doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
which I'm not totally averse to doing but I have to ask, is there something packaged? (I've looked in 'testing' and in 'extras' and in epel)
Has anyone followed some other instructions?
Craig
On Tue, 2009-04-07 at 08:24 -0700, Craig White wrote:
doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
which I'm not totally averse to doing but I have to ask, is there something packaged? (I've looked in 'testing' and in 'extras' and in epel)
Has anyone followed some other instructions?
---- hmmm...no one using freeipa I think.
I was able to get it to compile using the above but that was version 1.0.0 and they're up to 1.2.1 on their web site. Fedora 10 has 1.2.0 src rpm but it has a requirement of popt-devel which I couldn't find for CentOS-5. I could build the Fedora 10 version of the popt/popt-devel rpms but I couldn't install popt-devel without popt and that caused all sorts of issues with rpm/rpm-devel/rpm-build, to the point where I chickened out. When I commented out the requirement for popt-devel in the spec file, of course it wouldn't build anyway (ldapi-plugin-winsync didn't seem to me to be related to popt-devel but who knows). ;-(
It would seem that if Red Hat were serious about freeipa, they would make it so that it actually could build a non-ancient version on RHEL (CentOS).
Craig
Hi,
On Tue, Apr 7, 2009 at 23:42, Craig White craigwhite@azapple.com wrote:
Fedora 10 has 1.2.0 src rpm but it has a requirement of popt-devel which I couldn't find for CentOS-5.
CentOS5's "popt" package contains the development libraries and headers. rpm -ql popt shows that libpopt.a, libpopt.so and popt.h are there, so you should be able to safely remove that dependency from the specfile and build it from there.
When I commented out the requirement for popt-devel in the spec file, of course it wouldn't build anyway (ldapi-plugin-winsync didn't seem to me to be related to popt-devel but who knows). ;-(
Definitely not related.
Have you looked into the CentOS Directory Server instead? http://wiki.centos.org/HowTos/DirectoryServerSetup
I don't know if that one contains all the components of FreeIPA, but at least the main ones should be there.
It would seem that if Red Hat were serious about freeipa, they would make it so that it actually could build a non-ancient version on RHEL (CentOS).
As usual, if you want cutting-edge it will be in Fedora. If you want stable it will be in RHEL/CentOS.
It seems to me that FreeIPA is a quite contained and integrated package, and it makes sense to have dedicated machines to run it. Why don't you just use FreeIPA itself instead of trying to shoehorn its packages into CentOS, ending up with something that will probably lack the advantages of both parts?
HTH, Filipe
On Wed, 2009-04-08 at 00:06 -0400, Filipe Brandenburger wrote:
Hi,
On Tue, Apr 7, 2009 at 23:42, Craig White craigwhite@azapple.com wrote:
Fedora 10 has 1.2.0 src rpm but it has a requirement of popt-devel which I couldn't find for CentOS-5.
CentOS5's "popt" package contains the development libraries and headers. rpm -ql popt shows that libpopt.a, libpopt.so and popt.h are there, so you should be able to safely remove that dependency from the specfile and build it from there.
---- you could be right. I checked on my Fedora system and the file list from popt-devel seemed to have a lot more than just the popt on CentOS but I didn't look at it all that closely. As I said, I just commented it out (the dependency). ----
When I commented out the requirement for popt-devel in the spec file, of course it wouldn't build anyway (ldapi-plugin-winsync didn't seem to me to be related to popt-devel but who knows). ;-(
Definitely not related.
Have you looked into the CentOS Directory Server instead? http://wiki.centos.org/HowTos/DirectoryServerSetup
I don't know if that one contains all the components of FreeIPA, but at least the main ones should be there.
---- no, I haven't and I probably will. I wanted to play with freeipa because I had a little time for experimenting. I typically use OpenLDAP but have Fedora-DS running at a client's place. I think I like OpenLDAP more but I would like Fedora-DS (or CentOS-DS) more if it were integrated with kerberos, policy and audit. ----
It would seem that if Red Hat were serious about freeipa, they would make it so that it actually could build a non-ancient version on RHEL (CentOS).
