[Freeipa-users] A couple of quick questions about FreeIPA
Simo Sorce
simo at redhat.com
Thu Apr 26 17:20:57 UTC 2012
On Thu, 2012-04-26 at 12:57 -0400, Paul Robert Marino wrote:
> Hello
> I'm trying to figure out if free IPA is a good solution for my
> environment or if i should just construct a custom infrastructure with
> 389 server and i just have a couple of quick questions. I have a long
> history working with LDAPv3 and I'm currently planing a new
> infrastructure for my current employer. I've worked with OpenLDAP 389
> server and even 389 servers original incarnation when Netscape was
> still around
>
> 1) Can the Kerberos server be on an other box.
> I'm not a python programer so I haven't been able to test it my self
> but many of the Kerberos calls look like wrappers to the C libraries.
> if so than it might be possible
No.
Our install scripts support setting up the KDC only locally on the same
box for various reasons of simplicity and performance.
> 2) Can I configure it not to store the Kerberos data in the LDAP
> server. I don't like the chicken and the egg authentication conundrum
> this can cause, and I have no intention of allowing users to use
> LDAPv2 so I actually don't want the password field in the database or
> at least blocked by an ACL so it cant be used. I personally find the
> fact that applications still use this field for authentication
> appalling because it essentially turned back the clock to before
> shadow password files.
No, KDC data is in LDAP, but there is no chicken/egg issue, plus we do
not expose userPassword nor any of the krb5 keys to users (keys are
exposed to the KDC process of course).
You have to use LDAP simple binds or SASL/GSSAPI binds to authenticate
when you use IPA.
> 3) This is the most important question, there has been a lot of talk
> about fixing the issues with MIT Kerberos. Is there someplace I can
> look To see what the status of these fixes are other than pouring
> through the change logs for MIT Kerberos.
Plans for what goes in various MIT Kerberos releases are generally
available on http://k5wiki.kerberos.org/, but the changelog is the
authoritative source of info for what is fixed in current releases.
> I don't want to get in to a Kerberos holy war but most of these are
> really old bugs in MIT Kerberos that made me abandon the Idea of ever
> using the MIT server in production over a decade ago. I know exactly
> the issues that lead to the Samba group choose to code only to Heimdal
> all too well because I first remember hitting them and reporting them
> back 2001 to the Samba group via usenet.
> The big thing for me is the thread safety because this often caused
> the MIT Kerberos server to crash then Samba was running in domain mode
> on the same box, Honestly I still don't trust MIT's implementation in
> a mission critical environment,
MIT Kerberos libraries are thread safe, this has been the case for a
long while now. If you have specific questions or doubts feel free to
ask.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list