On 11/16/2011 01:09 PM, Stephen Gallagher wrote:
On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
> Just tried to install sssd from the above repo.
> There's only packages for the old 10.04 lucid and
> 10.10 maverick, nothing for 11.04 natty or 11.11
> oneiric. I tried to install on natty using packages
> from maverick, but it depends on packages no longer
> available in the natty package tree. :(
> However for oneric sssd 1.5.13 seem to have made it
> into the universe package tree:
> Thanks, but why would I want sssd on my client machine?
> Or - why would the current LDAP client that Ubuntu at least
> claims to have not work?
The reasons I've found so far is:
* Lack of support for the host based access control rules
found in IPA
* Need to have the config file with a username/password for
the system to bind to the ldap directory readable by
everyone... (not secure)
* SSSD uses the kerberos host key to talk to LDAP (secure)
* No daemon keeping track of available ldap servers, e.g. in a
failover situation you'll keep asking the server that's down,
delaying your client response.
* No offline caching of credentials (very handy if you have
I'm sure the SSSD developers can give you lots more. :)
I think you've hit most of the major points. The less-obvious one is
that at it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
Thanks, all of those are valid. I just installed sssd on an Ubuntu
machine here, may end up using it.
But from what you are saying it still sounds like the existing LDAP
client on Ubuntu ought to still work, even if in a less than secure
fashion. And it doesn't seem to.
I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
See my previous postings to the list for details. Below is what should
be a complete list of files that need modifications. They are self
explanatory, with syntax provided in the default file.
Various LDAP config files. I've symlinked all these config files into
/etc/ldap.conf and set all settings there.
If you want nfs4+krb5, you'll need to edit these as well:
For making some apps such as thunderbird not crash with nss_ldap,
Modify sshd_config and ssh_config to use GSSAPI, and to delegate
credentials to hosts on your network:
Remember to make a copy of /etc/ipa/ca.crt from the IPA server to the
Ubuntu machine to make SSL connections to the LDAP server.
And that should be all the files you need to edit (besides nsswitch.conf
and perhaps resolv.conf). If you want the automount to work fully,
you'll have to do a workaround for fixing the race condition that often
occur at bootup, as the network is not always up when the automounter
Freeipa-users mailing list