As usual, if you want cutting-edge it will be in Fedora. If you want stable it will be in RHEL/CentOS.
It seems to me that FreeIPA is a quite contained and integrated package, and it makes sense to have dedicated machines to run it. Why don't you just use FreeIPA itself instead of trying to shoehorn its packages into CentOS, ending up with something that will probably lack the advantages of both parts?
---- Sure but that's not typically the realm I play in. My typical client is < 50 users and having a server just for authentication is harder to justify.
I myself have an older server which doesn't support hardware virtualization. Perhaps you're right, I set up something in virtualization and use Fedora but the churn rate of Fedora is just too much, especially for an authentication server.
Craig
Craig White wrote:
Sure but that's not typically the realm I play in. My typical client is < 50 users and having a server just for authentication is harder to justify.
In that case, shelling out the 7-something grand for RHE-IPA is probably also not an option, I assume.
I myself have an older server which doesn't support hardware virtualization. Perhaps you're right, I set up something in virtualization and use Fedora but the churn rate of Fedora is just too much, especially for an authentication server.
Craig
But maybe this is of help: http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
Regards, Rainer
On Wed, 2009-04-08 at 10:31 +0200, Rainer Duffner wrote:
Craig White wrote:
Sure but that's not typically the realm I play in. My typical client is < 50 users and having a server just for authentication is harder to justify.
In that case, shelling out the 7-something grand for RHE-IPA is probably also not an option, I assume.
---- Reminds me of the old joke whose punchline goes something like, we've already determined what you are and now we're just haggling over the price. ----
I myself have an older server which doesn't support hardware virtualization. Perhaps you're right, I set up something in virtualization and use Fedora but the churn rate of Fedora is just too much, especially for an authentication server.
But maybe this is of help: http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
---- I listed that URL in my first post on this thread. I used that as a semi-guide but got build requisites from EPEL & Fedora-10-SRPMS instead just to have a shot at building 1.2.0 instead of the 1.0.0 version discussed on that page.
Thanks
Craig
Craig White wrote:
On Wed, 2009-04-08 at 10:31 +0200, Rainer Duffner wrote:
Craig White wrote:
Sure but that's not typically the realm I play in. My typical client is < 50 users and having a server just for authentication is harder to justify.
In that case, shelling out the 7-something grand for RHE-IPA is probably also not an option, I assume.
Reminds me of the old joke whose punchline goes something like, we've already determined what you are and now we're just haggling over the price.
I myself have an older server which doesn't support hardware virtualization. Perhaps you're right, I set up something in virtualization and use Fedora but the churn rate of Fedora is just too much, especially for an authentication server.
But maybe this is of help: http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
I listed that URL in my first post on this thread. I used that as a semi-guide but got build requisites from EPEL & Fedora-10-SRPMS instead just to have a shot at building 1.2.0 instead of the 1.0.0 version discussed on that page.
Thanks
Craig
I've been watching the discussion and read the RHEL docs about IPA and thought "At Last" something that brings together all the bits for the little guy. Now it appears the RH is going to drop the ball.
I have tried OpenLDAP and currently have a CentOS-DS running but am missing the bits that glue it all together. The actual core services (LDAP (either variant) Kerberos PAM samba etc) are simple enough to install on CentOS but the stuff that makes it "just work" is very difficult for me to get my head around and thus I've never actually got a setup working well enough to risk on my clients.
The excellent how-to for amavis http://wiki.centos.org/HowTos/Amavisd is just wonderful. Congratulations and thanks to the author - it just works. We need more of this!!
Back to secure authentication and having a single (replicated) place for all the users/groups/policy.... It seems enterprises have the bucks and folk to learn all the mumbo-jumbo needed to get it working, or the other scenario is integrating with microsoft based ads, neither of which fits my needs.
I have purchased text books on LDAP etc and still cannot get a recipe that works for a small enterprise with maybe two or three servers, one or two locations and less than 50 people. I end up doing all the admin by hand - samba is working, the clients can simply log in once on their windoze machine but oh the background work to keep it going.....sigh.
Any good documents or apps out there?
