On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote:
> > Are there any issues you are seeing with IPA's sssd_be? It would
> > definitely be better to fix those first rather than attempting a
> > workaround like this.
> I've earlier been hit by a bug in nested groups (or netgroups) where the
> ipa backend would segfault, leaving sssd running but unable to
> I believe it was this problem:
> And therefore wonder if it makes sense, or even is advisable to have
> backup backends to make sure to never lose the user database.
In general, the IPA backend is more or less a wrapper around the LDAP and
Kerberos backends with defaults set to match the IPA server setup and
a couple of exceptions:
* nested groups are handled differently (due to the memberof
* initgroups can be handled differently (due to the memberof
* the netgroups code is different, IPA has native netgroups support
So in the above cases, you might be able to work around a bug in the IPA
provider by following a different code path, but in the general case,
the same bugs would exist in both IPA and LDAP/Kerberos.
Plus, some features are IPA-specific for the time being, such as IPA support
of HBAC access control rules and SELinux user mappings.