[Freeipa-users] Desperate help requested.

Steven Jones Steven.Jones at vuw.ac.nz
Mon Aug 27 21:06:24 UTC 2012


Hi,

LOL, your problem is like my problem: we have Windows-trained and educated managers, project managers and architects....

Well, on the plus side for IPA,

Go to Centrify or Likewise as 2 examples and get a quote to authenticate against AD.  We got an "educational price" that made my jaw drop.  In the region of $600 per server and $60 per user plus 25% support per year was typical across all three products.

v

IPA which is "free" with one copy of RH.

I think you'll find it a lot cheaper.

The thing is, the above are hacks; if you want to do much with them you end up with their scripts on your machines all over the place and even writing your own. Have an issue and RH won't know where to turn.  With Likewise for instance you may end up getting all your support via them, which can add cost and delays as well.  Here in NZ at least there is no real local support for these products, you ring an 0800 number (if you are lucky) and get told it's 2am US time and ring back in 8 hours....bad joke.

The big thing is IPA has depth, and a great road map; it's not just simple authenticate and authorise....you can control services with detail (like ssh only) and sudo....big pluses. Now the likes of Centrify say they can and that's true, if you code yourself or pay them to do it, or there is an existing script.

Also look at the training and deployment costs of IPA v something like Centrify....with IPA and 4 days RH training you will probably be able to do a decent sized rollout....Centrify, well you might find you need a consultant or 2 at $2k a day....

On the minus side,

IPA isn't yet mature/stable enough, IMHO.  If our/my experiences are anything to go by it needs at least another 6 to 12 months to work out the bugs, get the documentation usable and get RH support up to speed, but that will come.   NB anyone on 6.2 and thinking of going to 6.3: it seems the chances of serious outages are significant.



regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272


________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Natxo Asenjo [natxo.asenjo at gmail.com]
Sent: Tuesday, 28 August 2012 12:17 a.m.
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On Sun, Aug 26, 2012 at 6:05 AM, KodaK <sakodak at gmail.com> wrote:
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:

"we cannot use anything other than MS AD for authentication"

I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines.  To
paraphrase Babbage: I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a statement.

Regardless, I need some help.  I need some help with comparisons
between FreeIPA and AD, and the problems and issues one might
encounter when trying to authenticate Unix machines against AD.
Anything that can show IPA being superior to AD for *nix
authentication.  Anything at all.  We have a similar number of AIX and
Linux servers.  We have a week before we have a meeting to discuss
this, and I'd like to be armed to the teeth, if at all possible.

hi,

you need to explain to upper management why using IPA your company will save money. They usually understand that sort of talk.

Write a business case. In the documentation (both from RHEL and from freeipa.org) you will get plenty of useful info.

Magnify the points where AD comes short for your use case (selinux, sudo, automounts, service credentials management - having used ktpass.exe I was amazed at how nice the keytab capabilities are from ipa-, hostgroups, ssh public key management, ..., the list goes on and on). Explain that *that* will not change and how much money it will cost your business (admin hours, security risks, missed compliance).

Explain why the future is in the trust model in ipa v3.

Explain that Windows admins are not expected to run a Windows network without AD, so why are Linux/AIX admins expected to run a network without a proper Linux/AIX identity management solution.

I feel your pain and can understand why you are upset, but try not to take this all personally. In the end, it is not your network.

Regards,

Natxo