[Freeipa-users] Client Certificate

Dmitri Pal dpal at redhat.com
Thu Sep 18 20:04:46 UTC 2014


On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
> Hi,
>
> We are going to have a use case of diskless HPC clients that will use 
> the IPA for lookups. I was wondering if I can get rid of the 
> statefulness of the client configuration as much as possible, as it is 
> more of a cattle-than-pets use case. That is, I do not need to know 
> that the client is part of the domain, and there is no need to enroll a node with a 
> certificate. Services will be mostly HPC MPI and SSH, which are not required 
> to have an SSL certificate for secure communication. Is it possible to 
> get rid of the client certificate and the requirement for clients to 
> enroll? Or are there other uses for the certificate that I am not 
> aware of?
>
> regards
>
> Walid
>
>
I think the main problem is making sure that the client can connect to 
the IPA server.
You can elect to not use ipa-client and just copy configuration files. 
The problem is that SSSD requires some type of authentication to get 
to IPA as a host to do the lookups.
So this connection must be authenticated. Since you want it to be 
stateless, you do not want to manage keys or certs; the only option (which 
I really do not like) is to use a bind password in a file for the LDAP 
connection. You would probably use the same unprivileged account for 
this bind. However, when we get to 4.x, you would need to adjust 
permissions on the server side to make sure that proper read permissions 
are granted. Having a password in a file is a security risk, so make sure 
it is not leaked.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
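The following is an added example, not code from the thread or from the FreeIPA/SSSD projects. It shows what the "copy the configuration, bind with a password" approach Dmitri describes looks like in sssd.conf, using an `id_provider = ldap` domain with a dedicated unprivileged system account instead of a host keytab, and pairs it with a small audit function that flags the two things most likely to leak that password on a diskless image: a config file that is not mode 0600, and an `ldap_default_authtok` left in cleartext instead of the `obfuscated_password` form produced by `sss_obfuscate`. The host name, search base, and the `sssd-reader` system account are constructed placeholders; the `write_stateless_sssd_conf` and `audit_sssd_conf` helpers are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from SSSD/FreeIPA.
# All host names, DNs and the sssd-reader account are constructed placeholders.

# Write a minimal SSSD domain that reaches IPA over LDAPS with a bind DN
# and password rather than an enrolled host's keytab.
#   $1 = destination path
#   $2 = ldap_default_authtok_type ("password" or "obfuscated_password")
#   $3 = the authtok value (plain password, or the sss_obfuscate output)
write_stateless_sssd_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
domains = hpc.example.test

[domain/hpc.example.test]
id_provider = ldap
auth_provider = ldap
ldap_schema = ipa
ldap_uri = ldaps://ipa.hpc.example.test
ldap_search_base = dc=hpc,dc=example,dc=test
# Pin the IPA CA so the bind password is never sent to an impostor server.
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
# Unprivileged system account (constructed name) used only for lookups.
ldap_default_bind_dn = uid=sssd-reader,cn=sysaccounts,cn=etc,dc=hpc,dc=example,dc=test
EOF
    printf 'ldap_default_authtok_type = %s\n' "$2" >> "$1"
    printf 'ldap_default_authtok = %s\n' "$3" >> "$1"
}

# Audit an sssd.conf before it is baked into a shared image.
# Returns 0 when the file is mode 0600 and any stored authtok is obfuscated,
# otherwise prints each finding and returns 1.
audit_sssd_conf() {
    f="$1"
    rc=0
    # ls -ld output is portable; the first ten characters are the mode bits.
    mode=$(ls -ld "$f" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $f has mode '$mode', expected -rw------- (0600)"
        rc=1
    fi
    if grep -q '^ldap_default_authtok[[:space:]]*=' "$f"; then
        if ! grep -q '^ldap_default_authtok_type[[:space:]]*=[[:space:]]*obfuscated_password' "$f"; then
            echo "FAIL: $f stores ldap_default_authtok in cleartext; use sss_obfuscate"
            rc=1
        fi
    fi
    return $rc
}

# Usage: generate the hardened variant into a scratch directory and audit it.
demo_dir=$(mktemp -d)
write_stateless_sssd_conf "$demo_dir/sssd.conf" obfuscated_password 'CONSTRUCTED_OBFUSCATED_TOKEN'
chmod 600 "$demo_dir/sssd.conf"
if audit_sssd_conf "$demo_dir/sssd.conf"; then
    echo "OK: $demo_dir/sssd.conf passes the audit"
fi
```

Two caveats a practitioner should keep in mind. `obfuscated_password` is reversible scrambling, not encryption: it stops the password from being read at a glance, but anyone who can read the file can recover it, so the real control is keeping the image and any NFS root share holding sssd.conf unreadable to unprivileged users, and giving the bind account nothing beyond the read permissions the lookups need. SSSD itself refuses to start on an sssd.conf with permissions looser than 0600, so the mode check mainly earns its keep on the image-build host, where the file is written once and copied to every node.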
