[Gllug] Linux based "not Active Directory"

Daniel P. Berrange dan at berrange.com
Thu May 8 14:04:03 UTC 2008


On Wed, May 07, 2008 at 02:08:21PM +0100, Vidar Hokstad wrote:
> On 7 May 2008, at 12:52, Daniel P. Berrange wrote:
> >
> >Take a look at our FreeIPA project. It integrates Kerberos, FreeRadius
> >and Fedora Directory Server into one slick application with a very nice
> >web management interface & command line toolset.
> 
> 
> FreeIPA looks interesting, but when I looked at the webpage, my first  
> reaction was buzzword / "consultant speak" overload, followed by the  
> thought "but what does it actually DO?" and I can't seem to find much  
> in terms of hard facts on the site unless I go diving into the source  
> code.

There's a reasonable overview of the concepts / ideas here:

http://freeipa.org/page/IpaConcepts

> I.e. what would it actually buy me for a small to medium sized  
> installation over, say, OpenLDAP + LdapDNS + phpldapadmin for example?  
> A nicer management interface is  nice and all, but you have to have a  
> pretty large shop before things change frequently enough that it's a  
> big deal (and the same before multi-master replication becomes  
> important). From the web page I can't even tell if FreeIPA has feature  
> parity with the above combination in terms of what I could do with it.  
> I can see there are some things that FreeIPA supports that I _can't_  
> do with the above, but unfortunately none of those things matters to  
> me (if I had a larger install it would, though).

Primarily it is about providing a pre-integrated solution of the
various apps it bundles. In particular Kerberos, LDAP and FreeRadius.
This takes the pain out of setting up & configuring all the apps to
talk to each other. So as an admin you just need to yum install the
software (or equivalent) and then run the setup script, which prompts
for the name of the realm, DNS domain name and admin password. Everything
else is then configured based on this info. For admins not already
familiar with Kerberos & LDAP administration this is a very big win,
making installation an order of magnitude easier. I managed to get it
up & running in about 30 minutes with zero prior knowledge of Kerberos
admin.

> More specifically, I noticed Debian-based distros were noticeably  
> absent from the client installation docs, and the docs that are there  
> seems to say very little about what the client installation actually  
> covers (in terms of what applications will actually be able to use the  
> ipa client support). Any plans for Debian support on the client, or at  
> least some info on what needs to be in place?

The client tools are focused on making it easier to configure a machine
to use Kerberos/LDAP services for authentication, and fetching of service
principals for servers which need them. As such the client tools are
optional - you can still manually configure /etc/krb5.conf and similar
files if desired - it's just standard Kerberos & LDAP after all.

The IPA development is primarily done on Fedora since most of the developers
are working for Red Hat, but the code/tools themselves should work on any
Linux distro if the software pre-requisite versions are met. There may be
people packaging for Debian, but you'd have to ask on the IPA mailing list
about that, since I'm not up2date on that development.

> When setting up OpenLDAP here, the biggest problems we ran into was  
> not the server, by the way, but getting all the different apps we use  
> that rely on identity and authorization to actually use PAM or the  
> LDAP server instead of a myriad of other authentication methods. That  
> included building a number of new packages and a ton of updates, and  
> assorted random breakage (our mail server suddenly decided it needed  
> an existing home directory to deliver mail to the users after we made  
> it use LDAP to check for the existence of a user account instead of  
> its own table, for example) that took a while to sort through. That's  
> something I really hope most/all distros put more effort into  
> improving...
> 
> I'd really like to hear more about what the actual benefits of FreeIPA  
> are, though... At the moment just getting most apps here reconfigured  
> to use LDAP is/will be a huge improvement, but anything that makes  
> managing the whole thing less painful is very attractive..

Ease of deployment & initial configuration of the server, ease of client
configuration, and consistent ongoing management are all core goals and
benefits of the IPA project. It is a young project, only at version 1.0
though so it obviously hasn't solved all the problems just yet :-) It has
been moving forward very quickly in the 6 months I've been using the 
pre-releases...

Dan.
-- 
|: http://berrange.com/     -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://freshmeat.net/~danielpb/    -o-   http://gtk-vnc.sourceforge.net :|
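The manual client setup Dan describes (an /etc/krb5.conf plus the LDAP client config, generated from the same realm and DNS domain the server setup prompts for), as an added shell example. This is not FreeIPA's own client tooling nor code from anyone in the thread; the realm EXAMPLE.COM, domain example.com, host ipa.example.com, the DESTDIR variable and the CA bundle path /etc/ssl/certs/ipa-ca.crt are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA code): the "standard kerberos & ldap" client
# configuration that an IPA-style client tool automates, derived from the
# realm, DNS domain and KDC host. All names below are placeholders.

# Turn a DNS domain into an LDAP base DN: example.com -> dc=example,dc=com
domain_to_basedn() {
    printf '%s\n' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# Checks worth running before touching /etc:
#  - Kerberos realm names are case-sensitive and upper-case by convention;
#    a lower-case realm here will not match principals issued as REALM.
#  - The KDC host must sit under the DNS domain mapped to the realm, or the
#    [domain_realm] section below will not cover the KDC's own principals.
check_inputs() {
    realm="$1"; domain="$2"; kdc="$3"
    [ -n "$realm" ] && [ -n "$domain" ] && [ -n "$kdc" ] || return 1
    upper="$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
    [ "$realm" = "$upper" ] || return 1
    case "$kdc" in *".$domain") ;; *) return 1 ;; esac
    return 0
}

# /etc/krb5.conf: pin the realm and KDC explicitly instead of discovering
# them through DNS SRV/TXT records, which are unauthenticated.
gen_krb5_conf() {
    realm="$1"; domain="$2"; kdc="$3"
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    forwardable = true

[realms]
    $realm = {
        kdc = $kdc:88
        admin_server = $kdc:749
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# /etc/ldap/ldap.conf (OpenLDAP client library): require TLS and verify the
# directory server's certificate against an assumed CA bundle path.
gen_ldap_conf() {
    domain="$1"; server="$2"
    cat <<EOF
URI ldaps://$server
BASE $(domain_to_basedn "$domain")
TLS_CACERT /etc/ssl/certs/ipa-ca.crt
TLS_REQCERT demand
EOF
}

# Usage: DESTDIR=/tmp/scratch sh client-conf.sh EXAMPLE.COM example.com ipa.example.com
# Files land under $DESTDIR (default /etc) so the script can be dry-run first.
if [ "$#" -eq 3 ]; then
    check_inputs "$1" "$2" "$3" || { echo "bad realm/domain/kdc" >&2; exit 2; }
    dest="${DESTDIR:-/etc}"
    mkdir -p "$dest/ldap"
    gen_krb5_conf "$1" "$2" "$3" > "$dest/krb5.conf"
    gen_ldap_conf "$2" "$3" > "$dest/ldap/ldap.conf"
    echo "wrote $dest/krb5.conf and $dest/ldap/ldap.conf"
fi
```

Run it with DESTDIR pointing at a scratch directory first and diff the result against the real files; the two dns_lookup_* settings are the ones to keep even if you later let an IPA tool manage the rest, since they stop the client from following unauthenticated DNS answers to find its KDC.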