[Freeipa-users] Client Certificate

Walid walid.shaari at gmail.com
Fri Sep 19 20:03:06 UTC 2014


Thank you all. I will investigate the requirements of host keytabs, and whether
there is a way around them by having one shared but kept secure for our context.

On 18 September 2014 23:04, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>
> Hi,
>
>  We are going to have a use case of diskless HPC clients that will use
> the IPA for lookups. I was wondering if I can get rid of the statefulness
> of the client configuration as much as possible, as it is more of a cattle
> than pets use case. That is, I do not need to know that the client is part
> of the domain, and there is no need to enroll a node with a certificate. Services
> will be mostly HPC MPI and ssh, which are not required to have an SSL certificate for
> secure communication. Is it possible to get rid of the client certificate
> and the requirement for clients to enroll? Or are there other uses for the
> certificate that I am not aware of?
>
>  regards
>
>  Walid
>
>
>  I think the main problem is making sure that the client can connect to the
> IPA server.
> You can elect to not use ipa-client and just copy configuration files. The
> problem is that SSSD requires some type of authentication to get to IPA
> as a host to do the lookups.
> So this connection must be authenticated. Since you want it to be
> stateless, you do not want to manage keys or certs, so the only option (which I
> really do not like) is to use a bind password in a file for the LDAP connection.
> You would probably use the same unprivileged account for this bind. However,
> when we get to 4.x you would need to adjust permissions on the server side
> to make sure that proper read permissions are granted. Having a password in
> a file is a security risk, so make sure it is not leaked.
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
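The "copy configuration files, bind with an unprivileged account" approach Dmitri sketches, as an added example that is not part of the thread and not FreeIPA or SSSD project code. It renders an sssd.conf for a non-enrolled client that does lookups over LDAP with a simple bind, creates the file 0600 so the bind password is not world-readable, and refuses obviously privileged bind DNs. Everything concrete is an assumption: the server name ipa.example.test, the suffix dc=example,dc=test, the realm EXAMPLE.TEST, the CA path /etc/ipa/ca.crt, and a lookup account under cn=sysaccounts,cn=etc (the conventional place for FreeIPA system accounts). The server-side read permissions Dmitri mentions for 4.x are not covered here.

```shell
#!/bin/sh
# Added example (not from the thread). Renders an sssd.conf for a stateless,
# non-enrolled client that resolves users/groups from FreeIPA's LDAP tree
# with a simple bind. All names below are placeholders.

# write_sssd_conf OUT SERVER BASE BIND_DN BIND_PW REALM
write_sssd_conf() {
    out="$1"; server="$2"; base="$3"; bind_dn="$4"; bind_pw="$5"; realm="$6"
    # umask in a subshell so the file is born 0600 and the caller's umask is
    # untouched; chmod afterwards covers a pre-existing, wider-mode file,
    # since a redirect does not change the mode of a file that already exists.
    (
        umask 077
        cat > "$out" <<EOF
[sssd]
services = nss, pam
domains = ipa-ldap

[domain/ipa-ldap]
# No host keytab and no client certificate: plain LDAP provider, not "ipa".
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://${server}
ldap_search_base = ${base}
# Assumed path for the IPA CA; a non-enrolled client must be given it some other way.
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
# Simple bind with an unprivileged account. This password is the risk Dmitri
# names: the file must stay 0600 root:root and out of any shared image.
ldap_default_bind_dn = ${bind_dn}
ldap_default_authtok_type = password
ldap_default_authtok = ${bind_pw}
# FreeIPA keeps users and groups under cn=accounts.
ldap_user_search_base = cn=users,cn=accounts,${base}
ldap_group_search_base = cn=groups,cn=accounts,${base}
krb5_server = ${server}
krb5_realm = ${realm}
cache_credentials = true
EOF
    )
    chmod 600 "$out"
}

# conf_is_private FILE: true when no group/other permission bits are set.
# Uses the POSIX ls -l mode column, so it works on GNU and BSD userlands.
conf_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# bind_is_unprivileged DN: accept only DNs under the sysaccounts container,
# so nobody ships a config bound as an admin or the Directory Manager.
bind_is_unprivileged() {
    case "$1" in
        *,cn=sysaccounts,cn=etc,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo with constructed placeholder values; writes to a temp file, never /etc/sssd.
demo=$(mktemp)
demo_dn="uid=lookup,cn=sysaccounts,cn=etc,dc=example,dc=test"
bind_is_unprivileged "$demo_dn" || { echo "refusing privileged bind DN" >&2; exit 1; }
write_sssd_conf "$demo" ipa.example.test dc=example,dc=test "$demo_dn" 'placeholder-secret' EXAMPLE.TEST
conf_is_private "$demo" && echo "rendered private sssd.conf at $demo"
rm -f "$demo"
```

Install the rendered file as /etc/sssd/sssd.conf (root:root, 0600) on the diskless image at boot rather than baking the password into the image itself, and create the lookup account with only the read access the lookups need.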

