On 11/16/2011 01:09 PM, Stephen Gallagher wrote:
On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
>
> Just tried to install sssd from the above repo.
>
> There are only packages for the old 10.04 lucid and
> 10.10 maverick, nothing for 11.04 natty or 11.11
> oneiric. I tried to install on natty using packages
> from maverick, but it depends on packages no longer
> available in the natty package tree. :(
>
> However, for oneiric sssd 1.5.13 seems to have made it
> into the universe package tree:
> http://packages.ubuntu.com/oneiric/sssd
>
> Rgds,
> Siggi
>
> Siggi,
>
> Thanks, but why would I want sssd on my client machine?
>
> Or - why would the current LDAP client that Ubuntu at least
> claims to have not work?
>


> The reasons I've found so far are:
>
> * Lack of support for the host based access control rules
> found in IPA
> * Need to have the config file with a username/password for
> the system to bind to the ldap directory readable by
> everyone... (not secure)
> * SSSD uses the kerberos host key to talk to LDAP (secure)
> * No daemon keeping track of available ldap servers, e.g. in a
> failover situation you'll keep asking the server that's down,
> delaying your client response.
> * No offline caching of credentials (very handy if you have
> laptops).
>
> I'm sure the SSSD developers can give you lots more. :)

I think you've hit most of the major points. The less-obvious one is
that it reduces load on the LDAP server as well, since all
communications come from a single connection in the SSSD, whereas with
traditional nss_ldap, each client application would be holding its own
connection.


Siggi,


Thanks, all of those are valid. I just installed sssd on an Ubuntu
machine here, may end up using it.


But from what you are saying it still sounds like the existing LDAP
client on Ubuntu ought to still work, even if in a less than secure
fashion. And it doesn't seem to.
I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
before, so I know it's possible. I assume you have a configuration bug.
I don't know where Ubuntu keeps its config, so I can't easily help you
there.


See my previous postings to the list for details. Below is what should be a complete list of files that need modifications. They are self-explanatory, with syntax provided in the default file.

Various LDAP config files. I've symlinked all these config files to /etc/ldap.conf and set all settings there.
/etc/ldap.conf
/etc/ldap/ldap.conf
/etc/libnss-ldap.conf
/etc/pam_ldap.conf
/etc/sudo-ldap.conf

Kerberos:
/etc/krb5.conf

automount :
/etc/autofs_ldap_auth.conf
/etc/default/autofs

If you want nfs4+krb5, you'll need to edit these as well:
/etc/default/nfs-common
/etc/idmapd.conf

To stop some apps such as Thunderbird from crashing with nss_ldap, install nscd.
/etc/nscd.conf

Modify sshd_config and ssh_config to use GSSAPI, and to delegate credentials to hosts on your network:
/etc/ssh/sshd_config
/etc/ssh/ssh_config

ntp:
/etc/ntp.conf

Remember to make a copy of /etc/ipa/ca.crt from the IPA server to the Ubuntu machine to make SSL connections to the LDAP server.

And that should be all the files you need to edit (besides nsswitch.conf and perhaps resolv.conf). If you want the automount to work fully, you'll have to do a workaround for the race condition that often occurs at bootup, as the network is not always up when the automounter starts.


Rgds,
Siggi


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
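The "bindpw readable by everyone" point made earlier in the thread is easy to check for on a client that has been set up along the lines of the file list above. The POSIX shell script below is an added example, not code from the thread or from FreeIPA: it looks for a `bindpw` directive in nss_ldap/pam_ldap style config files and reports any such file that is world-readable. The sample files it creates under a temporary directory, their paths and their contents (the `ipa.example.com` URI, the `sysacct` bind DN, the `hunter2` password) are constructed for the example; point `audit_ldap_conf` at the real `/etc/ldap.conf`, `/etc/libnss-ldap.conf` and `/etc/pam_ldap.conf` on a client instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: audit
# nss_ldap / pam_ldap style config files for a system bind password
# ("bindpw") that sits in a file any local user can read. Every file
# name and file body produced by make_samples is constructed.

# Succeeds when FILE carries a bindpw directive.
has_bind_password() {
    [ -r "$1" ] || return 1
    grep -Eiq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

# Succeeds when FILE is readable by "other": the 8th character of the
# ls -l mode string is 'r'. Uses ls rather than stat(1) for portability.
world_readable() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Returns 0 when FILE is acceptable, 1 when it stores a bind password
# that every local user can read (the "(not secure)" case in the thread).
audit_ldap_conf() {
    if has_bind_password "$1" && world_readable "$1"; then
        printf 'INSECURE: %s stores a bind password and is world-readable\n' "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree standing in for /etc; prints its path.
make_samples() {
    d=$(mktemp -d)
    # Password in a 0644 file: exactly what the thread warns about.
    printf 'uri ldaps://ipa.example.com\nbase dc=example,dc=com\nbinddn uid=sysacct,cn=sysaccounts,cn=etc,dc=example,dc=com\nbindpw hunter2\n' > "$d/ldap.conf"
    chmod 644 "$d/ldap.conf"
    # Same password, but in a root-only 0600 file: not exposed to other users.
    printf 'binddn uid=sysacct,cn=sysaccounts,cn=etc,dc=example,dc=com\nbindpw hunter2\n' > "$d/pam_ldap.conf"
    chmod 600 "$d/pam_ldap.conf"
    # No password at all (SASL bind): fine even at 0644.
    printf 'uri ldaps://ipa.example.com\nbase dc=example,dc=com\nuse_sasl on\n' > "$d/libnss-ldap.conf"
    chmod 644 "$d/libnss-ldap.conf"
    printf '%s\n' "$d"
}

# Runs the audit over the sample tree and prints how many files failed.
count_insecure_samples() {
    d=$(make_samples)
    n=0
    for f in "$d/ldap.conf" "$d/pam_ldap.conf" "$d/libnss-ldap.conf"; do
        audit_ldap_conf "$f" || n=$((n + 1))
    done
    rm -rf "$d"
    printf '%s\n' "$n"
}

# Usage on a real client, one call per file actually in use:
#   audit_ldap_conf /etc/ldap.conf
#   audit_ldap_conf /etc/libnss-ldap.conf
#   audit_ldap_conf /etc/pam_ldap.conf
```

The 0600 case only helps for pam_ldap, whose config is read by processes that already run as root. The nss_ldap config is loaded into every process that resolves a user or group, so it has to stay world-readable, and a password placed there cannot be protected by file permissions at all; that is the situation the thread contrasts with SSSD binding with the host's Kerberos key.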
