[Freeipa-users] ipa impressions and more questions

Simo Sorce ssorce at redhat.com
Wed Sep 17 15:09:14 UTC 2008


On Wed, 2008-09-17 at 17:59 +0300, Ivan Levchenko wrote:
> On Wed, Sep 17, 2008 at 5:45 PM, Simo Sorce <ssorce at redhat.com> wrote:
> > On Wed, 2008-09-17 at 10:27 -0400, Andrew C. Dingman wrote:
> >> On Wed, 2008-09-17 at 01:56 +0300, Ivan Levchenko wrote:
> >> > HI All,
> >> >
> >> > Thanks to Simo Sorce for his time and help with getting ipa up and
> >> > running. Everything that I have been going through in the docs works
> >> > well.
> >> >
> >> > I just don't understand what these service principals are. Now I
> >> > can understand a service principal for ssh. If we add a service
> >> > principal for ssh for a host, we allow ipa users to connect via ssh to
> >> > this host and auth. (would be great if it were more granular - as I
> >> > understand, this is for version 2).
> >> > But what is a service principal for DHCP, or snmp, or DNS? How do those work?
> >>
> >> Mostly, they don't :)
> >>
> >> That is, most services don't need service principals. Generally
> >> speaking, DHCP, SNMP, and DNS are all unauthenticated services, and
> >> therefore have no need of service principals. DHCP is pretty much devoid
> >> of any authentication capability. SNMP has some authentication
> >> capability, but it's currently built around an SNMP-specific mechanism
> >> that doesn't play with Kerberos. Likewise, DNS has some limited
> >> authentication capability that almost nobody uses, and Kerberos support
> >> is a non-standard extension that's only even useful for a few operations
> >> that most clients never attempt.
> >
> > I agree for DHCP and SNMP (do we really have entries for those in the
> > UI?), but disagree about DNS. Kerberos can be used (and we plan to use
> > it in v2) for GSS-TSIG authenticated DNS update requests.
> >
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> Thanks Andrew, it makes a lot more sense now!
> 
> Simo, yes, those options exist in the UI, that's why I was a bit
> confused about their purpose.
> 
> With the current state of IPA, is it possible to provide granular
> access to resources? Or is it setup for v2 ( if so, I REALLY hope
> upgrade will be an option...)

At the moment you can use pam_access and access.conf and use groups to
grant/deny access to people.

> When authenticating against ldap, are there any requirements? or do I
> just have to setup my application to get what it needs from the ldap
> server?

Ideally we suggest you use Kerberos for authentication, but you can use
LDAP too.

> btw, OT, but could anybody recommend some app that could automate the
> build process of rpms for i386 and x64? It's pretty tedious to do all
> of it by hand. I could of course write a perl script to hack it, but
> there probably is something that could do a better job....

We use Koji for Fedora, probably something using mock can help.

> Thanks for all of your help guys, with all this info, maybe I could
> help collect it, write out my experiences (and your answers) to the
> wiki to fill in the gaps in the howto part of the documentation?

Sure, any contribution is welcome.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York