[New: openFATE 310176] Switch to sssd for LDAP/Kerberos authentication
Feature added by: Ralf Haferkamp (rhafer) Feature #310176, revision 1 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Unconfirmed Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Ralf Haferkamp (rhafer) Feature #310176, revision 2 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Unconfirmed Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. + Relations: + - related feature (feature/id: 308902) + - nss_ldap issue #2 (novell/bugzilla/id: 157078) + https://bugzilla.novell.com/show_bug.cgi?id=157078 + - nss_ldap issue #1 (novell/bugzilla/id: 477061) + https://bugzilla.novell.com/show_bug.cgi?id=477061 -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Ralf Haferkamp (rhafer) Feature #310176, revision 3 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Unconfirmed Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - - nss_ldap issue #1 (novell/bugzilla/id: 477061) - https://bugzilla.novell.com/show_bug.cgi?id=477061 + - nss_ldap issue #1 (novell/bugzilla/id: 598158) + https://bugzilla.novell.com/show_bug.cgi?id=598158 -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Andreas Jaeger (a_jaeger) Feature #310176, revision 4 Title: Switch to sssd for LDAP/Kerberos authentication - openSUSE-11.4: Unconfirmed + openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 + Discussion: + #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) + Note: This feature tracks the basesystem changes for this, especially + pam_ldap. The YaST part is tracked in fate#308902. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Andreas Jaeger (a_jaeger) Feature #310176, revision 5 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) + Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. + #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) + It also tracks changes in glibc to fix bnc#621454 and bnc#477061. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Andreas Jaeger (a_jaeger) Feature #310176, revision 7 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. + #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) + Correction pam-config instead of pam_ldap since pam_ldap does not need + to be changed. #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Bidossessi SODONON (bidossessi) Feature #310176, revision 8 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. + #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) + Does this feature imply replacing both the LDAP client and Kerberos + client modules with a single SSSD module in Yast? Would that be + advisable for servers? -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Matthias Eckermann (mge1512) Feature #310176, revision 9 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? + #6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) + It's far too early to talk about replacement in my view: while sssd + sounds not too bad as of today, experience and code consolidation will + show, if it is the right way for the future. We should include it in + future versions for openSUSE to give it a real field testing before + cutting the proven modules. 
-- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Ralf Haferkamp (rhafer) Feature #310176, revision 10 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. + #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) + sssd support has now been implemented in pam-config (starting with + Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? #6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. 
We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. + #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) + Please note that the YaST related changes are tracked in fate#308902 -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Andreas Jaeger (a_jaeger) Feature #310176, revision 12 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory + Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? #6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. 
We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 + #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) + Marcus, please schedule a security review of sssd. + Are there any comments for the evaluation of this feature from the + security team? -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Marcus Meissner (msmeissn) Feature #310176, revision 13 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? #6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. 
