[Freeipa-users] Client Certificate
Walid
walid.shaari at gmail.com
Tue Sep 23 19:55:43 UTC 2014
Yes Dmitri these two hints would definitely help, the servers are not 4.x
yet though.
On 19 September 2014 23:14, Dmitri Pal <dpal at redhat.com> wrote:
> On 09/19/2014 04:03 PM, Walid wrote:
>
> Thank you all, will investigate the requirements of host keytabs, and if
> there is a way around it by having it shared but secure for our context.
>
>
> Couple hints.
>
> 1. If you have a keytab stashed and the system was rebuilt you can now
> rerun ipa-client-install using this keytab to get a new one and configure
> the client system. It can run and then die but if you store the keytab
> after running ipa-client-install you would be able to revive it next time
> 2. In 4.1 you will be able to retrieve same keytab using ipa-getkeytab
> command. It is implemented to allow clusters that have to share the same
> key but it might be applicable to your use case too.
>
> Thanks
> Dmitri
>
>
>
> On 18 September 2014 23:04, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>>
>> Hi,
>>
>> we are going to have a use case of diskless HPC clients that will use
>> the IPA for lookups, I was wondering if i can get rid of the state-fulness
>> of the client configuration as much as possible as it is more of a cattle
>> than pets use case. that is i do not need to know that the client is part
>> of the domain, no need to enroll a node with a certificate. and services
>> will be mostly hpc mpi and ssh, not required to have an SSL certificate for
>> secure communication. is it possible to get rid of the client certificate
>> and the requirements for clients to enroll? or there are other uses for the
>> certificate that i am not aware of ?
>>
>> regards
>>
>> Walid
>>
>>
>> I think the main problem is making sure that the client can connect to
>> IPA server.
>> You can elect to not use ipa-client and just copy configuration files.
>> The problem is that SSSD requires some type of the authentication to get to
>> IPA as a host to do the lookups.
>> So this connection must be authenticated. Since you want it to be
>> stateless you do not want to manage keys or certs the only option (which I
>> really do not like) is to use bind password in a file for LDAP connection.
>> You would probably use the same unprivileged account for this bind. However
>> when we get to 4.x you would need to adjust permissions on the server side
>> to make sure that proper read permissions are granted. Having a password in
>> a file is a security risk so make sure it is not leaked.
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140923/2ddba402/attachment.htm>
More information about the Freeipa-users
mailing list