[Freeipa-users] hesitate to deploy freeipa

Simo Sorce simo at redhat.com
Thu Jun 25 15:47:25 UTC 2015


On Thu, 2015-06-25 at 15:33 +0000, Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Harald Dunkel
> Sent: Wednesday, June 24, 2015 12:07 AM
> To: freeipa-users
> Subject: [Freeipa-users] hesitate to deploy freeipa
> 
> Hi folks,
> 
> I have a general problem with freeipa: It is *highly* complex and
> depends upon too many systems working together correctly (IMHO).
> 
> My concern is, if there is a problem, then the usual tools following
> the Unix paradigm (do one thing and do it well) don't help anymore. I
> can speak only for my own stomach, but it turns upside down when I
> think about this.
> 
> 
> Your thoughts on this?
> ----
> Well, it's a good thing that you don't use XWindows.
> 
> You already have a humble opinion on something that you aren't using
> yet? Seriously?
> 
> It's clearly not for you, thanks for playing.
> 
> Craig
> 

Craig,
it is a legitimate question to ask, there is no need to make snarky
remarks.

Harald,
the reason I (and others) started this project many years ago is that
trying to set up all components myself was boring and highly error
prone, and you would always end up with a bag of parts that had a lot of
mismatches, and some functionality was always missing or poor or
incomplete, due to the imperfect integration.

Yes, the whole project is complex, but not because we like complexity,
it is complex because the problem space is complex and we are bound to
use existing protocols, which sometimes add in complexity, and we want
to offer useful features to admins, so they can think about managing
stuff and not about the plumbing all the time.

The best option is to study the individual components and how they are
integrated, just like you (presumably) studied how a Unix/Linux OS is
put together and operates. An OS is not simpler in any way, but you
probably do not see the complexity as menacing anymore because you are
familiar with how it works.

The same familiarity can be attained with FreeIPA, all the components
are available, the configuration directives are mostly where you expect
them to be, and all the glue code is in the FreeIPA repositories if you
want to go deep into the minutiae, and understand the nuanced
integration for some of the plumbing. It can be studied and understood.

I would say that time would be better invested in learning how FreeIPA
works rather than trying to build your own and be the only one that
knows (or forgets) how things were put together ad hoc. Collaborating on
a project means you are not alone and can share experiences, ask for
help and in general get up to speed with various parts of the
infrastructure as you need it, not being forced to know everything like
a pro before even starting.

This is my humble opinion.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



