[Gllug] Linux based "not Active Directory"

Richard Jones rich at annexia.org
Wed May 7 13:17:54 UTC 2008


On Wed, May 07, 2008 at 02:08:21PM +0100, Vidar Hokstad wrote:
> On 7 May 2008, at 12:52, Daniel P. Berrange wrote:
> >
> > Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
> > and Fedora Directory Server into one slick application with a very nice
> > web management interface & command line toolset.
> 
> 
> FreeIPA looks interesting, but when I looked at the webpage, my first
> reaction was buzzword / "consultant speak" overload, followed by the
> thought "but what does it actually DO?" and I can't seem to find much
> in terms of hard facts on the site unless I go diving into the source
> code.

Yeah, I loathe those sorts of sites as well, although FreeIPA.org
isn't the worst by any means.

Your best bet is probably just to install it.  In Fedora 8 or 9 it's
just a matter of doing 'yum install ipa-server', followed by
'less /usr/share/doc/ipa*/*'.

Despite what Dan said, using Kerberos isn't exactly simple (although
FreeIPA is by far the simplest I've seen).  I've long come to the
conclusion that Kerberos tries to be deliberately obscure.

> I.e. what would it actually buy me for a small to medium sized
> installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?

Kerberos, proper integration with SELinux, plus the addition of a
certain amount of "just working"-ness.

> More specifically, I noticed Debian-based distros were noticeably
> absent from the client installation docs, and the docs that are there
> seem to say very little about what the client installation actually
> covers (in terms of what applications will actually be able to use the
> ipa client support). Any plans for Debian support on the client, or at
> least some info on what needs to be in place?

We work closely with Debian when they need to package software that we
(Red Hat) write.  In this case no one's come up with a WNPP for
FreeIPA yet.  But if you want to go through the usual process then
I'll help out where I can.

> When setting up OpenLDAP here, the biggest problems we ran into were
> not the server, by the way, but getting all the different apps we use
> that rely on identity and authorization to actually use PAM or the
> LDAP server instead of a myriad of other authentication methods. That
> included building a number of new packages and a ton of updates, and
> assorted random breakage (our mail server suddenly decided it needed
> an existing home directory to deliver mail to the users after we made
> it use LDAP to check for the existence of a user account instead of
> its own table, for example) that took a while to sort through. That's
> something I really hope most/all distros put more effort into
> improving...

Yup, this is exactly what the IPA team is working on.  Their efforts
are obviously focused on Fedora/RHEL first.

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug