Latest FreeIPA On CentOS


We’re looking to run freeipa on CentOS-6.5.

It seems the version available for 6.5 is 3.0, whereas the latest 3.x is
3.3.5 (available in F19 & 20). And now I see 4.0 was just released and will be in F21 (with support for native OTP-based 2FA!).

Has anyone attempted rebuilds against the F19/20 3.3.5 RPMS for CentOS?
Given the dependency chain, is it worth going down this rabbit hole?

Otherwise, is everyone who is running CentOS and FreeIPA pretty much using
3.0?

Since it’s a new build, I was hoping we could start with the latest stable, but not ready yet to run RHEL7/CentOS7 or Fedora in our environment.

johnny

6 thoughts on - Latest FreeIPA On CentOS

  • On Mon, 14 Jul 2014 11:47:32 -0400, Johnny Tan wrote:

    CentOS7 has 3.3

    I don’t know if Red Hat will backport it to 6.x like they did previously.

    I think we will start with what is in CentOS 7.0 and see how far we get. We will even buy RHEL-lics for it.

    I certainly don’t want to run Fedora in production – and I don’t want to do the backport for such a complicated piece of software myself.

  • 2014-07-14 17:57 GMT+02:00 Rainer Duffner:

    RH will *not* do a backport of 3.3 to RHEL 6.x.

    Alexander Bokovoy (from Red Hat) on the freeipa-users list (Feb. 17):
    “RHEL 6.x lacks many of the dependencies required for IPA 3.3. Newer MIT Kerberos (with API and ABI change for KDC database driver and many other changes required for trusts and two-factor authentication), newer Dogtag which relies on several dozens of Java packages and newer tomcat, systemd (we use socket activation and tmpfiles.d a lot), newer SSSD. Kerberos ccache stored in the kernel space (KEYRING ccache type) requires changes at kernel level which are also needed for kerberized NFSv4 for trusts as AD users have large Kerberos tickets when they are members of many groups and so on.”

    – Jitse

  • Isn’t that the sort of thing that ‘software collections’ are intended to provide? It would be encouraging to see something actually built on top of them.

  • 2014-07-14 21:33 GMT+02:00 Les Mikesell:

    True, but FreeIPA ≥ 3.2 depends on systemd. I don’t think it’s possible to put that into SCL…

    – Jitse

  • Thanks for the info. We’ll stick with 6.5 / 3.0 for now and hope the upgrade path is not strenuous. From first glances, it seems the manual part is going from 3.1 to something above, with the DogTag change. Hopefully that’s the only laborious part.

  • On 14.07.2014 at 21:02, Jitse Klomp wrote:

    I was pretty certain about it, too – but I don’t read the free-ipa lists (already too many subscriptions I can barely glance over…).

    So, thanks for bringing it to everyone’s attention ;-)