[Freeipa-users] A couple of quick questions about FreeIPA

JR Aquino JR.Aquino at citrix.com
Thu Apr 26 17:19:33 UTC 2012


On Apr 26, 2012, at 9:57 AM, Paul Robert Marino wrote:

> Hello
> I'm trying to figure out if FreeIPA is a good solution for my
> environment or if I should just construct a custom infrastructure with
> 389 server, and I just have a couple of quick questions. I have a long
> history working with LDAPv3 and I'm currently planning a new
> infrastructure for my current employer. I've worked with OpenLDAP, 389
> server and even 389 server's original incarnation when Netscape was
> still around.
> 
> 1) Can the Kerberos server be on another box?
> I'm not a Python programmer so I haven't been able to test it myself,
> but many of the Kerberos calls look like wrappers to the C libraries.
> If so, then it might be possible.

Currently FreeIPA integrates Kerberos directly and it's not something that can be removed or set up on a separate box AFAIK.


> 2) Can I configure it not to store the Kerberos data in the LDAP
> server? I don't like the chicken and the egg authentication conundrum
> this can cause, and I have no intention of allowing users to use
> LDAPv2, so I actually don't want the password field in the database, or
> at least blocked by an ACL so it can't be used. I personally find the
> fact that applications still use this field for authentication
> appalling because it essentially turned back the clock to before
> shadow password files.

^ Same answer

> 
> 
> 3) This is the most important question. There has been a lot of talk
> about fixing the issues with MIT Kerberos. Is there someplace I can
> look to see what the status of these fixes is other than poring
> through the change logs for MIT Kerberos?
> I don't want to get into a Kerberos holy war but most of these are
> really old bugs in MIT Kerberos that made me abandon the idea of ever
> using the MIT server in production over a decade ago. I know exactly
> the issues that led the Samba group to choose to code only to Heimdal
> all too well because I first remember hitting them and reporting them
> back in 2001 to the Samba group via usenet.
> The big thing for me is the thread safety because this often caused
> the MIT Kerberos server to crash when Samba was running in domain mode
> on the same box. Honestly, I still don't trust MIT's implementation in
> a mission critical environment.

A great deal of things have changed since 2001, but I guess the real thing to do here is to answer a question with a question.

What specific 'bugs' are you concerned with regarding MIT Kerberos?

I maintain a very large global FreeIPA deployment with heavy Kerberos SSO, Sudo, and LDAP Usage. 

Things are quite stable.

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrix.com
http://www.citrixonline.com