On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote:
> > 
> > Are there any issues you are seeing with IPA's sssd_be? It would
> > definitely be better to fix those first rather than attempting a
> > workaround like this.
> 
> I've earlier been hit by a bug in nested groups (or netgroups) where the
> ipa backend would segfault, leaving sssd running but unable to
> authenticate. 
> 
> I believe it was this problem:
> 
>       
> https://fedorahosted.org/sssd/changeset/db90c1b60c729995f34af2431ede61ea7493e540/
> 
> And therefore wonder if it makes sense, or even is advisable to have
> backup backends to make sure to never lose the user database.
> 
> 

In general the IPA backend is more or less a wrapper around the LDAP and
Kerberos backends with defaults set to match the IPA server setup and
couple of exceptions:
    * nested groups are handled differently (due to the memberof
      attribute)
    * initgroups can be handled differently (due to the memberof
      attribute)
    * the netgroups code is different, IPA has native netgroups support

So in the above cases, you might be able to work around a bug in the IPA
provider by following a different code path, but in the general case,
the same bugs would exist in both IPA and LDAP/Kerberos.

Plus some features are IPA specific at the time being such as IPA support
of HBAC access control rules and SELinux user mappings.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to