[Freeipa-users] ipa impressions and more questions

Ivan Levchenko levchenko.i at gmail.com
Wed Sep 17 14:59:14 UTC 2008


On Wed, Sep 17, 2008 at 5:45 PM, Simo Sorce <ssorce at redhat.com> wrote:
> On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
>> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
>> > Hi All,
>> >
>> > Thanks to Simo Sorce for his time and help with getting ipa up and
>> > running. Everything that I have been going through in the docs works
>> > well.
>> >
>> > I just don't understand what these service principals are. Now I
>> > can understand a service principal for ssh. If we add a service
>> > principal for ssh for a host, we allow ipa users to connect via ssh to
>> > this host and auth. (would be great if it were more granular - as I
>> > understand, this is for version 2).
>> > But what is a service principal for DHCP, or snmp, or DNS? How do those work?
>>
>> Mostly, they don't :)
>>
>> That is, most services don't need service principals. Generally
>> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
>> therefore have no need of service principals. DHCP is pretty much devoid
>> of any authentication capability. SNMP has some authentication
>> capability, but it's currently built around an SNMP-specific mechanism
>> that doesn't play with Kerberos. Likewise, DNS has some limited
>> authentication capability that almost nobody uses, and Kerberos support
>> is a non-standard extension that's only even useful for a few operations
>> that most clients never attempt.
>
> I agree for DHCP and SNMP (do we really have entries for those in the
> UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> it in v2) for GSS-TSIG authenticated DNS update requests.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
Thanks Andrew, it makes a lot more sense now!

Simo, yes, those options exist in the UI, that's why I was a bit
confused about their purpose.

With the current state of IPA, is it possible to provide granular
access to resources? Or is it set up for v2 (if so, I REALLY hope
upgrade will be an option...)

When authenticating against ldap, are there any requirements? Or do I
just have to set up my application to get what it needs from the ldap
server?

btw, OT, but could anybody recommend some app that could automate the
build process of rpms for i386 and x64? It's pretty tedious to do all
of it by hand. I could of course write a perl script to hack it, but
there probably is something that could do a better job....

Thanks for all of your help guys, with all this info, maybe I could
help collect it, write out my experiences (and your answers) to the
wiki to fill in the gaps in the howto part of the documentation?

--

Best Regards,

Ivan Levchenko
levchenko.i at gmail.com