[Freeipa-users] meaning of several domains in sssd.conf

Jakub Hrozek jhrozek at redhat.com
Wed Feb 27 09:12:34 UTC 2013


On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote:
> > 
> > Are there any issues you are seeing with IPA's sssd_be? It would
> > definitely be better to fix those first rather than attempting a
> > workaround like this.
> 
> I've earlier been hit by a bug in nested groups (or netgroups) where the
> ipa backend would segfault, leaving sssd running but unable to
> authenticate. 
> 
> I believe it was this problem:
> 
> 	https://fedorahosted.org/sssd/changeset/db90c1b60c729995f34af2431ede61ea7493e540/
> 
> And therefore wonder if it makes sense, or even is advisable to have
> backup backends to make sure to never lose the user database.
> 
> 

In general the IPA backend is more or less a wrapper around the LDAP and
Kerberos backends with defaults set to match the IPA server setup and a
couple of exceptions:
    * nested groups are handled differently (due to the memberof
      attribute)
    * initgroups can be handled differently (due to the memberof
      attribute)
    * the netgroups code is different, IPA has native netgroups support

So in the above cases, you might be able to work around a bug in the IPA
provider by following a different code path, but in the general case,
the same bugs would exist in both IPA and LDAP/Kerberos.

Plus some features are IPA specific for the time being, such as IPA support
of HBAC access control rules and SELinux user mappings.
