On 11/15/2011 10:37 PM, Boris Epstein wrote:


On Tue, Nov 15, 2011 at 4:28 PM, Sigbjorn Lie <sigbj...@nixtra.com> wrote:

    On 11/15/2011 09:54 PM, Stephen Gallagher wrote:

        On Tue, 2011-11-15 at 20:40 +0000, Steven Jones wrote:

            Hi,

            I don't think there is much realistic hope of getting Windows to
            authenticate to FreeIPA......the others should be able to, and the
            Fedora docs on the FreeIPA documentation web page list a specific
            method for Macs for one (but I have not tried it yet, but I will
            be)....Ubuntu has been mentioned before....I have to try/do that as
            well....

            Siggi sent me some notes a while back,

            =============

            Ubuntu client install


        I don't have all of the details handy right now, but I know Timo
        Aaltonen was working on porting SSSD and ipa-client to Ubuntu in order
        to support the enhanced client enrollment available with those two
        packages.

        The SSSD and its dependencies are available in his PPA here:
        https://launchpad.net/~tjaalton/+archive/ppa


    Just tried to install sssd from the above repo.

    There's only packages for the old 10.04 lucid and 10.10 maverick,
    nothing for 11.04 natty or 11.11 oneiric. I tried to install on
    natty using packages from maverick, but it depends on packages no
    longer available in the natty package tree. :(

    However, for oneiric, sssd 1.5.13 seems to have made it into the
    universe package tree:
    http://packages.ubuntu.com/oneiric/sssd



    Rgds,
    Siggi


Siggi,

Thanks, but why would I want sssd on my client machine?

Or - why would the current LDAP client that Ubuntu at least claims to have not work?


The reasons I've found so far are:

* Lack of support for the host-based access control rules found in IPA
* Need to have the config file with a username/password for the system to bind to the LDAP directory readable by everyone... (not secure)
* SSSD uses the Kerberos host key to talk to LDAP (secure)
* No daemon keeping track of available LDAP servers, e.g. in a failover situation you'll keep asking the server that's down, delaying your client response.
* No offline caching of credentials (very handy if you have laptops).

I'm sure the SSSD developers can give you lots more. :)


Rgds,
Siggi
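
An added example, not part of the original thread: a small Python audit contrasting the two client setups from the list above, a legacy LDAP client file carrying a bind password versus an SSSD domain using the IPA provider. The `bindpw` keyword (nss_ldap/pam_ldap style) and the `sssd.conf` option names are the stock ones for those tools; the hostnames, DNs, file contents and file modes are constructed assumptions.

```python
import configparser
import stat

# Constructed sample: legacy nss_ldap/pam_ldap style client config.
LEGACY_CONF = """\
uri ldap://ipa.example.test
base dc=example,dc=test
binddn uid=nssbind,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw CONSTRUCTED-PLACEHOLDER
"""

# Constructed sample: SSSD domain using the IPA provider (host keytab, HBAC,
# credential cache, DNS SRV server discovery).
SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam

[domain/example.test]
id_provider = ipa
access_provider = ipa
cache_credentials = True
ipa_domain = example.test
ipa_server = _srv_, ipa.example.test
"""

def audit_legacy(text, mode):
    """Report a clear-text bind password and whether every user can read it."""
    keys = [l.split(None, 1)[0].lower() for l in text.splitlines() if l.strip()]
    if "bindpw" not in keys:
        return []
    out = ["bind password stored in clear text"]
    if mode & stat.S_IROTH:
        out.append("file holding the bind password is world-readable")
    return out

def audit_sssd(text, mode):
    """Report loose file modes and password binds in sssd.conf domains."""
    out = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append("sssd.conf is accessible to group or other")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        if "ldap_default_authtok" in cp[name]:
            out.append(name + ": bind password in ldap_default_authtok")
    return out
```

On a real host the mode argument would come from `stat.S_IMODE(os.stat(path).st_mode)` for the file being checked.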










_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
