Discussion:
FreeIPA on Debian
Dmitri Pal
2013-08-30 21:04:15 UTC
Hello,

Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of people who might be interested in this
discussion.

The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.

Maybe it is time to try again?
Let us see why it yet has not happened?

1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
2) The code needs to be changed in installer and potentially in other
places as it might have had some Fedorizms blended in
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.

Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest to join forces with them? Would there be anyone to take on item
3) from the list above?
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Michał Dwużnik
2013-08-31 19:50:57 UTC
Hi guys,


I do not know whether it will reach ALL the lists Dmitri put in, but anyway:

I am heavily interested in getting a nice inter distro product (and
if sth works both on RH-like and Deb-like distros that's quite some
bases covered...)
I'm afraid I'm not able to take the responsibility of building the deb
support myself (no skills, no time), but feel like I do need it and I
can spend some considerable time testing
(I'm still having a production NIS around and I would like to test the
interoperability when it stops being 'production'...) builds if they
appear...

I feel like IPA is getting the well established components and builds
an added value ON them and not AGAINST them, making life easier (and
hiding the not so beautiful guts under a nice interface, too...):
Integrating KRB5 and LDAP is something people do every now and then,
but it comes with considerable pain of reading contradictory guides not
updated for 10 years,
dealing with examples using crypto mechanism that should be long forgotten...
('first, before configuring LDAP set up KRB5, having a test principal
get back to this LDAP guide'
and some two links away:
'first, get the your LDAP feet wet, when you're able to do ldapsearch
get back and construct those ldifs to build krb5 database in ldap'
followed by 'make a new realm, but don't use krb5_newrealm'...).

Freeipa gives hope of NOT having to deal with cn=config manually,
(it's a really nice thing, but ldifs are sth that should be hidden
from view, and most guides
for ldap/krb5 integration require creating LOTS of those 'by hand',
which makes quite a steep learning curve...).
The abundance of PAM modules for ldap/krb5 does not make it any easier
(shishi? heimdall? MIT?; libpam-ldap or libpam-ldapd?), nor the
multitude of different caching tools.
(to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).

Having something solid to start with today's hordes of products
requiring some auth integration thingie would be really nice

OTOH that would be nice to have some documentation without EXAMPLE.COM inside :>

I think getting freeipa working on Debian would be a great 'social'
move, sure to be valued among the Linux community (ok, at least the
part of community not centered on their own personal computers...),
but the transition to 'Freeipa is widely adopted product for ...'
would surely need more people than a couple of guys in RH raising the
Debian cause and a few Debian users like me.

Thanks to work by Alexandre Ellert it's possible to get freeipa
working with wheezy with relatively no hassle, but I'm afraid the
world needs more than him :>

Trying that I haven't seen any obvious 'fedorisms' inside...

As for 'let's have a dream' part -> I would like to see sth similar to
nsscache included with the freeipa suite for some really lightweight
clients,
for more than one reason...

Dmitri, thanks for raising the flag!

Michał

PS:Any idea for some advertisement on Debian side?
--
Michal Dwuznik
Arturo Borrero Gonzalez
2013-08-31 21:03:37 UTC
It's a nice idea to get FreeIPA on Debian.

Let me point to some Debian resources related to FreeIPA:

http://lists.alioth.debian.org/mailman/listinfo/pkg-freeipa-devel
http://qa.debian.org/developer.php?login=pkg-freeipa-devel%40lists.alioth.debian.org

I don't know who is behind pkg-freeipa-devel at lists.alioth.debian.org.
I would recommend sending there an email, CC'ing debian-devel.

I can maintain one or two Debian packages (but not 50) however I'm not
an official Debian Developer.

