[Freeipa-users] [Freeipa-devel] [Freeipa-interest] Announcing FreeIPA v2 Server Beta 1 Release

JR Aquino JR.Aquino at citrix.com
Tue Jan 4 16:25:31 UTC 2011


On 1/4/11 1:04 AM, "Roland Kaeser" <roland.kaeser at intersoft-networks.ch>
wrote:

>>We return to this discussion once in a while...
>>....
>>Samba 4 tries to do it and still struggles after many years
>>of development. We definitely would look at Samba 4 again when we see it
>>sufficiently ready but this is not a priority for 2011.
>
>Maybe this is the reason why FreeIPA has so few users and nearly no
>echo in the Linux community.

I disagree, Roland.  The Linux community at large is generally living in
the dark ages of authorization management.

There are no comparative comprehensive Linux solutions in the community
thus far which actually address scalable authentication and authorization
from Linux systems by a Linux solution.

My observation of the quiet in the community is due to lack of solutions
out there.

/etc/access.conf, pam_ldap, Certify, hosts.allow are very primitive means
to control access to a Linux client.

Regardless of how complex you make your authentication database, to this
day, you are still limited to: pam_ldap, access.conf, Certify,
hosts.allow... These are very primitive means to control access to a
Linux client.

With FreeIPA and SSSD, the first means of providing real RBAC/HBAC is
available to the Open Source community.

We cannot and should not attempt to explain the quiet with answers of
disinterest or lack of Microsoft support.

The fact is, there has not yet been a competent Linux solution and as a
result the utilization of pure Linux environments has been stunted with
people settling for things like /etc/passwd, /etc/access.conf, pam_ldap,
and NIS...

What you are describing is the reinventing of the wheel.  Which has
previously been answered: If the goal is to provide an alternative Linux
authentication/authorization method for Microsoft Windows, then there are
already existing solutions out there: Samba4, Novell eDirectory +
Directory Services for Windows...

FreeIPA serves to facilitate some of the most basic
authentication/authorization interactions that other OS's have taken for
granted for years.
 
>
>>Samba 4 is intended to be a duplicate of AD this is how it is designed
>>and implemented.
>The problem here is that Samba 4 is still alpha.
>
>>I would like to be able to use Linux as the IT backbone without having
>>to resort to Microsoft.
>This is also our most implemented scenario. Only in the last year we migrated
>half a dozen companies away from Microsoft and AD (on the server side).
>This year a lot of companies are already planned for migration. Especially
>with the knowledge in mind that (based on the change of Microsoft's
>licensing model for hosters) around 1000 companies only in Switzerland
>will switch their abacus (www.abacus.ch, large ERP for Switzerland)
>platform to Linux, so it's REALLY, REALLY (I cannot write how much I would
>like to accentuate this) important to have a network-wide authentication
>and identity management software to build up large Linux server
>environments with Windows frontends.
>So, having Windows clients in the network is the reality; we cannot close
>our eyes to this only because it's a challenge to implement it.

Microsoft has designed a complete ecosystem to surround its client,
server, email, and productivity solutions.

It's not just a challenge to implement a successful means of replacing the
backend, it is directly opposed to the goals of its creator: Microsoft.

The various components within Microsoft's (and most commercial) solutions
are designed at their core to be proprietary with the effort of drawing in
consumers to more pieces of their puzzle.

It is entirely likely that it will be necessary to have both solutions in
place and working together, rather than attempting to circumvent
Microsoft's solution.

>
>>Linux is lacking a complete solution that acts as a "central
>>authentication and identity management platform"
>I think also this is the only huge area in Linux which is really missing.
> Just think about the huge potential of users and implementations if
>FreeIPA acts also as authentication instance for Windows environments.
>Just we only (as small company with 8 persons) would have the
>possibility for around 20 migrations this year. It just wage to dream a
>bit but from my point of view the authentication lack is the only
>remaining one which prevents the rest of the world (or even Europe and
>Switzerland) to massively migrate to Linux and opensource (at least on the
>server side).

While I agree that a truly unified solution which answers all clients'
authentication needs is a worthwhile concept, in practice, throughout my
entire career, I've learned that the commercial design of this ecosystem
conflicts with this ambitious ideal.

I have had a great deal of experience in highly dense and distributed
(world wide) native Linux installations which service Windows Clients.

All tools are best used by their intended design.  If the only tool you
have is a Hammer, you may approach all of your problems as if they are
nails.

~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino
Information Security Specialist
Citrix Online
GCIH, CCNA





