<div dir="ltr"><div>Backing up what Tony Albers and Lachlan Musicman say.</div><div>I did a lot of work with sssd this summer, and am on the FreeIPA List, though to be honest I did not deploy FreeIPA.</div><div>Indeed I SHOUDL have deployed FreeIPA - sssd does not cope well with nested groups when used on Linux.</div><div>As Lachlan says the mailing list is very helpful.</div><div><br></div><div>One caveat though - if looking at FreeIPA you will often get the answer that bug or feature xyz is implemented int he latest release.</div><div>Be prepared to run it on an up to date OS so you get the latest versions.</div><div>I would also look at what the highest version of sssd your clients can support is.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 25 Oct 2018 at 12:30, Lachlan Musicman <<a href="mailto:datakid@gmail.com">datakid@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">On Thu, 25 Oct 2018 at 18:40, Tony Brian Albers <<a href="mailto:tba@kb.dk" target="_blank">tba@kb.dk</a>> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Wed, 2018-10-24 at 11:42 -0500, Tom Harvill wrote:> <br>
> We run multiple clusters in different data centers with a single <br>
> directory (LDAP) for general authentication and some user grouping<br>
> for <br>
> special purposes (eg delineating admin users for privileges). We put <br>
> 'extra' user data in an RDBMS.<br>
> <br>
> We currently use 389-DS (aka Fedora Directory Server) and there is<br>
> some <br>
> internal pressure to switch to OpenLDAP.<br>
> <br>
> 389-DS is working well, we use the multi-master feature. It really <br>
> hasn't failed us.<br>
> <br>
> I'm writing this list to ask:<br>
> <br>
> - what directory solution do you implement?<br>
> - if LDAP, which flavor?<br>
> - do you have any opinions one way or another on the topic?<br>
> <br>
> Because 389-DS has just worked, it's sort-of out of sight and mind.<br>
> I've <br>
> been re-engaging it for a little while and from what I can see it's <br>
> fairly well documented (I don't remember this being the case when we <br>
> originally set it up 10+ years ago.) I think OpenLDAP doesn't have <br>
> integrated multi-master replication - that feature appears to be a <br>
> bolted on script.<br>
<br>
At KB one of our Hadoop clusters is using 389-DS through FreeIPA, and<br>
it works great. Our 389-DS server is getting hit pretty hard from time<br>
to time since everything is using kerberos and FreeIPA(all the jobs<br>
running on the cluster looks up users etc. in FreeIPA), but it gets by<br>
and is very stable(we've had two unexpected service stops fixable by<br>
just restarting them in 2½ years now).<br>
<br>
All hosts use sssd and user homedirs are automounted on them using<br>
krb5. <br>
<br>
IMO you should consider IdM or FreeIPA since it brings quite a lot of<br>
extra functionality while still using a standard LDAP backend.</blockquote><div><br></div><div>100% agree. FreeIPA with SSSD includes 389-DS and has been perfect. Would always recommend. I've been following the IPA/SSSD development quite closely for two years now - they are a very good team and have actively helped me with issues on the mailing lists on numerous occasions.</div><div><br></div><div>Cheers</div><div>L.<br></div></div></div>
_______________________________________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org" target="_blank">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
To change your subscription (digest mode or unsubscribe) visit <a href="http://www.beowulf.org/mailman/listinfo/beowulf" rel="noreferrer" target="_blank">http://www.beowulf.org/mailman/listinfo/beowulf</a><br>
</blockquote></div>