Rob
Rob Kampen wrote:
I've been watching the discussion and read the RHEL docs about IPA and thought "At Last" something that brings together all the bits for the little guy. Now it appears the RH is going to drop the ball. I have tried OpenLDAP and currently have a CentOS-DS running but am missing the bits that glue it all together. The actual core services (LDAP (either variant) Kerberos PAM samba etc) are simple enough to install on CentOS but the stuff that makes it "just work" is very difficult for me to get my head around and thus I've never actually got a setup working well enough to risk on my clients.
I have started with SME: http://wiki.contribs.org/Main_Page
This is a good NT Domain + equiv on Centos 4.7 and they have Centos 5.2 (I hope now 5.3) in beta.
I have not looked enough into their roadmap to see what is being done with LDAP...
Another effort on Fedora is Amahi.org. This is more a home product with a WorkGroup orientation. The inclusion of home apps like streaming music makes it very attractive.
SME is a well organized effort, originally back? by Mitel. Amahi started as a one-man effort (though the one man behind it has impressive credentials) and has developed a 'plugin' community.
Craig well knows the efforts of a couple of k12 guys to get some SAMBA integration together (http://majen.net/smbldap/). This seems to have stagnated.
I am hoping that SME continues to evolve. Their VoIP version is the perfect place to get serious with LDAP.
On Wed, 2009-04-08 at 13:11 -0400, Robert Moskowitz wrote:
Rob Kampen wrote:
I've been watching the discussion and read the RHEL docs about IPA and thought "At Last" something that brings together all the bits for the little guy. Now it appears the RH is going to drop the ball. I have tried OpenLDAP and currently have a CentOS-DS running but am missing the bits that glue it all together. The actual core services (LDAP (either variant) Kerberos PAM samba etc) are simple enough to install on CentOS but the stuff that makes it "just work" is very difficult for me to get my head around and thus I've never actually got a setup working well enough to risk on my clients.
I have started with SME: http://wiki.contribs.org/Main_Page
This is a good NT Domain + equiv on Centos 4.7 and they have Centos 5.2 (I hope now 5.3) in beta.
I have not looked enough into their roadmap to see what is being done with LDAP...
Another effort on Fedora is Amahi.org. This is more a home product with a WorkGroup orientation. The inclusion of home apps like streaming music makes it very attractive.
SME is a well organized effort, originally back? by Mitel. Amahi started as a one-man effort (though the one man behind it has impressive credentials) and has developed a 'plugin' community.
Craig well knows the efforts of a couple of k12 guys to get some SAMBA integration together (http://majen.net/smbldap/). This seems to have stagnated.
I am hoping that SME continues to evolve. Their VoIP version is the perfect place to get serious with LDAP.
---- indeed, I do know about the k12ltsp efforts and the result was somewhat predictable.
All of the networks that I have set up and maintain use LDAP for authentication (Linux/Macintosh/Windows) and use a Samba PDC/BDC, DNS, DHCP, etc. and in fact, use the same user's $HOME directory regardless of which OS they log into. I have also adapted automounts for Linux & Macintosh users into LDAP but Windows users mount shares via login scripts. I have also been using WPKG for automatic software installation on Windows systems.
I don't have much interest in SME myself. FreeIPA seemed to have the whole bundle.
Craig
Craig White wrote:
All of the networks that I have set up and maintain use LDAP for authentication (Linux/Macintosh/Windows) and use a Samba PDC/BDC, DNS, DHCP, etc. and in fact, use the same user's $HOME directory regardless of which OS they log into. I have also adapted automounts for Linux & Macintosh users into LDAP but Windows users mount shares via login scripts. I have also been using WPKG for automatic software installation on Windows systems.
I don't have much interest in SME myself. FreeIPA seemed to have the whole bundle.
The place where SME becomes interesting is where someone who doesn't know Linux wants a server for a home or small office setting mostly running windows - and they want to install and maintain it themselves instead of having you do it for them.
On Wed, 2009-04-08 at 12:36 -0500, Les Mikesell wrote:
Craig White wrote:
I don't have much interest in SME myself. FreeIPA seemed to have the whole bundle.
The place where SME becomes interesting is where someone who doesn't know Linux wants a server for a home or small office setting mostly running windows - and they want to install and maintain it themselves instead of having you do it for them.
