----- Original Message -----
From: "Sigbjorn Lie" <sigbj...@nixtra.com>
To: "Stephen Gallagher" <sgall...@redhat.com>
Cc: freeipa-users@redhat.com
Sent: Wednesday, May 11, 2011 1:51:54 PM
Subject: Re: [Freeipa-users] FreeIPA for Linux desktop deployment

On Wed, May 11, 2011 14:42, Stephen Gallagher wrote:
> On Tue, 2011-05-10 at 23:42 +0200, Sigbjorn Lie wrote:
>> Hi,
>> I would like to see the ipa client scripts and possibly the admin tools
>> in a nice Solaris package. This would make my job a lot easier as we have a 
>> lot of customers
>> running Solaris. :)
>> For the server part I agree with you, keep it at RHEL.
>> SSSD @ Solaris / HP-UX / AIX ... well there isn't much (if any) of the
>> UNIX vendors selling their iron as client machines anymore. And I don't
>> see a considerable benefit in adding SSSD to servers, who will be well 
>> connected to the network
>> anyway.
> Actually, SSSD is still valuable on server systems (and is used very
> often in datacenters). The reason is that it can allow a server to ride out 
> an outage in the LDAP
> and/or Kerberos server and still handle authentication and identity requests 
> from its cache.
> We've expressed interest several times in working WITH other platforms
> to help them port the SSSD, but we've received no real commitment to 
> assisting with it. We have a
> lot on our plates already, so it is difficult for us to justify spending time 
> improving our
> competitors' offerings :)
> Also, SSSD has additional features with FreeIPA integration that
> nss_ldap and pam_krb5 do not. Specifically, it has support for managing 
> access-control using
> FreeIPA's host-based access control model. This is
> a very valuable piece of the puzzle and should not be ignored.

I see you're having a valid point about the outage support. This could be 
worked around using the
"High Availability Add-on" in RHEL, sharing an IP address between your IPA 
servers, which you
would switch to the currently active IPA server.

With regards to IPA's host-based access control: What about doing access 
control through using
netgroups via the tcp wrappers?

You could still be configuring host based access control in IPA as it's 
creating transparent
netgroups for the host groups.

These are all workarounds, I assume having the functionality available trough 
the native sssd
would be of an advantage. But this way you would the mentioned extra 
functionality of SSSD without
having to do the work of supporting your competitors operating systems. :)

Well, HBAC is more complex than simply using netgroups and tcp_wrappers. For 
example, one of the planned features for an upcoming release of FreeIPA is to 
have HBAC rules with time restrictions (so that logins are only permitted 
during certain hours). Also, tcp_wrappers is very limited, since it must be 
synced to every client machine, whereas with SSSD the HBAC rules are maintained 

Freeipa-users mailing list

Reply via email to