support for external plugins. When SUDO data was placed in LDAP,
> it appeared that the existing schema isn't really optimal, so the FreeIPA schema
> was designed better (but incompatible with the existing one from SUDO LDAP),
> but required a compatibility part to work with existing SUDO LDAP
> plugin. Next, we implemented SUDO provider in SSSD for the existing SUDO
> LDAP schema as it gave SSSD wider coverage of SUDO support. Now we
> implemented support for native FreeIPA schema. The next step is to
> integrate configuration of it in ipa-client-install so that clients will
> get set up properly if there are SUDO rules configured on the server or
> ipa-client-install was actually given a bless from the admin (via CLI
> option or answering a question).
> 
> It takes time and effort. Unsurprisingly, this is a relatively minor
> feature in the grand picture because we have dozens of such features all
> asking for attention and time, and our development teams are not
> expanding infinitely, regardless of how we all wished. :)
> 
> Any help is welcome!

By the way, the native sudo backend is being worked on actively by an
external contributor in the form of a thesis. We expect to have it
implemented by May.