Best regards.
--
Arturo Borrero González
Departamento de Seguridad Informática (nis at cica.es)
Centro Informatico Cientifico de Andalucia (CICA)
Avda. Reina Mercedes s/n - 41012 - Sevilla (Spain)
Tfno.: +34 955 056 600 / FAX: +34 955 056 650
Consejería de Economía, Innovación, Ciencia y Empleo
Junta de Andalucía
Dmitri Pal
2013-09-01 00:52:19 UTC
Post by Michał Dwużnik
PS:Any idea for some advertisement on Debian side?
I have no idea where and how this effort can be advertised but any
ideas are welcome!
I think it would be great if someone passes it on to other lists that
might be interested in joining the effort.
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Timo Aaltonen
2013-09-01 18:20:30 UTC
Post by Dmitri Pal
Hello,
Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of people who might be interested in this
discussion.
The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
Hi,

As you know, I've been packaging stuff for the past two years with the
goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
been accomplished, but quite a bit is still missing too..
Post by Dmitri Pal
Maybe it is time to try again?
Let us see why it yet has not happened?
1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
working, but I'm not going to push that to the distro. It can be used
for testing the IPA server though, before we have Dogtag 10. Once the
prereqs are in place the Dogtag git should be easy to rebase with 10.x.

I did start packaging some of the dependencies, but hit a wall when some
maven component needed a different release than another one.. AIUI this
is a known issue with maven based projects..

Other blockers off the top of my head include:

- support for shared certificate database in NSS
  * patches sent to the Debian bug (#537866), maintainer isn't too
    responsive
- dyndb support in bind
  * haven't asked the maintainer to add it to bind9, it might happen
- porting the IPA server installer for Debian
  * this has been discussed on the list at some point, and I guess
    upstream knows best how the code needs to be organized to make it
    happen..
Post by Dmitri Pal
2) The code needs to be changed in installer and potentially in other
places as it might have had some Fedorizms blended in
yep, and I need to send the platform module for the client soon, the
latest version seems to be working fine.
Post by Dmitri Pal
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.
I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..
Post by Dmitri Pal
Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest to join forces with them? Would there be anyone to take on item
3) from the list above?
I could send an email to debian-devel@ asking if someone is interested
in helping us out. And maybe blog about it too (on planet.ubuntu.com)..
--
t
Dmitri Pal
2013-09-01 18:43:05 UTC
Post by Timo Aaltonen
Post by Dmitri Pal
Hello,
Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of people who might be interested in this
discussion.
The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
Hi,
As you know, I've been packaging stuff for the past two years with the
goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
been accomplished, but quite a bit is still missing too..
Post by Dmitri Pal
Maybe it is time to try again?
Let us see why it yet has not happened?
1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
working, but I'm not going to push that to the distro. It can be used
for testing the IPA server though, before we have Dogtag 10. Once the
prereqs are in place the Dogtag git should be easy to rebase with 10.x.
I did start packaging some of the dependencies, but hit a wall when some
maven component needed a different release than another one.. AIUI this
is a known issue with maven based projects..
- support for shared certificate database in NSS
* patches sent to the Debian bug (#537866), maintainer isn't too
responsive
How can we help?
Post by Timo Aaltonen
- dyndb support in bind
* haven't asked the maintainer to add it to bind9, it might happen
Are you talking about dyndb maintainer or bind9 Debian maintainer?
Maybe we should connect the two?
Post by Timo Aaltonen
- porting the IPA server installer for Debian
* this has been discussed on the list at some point, and I guess
upstream knows best how the code needs to be organized to make it
happen..
Yes I hope so too.
Post by Timo Aaltonen
Post by Dmitri Pal
2) The code needs to be changed in installer and potentially in other
places as it might have had some Fedorizms blended in
yep, and I need to send the platform module for the client soon, the
latest version seems to be working fine.
This is great.
Post by Timo Aaltonen
Post by Dmitri Pal
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.
I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..
Are you the only person there so far?
Post by Timo Aaltonen
Post by Dmitri Pal
Can we pull it off together this time?
Say we plan for some Dogtag and IPA domain experts to work on the port
during Nov 13 - Feb 14 and address 1) and 2). Would there be any
interest to join forces with them? Would there be anyone to take on item
3) from the list above?
Post by Timo Aaltonen
I could send an email to debian-devel@ asking if someone is interested
in helping us out. And maybe blog about it too (on planet.ubuntu.com)..
Yes that would help.

