Re: [Freeipa-users] hesitate to deploy freeipa
Hi Simo,

On 06/25/15 17:47, Simo Sorce wrote:
> Harald, the reason I (and others) started this project many years ago is that trying to set up all components myself was boring and highly error prone, and you would always end up with a bag of parts that had a lot of mismatches, and some functionality was always missing or poor or incomplete, due to the imperfect integration.
>
> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.

Sorry to say, but this part is not in yet. ipa-client-install is included in RedHat/Fedora/Centos. On Debian it is improving (meaning I have to backport it from Testing to Jessie and Wheezy and hope), but for my other Unixes (Solaris, AIX, Suse, all designed more than 5 years ago) I have to do the plumbing on my own. It's a lot of work, but I can live with that.

Missing client support is not the problem. The problem is that I do have a working environment (using NIS). NIS is deeply integrated everywhere for +20 years. I understand that NIS is not safe to use, but it is rock solid and *extremely* easy to manage and repair. If something goes wrong, then I can edit a file, run make -C /var/yp and it's done.

If something goes wrong with freeipa, then in the best case I have to find the bad component and fix it, as for NIS. Worst case is that 2 or more components disagree somehow. There would be several options to solve this:

a) use low level component tools to manipulate their data, hoping to not make incompatible changes breaking things in other components of freeipa

b) ask for help on the mailing list, which might imply a downtime of several hours and then option a)

Both options don't appear very attractive to me.

> The best option is to study the individual components and how they are integrated,

That's the point: It is not sufficient to study the individual components. You have to know how they work together. For example, you have to know the constructs you should avoid in component A to make sure that you don't break other components of Freeipa.

> just like you (presumably) studied how a Unix/Linux OS is put together and operates. An OS is not simpler in any way, but you probably do not see the complexity as menacing anymore because you are familiar with how it works.

I am telling this to myself again and again, but it's not sufficient to get rid of the bad feeling about it.

Anyway, please don't get me wrong on this: I highly appreciate the work you and all the others do on creating and improving Freeipa. I completely agree that a modern way of identity management replacing historic tools like NIS and LDAP is overdue.

Regards
Harri

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] hesitate to deploy freeipa
On Mon, 29 Jun 2015, Harald Dunkel wrote:
> Hi Simo,
>
> On 06/25/15 17:47, Simo Sorce wrote:
>> Harald, the reason I (and others) started this project many years ago is that trying to set up all components myself was boring and highly error prone, and you would always end up with a bag of parts that had a lot of mismatches, and some functionality was always missing or poor or incomplete, due to the imperfect integration.
>>
>> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.
>
> Sorry to say, but this part is not in yet. ipa-client-install is included in RedHat/Fedora/Centos. On Debian it is improving (meaning I have to backport it from Testing to Jessie and Wheezy and hope), but for my other Unixes (Solaris, AIX, Suse, all designed more than 5 years ago) I have to do the plumbing on my own. It's a lot of work, but I can live with that.

One way to improve support for other operating systems is by contributing. I'd certainly look forward to patches coming to support these other clients.

> Missing client support is not the problem. The problem is that I do have a working environment (using NIS). NIS is deeply integrated everywhere for +20 years. I understand that NIS is not safe to use, but it is rock solid and *extremely* easy to manage and repair. If something goes wrong, then I can edit a file, run make -C /var/yp and it's done.
>
> If something goes wrong with freeipa, then in the best case I have to find the bad component and fix it, as for NIS. Worst case is that 2 or more components disagree somehow. There would be several options to solve this:
>
> a) use low level component tools to manipulate their data, hoping to not make incompatible changes breaking things in other components of freeipa
>
> b) ask for help on the mailing list, which might imply a downtime of several hours and then option a)
>
> Both options don't appear very attractive to me.

Do you have specific problems with slapi-nis support for NIS services? Do you mind filing bugs with details? https://fedorahosted.org/slapi-nis/ is where you should file those bugs.

>> The best option is to study the individual components and how they are integrated,
>
> That's the point: It is not sufficient to study the individual components. You have to know how they work together. For example, you have to know the constructs you should avoid in component A to make sure that you don't break other components of Freeipa.

This is not really different for other complex environments. What we are trying with FreeIPA is to get defaults right for the majority of cases where people who don't know all the details need to start quick and efficient, including security aspects.

