On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
> > > > Just tried to install sssd from the above repo.
> > > >
> > > > There's only packages for the old 10.04 lucid and
> > > > 10.10 maverick, nothing for 11.04 natty or 11.11
> > > > oneiric. I tried to install on natty using packages
> > > > from maverick, but it depends on packages no longer
> > > > available in the natty package tree. :(
> > > >
> > > > However for oneiric sssd 1.5.13 seems to have made it
> > > > into the universe package tree:
> > > > http://packages.ubuntu.com/oneiric/sssd
> > > >
> > > > Rgds,
> > > > Siggi
> > >
> > > Siggi,
> > >
> > > Thanks, but why would I want sssd on my client machine?
> > >
> > > Or - why would the current LDAP client that Ubuntu at least
> > > claims to have not work?
> > >
> > The reasons I've found so far are:
> >
> > * Lack of support for the host based access control rules
> >   found in IPA
> > * Need to have the config file with a username/password for
> >   the system to bind to the ldap directory readable by
> >   everyone... (not secure)
> > * SSSD uses the kerberos host key to talk to LDAP (secure)
> > * No daemon keeping track of available ldap servers, e.g. in a
> >   failover situation you'll keep asking the server that's down,
> >   delaying your client response.
> > * No offline caching of credentials (very handy if you have
> >   laptops).
> >
> > I'm sure the SSSD developers can give you lots more. :)
I think you've hit most of the major points. The less-obvious one is that it reduces load on the LDAP server as well, since all communications come from a single connection in the SSSD, whereas with traditional nss_ldap, each client application would be holding its own connection.

> Siggi,
>
> Thanks, all of those are valid. I just installed sssd on an Ubuntu
> machine here, may end up using it.
>
> But from what you are saying it still sounds like the existing LDAP
> client on Ubuntu ought to still work, even if in a less than secure
> fashion. And it doesn't seem to.

I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu before, so I know it's possible. I assume you have a configuration bug. I don't know where Ubuntu keeps its config, so I can't easily help you there.
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
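The points raised in the thread (world-readable bind password vs. host keytab, HBAC, failover, offline credentials) map directly onto client configuration. The two fragments below are an added illustration, not configuration posted by anyone in this thread or shipped by the SSSD or FreeIPA projects: the first is the classic nss_ldap/pam_ldap style file with the weak setting, the second the SSSD equivalent. The domain `example.com`, the hostnames `ipa1`/`ipa2`/`client1`, the service account DN and the password are all made up for the example; option names follow the nss_ldap and sssd.conf(5) formats.

```ini
# --- /etc/ldap.conf (classic nss_ldap / pam_ldap), the weak setup ---------
# Every process that resolves a user or group (login, ls, cron, any daemon)
# opens its own LDAP connection and reads this file, so it has to be
# world-readable. That makes the bind password readable by every local user.
uri     ldap://ipa1.example.com ldap://ipa2.example.com
base    dc=example,dc=com
binddn  uid=nssproxy,cn=sysaccounts,cn=etc,dc=example,dc=com
bindpw  s3cret                 # exposed to everyone on the box
# No daemon tracks server health: a process retries the first (dead) URI
# itself, and nothing is cached for logins when the network is gone.

# --- /etc/sssd/sssd.conf, mode 0600 owned by root ------------------------
# Only the sssd daemon reads this file; clients talk to sssd over a local
# socket, so one process holds the single LDAP connection for the host.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[nss]

[pam]

[domain/example.com]
# The IPA provider supplies identity, authentication and access control.
id_provider     = ipa
auth_provider   = ipa
chpass_provider = ipa
# Enforce IPA's host-based access control (HBAC) rules at login.
access_provider = ipa

ipa_domain   = example.com
ipa_hostname = client1.example.com

# Failover list: DNS SRV records first, then static fallbacks. sssd keeps
# track of which servers are reachable instead of each client retrying.
ipa_server = _srv_, ipa1.example.com, ipa2.example.com

# Bind to LDAP with the host principal from /etc/krb5.keytab (GSSAPI);
# there is no bind password anywhere on the client.
ldap_sasl_mech = GSSAPI

# Cache credential hashes so users who have logged in before can still
# log in while offline (laptops).
cache_credentials = True

ldap_tls_cacert = /etc/ipa/ca.crt
```

`ipa-client-install` writes a file much like the second fragment for you; the point of showing it by hand is that each of the thread's bullets corresponds to one setting (`access_provider`, `ldap_sasl_mech`, `ipa_server`, `cache_credentials`), and that the file permissions of sssd.conf are what make the "no shared secret readable by everyone" claim hold, so a quick `ls -l /etc/sssd/sssd.conf` expecting `-rw------- root root` is a worthwhile check after installing.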
