Hi,

On Fri, 16 Sep 2011, Johan Sunnerstig wrote:
> Hello. I'm wondering if anyone has used FreeIPA with Debian clients,
> and if so, what client software you opted to use? Right now I have
> nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the
> MIT-based krb software that's included in Debian 6 working decently.
> By that I mean I can use it to allow logins as expected, but so far
> I haven't worked out allowing or disallowing login based on group
> membership.
>
> Obviously the best solution would be a "real" IPA client, but has
> anyone attempted this? I mucked around a bit with the SSSD included
> in the Debian repos (1.2.1) but didn't get it to work. Though in all
> fairness I didn't try THAT hard since it seems like SSSD has evolved
> quite a bit since 1.2.1. Is the SSSD route worthwhile?

I have made a first step toward supporting other platforms in FreeIPA.
FreeIPA 2.1.2 will have an infrastructure to add new "platform backends"
that implement details of platform-specific interaction with services.
This does not affect configuration files per se but rather services'
start/stop and checks for service availability.

I'm working on systemd support right now for Fedora 16 and, of course,
any help on GNU/Debian-based systems is welcome -- we are probably too
far from making the server bits distribution-independent, but for the
client side we are quite close. We 'just' miss a full-featured
replacement for Fedora's authconfig utility on the Debian side (parts of
which should be imported into FreeIPA, in my humble opinion).

If you are willing to help or have someone else with spare hands, look
at ipapython/platform/* in freeipa's upstream and check
http://fedorapeople.org/gitweb?p=abbra/public_git/freeipa.git;a=shortlog;h=refs/heads/systemd-ipa-2-1
as an example of how to extend it -- it is a work in progress too, but it
shows what you can achieve.

> I really just need group based logins, sudo controls I can handle
> based on groups with Puppet, but again, if the real client route
> isn't too much work that's of course preferable.
>
> I hope this makes sense, late Friday and I have a horrible headache,
> so if it doesn't I apologize in advance. :)

Friday night is a nice time to talk about serious stuff :)

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users