And I should proof read emails before sending them :P To clarify several points: - LDAP client as well as Kerberos client configuration editors are still present in SLES 11, they have been removed from openSUSE 13.1 (and onwards) as well as in SLES 12. - Users should be encouraged to use SSSD instead of nss_ldap in new deployments. - The new configuration editor is an effort to correct the buggy&boring SSSD configuration editor in SLES 12 and openSUSE, as well as bringing those feature highlights. Regards, Howard On Wed, 27 Apr 2016, Howard Guo wrote:
Morning Darin.
You might recall that in legacy openSUSE releases as well as SLES 11, there are "LDAP client" and "Kerberos client" configuration editors. Those were removed in favour of SSSD - a fantastic piece of software that truly makes authentication configuration painless (but still can borrow some conveniences from an editor UI).
During the course of SLES 12 development, both LDAP and Kerberos configuration editors were dropped to encourage users to try SSSD, and a basic and buggy SSSD configuration editor emerged.
Reivisiting nss_ldap, the development activities indeed suggest that it has gone into maintenance mode, nevertheless it has worked very well for lots of Linux users, and remains to be popular. Hence the new authentication configuration editor enhances the experience of configuring /etc/ldap.conf.
You see, the only thing authentication technologies do not lack are choices and complexity; autofs brings even more switches into the scheme. The one-click automount enabler works very well for hooking up autofs with LDAP, but if you have to further hand-craft autofs maps, the editor cannot help yet.
Regarding PAM configuration, the editor makes use of pam-config utility, but it makes several further adjustments to ensure that you cannot intentionally or unintentionally lock yourself out of the system.
Regards, Howard
The development activities on nss_ldap indeed suggest that it has gone into maintenance mode, we have not seen new features in years. Moving forward
On Tue, 26 Apr 2016, Darin Perusich wrote:
One other thing...are you modifying the pam.d files directly without using pam-config(8)? If so, IMO, that is probably not a good idea since pam-config tends to clobber manual modifications to the common-{account,auth,password} files and ensures things are properly ordered. -- Later, Darin
On Tue, Apr 26, 2016 at 12:16 PM, Darin Perusich <darin@darins.net> wrote:
This looks like a very interesting addition, having battled with configuring nearly all the above on various distros and nearly every version of openSUSE/SUSE since version 9.x. Are you still supporting nss_ldap and pam_ldap, given the PADL code is effictively dead, or has it been removed in favor of SSSD? It also says "single click" for enabling autofs, but it's rarely that easy. Does the module take into account needing to configure autofs_ldap_auth.conf(5) or the various schema object's and attribute's that are defined in /etc/sysconfig/autofs for getting the auto.{master|home|misc} maps?
Personally I'm not a fan of having my Linux/UNIX systems authenticate directly against AD, given the various schema deficiencies and RFC non-compliance. I've always preferred spinning up a couple "real" LDAP servers, shameless plug for ForgeRock's OpenDJ;-), and using Passthru Authentication against AD so users don't need to remember yet another password.
Looking forward to checking this out, thanks for the hard work!
-- Later, Darin
On Tue, Apr 26, 2016 at 10:47 AM, Howard Guo <hguo@suse.com> wrote:
Hello fellow Tumbleweed users.
If you have Windows administration background or have used "authconfig" on other Linux distrubtions, then you might have realised how difficult it is to enroll an openSUSE computer to Microsoft AD or generic LDAP/Kerberos domain - there's no tool to help you.
The situation is about to change soon, although authconfig isn't coming to openSUSE yet, but the latest & comprehensive system authentication configuration editor is coming to Yast, you can track the package progress here: https://build.opensuse.org/request/show/391701
Feature highlights: - Enroll an openSUSE computer to Microsoft AD domain in a three easy point&click steps. - For generic LDAP/Kerberos domain, the simple and intruitive user interface helps entering and validating all essential parameters. - Enable automount for your AutoFS-enabled network via a single click. - The configuration editor is fully compatible with AutoYast, for automated machine provisioning needs.
Enjoy.
Kind regards, Howard -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org