[Freeipa-devel] freeIPA and NIS

Simo Sorce ssorce at redhat.com
Tue Aug 12 13:56:20 UTC 2008


On Tue, 2008-08-12 at 11:43 +0200, Angel Marin wrote:
> (sorry for the off-topic, but it might be of interest for people 
> planning on moving to freeipa)

Not off topic at all, although maybe freeipa-interest might also be a
good place for good user experiences :)

> Christian Horn wrote:
> > On Tue, Aug 12, 2008 at 08:39:04AM +0200, Angel Marin wrote:
> >> Anyway once in place freeIPA+pGina+OpenAFS are working great as an AD 
> >> replacement (quirks aside) :)
> > 
> > Nice to learn about pGina, just from glancing over the plugins I am
> > under the impression the windows-users are authenticated with pure ldap
> > in your place now, losing single sign-on that way?
> > Or did I miss something?
> 
> We do auth through a homemade pGina plugin that does Kerberos auth and
> ensures openafs (roaming profiles and user dirs are in the afs cell) is 
> ready; looking up user info in ldap, ensuring clock is in sync and 
> enabling password change are in the works. Finally kfw and openafs 
> integrated logon plugin takes care of actual tickets for user session so 
> there's SSO*.
> 
> We've had to patch pGina too as stock one was crashing on us. Once we've 
> been able to polish all the quirks (currently sometimes users are 
> randomly denied access to afs cell on first login) we'll release code 
> and docs somewhere :)
> 
> * Biggest issue with SSO is that it'll only work with apps capable of 
> talking to kfw (firefox, thunderbird, openafs-client, ...), but that's 
> not a problem around here. In theory with Vista clients kfw is capable 
> of writing to system ccache (enabling SSO on IE and the like) but we 
> haven't tried it here.

I am eager to see your code once released; please feel free to post
the details here.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



