Hello,
Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of the people who might be interested in this discussion.
The question of "When FreeIPA will be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project.
Maybe it is time to try again? Let us see why it has not happened yet?
1) Some components need to be ported to Debian, especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain.
2) The code needs to be changed in installer and potentially in other places as it might have had some Fedorizms blended in.
3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.
Can we pull it off together this time? Say we plan for some Dogtag and IPA domain experts to work on the port during Nov 13 - Feb 14 and address 1) and 2). Would there be any interest to join forces with them? Would there be anyone to take on item 3) from the list above?
Hi guys,
I do not know whether it will reach ALL the lists Dmitri put in, but anyway:
I am heavily interested in getting a nice inter-distro product (and if sth works both on RH-like and Deb-like distros that's quite some bases covered...). I'm afraid I'm not able to take the responsibility of building the deb support myself (no skills, no time), but feel like I do need it and I can spend some considerable time testing (I'm still having a production NIS around and I would like to test the interoperability when it stops being 'production'...) builds if they appear...
I feel like IPA is getting the well established components and builds an added value ON them and not AGAINST them, making life easier (and hiding the not so beautiful guts under a nice interface, too...): Integrating KRB5 and LDAP is something people do every now and then, but it comes with considerable pain of reading contradictory guides not updated for 10 years, dealing with examples using crypto mechanisms that should be long forgotten... ('first, before configuring LDAP set up KRB5, having a test principal get back to this LDAP guide' and some two links away: 'first, get your LDAP feet wet, when you're able to do ldapsearch get back and construct those ldifs to build krb5 database in ldap' followed by 'make a new realm, but don't use krb5_newrealm'...).
Freeipa gives hope of NOT having to deal with cn=config manually (it's a really nice thing, but ldifs are sth that should be hidden from view, and most guides for ldap/krb5 integration require creating LOTS of those 'by hand', which makes quite a steep learning curve...). The abundance of PAM modules for ldap/krb5 does not make it any easier (shishi? heimdal? MIT?; libpam-ldap or libpam-ldapd?), nor the multitude of different caching tools (to mention only nslcd, nsscache, libpam-ccreds, nss_updatedb...).
Having something solid to start with today's hordes of products requiring some auth integration thingie would be really nice.
OTOH that would be nice to have some documentation without EXAMPLE.COM inside :>
I think getting freeipa working on Debian would be a great 'social' move, sure to be valued among the Linux community (ok, at least the part of community not centered on their own personal computers...), but the transition to 'Freeipa is widely adopted product for ...' would surely need more people than a couple of guys in RH raising the Debian cause and a few Debian users like me.
Thanks to work by Alexandre Ellert it's possible to get freeipa working with wheezy with relatively no hassle, but I'm afraid the world needs more than him :>
Trying that I haven't seen any obvious 'fedorisms' inside...
As for 'let's have a dream' part -> I would like to see sth similar to nsscache included with the freeipa suite for some really lightweight clients, for more than one reason...
Dmitri, thanks for raising the flag!
Michał
PS: Any idea for some advertisement on Debian side?
On Fri, Aug 30, 2013 at 11:04 PM, Dmitri Pal dpal@redhat.com wrote:
-- Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
It's a nice idea to get FreeIPA on Debian.
Let me point to some Debian resources related to FreeIPA:
http://lists.alioth.debian.org/mailman/listinfo/pkg-freeipa-devel
http://qa.debian.org/developer.php?login=pkg-freeipa-devel%40lists.alioth.de...
I don't know who is behind pkg-freeipa-devel@lists.alioth.debian.org. I would recommend sending an email there, CC'ing debian-devel.
I can maintain one or two Debian packages (but not 50); however, I'm not an official Debian Developer.
Best regards.
On 08/31/2013 03:50 PM, Michał Dwużnik wrote:
> PS: Any idea for some advertisement on Debian side?
I have no idea where and how this effort can be advertised, but any ideas are welcome! I think it would be great if someone passes it on to other lists that might be interested in joining the effort.
On 31.08.2013 00:04, Dmitri Pal wrote:
> Hello,
> Sorry for cross posting to 4 different lists but it seems that this is the best way to include most of the people who might be interested in this discussion.
> The question of "When FreeIPA will be available on Debian?" has been coming up periodically on the list(s) without any resolution. However it is clear that it would be beneficial for the community and the project.
Hi,
As you know, I've been packaging stuff for the past two years with the goal of eventually having FreeIPA server on Debian/Ubuntu. A lot has been accomplished, but quite a bit is still missing too..
> Maybe it is time to try again? Let us see why it has not happened yet?