---- makes sense to me - I'm just not interested in using it myself.
Craig
Robert Moskowitz wrote:
I've been watching the discussion and read the RHEL docs about IPA and thought "At Last" something that brings together all the bits for the little guy. Now it appears the RH is going to drop the ball. I have tried OpenLDAP and currently have a CentOS-DS running but am missing the bits that glue it all together. The actual core services (LDAP (either variant) Kerberos PAM samba etc) are simple enough to install on CentOS but the stuff that makes it "just work" is very difficult for me to get my head around and thus I've never actually got a setup working well enough to risk on my clients.
I have started with SME: http://wiki.contribs.org/Main_Page
This is a good NT Domain + equiv on Centos 4.7 and they have Centos 5.2 (I hope now 5.3) in beta.
I have not looked enough into their roadmap to see what is being done with LDAP...
Another effort on Fedora is Amahi.org. This is more a home product with a WorkGroup orientation. The inclusion of home apps like streaming music makes it very attractive.
SME is a well organized effort, originally back? by Mitel. Amahi started as a one-man effort (though the one man behind it has impressive credentials) and has developed a 'plugin' community.
Craig well knows the efforts of a couple of k12 guys to get some SAMBA integration together (http://majen.net/smbldap/). This seems to have stagnated.
I am hoping that SME continues to evolve. Their VoIP version is the perfect place to get serious with LDAP.
Has anyone looked at the version of ClarkConnect now in beta? This is similar to SME but perhaps a more modern approach (and with separate free/commercial versions...). The blurb claims that the initial setup provides LDAP authentication for easy expansion. That's something I've thought every Linux distro should have had for years, but I don't know if it actually works.
<<snip>>
Has anyone looked at the version of ClarkConnect now in beta? This is similar to SME but perhaps a more modern approach (and with separate free/commercial versions...). The blurb claims that the initial setup provides LDAP authentication for easy expansion. That's something I've thought every Linux distro should have had for years, but I don't know if it actually works.
I'm waiting for it to come out of beta to see how it works. I run the previous version at home and I love it.
On 08.04.2009 at 19:30, Les Mikesell wrote:
Robert Moskowitz wrote:
I've been watching the discussion and read the RHEL docs about IPA and thought "At Last" something that brings together all the bits for the little guy. Now it appears the RH is going to drop the ball. I have tried OpenLDAP and currently have a CentOS-DS running but am missing the bits that glue it all together. The actual core services (LDAP (either variant) Kerberos PAM samba etc) are simple enough to install on CentOS but the stuff that makes it "just work" is very difficult for me to get my head around and thus I've never actually got a setup working well enough to risk on my clients.
I have started with SME: http://wiki.contribs.org/Main_Page
This is a good NT Domain + equiv on Centos 4.7 and they have Centos 5.2 (I hope now 5.3) in beta.
I have not looked enough into their roadmap to see what is being done with LDAP...
Another effort on Fedora is Amahi.org. This is more a home product with a WorkGroup orientation. The inclusion of home apps like streaming music makes it very attractive.
SME is a well organized effort, originally back? by Mitel. Amahi started as a one-man effort (though the one man behind it has impressive credentials) and has developed a 'plugin' community.
Craig well knows the efforts of a couple of k12 guys to get some SAMBA integration together (http://majen.net/smbldap/). This seems to have stagnated.
I am hoping that SME continues to evolve. Their VoIP version is the perfect place to get serious with LDAP.
Has anyone looked at the version of ClarkConnect now in beta? This is similar to SME but perhaps a more modern approach (and with separate free/commercial versions...). The blurb claims that the initial setup provides LDAP authentication for easy expansion. That's something I've thought every Linux distro should have had for years, but I don't know if it actually works.
Maybe I understood that wrong, but the point about Free/RHEL-IPA is/was that it doesn't use LDAP for authentication. It uses Kerberos for that. There are - as far as I understood - no passwords in LDAP.
FreeIPA isn't really intended as a Samba-replacement, but as a NIS-replacement. If you're like me and have possibly hundreds of unix-servers to maintain, being able to provide a sane, centralized login-management for them would be not great, it would be a revolution ;-)
It's AD for Unix done right. Or mostly - I've only played briefly with it (lack of time).
