On Thu, 30 May 2013, Dmitri Pal wrote:
[...]
For Lunix and older SSSD version we in fact have a problem.
What I want to avoid is to have to define procedures and patches for
all
^^^^^^ ?
the clients. However if you use ipa-client-install it would configure
sssd the old way.
How to make it configured the new way? Manually? This is error prone
and
people will be reluctant to reconfigure SSSD. Automatically? Means
patches to all the versions of the clients.
How we are going to deal with the huge test matrix?
I think rolling out patches to old sssd versions is not a good idea and
I think we won't have the time to prepare all the needed patches in a
reasonable time-frame.
For SSSD versions which do not allow multiple search bases (1.5 and 1.6)
I would suggest to add a new domain section for the AD user with LDAP
and Kerberos provider. This would allow IPA users to works as before and
add the AD users to the client. Maybe this would also be a better
solution for the other SSSD versions instead of multiple search bases,
at least it's a solution for all versions.
Since we have the python config API for SSSD the needed changes to the
sssd.conf might be scriptable with a reasonable effort. Maybe this can
be added to ipa-client-install with a new option like
--enable-legacy-trust-support which can add the news section to existing
configuration or include it for new installations?
Bigger question is what is simpler: write configuration instructions or
modify/provide additional script for old SSSD?
Remeber that trusts with AD are most likely established when IPA clients
are already rolled out. Changing ipa-client-install is not helpful for
this case since the clients are already there.
Perhaps a better approach would be documentation for non-SSSD case and a
simple snippet that can be run alone or in use with puppet/etc to deploy
massively. The snippet would use SSSDConfig Python API to add needed
modifications to the clients' SSSD configuration.
We can even extend IPA server tools to allow generating such snippets
based on the trusts configuration. After all, we do have control over
IPA server in such cases.
I have updated wiki page with discussed ideas.
Sorry but this is not enough.
I do not see a discussion the design about the client side solutuon
procedure.
I am looking for a session that would contain a table (or like):
--------------------------------------------------------------------------
| Type/Version of the client | Action |
--------------------------------------------------------------------------
| Solaris/HP-UX/AIX (non sssd) | Configure manually to recognize AD as |
| | a domain following following steps ...|
--------------------------------------------------------------------------
| Clients that have SSSD | If the client is already installed |
| before 1.9 | and configured do X |
| | If it is a fresh install of the |
| | client do Y |
--------------------------------------------------------------------------
| SSSD 1.9 and later | Use the following ipa-client-install |
| | flags XYZ and/or authconfig command |
| | ABC |
--------------------------------------------------------------------------
Can something like this be added to wiki and corresponding tickets to provide a
testable
replacements for XYZ above be filed in trac?
I've added more, including three tickets to cover specific
configurations.
Unfortunately, we have limits in multiple search bases approach by
the commercial UNIX vendors since their LDAP modules do not support
multiple search bases. For all of those platforms there is PADL pam_ldap
available which can be used for the same purpose.
If we still want to support native pam_ldap on Solaris (which don't work
with multiple search bases), we'd have to merge LDAP trees.
#3670 [RFE] tool to create configurations for old legacy clients for trusts
https://fedorahosted.org/freeipa/ticket/3670
#3671 add support for SSSD 1.5-1.8 configurations to ipa-advise-client
https://fedorahosted.org/freeipa/ticket/3671
#3672 add support for PADL pam_ldap/nss_ldap configurations to ipa-advise-client
https://fedorahosted.org/freeipa/ticket/3672
ipa-advise-client tool would look up existing IPA server configuration
and decide how should look sample configuration for the specified case.
It will generate a script that will output needed configuration files
(or their snippets) or commands that should be executed on the client
side.
The reason for this indirection is to allow greater flexibility in
future, like being able to check PAM configuration at the client side
before recommending changes (or run authconfig).
--
/ Alexander Bokovoy
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