--
/ Alexander Bokovoy
Re: [Freeipa-users] hesitate to deploy freeipa
On (26/06/15 10:10), Prasun Gera wrote:
>> More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant). I.e. the client side is *in the worst case* (without ipa-client-install) equally hard to set up as for any home-made solution.
>
> Yes, on Ubuntu 12.04, the issue is probably more related to the script than the underlying packages, which I upgraded from their respective ppas. The most complete documentation for getting ipa running, ironically, comes from this bug report https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215 which is marked as won't fix. (This affects 12.04 btw which is lts).
>
> On FreeNAS, it has to do with Heimdal v/s MIT kerberos. https://bugs.pcbsd.org/issues/2147

SSSD on FreeBSD is compiled with MIT kerberos (/usr/local/*) and not with the default Heimdal which is in the standard paths.

LS
Re: [Freeipa-users] hesitate to deploy freeipa
Hi Harald

Perhaps you should not think of FreeIPA as a product. Perhaps a better analogy is a Product Stack. Another example would be LAMP. And as far as I can make out, the point of the FreeIPA project is to better integrate the various products that build the stack.

A very important factor - at least to me - is this community: It is vibrant and active, you get advice, they listen and change things. For example I can think of at least 3 changes made to the documentation in the last few months due to mistakes I had made!

I second the use of Apache Directory Studio - very useful for peeking under the hood and studying the guts of your LDAP directory.

Cheers

Chris

From: Rich Megginson rmegg...@redhat.com
To: freeipa-users@redhat.com
Date: 25.06.2015 20:32
Subject: Re: [Freeipa-users] hesitate to deploy freeipa
Sent by: freeipa-users-boun...@redhat.com

On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> On 25.06.2015 at 17:47, Simo Sorce wrote:
>> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.
>
> Sure, the problem space is a lot more complex than say ls. But I think there is room for improvement, by making the individual tools somewhat more resilient to unexpected behaviour in other components.

+1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.

> For example, if there's any nsuniqueid group present in a user's entry, login authentication via sssd breaks with a cryptic error message. It would be nice, IMO, if it didn't break or if it at least issued a better error message.

Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

> Furthermore, a good graphical generic LDAP editor would make the admin's life significantly easier, IMO. I so far haven't found one.
>
> There's gq, which works, mostly, but crashes relatively frequently. I'm mostly using ldapvi now, which works quite well but only after studying its manual.

Have you tried Apache Directory Studio?

> Thomas
Re: [Freeipa-users] hesitate to deploy freeipa
On 26.6.2015 09:21, Christopher Lamb wrote:
> A very important factor - at least to me - is this community: It is vibrant and active, you get advice, they listen and change things. For example I can think of at least 3 changes made to the documentation in the last few months due to mistakes I had made!

BTW if you feel that something is incorrect (not only) in the docs please file a bug. If you want to contribute even more then feel free to send a patch! The Git repository with the documentation source code is available to you.

See http://www.freeipa.org/page/Contribute/Documentation for further details or ask this list.

Have a nice day!

--
Petr^2 Spacek
Re: [Freeipa-users] hesitate to deploy freeipa
I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing. However, if you already have a network of old and new machines running different versions and flavours of unix, there is significantly more work involved. That is, there is significant complexity on the client side code as well which should not be discounted. Do a survey of the state of client side support on different distributions. From my experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to 'future' on FreeNAS, which is BSD based. IMO this is one of the major hurdles for wider adoption.

On Fri, Jun 26, 2015 at 12:47 AM, Petr Spacek pspa...@redhat.com wrote:
> On 26.6.2015 09:21, Christopher Lamb wrote:
>> A very important factor - at least to me - is this community: It is vibrant and active, you get advice, they listen and change things. For example I can think of at least 3 changes made to the documentation in the last few months due to mistakes I had made!
>
> BTW if you feel that something is incorrect (not only) in the docs please file a bug. If you want to contribute even more then feel free to send a patch! The Git repository with the documentation source code is available to you.
>
> See http://www.freeipa.org/page/Contribute/Documentation for further details or ask this list.
>
> Have a nice day!
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] hesitate to deploy freeipa
On (26/06/15 12:48), Petr Spacek wrote:
> On 26.6.2015 12:18, Lukas Slebodnik wrote:
>> On (26/06/15 01:29), Prasun Gera wrote:
>>> I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing. However, if you already have a network of old and new machines running different versions and flavours of unix, there is significantly more work involved. That is, there is significant complexity on the client side code as well which should not be discounted. Do a survey of the state of client side support on different distributions. From my experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to
>>
>> ipa-client-install is not properly ported to ubuntu 12.04 and moreover there is quite an old version of sssd (1.11.5-1) there which contains many bugs. Lots of them are fixed in upstream 1.11.7 and some of them in 1.11.8 which we would like to release in a few weeks. So if you hit bugs on ubuntu 12.04 please try the latest upstream version (1.11) or file bugs to ubuntu.
>>
>>> 'future' on FreeNAS, which is BSD based. IMO this is one of the major hurdles for wider adoption.
>>
>> FreeNAS is based on FreeBSD and ipa-client-install is not available there. The only benefit is a newer version of sssd (1.11.7) than in ubuntu 12.04. There was also a thread here (freeipa-users) with a document describing the steps for configuration on FreeBSD.
>
> More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant). I.e. the client side is *in the worst case* (without ipa-client-install) equally hard to set up as for any home-made solution.