IMO, if you have Windows-Clients, you need a Windows-Server, earlier or later (and AD, or buy into the Novell-stack...). Stuff like IPA will eventually help you to keep the Unix- and Windows-world synchronized without foisting anything on any of them that they weren't really intended to do.
Rainer
Craig White wrote:
doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
That mostly looks to be a waste of time to me, specially given that Red Hat have made it public that FreeIPA might not really ever be a RHEL product line, and if it does make it, the packaging format etc will be very different from what's out there at the moment.
And to the idiot who wrote that article on howtoforge : ( how do they find such brain dead morons ? ) directly url'ing the testing repo is really not recommended.
- KB
On Wed, 2009-04-08 at 10:24 +0100, Karanbir Singh wrote:
Craig White wrote:
doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
That mostly looks to be a waste of time to me, specially given that Red Hat have made it public that FreeIPA might not really ever be a RHEL product line, and if it does make it, the packaging format etc will be very different from what's out there at the moment.
And to the idiot who wrote that article on howtoforge : ( how do they find such brain dead morons ? ) directly url'ing the testing repo is really not recommended.
---- I just sort of used that as a guideline and used EPEL first, Fedora-10 source second for packages to try to build because of things I noticed in the changelogs, etc. I managed to get all the requisites handled except for popt-devel which I discussed but that didn't seem to be the deal breaker.
Now that I recognize that the current version of freeipa wasn't meant to be built on RHEL, I will change course because I don't want to make that my mission if they don't.
Craig
Craig White wrote:
doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
which I'm not totally averse to doing but I have to ask, is there something packaged? (I've looked in 'testing' and in 'extras' and in epel)
Has anyone followed some other instructions?
Craig
I spoke with Simo Sorce at the Fosdem event regarding that (having IPA/FreeIPA rpms sitting in the Extras repository). Due to the fact that Red Hat made it clear now that the actual RHEIPA will be discontinued (at least in its actual form and will probably change to something else ...) we still don't know what direction to take.
Rebuilding FreeIPA is probably possible too but how long will that be possible? FreeIPA isn't looking at being backward compatible and doesn't focus on RHEL interoperability. It can probably work for a certain time, but surely not as long as an Enterprise timelife ... That's maybe worth discussing it though.
On the other hand, centos-ds is in the testing repo for a while and there was not a lot of feedback: the plan is/was to move it to extras when enough testing/reports have hit the -devel list ...
On Wed, 2009-04-08 at 13:26 +0200, Fabian Arrotin wrote:
Craig White wrote:
doing some googling, this seems to be about the most current/relevant thing I have found wrt running freeipa server on CentOS
http://howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
which I'm not totally averse to doing but I have to ask, is there something packaged? (I've looked in 'testing' and in 'extras' and in epel)
Has anyone followed some other instructions?
Craig
I spoke with Simo Sorce at the Fosdem event regarding that (having IPA/FreeIPA rpms sitting in the Extras repository). Due to the fact that Red Hat made it clear now that the actual RHEIPA will be discontinued (at least in its actual form and will probably change to something else ...) we still don't know what direction to take.
Rebuilding FreeIPA is probably possible too but how long will that be possible? FreeIPA isn't looking at being backward compatible and doesn't focus on RHEL interoperability. It can probably work for a certain time, but surely not as long as an Enterprise timelife ... That's maybe worth discussing it though.
On the other hand, centos-ds is in the testing repo for a while and there was not a lot of feedback: the plan is/was to move it to extras when enough testing/reports have hit the -devel list ...
---- obviously Simo is in a position to know about these things.
I guess the thing that surprises me is that I went to the Red Hat road show last September and they were promoting FreeIPA as the up and coming technology and so I was rather shocked that it seemed impossible (to me anyway) to build a reasonably current version on CentOS (and by extension, RHEL).
I will install CentOS-DS but I suspect that what I will find is that it is a stable version of Fedora-DS which is fine, but I have Fedora-DS running somewhere else already and by itself, it didn't give me any goosebumps and was more painful to set up than OpenLDAP.
Craig