Authentication services in Ubuntu
Timo Aaltonen
tjaalton at ubuntu.com
Mon Jun 3 19:06:35 UTC 2013
On 03.06.2013 12:36, Ballock Tokarski wrote:
> Hello,
>
> Thanks for the comments, the feedback is very much appreciated.
>
> Now I am wondering what are the next steps. Thanks to Timo's points and
> his efforts, there is not much to do on the pure SSSD part:
> - SSSD in main
>
> For directory joining stuff - for MS-based server-side Kerberos tickets
> we are currently using msktutil, which works decently in the MS
> environment. This tool is neither in Main nor in Universe. Perhaps
> that's something we can at least upload to Universe (which I believe
> would mean uploading to Debian?)?
>
> We could also do some investigations on realmd from Fedora/RedHat which
> is their tool for joining a Directory service. I believe it's not just
> for MS AD. Realmd has not been packaged for .deb yet, I believe. And I
> am not sure how RedHat-specific it is.

It's on raring & saucy at least (0.12-0ubuntu1), but not on Debian.

> Then the remaining thing is the configuration helper. Perhaps we could
> fork RedHat's system-auth-config?

If that'd work with the installer... but I doubt it. Adding support for
this in user-setup shouldn't be too hard, just use the UI/ideas from
authconfig as a starting point...

Or maybe I'm hoping too much to be able to just preseed a few values and
it'd all be automatic from there on, and provide the GUI bits for
joining a realm manually :)

> Even if we decided that we do not need to care about "legacy" LDAP
> authentication, I would propose to fix the Ubuntu packages in the same
> way the Debian packages are done - by not requiring ldap-auth-config. I
> have just checked the Ubuntu maintainer of the libpam-ldap and it seems
> to be "Ubuntu Core Developers
> <mailto:ubuntu-devel-discuss at lists.ubuntu.com>" with an email to this
> list. So, can we make it happen?

ldap-auth-config is an Ubuntu-specific package, which seems to have been
basically unmaintained for some time now. Then again I don't see why
libpam/nss-ldap should be touched, if we're going to use lib*-sss... the
obsolete package(s) could be dropped once the new stuff is working.

--
t