[Freeipa-users] Client Certificate

[Dmitri Pal]

On 09/19/2014 04:03 PM, Walid wrote:
> Thank you all, will investigate the requirements of host keytabs, and 
> if there is a way around it by having it shared but secure for our 
> context.

Couple hints.

1. If you have a keytab stashed and the system was rebuilt you can now 
rerun ipa-client-install using this keytab to get a new one and 
configure the client system. It can run and then die but if you store 
the keytab after running ipa-client-install you would be able to revive 
it next time
2. In 4.1 you will be able to retrieve same keytab using ipa-getkeytab 
command. It is implemented to allow clusters that have to share the same 
key but it might be applicable to your use case too.

Thanks
Dmitri

>
> On 18 September 2014 23:04, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>>     Hi,
>>
>>     we are going to have a use case of diskless HPC clients that will
>>     use the IPA for lookups, I was wondering if i can get rid of the
>>     state-fulness of the client configuration as much as possible as
>>     it is more of a cattle than pets use case. that is i do not need
>>     to know that the client is part of the domain, no need to enroll
>>     a node with a certificate. and services will be mostly hpc mpi
>>     and ssh, not required to have an SSL certificate for secure
>>     communication. is it possible to get rid of the client
>>     certificate and the requirements for clients to enroll? or there
>>     are other uses for the certificate that i am not aware of ?
>>
>>     regards
>>
>>     Walid
>>
>>
>     I think the main problem is making sure that the client can
>     connect to IPA server.
>     You can elect to not use ipa-client and just copy configuration
>     files. The problem is that SSSD requires some type of the
>     authentication to get to IPA as a host to do the lookups.
>     So this connection must be authenticated. Since you want it to be
>     stateless you do not want to manage keys or certs the only option
>     (which I really do not like) is to use bind password in a file for
>     LDAP connection. You would probably use the same unprivileged
>     account for this bind. However when we get to 4.x you would need
>     to adjust permissions on the server side to make sure that proper
>     read permissions are granted. Having a password in a file is a
>     security risk so make sure it is not leaked.
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go To http://freeipa.org for more info on the project
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140919/fc6edebd/attachment.htm>