[Freeipa-users] What are the main purposes of Dogtag certificate system inside IPA

hshhs caca cao2dan at yahoo.com
Thu Apr 26 20:51:01 UTC 2012


Hi folks,

When evaluating migration from an existing separate LDAP/Kerberos solution to integrated IPA, I got confused about the purpose of the Dogtag Certificate System inside IPA. What are its main purposes? Or what value does it bring to IPA?

I can see the point of the KDC and 389 Directory Server parts, even NTP and DNS, but not of Dogtag. Frankly, I am not sure where I should put it. Say, for Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab locally on the client, and then the krb5 tools/libs will do their work happily. Then why should I authenticate a machine with a certificate, or certificate+keytab -- either way the certificate part is a MUST -- see the document http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html (at the very bottom).

A closely related question is: what are the main points/benefits of machine authentication? Because with a traditional keytab-based Kerberos setup, users, machines and services can authenticate with no problem, so why do we need an extra authentication with a machine certificate as a must?

Please help me clarify why the statement 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running the ipa-client-install script. What is its purpose?

The last problem is: after following the steps at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html to set up my Linux client manually, I still cannot run the 'ipa user-find' command on the client, while another Linux client of the same type installed with 'ipa-client-install' has no problem running it. Is there any difference between manual and automatic installations?

Sorry, I have too many questions and probably more to come, as I have read through the Red Hat IPA document several times, and every time more questions pop up. :)

Thanks a lot.

--Robinson