We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? + #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) + Sorry, I missed the NEEDINFO. + I now opened an AUDIT tracking bug, we will review. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Matthias Eckermann (mge1512) Feature #310176, revision 14 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation Priority Requester: Mandatory Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Developer: (Novell) Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 + - feature/duplicate: 310820 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Matthias Eckermann (mge1512) Feature #310176, revision 15 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation by project manager Priority Requester: Mandatory Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Product Manager: (Novell) Product Manager: (Novell) Project Manager: (Novell) Developer: (Novell) Partner organization: openSUSE.org Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should - change yast2-ldap-client to configure sssd instead of + change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 - feature/duplicate: 310820 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Jiří Suchomel (jsuchome) Feature #310176, revision 18 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Evaluation by project manager Priority Requester: Mandatory Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Product Manager: (Novell) Product Manager: (Novell) Project Manager: (Novell) Developer: (Novell) Partner organization: openSUSE.org Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 - feature/duplicate: 310820 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. + #12: Jiří Suchomel (jsuchome) (2011-03-01 13:04:39) + For 11.4, feature 308902 (sssd support in YaST) was implemented and + made a default option instead of pam_ldap/nss_ldap. Therefor I think + this one is also finished. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Thorsten Kukuk (kukuk) Feature #310176, revision 20 Title: Switch to sssd for LDAP/Kerberos authentication - openSUSE-11.4: Evaluation by project manager + openSUSE-11.4: Done Priority Requester: Mandatory Info Provider: (Novell) Requested by: Ralf Haferkamp (rhafer) Product Manager: (Novell) Product Manager: (Novell) Project Manager: (Novell) Developer: (Novell) Partner organization: openSUSE.org Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 - feature/duplicate: 310820 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. #12: Jiří Suchomel (jsuchome) (2011-03-01 13:04:39) For 11.4, feature 308902 (sssd support in YaST) was implemented and made a default option instead of pam_ldap/nss_ldap. Therefor I think this one is also finished. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Stefan Behlert (sbehlert) Feature #310176, revision 25 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Done Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Partner organization: openSUSE.org Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. + References: + packages: sssd Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 - feature/duplicate: 310820 Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. #12: Jiří Suchomel (jsuchome) (2011-03-01 13:04:39) For 11.4, feature 308902 (sssd support in YaST) was implemented and made a default option instead of pam_ldap/nss_ldap. Therefor I think this one is also finished. -- openSUSE Feature: https://features.opensuse.org/310176
Feature changed by: Marcus Meissner (msmeissn) Feature #310176, revision 27 Title: Switch to sssd for LDAP/Kerberos authentication openSUSE-11.4: Done Priority Requester: Mandatory Requested by: Ralf Haferkamp (rhafer) Partner organization: openSUSE.org Description: Because of the various issues we face with nss_ldap/pam_ldap (see e.g. bug#477061, bug#157078 and others) and because of the added value sssd gives us (e.g. offline support, integrated kerberos support). We should change yast2-ldap-client to configure sssd instead of (in addition to) nss_ldap/pam_ldap/pam_kerberos. sssd packages are already available for 11.3. We still need to add support for it in pam-config. References: packages: sssd Relations: - related feature (feature/id: 308902) - nss_ldap issue #2 (novell/bugzilla/id: 157078) https://bugzilla.novell.com/show_bug.cgi?id=157078 - nss_ldap issue #1 (novell/bugzilla/id: 598158) https://bugzilla.novell.com/show_bug.cgi?id=598158 - - feature/duplicate: 310820 + - (feature/duplicate: 310820) Discussion: #1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55) Note: This feature tracks the basesystem changes for this, especially pam_ldap. The YaST part is tracked in fate#308902. #4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1) Correction pam-config instead of pam_ldap since pam_ldap does not need to be changed. #7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4) sssd support has now been implemented in pam-config (starting with Version 0.77) #2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20) It also tracks changes in glibc to fix bnc#621454 and bnc#477061. #5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41) Does this feature imply replacing both the LDAP client and Kerberos client modules with a single SSSD module in Yast? Would that be advisable for servers? 
#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5) It's far too early to talk about replacement in my view: while sssd sounds not too bad as of today, experience and code consolidation will show, if it is the right way for the future. We should include it in future versions for openSUSE to give it a real field testing before cutting the proven modules. #8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5) Please note that the YaST related changes are tracked in fate#308902 #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19) Marcus, please schedule a security review of sssd. Are there any comments for the evaluation of this feature from the security team? #10: Marcus Meissner (msmeissn) (2010-11-10 10:56:13) (reply to #9) Sorry, I missed the NEEDINFO. I now opened an AUDIT tracking bug, we will review. #12: Jiří Suchomel (jsuchome) (2011-03-01 13:04:39) For 11.4, feature 308902 (sssd support in YaST) was implemented and made a default option instead of pam_ldap/nss_ldap. Therefor I think this one is also finished. -- openSUSE Feature: https://features.opensuse.org/310176