[Freeipa-users] IPA authentication vs. authorization

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Fri Feb 14 16:32:21 UTC 2014


>If IPA is a centrally managed identity and access control system,

Since this seems to be a philosophical/generalized point, may I interject my own experience?  I view IPA as a means of managing identities, not as a means of centrally controlling access. Two reasons:

* In our organization, the CIO takes care of the 30000+ Windows office clones. I manage my own collection of exceptions to the common rule, disconnected from the corporate network and with an explicit disavowal of CIO support. The fewer assumptions made about the client, the better (e.g., don't assume an OS). Also, I don't mind sharing my solution with others stuck in the same situation, but I don't want to manage other people's machines. It's also pretty hard to envision access rules which would be common to all machines for all owners in this "domain of exceptions".
* We collaborate promiscuously. An identity solution should cast a wide net for users. As many people as possible should be using their "normal" passwords on my systems, and not be bugging me to create an account for them. But the authorization solution should not assume that remotely defined user attributes mean anything, nor should it assume all users will have a consistent set of attributes, nor should it assume the presence of semantically equivalent elements.

The upshot is: pursue centralization of authorization, but please don't get obsessed by it. There is a lot of value to a "light touch". Tools to ease the management of cross-domain trusts (AD/IPA/Just Plain Kerberos) or which serve as identity gateways (LDAP/SAML SSO) are just as valuable to me as tools to bring a specific OS under tighter management, if not more so.

Bryce