
Switch all LDAP client machines to use sssd?



Hi.

I wonder if we should switch over to sssd as the primary
authentication (PAM) and directory lookup (NSS) mechanism in Debian
Edu Jessie.  This would make configuration easier and make it easier
to hook up a Debian Edu client to other kinds of authentication and
directory services, like Active Directory or a non-Debian Edu LDAP
server.

At the moment the roaming workstations use sssd (libpam-sss and
libnss-sss) for authentication and directory lookup (and libnss-ldapd
for the networks database), while the others use libpam-krb5 for
authentication and libnss-ldapd for directory lookup.

I propose we switch all networked profiles to use the same setup we
use in roaming workstations.  It is tested and works well, even in
non-Debian Edu environments.  For example I can install a roaming
workstation at the University of Oslo and it will automatically use
the Kerberos and LDAP service provided here for authentication and
user lookup. :) I expect it to work similarly in other environments
too.

At the moment, sssd does not seem to handle the network nss database,
but I am not sure if that is a problem.  The network entries are only
used to make the route output nicer, as far as I know, and we can
easily drop them.

Are there other problems we need to consider before switching?

-- 
Happy hacking
Petter Reinholdtsen

