On 05-06-19 19:08, Maciej Delmanowski wrote:
> So, the question is, what's still missing from your setup? Any wishes about
> where the project should head next?
Right now I mostly miss roles for Docker container management, an
authoritative DNS server, a SAML IdP with two-factor authentication and
an OpenVPN server (with LDAP and maybe 2FA). I've implemented these as
custom Ansible roles which I plan on improving and contributing to DebOps.
There are some gaps in the documentation that should be filled. Some
basic things like provisioning a new host took me quite some time to
figure out when I first tried DebOps, for example. I read on the list
that Nicolas Quiniou-Briand wants to work on that, which is great!
> That's unfortunate. Fusion Directory looks like a really awesome LDAP
> management suite with support for many schemas, services, etc. I hoped to add
> support for it in the future, hopefully somewhat integrated with DebOps. Do
> you know what exactly was broken, or perhaps it was your own setup that was
> incompatible with new LDAP tree set up by DebOps environment and adding Fusion
> Directory on top of that would still work?
I tried out the new LDAP roles before migrating our existing directory.
I installed FusionDirectory from stretch-backports after running the
ldap/init-directory playbook, but the final step of the installation
process required performing migrations on the LDAP directory that
failed, leaving me with a broken setup. I didn't investigate it further.
> Unfortunately, LDAP Account Manager package was removed from Debian
> Buster:
> https://tracker.debian.org/news/1036031/ldap-account-manager-removed-from...
> So it will take some time until it is available again. Upstream provides .deb
> packages but only as a direct download. That's why I was looking to add Fusion
> Directory support instead, but if you say that it breaks the current LDAP
> setup created by DebOps, hmmm... I wonder if something can be done about it.
Yeah, I noticed that as well. It was also the main reason why we wanted
to use FusionDirectory in the first place. I guess we'll backport the
upstream packages when we migrate to Buster.
Note that FusionDirectory has an ACL system of its own, which might not
be easy to combine with the ACL rules that are set by DebOps. All LDAP
operations are performed by an LDAP admin user under the hood. What I
like about LDAP Account Manager (besides the directory tree browser) is
that it does not require an administrative user, additional LDAP schemas
or inserting/migrating LDAP entries to work.
Imre