On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
> Hi guys,
>
>
> I do not know whether it will reach ALL the lists Dmitri put in, but anyway:
>
> I am heavily interested in getting a nice inter distro product (and
> if sth works both on RH-like and Deb-like distros that's quite some
> bases covered...)
> I'm afraid I'm not able to take the responsibility of building the deb
> support myself (no skills, no time), but feel like I do need it and I
> can spend some considerable time testing
> (I'm still having a production NIS around and I would like to test the
> interoperability when it stops being 'production'...) builds if they
> appear...
>
> I feel like IPA is getting the well established components and builds
> an added value ON them and not AGAINST them, making life easier (and
> hiding the not so beautiful guts under a nice interface, too...):
> Integrating KRB5 and LDAP is something people do every now and then,
> but it comes with considerable pain of reading contradictory guides not
> updated for 10 years,
> dealing with examples using crypto mechanism that should be long forgotten...
> ('first, before configuring LDAP set up KRB5, having a test principal
> get back to this LDAP guide'
> and some two links away:
> 'first, get your LDAP feet wet, when you're able to do ldapsearch
> get back and construct those ldifs to build krb5 database in ldap'
> followed by 'make a new realm, but don't use krb5_newrealm'...).
>
> Freeipa gives hope of NOT having to deal with cn=config manually,
> (it's a really nice thing, but ldifs are sth that should be hidden
> from view, and most guides
> for ldap/krb5 integration require creating LOTS of those 'by hand',
> which makes quite a steep learning curve...).
> The abundance of PAM modules for ldap/krb5 does not make it any easier
> (shishi? heimdall? MIT?; libpam-ldap or libpam-ldapd?), nor the
> multitude of different caching tools.
> (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
>
> Having something solid to start with today's hordes of products
> requiring some auth integration thingie would be really nice
>
> OTOH that would be nice to have some documentation without EXAMPLE.COM inside
> :>
>
> I think getting freeipa working on Debian would be a great 'social'
> move, sure to be valued among the Linux community (ok, at least the
> part of community not centered on their own personal computers...),
> but the transition to 'Freeipa is widely adopted product for ...'
> would surely need more people than a couple of guys in RH raising the
> Debian cause and a few Debian users like me.
>
> Thanks to work by Alexandre Ellert it's possible to get freeipa
> working with wheezy with relatively no hassle, but I'm afraid the
> world needs more than him :>
>
> Trying that I haven't seen any obvious 'fedorisms' inside...
>
> As for 'let's have a dream' part -> I would like to see sth similar to
> nsscache included with the freeipa suite for some really lightweight
> clients,
> for more than one reason...
>
> Dmitri, thanks for raising the flag!
>
> Michał
>
> PS: Any idea for some advertisement on Debian side?

I have no idea where and how this effort can be advertised, but any ideas are welcome! I think it would be great if someone passes it on to other lists that might be interested in joining the effort.

>
> On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal <d...@redhat.com> wrote:
>> Hello,
>>
>> Sorry for cross posting to 4 different lists but it seems that this is
>> the best way to include most of people who might be interested in this
>> discussion.
>>
>> The question of "When FreeIPA will be available on Debian?" has been
>> coming up periodically on the list(s) without any resolution. However it
>> is clear that it would be beneficial for the community and the project.
>>
>> Maybe it is time to try again?
>> Let us see why it has not happened yet?
>>
>> 1) Some components need to be ported to Debian especially Dogtag and a
>> slew of its new RESTEasy dependencies. This requires time and quite an
>> effort from someone familiar with the domain.
>> 2) The code needs to be changed in installer and potentially in other
>> places as it might have had some Fedorizms blended in
>> 3) Someone needs to own packages in Debian and maintain them, someone
>> with good knowledge of the distro and time to take ownership of about 50
>> packages.
>>
>> Can we pull it off together this time?
>> Say we plan for some Dogtag and IPA domain experts to work on the port
>> during Nov 13 - Feb 14 and address 1) and 2). Would there be any
>> interest to join forces with them? Would there be anyone to take on item
>> 3) from the list above?
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipafirstname.lastname@example.org
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.