There is a ticket[1] for a description of the steps done by ipa-client-install. One use-case is the containers world and another is to help others to manually configure a machine against FreeIPA. It is planned for the FreeIPA 4.2 release so I hope it will be finished on time.

LS

[1] https://fedorahosted.org/freeipa/ticket/4993
Re: [Freeipa-users] hesitate to deploy freeipa
> More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant). I.e. the client side is *in the worst case* (without ipa-client-install) equally hard to set up as for any home-made solution.

Yes, on Ubuntu 12.04, the issue is probably more related to the script than the underlying packages, which I upgraded from their respective ppas. The most complete documentation for getting ipa running, ironically, comes from this bug report https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1280215 which is marked as won't fix. (This affects 12.04 btw which is lts).

On FreeNAS, it has to do with Heimdal v/s MIT kerberos. https://bugs.pcbsd.org/issues/2147
Re: [Freeipa-users] hesitate to deploy freeipa
hi,

On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel harald.dun...@aixigo.de wrote:
> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools following the Unix paradigm (do one thing and do it well) don't help anymore. I can speak only for my own stomach, but it turns upside down when I think about this.

my 2 cents: any organization growing its linux/unix computer park beneath a certain threshold will come across the problem of synchronizing its user and group information across the whole computer fleet. On top of that, organizations are increasingly feeling the need to prove (compliance, in management terms) that the communication protocols used to exchange information between the internal systems are secure (this is especially true in the US because of e-commerce laws, but also in post Snowden Europe). So you need to use tls and kerberos in your internal communications.

You can try and run all that using the stock software by MIT/Heimdal, coupled to openldap and openssl, but I pretty much doubt you will get a nicer and easier to use product than what you already can get using freely available software thanks to the Red Hat folks. I've done it, it worked but it was complicated for new staff and difficult to delegate because everything was cli based (not help-desk friendly).

Is it new and daunting at first? Sure, if you have never been exposed to ldap/kerberos/tls before this is a lot to wrap your head around the first time. But let me assure you, the protocol knowledge you will gain by learning this will be a big win for you as an IT professional because you will come across those systems everywhere (and certainly not only in linux networks but anywhere computers are used in enterprise networks).

Besides these points, freeipa offers so much more. Thanks to sssd you can actually have laptops leave the network and authenticate while on the road, for instance, putting it on par with Windows on that point. You can use OTP and two factor authentication for vpn networks. You can have a central automounter. You can have true role based access control (these users may login using those protocols on those hosts, but not on the others). You have centralized sudo rules. We will soon have subordinate certificate authorities and user certificates. People are using the native ldap database for plenty of applications (basically, most things you can use ldap for), tying it to their configuration management solutions using 'legacy' netgroups databases. And obviously, people are integrating it into their Windows AD infrastructure using kerberos trusts or plain ldap replication.

There is room for improvement. I am looking forward to using smartcard certificates with kerberos (PKINIT) for dumping user passwords (at least admin passwords). SAML integrations (getting there with ipsilon), kerberos trusts between ipa realms, ..., etc.

