<html><head></head><body><div>On Wed, 2017-12-13 at 16:53 -0500, DJ-Pfulio via Ale wrote:</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>Last time I looked into FreeIPA, the code port to debian had stalled.
Seems that a few of the 500 different projects, all using different
programming languages, had failed to port to Debian. </pre></blockquote><h1 id="firstHeading" class="firstHeading page-header">
<span dir="auto">Releases/4.5.2</span>
</h1>
<div id="contentSub"></div>
<h2><span class="mw-headline" id="Highlights_in_4.5.2"><img alt="Release date" src="https://www.freeipa.org/images/thumb/1/15/Calendar.png/25px-Calendar.png" title="Release date" srcset="/images/thumb/1/15/Calendar.png/38px-Calendar.png 1.5x, /images/thumb/1/15/Calendar.png/50px-Calendar.png 2x" width="25" height="25"> <i>Released 2017-06-18</i></span></h2><h2><span class="mw-headline">Highlights in 4.5.2</span></h2>
<ul><li> 5860: depracate --no-sssd option</li></ul>
<p>Option '--no-sssd' has been deprecated because SSSD is recommened to use on modern platforms - Fedora, RHEL 6, RHEL 7, Debian. <-- Still in the mix :-)</p><p><br></p><p>I _don't_ see precompiled binaries so non-rpm is a second-class release issue.</p><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>
Ok, I jest, but FreeIPA is one of those typical "enterprisy" solutions
from RH that was built using 70 other projects, each with a different
idea of what is best.
</pre></blockquote><div><br></div><div>Oh yeah :-) It glued some jboss web stuff onto pile of backend things; 389DS, bind (yeah, uses bind for DNS), Kerberos, ssh, openssl certificate management tool dogtag.</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>
Introducing Cent here is not gonna happen, but thanks. I'd rather roll
my own LDAP GUI. I don't remember any issues using ssh with LDAP auth
on Ubuntu. It has been a few years, but it "just worked" by setting up
PAM correctly.</pre></blockquote><div>ssh works fine with LDAP backend for passwords with typical PAM setup. The ssh change in CentOS added an LDAP lookup for ssh pub_key. That's a special patch from a while back. Not sure if it's in openssh outside of the RPM world.</div><div><br></div><div>Check out apache directory server: <a href="http://directory.apache.org/apacheds/downloads.html">http://directory.apache.org/apacheds/downloads.html</a></div><div><br></div><div>Of course being an apache project, it's written in java</div><blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex"><pre>
On 12/13/2017 04:34 PM, Jim Kinney wrote:
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
Take a look at FreeIPA. It uses LDAP for storage and Kerberos for
authentication. The sss daemon handles comms with the server. The server
can be replicated rather easily.
There's a web gui for running it as well as a very potent cli backend
for scripting needs. It can be as simple as just making sure the same
password is on all systems or a complicated as Fred can only access the
storage machine at 2pm on Tuesdays. By "joining" a machine to the
service it now runs local auth then sss auth for users and anything else
you choose. I have some sudo processes handled by it (Fred can use a
certain sudo operation on a certain machine and a different operation on
a different machine and it's all handled through the replicated
service). When users push their ssh pub key to their data page, it can
be used to authenticate to any machine in the network (there's a patched
sshd that uses an LDAP lookup for the authorized_keys).
I ran a primary server off a VM and a backup server off an old desktop
for about 100+ users. Client support is solid for Debian and Ubuntu (the
sshd patch I don't know about outside of rpm-world) as well as CentOS
and Fedora of course. The server install is easy on CentOS (RedHat calls
it IDM server). I've not looked to see if Debian server code is just a
tarball or a real package set.
On Wed, 2017-12-13 at 20:46 +0000, Lightner, Jeffrey via Ale wrote:
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
I wasn't aware of the lack of a Linux server for NIS+. As noted I've not used NIS+ and it has been years since I used NIS. Apparently even the client support development was stopped in 2012:
<a href="http://www.linux-nis.org/nisplus/">http://www.linux-nis.org/nisplus/</a>
-----Original Message-----
From: Ale [<a href="mailto:ale-bounces@ale.org">mailto:ale-bounces@ale.org</a>] On Behalf Of DJ-Pfulio via Ale
Sent: Wednesday, December 13, 2017 3:21 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] How do you deal with SSO at home?
On 12/13/2017 02:14 PM, Lightner, Jeffrey wrote:
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px #729fcf solid;padding-left:1ex">
I thought NIS+ solved the issues of original NIS. I've never used
NIS+ so wouldn't swear to it.
</blockquote>
NIS+ clients are free. NIS+ server is Solaris only. That's a deal
breaker for me. Need a Linux-based solution, prefer Ubuntu Server or Debian. RHEL/CentOS is a big as for 1 part of an existing infrastructure.
I need a mix of POSIX and web authentication. Shared storage is server-to-server, not user-to-server, so I don't need that.
I've used LDAP previously, using Zimbra (with openldap) as the source DB for everything. Zimbra updates over the years broke that integration and I'm unwilling to deal with those hassles anymore.
Rant reply - people with just a few email addresses don't have much hope for security. Certainly you should never use the same email for your bank and **any** other accounts. Same for Amazon. Same for your broker.
Same for your 401(k) provider. So that means most professional people here need at least 6 email addresses if you add in a social account and work.
I liked how NIS worked, but I just can't take those security risks today. It is a different world.
_______________________________________________
</blockquote>
</blockquote>
_______________________________________________
Ale mailing list
<a href="mailto:Ale@ale.org">Ale@ale.org</a>
<a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre></blockquote><div><span><pre><pre>-- <br></pre>James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
</pre></span></div></body></html>