Now my more productive response ...  ;)

  o  Short version ...

SSSD support of Policy Objects is well proliferated.

  o  In bullets ...

_If_ we are going to include 'Policy Objects' ...
 - Start with the IPA ones, specifically where ...
 - SSSD**, w/o IPA, supports them so not only ...
 - All Linux distros** support them, but ...
 - Any LDAP server (OpenLDAP, 389, etc... ) does too

  o  Case-in-point ...

**This assumption is the most frustrating reality I deal with
day-in, day-out:
  "the only distro that supports it is Fedora,
   and is largely unsupported in the rest of them.
   Seems like a distro specific feature?"

I hear that from Ubuntu admins on SSSD regularly.  But then I ask them
to "humor me," and then they set up SSSD for the first time, and say 2
things ...

1)  "Why the heck was I hacking up PAM (LDAP/KRB5), Samba (Winbindd)
and dealing with flaky NSCD?"

SSSD was designed by some of the best Samba and Directory Server
maintainers for a reason.  Many things that SSSD implemented have been
ported and patched into Winbindd, but that doesn't solve the root issues that
SSSD does.

2)  "But can't there be an easier, single client that prevents me from
having to set up anything?"

That's IPA Client.  If distros would have adopted and integrated
NSS/389/Dogtag some dozen (12) years ago, then IPA Client would be a
no-brainer.  But because they didn't, they are behind.

  o  The cringe-worthy ...

The sad thing here is, AD architects follow me better than Linux
"enthusiasts."  Especially when I explain the SSSD modular stack as being
like the NT LSA modular stack.

I literally _cringe_ when Linux "enthusiasts" tell client
stakeholders, "Oh, Linux doesn't have something like that, or it's not
easy to support, so just buy" ... (insert really expensive,
proprietary client).

It's _not_ about IPA at all.
It's about Policy Objects.
SSSD supports them, including ...
With_out_ IPA.

IPA is really _nothing_ more than a 'canned' LDAP + Kerberos + DNS +
Certificate + Policy + etc..., and relies on all the features in SSSD
stack on the client side ...

Just like AD relies on the LSA stack on the client side.

If your distro supports SSSD, and virtually _everyone_ does today, a
number of Policy Objects are supported out-of-the-box.  That's what
this is literally about, _not_ the directory server.

Now the added reality is ... imagine if you had to setup AD-LDAP
'manually' and other things, with MS-Kerberos, etc...   No, the
Windows world wouldn't accept that.  Heck, Canonical doesn't even

IPA is just well-liked because you run ipa-client, and you're done.
You don't have to hack up files, from PAM to SSSD to LDAP to Kerberos
to various RPC to others.  But you do _not_ need to do such.  You can
use _any_ LDAP server for many of the policies.

_Every_ distro has SSSD now, and most have the IPA Client ported over.
But because they didn't integrate the NSS/389/Dogtag stack a dozen
years ago, they are shotgunning efforts now.

Has _nothing_ to do with "distro-specific," but user ignorance.  Many
users of many distros don't work in corporate environments where they
push open source first.  They just buy something proprietary instead.

That's the problem.  ;)

-- bjs
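To make the message's point concrete, the kind of client-side policy it says SSSD supports without IPA (who may log in, whether expired accounts are refused, sudo rules) can be expressed in a plain sssd.conf against a generic LDAP server. This is an added example, not configuration posted by anyone in this thread; the host ldap.example.com, the base DN dc=example,dc=com, the group and OU names and the CA certificate path are assumed placeholders.

```ini
# /etc/sssd/sssd.conf  (added example; host, DNs, group names and CA path are assumed)
[sssd]
services = nss, pam, sudo
domains = corp

[domain/corp]
# Identity and authentication straight from a generic LDAP server, no IPA involved.
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis

# Insist on a verified TLS connection to the directory; refuse unverifiable certificates.
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
ldap_tls_reqcert = demand

# Host-based access policy: only members of the named group may log in on this host,
# and accounts past their shadow expiry are refused even with a valid password.
access_provider = ldap
ldap_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)
ldap_access_order = filter, expire
ldap_account_expire_policy = shadow

# sudo rules (sudoRole objects) served from the same directory instead of /etc/sudoers edits.
sudo_provider = ldap
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com

# Offline logins use cached credential hashes; keep enumeration off for large directories.
cache_credentials = true
enumerate = false

[nss]
[pam]
[sudo]
```

The file must be owned by root with mode 0600 or sssd refuses to start. For the sudo rules to be consulted, /etc/nsswitch.conf needs `sudoers: files sss`; after changing rules in the directory, `sss_cache -E` invalidates the local cache so the new policy takes effect immediately rather than at cache expiry.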

On Wed, Sep 21, 2016 at 7:16 AM, Bryan Smith <> wrote:
> Again, ignorance is bliss.
> DISCLAIMER: Sent from phone, please excuse any typos
> --
> Bryan J Smith - Technology Mercenary
> - -
> On Sep 21, 2016 07:09, "Mark Clarke" <> wrote:
>> On 21/09/2016 12:58, Bryan Smith wrote:
>> >
>> > They used to say the same thing about NSS/389/Dogtag.  Now every
>> > distribution is hacking in support for SSSD and IPA.  Why is that? ;)
>> >
>> > E.g., how many people used to not only OpenLDAP was the only open
>> > source directory server, but say inherent, multi-master replication
>> > wasn't available or didn't work well?
>> >
>> > I.e., cannot help if people are unfamiliar, and distributions don't
>> > get enough maintainers to port it. The first time someone sees AD
>> > Forest Trusts at work, they are instantly drawn to it. Heck, just the
>> > SSSD portion draws them.
>> >
>> I wouldn't say NSS/389/Dogtag has been widely adopted outside RedHat yet
>> - it very well might be an emerging technology but it's not something
>> every sys admin needs to know. If it's included at an "awareness level"
>> then ok - but until it gets widespread adoption, and mind share, I
>> can't agree that it should be covered in any more detail. To be frank I
>> think the coverage in 303 is overboard. BTRFS and ZFS should have
>> a much bigger weighting in the certs - but that is not relevant here :)
>> --
>> Mark Clarke
>> 📱  +2711-781 8014
>> 🌠
>> _______________________________________________
>> lpi-examdev mailing list


Bryan J Smith  -