So the question is not really why you hesitate to deploy ipa, but why you have not deployed it yet ;-)

--
Groeten,
natxo
Re: [Freeipa-users] hesitate to deploy freeipa
On (26/06/15 01:29), Prasun Gera wrote:
> I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing. However, if you already have a network of old and new machines running different versions and flavours of unix, there is significantly more work involved. That is, there is significant complexity on the client side code as well which should not be discounted. Do a survey of the state of client side support on different distributions. From my experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to

ipa-client-install is not properly ported to ubuntu 12.04 and moreover there is quite an old version of sssd (1.11.5-1) there which contains many bugs. Lots of them are fixed in upstream 1.11.7 and some of them in 1.11.8 which we would like to release in a few weeks. So if you hit bugs on ubuntu 12.04 please try the latest upstream version (1.11) or file bugs to ubuntu.

> 'future' on FreeNAS, which is BSD based. IMO this is one of the major hurdles for wider adoption.

FreeNAS is based on FreeBSD and ipa-client-install is not available there. The only benefit is a newer version of sssd (1.11.7) than in ubuntu 12.04. There was also a thread here (freeipa-users) with a document describing the steps for configuration on FreeBSD.

LS
Re: [Freeipa-users] hesitate to deploy freeipa
On 26.6.2015 12:18, Lukas Slebodnik wrote:
> On (26/06/15 01:29), Prasun Gera wrote:
>> I've found that if you are setting up a new environment from scratch which is mostly going to involve RHEL/Fedora systems, and that you have full control over your network including DNS, DHCP etc., it should mostly be smooth sailing. However, if you already have a network of old and new machines running different versions and flavours of unix, there is significantly more work involved. That is, there is significant complexity on the client side code as well which should not be discounted. Do a survey of the state of client side support on different distributions. From my experience, Ubuntu 12.04 is iffy. There's also an open ticket pushed to
>
> ipa-client-install is not properly ported to ubuntu 12.04 and moreover there is quite an old version of sssd (1.11.5-1) there which contains many bugs. Lots of them are fixed in upstream 1.11.7 and some of them in 1.11.8 which we would like to release in a few weeks. So if you hit bugs on ubuntu 12.04 please try the latest upstream version (1.11) or file bugs to ubuntu.
>
>> 'future' on FreeNAS, which is BSD based. IMO this is one of the major hurdles for wider adoption.
>
> FreeNAS is based on FreeBSD and ipa-client-install is not available there. The only benefit is a newer version of sssd (1.11.7) than in ubuntu 12.04. There was also a thread here (freeipa-users) with a document describing the steps for configuration on FreeBSD.

More importantly, ipa-client-install is just a thin configuration tool. If ipa-client-install is not available on your platform you can configure everything manually and it will work (as long as the client is standard-compliant). I.e. the client side is *in the worst case* (without ipa-client-install) equally hard to set up as for any home-made solution.

--
Petr^2 Spacek
Re: [Freeipa-users] hesitate to deploy freeipa
On Thu, 2015-06-25 at 15:33 +, Craig White wrote:
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Harald Dunkel
> Sent: Wednesday, June 24, 2015 12:07 AM
> To: freeipa-users
> Subject: [Freeipa-users] hesitate to deploy freeipa
>
> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools following the Unix paradigm (do one thing and do it well) don't help anymore. I can speak only for my own stomach, but it turns upside down when I think about this.
>
> Your thoughts on this?
>
> Well, it's a good thing that you don't use XWindows. You already have a humble opinion on something that you aren't using yet? Seriously? It's clearly not for you, thanks for playing.
>
> Craig

Craig, it is a legitimate question to ask, there is no need to make snarky remarks.

Harald, the reason I (and others) started this project many years ago is that trying to set up all components myself was boring and highly error prone, and you would always end up with a bag of parts that had a lot of mismatches, and some functionality was always missing or poor or incomplete, due to the imperfect integration.

Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.

The best option is to study the individual components and how they are integrated, just like you (presumably) studied how a Unix/Linux OS is put together and operates. An OS is not simpler in any way, but you probably do not see the complexity as menacing anymore because you are familiar with how it works.

The same familiarity can be attained with FreeIPA, all the components are available, the configuration directives are mostly where you expect them to be, and all the glue code is in the FreeIPA repositories if you want to go deep into the minutiae, and understand the nuanced integration for some of the plumbing. It can be studied and understood.

I would say that time would be better invested in learning how FreeIPA works rather than trying to build your own and be the only one that knows (or forgets) how things were put together ad hoc. Collaborating on a project means you are not alone and can share experiences, ask for help and in general get up to speed with various parts of the infrastructure as you need it, not being forced to know everything like a pro before even starting.

This is my humble opinion.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] hesitate to deploy freeipa
+1. After maintaining these components separately for years, getting everything as a single package with tested integration between them from release-to-release is huge.

