[Freeipa-users] Question on AD to freeipa sync

Steven Jones Steven.Jones at vuw.ac.nz
Mon Oct 3 20:53:37 UTC 2011


exactly.........

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
Sent: Tuesday, 4 October 2011 1:07 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Question on AD to freeipa sync

On Mon, 2011-10-03 at 10:03 +0200, Ondrej Valousek wrote:
> Just wondering why would anyone want to sync freeIPA and AD - both can
> serve Linux systems fine, so if I already have AD, I no longer require
> IPA.
> My 2 cents...


AD can serve Linux systems with a very limited definition of "fine". All
support in Active Directory for POSIX compliance is an afterthought to
Microsoft. It exists solely to try and migrate customers from UNIX to
Windows, and really isn't designed for the purpose.

One of the major problems with using AD for Linux support is that it
violates the LDAP and Kerberos standards in several key places, meaning
that the experience on Linux is significantly degraded from that of
Windows machines. For example, in order to support very large group
memberships (>1000 members), Active Directory requires the use of a
special LDAP control to retrieve the members list a page at a time in
several LDAP communications. The way it does this is expressly violating
the LDAP protocol standard, which means that without rewriting all
clients on Linux to break the standard in the same way, Linux and UNIX
machines are capable of only seeing the first thousand members of a
group.

Another problem with Active Directory is its limited support for LDAP
authentication. AD expects that all of its clients are Windows machines,
and therefore capable of using Kerberos and/or NTLM for all
authentication. However, some applications (especially Linux-powered web
applications) can only authenticate using LDAP simple bind
authentication. While AD does have some support for this, LDAP auth
breaks completely in the case of expired users (it has no support for a
password-change grace period with LDAP authentication).

Yet further, in many environments, there are two very different
organizations in the IT departments: one group that manages Windows
systems and one that manages Linux/UNIX systems. By having FreeIPA be
capable of acting as a bridge between the two (either by the current
mechanism of user-syncing or by the forthcoming FreeIPA v3 mechanism of
Kerberos trusted realms), it allows IT departments to continue to hire
staff that knows one system well. It's very hard to find people with a
deep knowledge of both systems; people tend to specialize. It's much
better to let your Linux admins work on the Linux machines, rather than
trying to force your MCSEs to learn the intricacies of a LAMP setup.
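As an added example (not part of this thread, and not FreeIPA or Active Directory code), the truncation Stephen describes can be shown with a small simulation. AD serves large multi-valued attributes through ranged retrieval: the server answers a request for `member` with `member;range=0-999` and only that slice, each follow-up request names the next range, and the final slice carries `*` as its high bound. A client that only understands the plain `member` attribute gets one slice. The server below is a constructed stand-in with a 1000-value limit and 2500 constructed member DNs; `fake_ad_search`, `naive_members`, `all_members` and `truncated_attributes` are names chosen for this example.

```python
import re
from typing import Callable, Dict, List

# Constructed sample data: a single group with 2500 members, well above
# the 1000-value limit the post mentions.
FULL_MEMBERS = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(2500)]
PAGE_SIZE = 1000  # assumed per-response value limit of the simulated server

# Matches AD's range option on an attribute description, e.g. member;range=0-999
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.IGNORECASE)


def fake_ad_search(requested_attr: str) -> Dict[str, List[str]]:
    """Simulated AD entry for a search returning one attribute.

    A request for `member` or `member;range=L-H` yields at most PAGE_SIZE
    values, labelled with the range actually served; the last slice uses `*`
    as its high bound, as AD does.
    """
    total = len(FULL_MEMBERS)
    m = RANGE_RE.match(requested_attr)
    if m:
        low = int(m.group("low"))
        high = total - 1 if m.group("high") == "*" else int(m.group("high"))
    else:
        low, high = 0, total - 1
    if low >= total:
        return {}
    high = min(high, low + PAGE_SIZE - 1, total - 1)
    is_last = high == total - 1
    key = f"member;range={low}-{'*' if is_last else high}"
    return {key: FULL_MEMBERS[low:high + 1]}


def naive_members(entry: Dict[str, List[str]]) -> List[str]:
    """A client that knows nothing about ranges: it ignores attribute options
    (as LDAP permits) and takes whatever `member` values came back."""
    members: List[str] = []
    for key, values in entry.items():
        if key.split(";")[0].lower() == "member":
            members.extend(values)
    return members


def truncated_attributes(entry: Dict[str, List[str]]) -> List[str]:
    """Defender's check: attribute names whose returned values are only a
    partial range (high bound is a number, not `*`). A sync job that sees a
    non-empty result here has NOT read the whole group."""
    partial = []
    for key in entry:
        m = RANGE_RE.match(key)
        if m and m.group("high") != "*":
            partial.append(m.group("attr"))
    return partial


def all_members(search: Callable[[str], Dict[str, List[str]]]) -> List[str]:
    """A range-aware client: keeps asking for the next slice until the
    server marks the final one with `*`."""
    members: List[str] = []
    requested = "member"
    while True:
        entry = search(requested)
        if not entry:
            break
        (key, values), = entry.items()
        members.extend(values)
        m = RANGE_RE.match(key)
        if m is None or m.group("high") == "*":
            break
        requested = f"member;range={int(m.group('high')) + 1}-*"
    return members


if __name__ == "__main__":
    first = fake_ad_search("member")
    print("naive client sees:", len(naive_members(first)))        # 1000
    print("partial attributes:", truncated_attributes(first))     # ['member']
    print("range-aware client sees:", len(all_members(fake_ad_search)))  # 2500
```

A sync process that only ever reads `member` silently provisions a 1000-member group; running `truncated_attributes` on each entry it receives turns that silent loss into a detectable condition, which is the cheaper fix when the client cannot be taught ranged retrieval.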