Thank you very much for your efforts!
--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


Timo Aaltonen
2013-09-01 20:35:06 UTC
Post by Dmitri Pal
Post by Timo Aaltonen
Post by Dmitri Pal
Hello,
Sorry for cross posting to 4 different lists but it seems that this is
the best way to include most of people who might be interested in this
discussion.
The question of "When FreeIPA will be available on Debian?" has been
coming up periodically on the list(s) without any resolution. However it
is clear that it would be beneficial for the community and the project.
Hi,
As you know, I've been packaging stuff for the past two years with the
goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has
been accomplished, but quite a bit is still missing too..
Post by Dmitri Pal
Maybe it is time to try again?
Let us see why it yet has not happened?
1) Some components need to be ported to Debian especially Dogtag and a
slew of its new RESTEasy dependencies. This requires time and quite an
effort from someone familiar with the domain.
Yes, this is the biggest blocker. Dogtag 9 is packaged in git and
working, but I'm not going to push that to the distro. It can be used
for testing the IPA server though, before we have Dogtag 10. Once the
prereqs are in place the Dogtag git should be easy to rebase with 10.x.
I did start packaging some of the dependencies, but hit a wall when some
maven component needed a different release than another one.. AIUI this
is a known issue with maven based projects..
- support for shared certificate database in NSS
* patches sent to the Debian bug (#537866), maintainer isn't too
responsive
How can we help?
I don't think you can, guess it just needs some perseverance on my side..
Post by Dmitri Pal
Post by Timo Aaltonen
- dyndb support in bind
* haven't asked the maintainer to add it to bind9, it might happen
Are you talking about dyndb maintainer or bind9 Debian maintainer?
Maybe we should connect the two?
the debian bind maintainer, I heard from the dyndb maintainer that
bind10 might support it natively, but getting that in Debian might still
be further in the future, so if we'd need dyndb by early next year it's
probably needed to have it via bind9 first.
Post by Dmitri Pal
Post by Timo Aaltonen
Post by Dmitri Pal
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.
I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..
Are you the only person there so far?
pretty much, there have been some debian developers sponsoring packages
to the distro (I'm not a DD yet), but they've all fled before too long :)
--
t
Stephen Gallagher
2013-09-03 11:49:55 UTC
Post by Timo Aaltonen
Post by Dmitri Pal
- dyndb support in bind * haven't asked the maintainer to add
it to bind9, it might happen
Are you talking about dyndb maintainer or bind9 Debian
maintainer? Maybe we should connect the two?
the debian bind maintainer, I heard from the dyndb maintainer that
bind10 might support it natively, but getting that in Debian might
still be further in the future, so if we'd need dyndb by early next
year it's probably needed to have it via bind9 first.
FreeIPA ships a separate package, bind-dyndb-ldap as an add-on for
bind 9. You should be able to do the same in Debian. We should connect
the bind-dyndb-ldap upstream with you so we can figure out if that
will work.
Timo Aaltonen
2013-09-03 13:42:49 UTC
Post by Stephen Gallagher
Post by Timo Aaltonen
Post by Dmitri Pal
- dyndb support in bind * haven't asked the maintainer to
add it to bind9, it might happen
Are you talking about dyndb maintainer or bind9 Debian
maintainer? Maybe we should connect the two?
the debian bind maintainer, I heard from the dyndb maintainer
that bind10 might support it natively, but getting that in Debian
might still be further in the future, so if we'd need dyndb by
early next year it's probably needed to have it via bind9 first.
FreeIPA ships a separate package, bind-dyndb-ldap as an add-on for
bind 9. You should be able to do the same in Debian. We should
connect the bind-dyndb-ldap upstream with you so we can figure out
if that will work.
Yes, but it depends on a dyndb patch for bind9, won't even build
otherwise. I have bind-dyndb-ldap sitting in git until the patch is
added to Debian bind9, and contacted the maintainer yesterday so
things should get moving..

--
t

Jakub Hrozek
2013-09-02 08:51:11 UTC
Post by Timo Aaltonen
Post by Dmitri Pal
3) Someone needs to own packages in Debian and maintain them, someone
with good knowledge of the distro and time to take ownership of about 50
packages.
I'm doing this on my spare time, which has meant obvious delays in
shipping something. Would be great to have more skillful people (pun
intended) on the pkg-freeipa team..
Let me just say that I was always amazed at the level of quality bug reports
and collaboration that came from Ubuntu community via your packages. This
Friday we received several bug reports that will be important to fix in 1.11.

Please keep up the good work!