[Freeipa-users] Client Certificate

Dmitri Pal dpal at redhat.com
Wed Sep 24 01:18:53 UTC 2014


On 09/23/2014 03:55 PM, Walid wrote:
> Yes, Dmitri, these two hints would definitely help; the servers are not 
> 4.x yet, though.

The first one is available in FreeIPA 3.3 which ships with RHEL7.

>
> On 19 September 2014 23:14, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 09/19/2014 04:03 PM, Walid wrote:
>>     Thank you all, will investigate the requirements of host keytabs,
>>     and if there is a way around it by having it shared but secure
>>     for our context.
>
>     A couple of hints.
>
>     1. If you have a keytab stashed and the system was rebuilt, you can
>     now rerun ipa-client-install using this keytab to get a new one
>     and configure the client system. It can run and then die, but if
>     you store the keytab after running ipa-client-install you would be
>     able to revive it next time.
>     2. In 4.1 you will be able to retrieve the same keytab using the
>     ipa-getkeytab command. It is implemented to allow clusters that
>     have to share the same key, but it might be applicable to your use
>     case too.
>
>     Thanks
>     Dmitri
>
>
>>
>>     On 18 September 2014 23:04, Dmitri Pal <dpal at redhat.com
>>     <mailto:dpal at redhat.com>> wrote:
>>
>>         On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
>>>         Hi,
>>>
>>>         We are going to have a use case of diskless HPC clients that
>>>         will use IPA for lookups. I was wondering if I can get
>>>         rid of the statefulness of the client configuration as much
>>>         as possible, as it is more of a cattle-than-pets use case.
>>>         That is, I do not need to know that the client is part of the
>>>         domain, and there is no need to enroll a node with a certificate. The
>>>         services will be mostly HPC MPI and SSH, which are not required to
>>>         have an SSL certificate for secure communication. Is it
>>>         possible to get rid of the client certificate and the
>>>         requirement for clients to enroll? Or are there other uses
>>>         for the certificate that I am not aware of?
>>>
>>>         regards
>>>
>>>         Walid
>>>
>>>
>>         I think the main problem is making sure that the client can
>>         connect to the IPA server.
>>         You can elect to not use ipa-client and just copy
>>         configuration files. The problem is that SSSD requires some
>>         type of authentication to get to IPA as a host to do the
>>         lookups.
>>         So this connection must be authenticated. Since you want it
>>         to be stateless and you do not want to manage keys or certs, the
>>         only option (which I really do not like) is to use a bind
>>         password in a file for the LDAP connection. You would probably
>>         use the same unprivileged account for this bind. However, when
>>         we get to 4.x you would need to adjust permissions on the
>>         server side to make sure that proper read permissions are
>>         granted. Having a password in a file is a security risk, so
>>         make sure it is not leaked.
>>
>>         -- 
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager IdM portfolio
>>         Red Hat, Inc.
>>
>>
>>
>>
>
>
>
>


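The two pieces of advice in this thread (stash the host keytab so a rebuilt diskless node can re-enroll with it, and never let a file holding a bind password or keytab leak) can be wrapped in a small helper script. The following is an added example, not code from the thread or from the FreeIPA project. It assumes the `--keytab` option of `ipa-client-install` (FreeIPA 3.3 and later) and the `-r` retrieve mode of `ipa-getkeytab` (FreeIPA 4.1 and later) as described by Dmitri; the stash directory and file names are constructed placeholders. The permission check applies equally to an `sssd.conf` that carries `ldap_default_authtok`, which is the file Dmitri warns about.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the FreeIPA project): stash a FreeIPA
# host keytab so a rebuilt diskless node can re-enroll from it, and verify that
# secret-bearing files (the stashed keytab, or an sssd.conf that carries an
# LDAP bind password) are readable by their owner only.
set -u

# Return 0 if the file exists, is a regular file and carries no group/other
# permission bits; return 1 otherwise. Used for keytabs and sssd.conf alike.
check_secret_file() {
    local f="$1" mode
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    # stat prints e.g. "600" or "1600" (sticky); keep the last three digits.
    mode=${mode: -3}
    # Reject the file if any of the group/other bits (octal 077) is set.
    [ $(( 8#$mode & 8#077 )) -eq 0 ]
}

# Copy the host keytab to a stash location with owner-only permissions.
# The default STASH path is a constructed placeholder: point it at whatever
# durable storage survives a node rebuild in your environment.
stash_keytab() {
    local src="${1:-/etc/krb5.keytab}"
    local dst="${2:-/var/lib/keytab-stash/$(hostname -f).keytab}"
    [ -f "$src" ] || { echo "no keytab at $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" || return 1
    chmod 700 "$(dirname "$dst")" || return 1
    # install(1) copies and sets the mode atomically for the new file.
    install -m 0600 "$src" "$dst" || return 1
    check_secret_file "$dst"
}

# Re-enroll a rebuilt node from the stashed keytab (FreeIPA >= 3.3).
# ipa-client-install authenticates with the stashed key and then obtains a
# fresh host keytab, so the stash should be refreshed afterwards.
revive_client() {
    local stash="$1"
    check_secret_file "$stash" || {
        echo "refusing to use $stash: readable by group/other" >&2
        return 1
    }
    ipa-client-install --unattended --keytab "$stash" || return 1
    stash_keytab /etc/krb5.keytab "$stash"
}

# Alternative for FreeIPA >= 4.1, when several nodes must share one key:
# retrieve the existing key instead of rotating it (run as an admin with
# permission to retrieve the host's keytab):
#   ipa-getkeytab -r -p "host/$(hostname -f)" -k /etc/krb5.keytab
```

Usage on a node: `stash_keytab` right after the first successful `ipa-client-install`, then `revive_client /path/to/stash.keytab` from the rebuild hook on subsequent boots. The check refuses to proceed if the stash (or any file passed to `check_secret_file`, such as `sssd.conf` with a bind password) has loosened permissions.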
