Re: [Freeipa-devel] [Freeipa-users] FreeIPA on Debian

2013-08-31 Thread Michał Dwużnik
Hi guys,


I do not know whether it will reach ALL the lists Dmitri put in, but anyway:

I am heavily interested in getting a nice inter-distro product (and
if sth works both on RH-like and Deb-like distros that's quite some
bases covered...)
I'm afraid I'm not able to take the responsibility of building the deb
support myself (no skills, no time), but feel like I do need it and I
can spend some considerable time testing
(I'm still having a production NIS around and I would like to test the
interoperability when it stops being 'production'...) builds if they
appear...

I feel like IPA is getting the well established components and builds
an added value ON them and not AGAINST them, making life easier (and
hiding the not so beautiful guts under a nice interface, too...):
Integrating KRB5 and LDAP is something people do every now and then,
but it comes with considerable pain of reading contradictory guides not
updated for 10 years,
dealing with examples using crypto mechanisms that should be long forgotten...
('first, before configuring LDAP set up KRB5, having a test principal
get back to this LDAP guide'
 and some two links away:
 'first, get your LDAP feet wet, when you're able to do ldapsearch
get back and construct those ldifs to build krb5 database in ldap'
followed by 'make a new realm, but don't use krb5_newrealm'...).

Freeipa gives hope of NOT having to deal with cn=config manually,
(it's a really nice thing, but ldifs are sth that should be hidden
from view, and most guides
for ldap/krb5 integration require creating LOTS of those 'by hand',
which makes quite a steep learning curve...).
The abundance of PAM modules for ldap/krb5 does not make it any easier
(shishi? heimdal? MIT?; libpam-ldap or libpam-ldapd?), nor the
multitude of different caching tools.
(to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).

Having something solid to start with today's hordes of products
requiring some auth integration thingie would be really nice

OTOH that would be nice to have some documentation without EXAMPLE.COM inside :

I think getting freeipa working on Debian would be a great 'social'
move, sure to be valued among the Linux community (ok, at least the
part of community not centered on their own personal computers...),
but the transition to 'Freeipa is a widely adopted product for ...'
would surely need more people than a couple of guys in RH raising the
Debian cause and a few Debian users like me.

Thanks to work by  Alexandre Ellert it's possible to get freeipa
working with wheezy with relatively no hassle, but I'm afraid the
world needs more than him :

Trying that I haven't seen any obvious 'fedorisms' inside...

As for 'let's have a dream' part - I would like to see sth similar to
nsscache included with the  freeipa suite for some really lightweight
clients,
for more than one reason...

Dmitri, thanks for raising the flag!

Michał

PS:Any idea for some advertisement on Debian side?

On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal d...@redhat.com wrote:
 Hello,

 Sorry for cross posting to 4 different lists but it seems that this is
 the best way to include most of people who might be interested in this
 discussion.

 The question of "When FreeIPA will be available on Debian?" has been
 coming up periodically on the list(s) without any resolution. However it
 is clear that it would be beneficial for the community and the project.

 Maybe it is time to try again?
 Let us see why it has not yet happened.

 1) Some components need to be ported to Debian especially Dogtag and a
 slew of its new RESTEasy dependencies. This requires time and quite an
 effort from someone familiar with the domain.
 2) The code needs to be changed in installer and potentially in other
 places as it might have had some Fedorizms blended in
 3) Someone needs to own packages in Debian and maintain them, someone
 with good knowledge of the distro and time to take ownership of about 50
 packages.

 Can we pull it off together this time?
 Say we plan for some Dogtag and IPA domain experts to work on the port
 during Nov 13 - Feb 14 and address 1) and 2). Would there be any
 interest to join forces with them? Would there be anyone to take on item
 3) from the list above?


 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager for IdM portfolio
 Red Hat Inc.


 ___
 Freeipa-users mailing list
 freeipa-us...@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users



-- 
Michal Dwuznik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [Freeipa-users] FreeIPA on Debian

2013-08-31 Thread Arturo Borrero Gonzalez
It's a nice idea to get FreeIPA on Debian.

Let me point to some Debian resources related to FreeIPA:

http://lists.alioth.debian.org/mailman/listinfo/pkg-freeipa-devel
http://qa.debian.org/developer.php?login=pkg-freeipa-devel%40lists.alioth.debian.org

I don't know who is behind pkg-freeipa-de...@lists.alioth.debian.org.
I would recommend sending an email there, CC'ing debian-devel.

I can maintain one or two Debian packages (but not 50); however, I'm not
an official Debian Developer.

Best regards.
-- 
Arturo Borrero González
Departamento de Seguridad Informática (n...@cica.es)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía


Re: [Freeipa-devel] [Freeipa-users] FreeIPA on Debian

2013-08-31 Thread Dmitri Pal
On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
 PS:Any idea for some advertisement on Debian side?

I have no idea where and how this effort can be advertised, but any
ideas are welcome!
I think it would be great if someone passes it on to other lists that
might be interested in joining the effort.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.