If you are worried about the complexity, take a look at any good Windows Server documentation set. It's thousands of pages. RH IPA doesn't have this advantage, but the fact that it's gaining traction without all that says a lot of good things to me.

Sent from my iPhone

On Jun 25, 2015, at 07:40, Petr Spacek pspa...@redhat.com wrote:
> On 24.6.2015 09:06, Harald Dunkel wrote:
>> Hi folks,
>>
>> I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools following the Unix paradigm (do one thing and do it well) don't help anymore. I can speak only for my own stomach, but it turns upside down when I think about this.
>>
>> Your thoughts on this?
>
> Yes, FreeIPA is complex. On the other hand, you will get the same complexity when you try to integrate the same services yourself + you will get all the maintenance cost as a bonus. I can speak from my own sysadmin experience :-)
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] hesitate to deploy freeipa
On 24.6.2015 09:06, Harald Dunkel wrote:
> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex and depends upon too many systems working together correctly (IMHO). My concern is, if there is a problem, then the usual tools following the Unix paradigm (do one thing and do it well) don't help anymore. I can speak only for my own stomach, but it turns upside down when I think about this.
>
> Your thoughts on this?

Yes, FreeIPA is complex. On the other hand, you will get the same complexity when you try to integrate the same services yourself + you will get all the maintenance cost as a bonus. I can speak from my own sysadmin experience :-)

--
Petr^2 Spacek
Re: [Freeipa-users] hesitate to deploy freeipa
On 06/25/2015 12:12 PM, Thomas Sailer wrote:
> On 25.06.2015 at 17:47, Simo Sorce wrote:
>> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.
>
> Sure, the problem space is a lot more complex than say ls. But I think there is room for improvement, by making the individual tools somewhat more resilient to unexpected behaviour in other components.

+1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.

> For example, if there's any nsuniqueid group present in a user's entry, login authentication via sssd breaks with a cryptic error message. It would be nice, IMO, if it didn't break or if it at least issued a better error message.

Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

> Furthermore, a good graphical generic LDAP editor would make the admin's life significantly easier, IMO. I so far haven't found one.
>
> There's gq, which works, mostly, but crashes relatively frequently. I'm mostly using ldapvi now, which works quite well but only after studying its manual.

Have you tried Apache Directory Studio?

> Thomas
Re: [Freeipa-users] hesitate to deploy freeipa
On 25.06.2015 at 17:47, Simo Sorce wrote:
> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.

Sure, the problem space is a lot more complex than say ls. But I think there is room for improvement, by making the individual tools somewhat more resilient to unexpected behaviour in other components.

For example, if there's any nsuniqueid group present in a user's entry, login authentication via sssd breaks with a cryptic error message. It would be nice, IMO, if it didn't break or if it at least issued a better error message.

Furthermore, a good graphical generic LDAP editor would make the admin's life significantly easier, IMO. I so far haven't found one. There's gq, which works, mostly, but crashes relatively frequently. I'm mostly using ldapvi now, which works quite well but only after studying its manual.

Thomas
Re: [Freeipa-users] hesitate to deploy freeipa
On Thu, Jun 25, 2015 at 12:30:24PM -0600, Rich Megginson wrote:
> On 06/25/2015 12:12 PM, Thomas Sailer wrote:
>> On 25.06.2015 at 17:47, Simo Sorce wrote:
>>> Yes, the whole project is complex, but not because we like complexity, it is complex because the problem space is complex and we are bound to use existing protocols, which sometimes add in complexity, and we want to offer useful features to admins, so they can think about managing stuff and not about the plumbing all the time.
>>
>> Sure, the problem space is a lot more complex than say ls. But I think there is room for improvement, by making the individual tools somewhat more resilient to unexpected behaviour in other components.
>
> +1 - just look at the bug lists for freeipa, 389, sssd, dogtag, etc.
>
>> For example, if there's any nsuniqueid group present in a user's entry, login authentication via sssd breaks with a cryptic error message. It would be nice, IMO, if it didn't break or if it at least issued a better error message.
>
> Sure. For starters, there's https://fedorahosted.org/389/ticket/48161

On the SSSD side there's https://fedorahosted.org/sssd/ticket/2605 to deal with this problem.

I'm genuinely interested in hearing how we can improve SSSD! Please file tickets or start threads on sssd-users/sssd-devel!