[Freeipa-devel] [Freeipa-users] FreeIPA on Debian

Michał Dwużnik michal.dwuznik at gmail.com
Sat Aug 31 19:50:57 UTC 2013


Hi guys,


I do not know whether it will reach ALL the lists Dmitri put in, but anyway:

I am heavily interested in getting a nice inter distro product (and
if sth works both on RH-like and Deb-like distros that's quite some
bases covered...)
I'm afraid I'm not able to take the responsibility of building the deb
support myself (no skills, no time), but feel like I do need it and I
can spend some considerable time testing
(I'm still having a production NIS around and I would like to test the
interoperability when it stops being 'production'...) builds if they
appear...

I feel like IPA is getting the well established components and builds
an added value ON them and not AGAINST them, making life easier (and
hiding the not so beautiful guts under a nice interface, too...):
Integrating KRB5 and LDAP is something people do every now and then,
but it comes with considerable pain of reading contradictory guides not
updated for 10 years,
dealing with examples using crypto mechanism that should be long forgotten...
('first, before configuring LDAP set up KRB5, having a test principal
get back to this LDAP guide'
 and some two links away:
 'first, get your LDAP feet wet, when you're able to do ldapsearch
get back and construct those ldifs to build krb5 database in ldap'
followed by 'make a new realm, but don't use krb5_newrealm'...).

Freeipa gives hope of NOT having to deal with cn=config manually,
(it's a really nice thing, but ldifs are sth that should be hidden
from view, and most guides
for ldap/krb5 integration require creating LOTS of those 'by hand',
which makes quite a steep learning curve...).
The abundance of PAM modules for ldap/krb5 does not make it any easier
(shishi? heimdal? MIT?; libpam-ldap or libpam-ldapd?), nor the
multitude of different caching tools.
(to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).

Having something solid to start with today's hordes of products
requiring some auth integration thingie would be really nice

OTOH that would be nice to have some documentation without EXAMPLE.COM inside :>

I think getting freeipa working on Debian would be a great 'social'
move, sure to be valued among the Linux community (ok, at least the
part of community not centered on their own personal computers...),
but the transition to 'Freeipa is a widely adopted product for ...'
would surely need more people than a couple of guys in RH raising the
Debian cause and a few Debian users like me.

Thanks to work by Alexandre Ellert it's possible to get freeipa
working with wheezy with relatively no hassle, but I'm afraid the
world needs more than him :>

Trying that I haven't seen any obvious 'fedorisms' inside...

As for 'let's have a dream' part -> I would like to see sth similar to
nsscache included with the freeipa suite for some really lightweight
clients,
for more than one reason...

Dmitri, thanks for raising the flag!

Michał

PS: Any idea for some advertisement on Debian side?

On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal <dpal at redhat.com> wrote:
> Hello,
>
> Sorry for cross posting to 4 different lists but it seems that this is
> the best way to include most of people who might be interested in this
> discussion.
>
> The question of "When FreeIPA will be available on Debian?" has been
> coming up periodically on the list(s) without any resolution. However it
> is clear that it would be beneficial for the community and the project.
>
> Maybe it is time to try again?
> Let us see why it yet has not happened?
>
> 1) Some components need to be ported to Debian especially Dogtag and a
> slew of its new RESTEasy dependencies. This requires time and quite an
> effort from someone familiar with the domain.
> 2) The code needs to be changed in installer and potentially in other
> places as it might have had some Fedorizms blended in
> 3) Someone needs to own packages in Debian and maintain them, someone
> with good knowledge of the distro and time to take ownership of about 50
> packages.
>
> Can we pull it off together this time?
> Say we plan for some Dogtag and IPA domain experts to work on the port
> during Nov 13 - Feb 14 and address 1) and 2). Would there be any
> interest to join forces with them? Would there be anyone to take on item
> 3) from the list above?
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>



-- 
Michal Dwuznik



