As a possible approach to getting things started, would it be possible
to use Alien and a JEOS install to get the FreeIPA server running on a
Debian system, and then work on converting over the dependencies one at
It seems like there are likely to be a series of Debian vs Fedora
issues, WRT things like Python Path (lib vs lib64) and so forth.
Also, the Dogtag install is a very Custom way of configuring a Tomcat
App. It is likely to But up against the Debian packaging standards for
Java Web Apps: http://dep.debian.net/deps/dep7/
One other difference between the Debian and Fedora philosophies is that,
after apt-get install, you tend to have a deployed service, whereas the
Yum/RPM based approach calls for a post deployment configuration stage.
It sounds like the effort should be split along the Core FreeIPA work
and the Dogtag work. We used to have a "Self-Signed" Ca approach for
IPA that would be useful to have again. With the current "External CA"
work, we might be able to do something similar: generate the
certificates we need in a self-signed manner and provide them to the IPA
server. That will let the Dogtag effort continue without holding up the
rest of the work.
On 09/01/2013 04:35 PM, Timo Aaltonen wrote:
On 01.09.2013 21:43, Dmitri Pal wrote:
On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
On 31.08.2013 00:04, Dmitri Pal wrote:
Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of people who might be interested in this
The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
As you know, I've been packaging stuff for the past two years with the
goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
been accomplished, but quite a bit is still missing too..
May be it is time to try again?
Let us see why it yet has not happened?
1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
working, but I'm not going to push that to the distro. It can be used
for testing the IPA server though, before we have Dogtag 10. Once the
prereqs are in place the Dogtag git should be easy to rebase with 10.x.
I did start packaging some of the dependencies, but hit a wall when some
maven component needed a different release than another one.. AIUI this
is a known issue with maven based projects..
Other blockers off the top of my head include:
- support for shared certificate database in NSS
* patches sent to the Debian bug (#537866), maintainer isn't too
How can we help?
I don't think you can, guess it just needs some perseverance on my side..
- dyndb support in bind
* haven't asked the maintainer to add it to bind9, it might happen
Are you talking about byndb maintainer or bind9 Debian maintainer?
May be we should connect the two?
the debian bind maintainer, I heard from the dyndb maintainer that
bind10 might support it natively, but getting that in Debian might still
be further in the future, so if we'd need dyndb by early next year it's
probably needed to have it via bind9 first.
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..
Are you the only person there so far?
pretty much, there have been some debian developers sponsoring packages
to the distro (I'm not a DD yet), but they've all fled before too long :)
Freeipa-devel mailing list