> 1) Some components need to be ported to Debian, especially Dogtag and a slew of its new RESTEasy dependencies. This requires time and quite an effort from someone familiar with the domain.
Yes, this is the biggest blocker. Dogtag 9 is packaged in git and working, but I'm not going to push that to the distro. It can be used for testing the IPA server though, before we have Dogtag 10. Once the prereqs are in place the Dogtag git should be easy to rebase with 10.x.
I did start packaging some of the dependencies, but hit a wall when some maven component needed a different release than another one.. AIUI this is a known issue with maven based projects..
Other blockers off the top of my head include:
- support for shared certificate database in NSS
  * patches sent to the Debian bug (#537866), maintainer isn't too responsive
- dyndb support in bind
  * haven't asked the maintainer to add it to bind9, it might happen
- porting the IPA server installer for Debian
  * this has been discussed on the list at some point, and I guess upstream knows best how the code needs to be organized to make it happen..
> 2) The code needs to be changed in installer and potentially in other places as it might have had some Fedorizms blended in
yep, and I need to send the platform module for the client soon, the latest version seems to be working fine.
> 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.
I'm doing this on my spare time, which has meant obvious delays in shipping something. Would be great to have more skillful people (pun intended) on the pkg-freeipa team..
> Can we pull it off together this time? Say we plan for some Dogtag and IPA domain experts to work on the port during Nov 13 - Feb 14 and address 1) and 2). Would there be any interest to join forces with them? Would there be anyone to take on item 3) from the list above?
I could send an email to debian-devel@ asking if someone is interested in helping us out. And maybe blog about it too (on planet.ubuntu.com)..
On 09/01/2013 02:20 PM, Timo Aaltonen wrote:
> Other blockers off the top of my head include:
> - support for shared certificate database in NSS
>   * patches sent to the Debian bug (#537866), maintainer isn't too responsive
How can we help?
> - dyndb support in bind
>   * haven't asked the maintainer to add it to bind9, it might happen
Are you talking about the dyndb maintainer or the bind9 Debian maintainer? Maybe we should connect the two?
> - porting the IPA server installer for Debian
>   * this has been discussed on the list at some point, and I guess upstream knows best how the code needs to be organized to make it happen..
Yes, I hope so too.
> > 2) The code needs to be changed in installer and potentially in other places as it might have had some Fedorizms blended in
> yep, and I need to send the platform module for the client soon, the latest version seems to be working fine.
This is great.
> > 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.
> I'm doing this on my spare time, which has meant obvious delays in shipping something. Would be great to have more skillful people (pun intended) on the pkg-freeipa team..
Are you the only person there so far?
> > Can we pull it off together this time? Say we plan for some Dogtag and IPA domain experts to work on the port during Nov 13 - Feb 14 and address 1) and 2). Would there be any interest to join forces with them? Would there be anyone to take on item 3) from the list above?
> I could send an email to debian-devel@ asking if someone is interested in helping us out. And maybe blog about it too (on planet.ubuntu.com)..
Yes that would help.
Thank you very much for your efforts!
On 01.09.2013 21:43, Dmitri Pal wrote:
> > Other blockers off the top of my head include:
> > - support for shared certificate database in NSS
> >   * patches sent to the Debian bug (#537866), maintainer isn't too responsive
> How can we help?
I don't think you can, guess it just needs some perseverance on my side..
> > - dyndb support in bind
> >   * haven't asked the maintainer to add it to bind9, it might happen
> Are you talking about the dyndb maintainer or the bind9 Debian maintainer? Maybe we should connect the two?
the debian bind maintainer, I heard from the dyndb maintainer that bind10 might support it natively, but getting that in Debian might still be further in the future, so if we'd need dyndb by early next year it's probably needed to have it via bind9 first.
> > > 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.
> > I'm doing this on my spare time, which has meant obvious delays in shipping something. Would be great to have more skillful people (pun intended) on the pkg-freeipa team..
> Are you the only person there so far?
pretty much, there have been some debian developers sponsoring packages to the distro (I'm not a DD yet), but they've all fled before too long :)
On Sun, Sep 01, 2013 at 09:20:30PM +0300, Timo Aaltonen wrote:
> > 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages.
> I'm doing this on my spare time, which has meant obvious delays in shipping something. Would be great to have more skillful people (pun intended) on the pkg-freeipa team..
Let me just say that I was always amazed at the level of quality bug reports and collaboration that came from Ubuntu community via your packages. This Friday we received several bug reports that will be important to fix in 1.11.
Please keep up the good work!
sssd-devel@lists.fedorahosted.org