On 08/15/2012 10:19 AM, Ondrej Valousek wrote:
> 1) IPA is based on the 389 LDAP server not OpenLDAP
Ok.
> 2) SSSD does not provide front end to Samba/Winbind it just has
> similar functionality. In future we might reuse more of the samba
> libraries. Currently we use some samba libraries in SSSD but more as
> building blocks for the solution than the back end that connects to AD.
I see.
> 3) There is a project called realmd, this project would perform AD
> join of SSSD in the Linux environment. It will replace the need for
> your sss_adjoin script
Thanks for the info. Unfortunately this project did not find its way
into RHEL 6 so we can not use it. But I will mention it in my presentation.
> 4) Can you please elaborate a bit on the tools? Which tools Centrify
> has that would be useful for SSSD to have? Can you file tickets with
> those?
The tools we would welcome the most would be:
*adflush* - flush all databases, force reload all data from ldap
servers. Right now I have to stop sssd, delete all ldb files and start
sssd again - this is a bit cruel.
There is a cache management utility now. Have you looked at it? Is there
any functionality missing there?
*adinfo* - tell the user if there is some working connection to any
ldap server or whether we are running completely in the disconnected
mode. Right now I have to dig through the logs to find out.
I think both have been discussed here, but the idea was eventually
abandoned by the sssd developers.
Yes I agree having a way to dump current status of the SSSD responders
and providers would be a nice to have. But it is not quite simple.
I think we have a ticket for this.
See some thoughts that Stephen recorded there:
https://fedorahosted.org/sssd/ticket/385#comment:12
> 5) In addition to direct automounter support in SSSD there is also
> direct sudo support, management of the SSH keys and SELinux user
> mapping integration coming at the same time.
I will mention that.
> 6) I do not think you emphasize the value of IPA.
True. This was on purpose because my main objective is to get something
we already have (Centrify) cheaper & better. I understand that using
IPA would give us further benefits, but this is out of my current scope.
>
> Also you mentioned DNS sites, https://fedorahosted.org/sssd/ticket/1032
> Is it required or the notion of the primary and secondary servers
> that was added in 1.9 sufficiently addresses the issue?
This ticket was actually created by me and I see that the solution for
this one has been deferred :-( .
Primary & secondary servers support in 1.9 will not help us as we need
a true sites support as per the ticket above. I believe it would be
useful for large IPA domains, too.
I see.
Can you please add a comment to the ticket explaining why the preferred
server support is not sufficient and the support of sites is required?
Many thanks
Ondrej
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.