Mailinglist Archive: opensuse-features (253 mails)

< Previous Next >
[openFATE 310176] Switch to sssd for LDAP/Kerberos authentication
  • From: fate_noreply@xxxxxxx
  • Date: Wed, 15 Sep 2010 16:40:30 +0200 (CEST)
  • Message-id: <feature-310176-12@xxxxxxxxxxxxxx>
Feature changed by: Andreas Jaeger (a_jaeger)
Feature #310176, revision 12
Title: Switch to sssd for LDAP/Kerberos authentication

openSUSE-11.4: Evaluation
Priority
Requester: Mandatory

+ Info Provider: (Novell)
Requested by: Ralf Haferkamp (rhafer)
Developer: (Novell)

Description:
Because of the various issues we face with nss_ldap/pam_ldap (see e.g.
bug#477061, bug#157078 and others) and because of the added value sssd
gives us (e.g. offline support, integrated kerberos support). We should
change yast2-ldap-client to configure sssd instead of
nss_ldap/pam_ldap/pam_kerberos.
sssd packages are already available for 11.3. We still need to add
support for it in pam-config.

Relations:
- related feature (feature/id: 308902)
- nss_ldap issue #2 (novell/bugzilla/id: 157078)
https://bugzilla.novell.com/show_bug.cgi?id=157078
- nss_ldap issue #1 (novell/bugzilla/id: 598158)
https://bugzilla.novell.com/show_bug.cgi?id=598158

Discussion:
#1: Andreas Jaeger (a_jaeger) (2010-07-20 09:37:55)
Note: This feature tracks the basesystem changes for this, especially
pam_ldap. The YaST part is tracked in fate#308902.

#4: Andreas Jaeger (a_jaeger) (2010-07-20 11:01:40) (reply to #1)
Correction pam-config instead of pam_ldap since pam_ldap does not need
to be changed.

#7: Ralf Haferkamp (rhafer) (2010-09-09 15:34:07) (reply to #4)
sssd support has now been implemented in pam-config (starting with
Version  0.77)

#2: Andreas Jaeger (a_jaeger) (2010-07-20 09:40:20)
It also tracks changes in glibc to fix bnc#621454 and bnc#477061.

#5: Bidossessi SODONON (bidossessi) (2010-08-05 17:32:41)
Does this feature imply replacing both the LDAP client and Kerberos
client modules with a single SSSD module in Yast? Would that be
advisable for servers?

#6: Matthias Eckermann (mge1512) (2010-08-05 17:49:22) (reply to #5)
It's far too early to talk about replacement in my view: while sssd
sounds not too bad as of today, experience and code consolidation will
show, if it is the right way for the future. We should include it in
future versions for openSUSE to give it a real field testing before
cutting the proven modules.

#8: Ralf Haferkamp (rhafer) (2010-09-09 15:35:15) (reply to #5)
Please note that the YaST related changes are tracked in fate#308902

+ #9: Andreas Jaeger (a_jaeger) (2010-09-15 16:40:19)
+ Marcus, please schedule a security review of sssd.
+ Are there any comments for the evaluation of this feature from the
+ security team?



--
openSUSE Feature:
https://features.opensuse.org/310176

< Previous Next >