[Gllug] Linux based "not Active Directory"

Vidar Hokstad vidar at aardvarkmedia.co.uk
Wed May 7 13:08:21 UTC 2008


On 7 May 2008, at 12:52, Daniel P. Berrange wrote:
>
> Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
> and Fedora Directory Server into one slick application with a very nice
> web management interface & command line toolset.


FreeIPA looks interesting, but when I looked at the webpage, my first  
reaction was buzzword / "consultant speak" overload, followed by the  
thought "but what does it actually DO?" and I can't seem to find much  
in terms of hard facts on the site unless I go diving into the source  
code.

I.e. what would it actually buy me for a small to medium sized  
installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?  
A nicer management interface is nice and all, but you have to have a
pretty large shop before things change frequently enough that it's a  
big deal (and the same before multi-master replication becomes  
important). From the web page I can't even tell if FreeIPA has feature  
parity with the above combination in terms of what I could do with it.  
I can see there are some things that FreeIPA supports that I _can't_  
do with the above, but unfortunately none of those things matters to  
me (if I had a larger install it would, though).

More specifically, I noticed Debian-based distros were noticeably
absent from the client installation docs, and the docs that are there
seem to say very little about what the client installation actually
covers (in terms of what applications will actually be able to use the
ipa client support). Any plans for Debian support on the client, or at
least some info on what needs to be in place?

When setting up OpenLDAP here, the biggest problems we ran into were
not the server, by the way, but getting all the different apps we use
that rely on identity and authorization to actually use PAM or the
LDAP server instead of a myriad of other authentication methods. That
included building a number of new packages and a ton of updates, and
assorted random breakage (our mail server suddenly decided it needed
an existing home directory to deliver mail to the users after we made
it use LDAP to check for the existence of a user account instead of
its own table, for example) that took a while to sort through. That's
something I really hope most/all distros put more effort into
improving...

I'd really like to hear more about what the actual benefits of FreeIPA  
are, though... At the moment just getting most apps here reconfigured  
to use LDAP is/will be a huge improvement, but anything that makes  
managing the whole thing less painful is very attractive.

Vidar

-- 
Vidar Hokstad
Technical Director
Aardvark Media Limited
Mobile: 0795 867 7857
Direct Dial: 020 7183 2740

2 Fulham Business Exchange
The Boulevard
Imperial Wharf
London
SW6 2TL



