[Freeipa-users] Debian clients?

Sigbjorn Lie sigbjorn at nixtra.com
Fri Sep 16 18:21:43 UTC 2011


On 09/16/2011 05:19 PM, Johan Sunnerstig wrote:
> Hello.
> I'm wondering if anyone has used FreeIPA with Debian clients, and if 
> so, what client software you opted to use?
> Right now I have nss-pam-ldapd 
> (http://arthurdejong.org/nss-pam-ldapd/) and the MIT-based krb 
> software that's included in Debian 6 working decently. By that I mean 
> I can use it to allow logins as expected, but so far I haven't worked 
> out allowing or disallowing login based on group membership.
>
> Obviously the best solution would be a "real" IPA client, but has 
> anyone attempted this? I mucked around a bit with the SSSD included in 
> the Debian repos (1.2.1) but didn't get it to work. Though in all 
> fairness I didn't try THAT hard since it seems like SSSD has evolved 
> quite a bit since 1.2.1.
> Is the SSSD route worthwhile?
>
> I really just need group based logins, sudo controls I can handle 
> based on groups with Puppet, but again, if the real client route isn't 
> too much work that's of course preferable.
>
> I hope this makes sense, late Friday and I have a horrible headache, 
> so if it doesn't I apologize in advance. :)

Hi Johan,

I'm using Ubuntu with FreeIPA. I'm not using the ldapd as I've found it 
unreliable. I'm using the libnss-ldap and manually configured kerberos. 
ldapd does not support nested groups last I checked, that's a downside 
too. It's not perfect, sssd would have been better, but it works just fine.

If you lower the bind_timelimit and timelimit quite low (a few seconds) 
it's not too bad when an IPA server is unavailable. nscd is required to 
overcome some issues with the libnss-ldap. (Such as Thunderbird 
segfaulting...)

I've used cfengine to make an IPA config script for clients not 
supporting sssd and ipa-client-install. I'm sure you could do the same 
with puppet.

To get group based login, I've used the AllowGroups property in sshd.

Hope this makes sense. :)

Regards,
Siggi
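The AllowGroups approach above only works if sshd sees the LDAP/IPA groups through NSS (libnss-ldap plus nscd in this setup). The following is an added example, not code from the thread: a small POSIX shell checker that evaluates an sshd_config AllowGroups line with sshd's semantics (first occurrence wins, `*`/`?` glob patterns, any matching primary or supplementary group admits the user) against the groups `id -nG` resolves, so an admin can confirm which IPA users would be admitted before rolling the config out. The config text and group names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Checks an sshd AllowGroups
# policy against the group list NSS returns for a user. Group names here
# are constructed sample values, not real IPA groups.

SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
# only the IPA group ipausers-ssh and any admin-* group may log in
AllowGroups ipausers-ssh admin-*
'

# allow_groups_patterns CONFIG: print the patterns of the first AllowGroups
# line (sshd keywords are case-insensitive; the first occurrence is used).
allow_groups_patterns() {
    printf '%s\n' "$1" |
        awk 'tolower($1) == "allowgroups" { $1 = ""; print substr($0, 2); exit }'
}

# user_allowed CONFIG GROUPS: GROUPS is space-separated, as printed by
# `id -nG user`. Returns 0 if any group matches any pattern (shell glob
# semantics, like sshd), 1 otherwise. Without an AllowGroups line sshd
# applies no group restriction, so every user passes this check.
user_allowed() {
    patterns=$(allow_groups_patterns "$1")
    [ -z "$patterns" ] && return 0
    for g in $2; do
        for p in $patterns; do
            # $p is intentionally unquoted so it is matched as a glob
            case "$g" in $p) return 0 ;; esac
        done
    done
    return 1
}

# check_user CONFIG USER: resolve the user's groups through NSS (the same
# path sshd uses, so nscd/libnss-ldap must answer) and evaluate the policy.
check_user() {
    groups=$(id -nG "$2" 2>/dev/null) || {
        echo "cannot resolve groups for $2 via NSS" >&2
        return 2
    }
    user_allowed "$1" "$groups"
}
```

Run `check_user "$(cat /etc/ssh/sshd_config)" someuser` on a client to see whether that account would pass; a return code of 2 means NSS itself is not resolving the user, which is a resolver problem rather than a policy one.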
