Thanks for all the feedback, I think I'll start with this route and see if I 
can get a more recent SSSD working.
And yes, I do all my documentation in Zim, and my boss is quite supportive of 
sharing the work I/we do, so if I do get this working in a nice manner I will 
certainly be more than happy to share the documentation.

As for contributing code, I'm more than a little rusty when it comes to coding 
Python(not that I was particularly good to begin with), but maybe if I get some 
spare time I could have a go at it. :)
Thanks again for all the feedback everyone.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: 16 September 2011 22:42
To: freeipa-users@redhat.com; Nalin Dahyabhai
Subject: Re: [Freeipa-users] Debian clients?

On 09/16/2011 11:19 AM, Johan Sunnerstig wrote:
I'm wondering if anyone has used FreeIPA with Debian clients, and if so, what 
client software you opted to use?
Right now I have nss-pam-ldapd (http://arthurdejong.org/nss-pam-ldapd/) and the 
MIT-based krb software that's included in Debian 6 working decently. By that I 
mean I can use it to allow logins as expected, but so far I haven't worked out 
allowing or disallowing login based on group membership.

Obviously the best solution would be a "real" IPA client, but has anyone 
attempted this? I mucked around a bit with the SSSD included in the Debian 
repos(1.2.1) but didn't get it to work. Though in all fairness I didn't try 
THAT hard since it seems like SSSD has evolved quite a bit since 1.2.1.
Is the SSSD route worthwhile?

If you can get SSSD 1.5.x (latest) working that would be best avenue as it 
supports natively IPA host based access control features.
If you manage to do so we will help you to setup it manually. If you as a 
result of this would be able to share youer experience and create a wiki page 
with the steps need to do all this manually would be awesome.

An alternative would be to try and port ipa-client to Debian.

I really just need group based logins, sudo controls I can handle based on 
groups with Puppet, but again, if the real client route isn't too much work 
that's of course preferable.

If you want something simple there might be some options in the nss ldap but 
you need to dig it from man pages or from Nalin...

I hope this makes sense, late friday and I have a horrible headache, so if it 
doesn't I apologize in advance. :)


Freeipa-users mailing list

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to