On 08/15/2012 10:19 AM, Ondrej Valousek wrote:

1) IPA is based on the 389 LDAP server not OpenLDAP
2) SSSD does not provide front end to Samba/Winbind it just has similar functionality. In future we might reuse more of the samba libraries. Currently we use some samba libraries in SSSD but more as building blocks for the solution than the back end that connects to AD.
I see.
3) There is a project called reamld, this project would perform AD join of SSSD in the Linux environment. It will replace the need for your sss_adjoin script
Thanks for the info. Unfortunately this project did not find its way into RHEL 6 so we can not use it. But I will mention it on my presentation
4) Can you please elaborate a bit on the tools? Which tools Centrify has that would be useful for SSSD to have? Can you file tickets with those?
The tools we would welcome the most would be:
adflush - flush all databases, force reload all data from ldap servers. Right now I have to stop sssd, delete all ldb files and start sssd again - this is a bit cruel.

There is a cache management utility now. Have you looked at it? Is there any functionality missing there?

adinfo - tell the user is there is some working connection to any ldap server or whether we are running completely in the disconnected mode. Right now I have to dig through the logs to find out.
I think both have been discussed here, but the idea was eventually abandoned by the sssd developers

Yes I agree having a way to dump current status of the SSSD responders and providers would be a nice to have. But it is not quite simple.
I think we have a ticket for this.
See some thoughts that Stephen recorded there:

5) In addition to direct automounter support in SSSD there is also direct sudo support, management of the SSH keys and SELinux user mapping integration coming at the same time.
I will mention that.
6) I do not think you emphasize the value of IPA.
True. This was on purpose because my main objective is get something we already have (Centrify) cheaper & better. I understand that using IPA would give us further benefits, but this is out of my current scope.

Also you mentioned DNS sites, https://fedorahosted.org/sssd/ticket/1032
Is it required or the notion of the primary and secondary servers that was added in 1.9 sufficiently addresses the issue?
This ticket was actually created by me and I see that the solution for this one has been deferred :-( .
Primary & secondary servers support in 1.9 will not help us as we need a true sites support as per the ticket above. I believe it would be useful for large IPA domains, too.

I see.
Can you please add a comment to the ticket explaining why the preferred server support is not sufficient and the support of sites is required. 

Many thanks
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

Looking to carve out IT costs?