[Freeipa-users] hesitate to deploy freeipa

Natxo Asenjo natxo.asenjo at gmail.com
Fri Jun 26 10:08:08 UTC 2015


hi,

On Wed, Jun 24, 2015 at 9:06 AM, Harald Dunkel <harald.dunkel at aixigo.de>
wrote:

> Hi folks,
>
> I have a general problem with freeipa: It is *highly* complex
> and depends upon too many systems working together correctly
> (IMHO).
>
> My concern is, if there is a problem, then the usual tools
> following the Unix paradigm (do one thing and do it well)
> don't help anymore. I can speak only for my own stomach, but
> it turns upside down when I think about this.
>

my 2 cents:

any organization growing its linux/unix computer park beneath a certain
threshold will come across the problem of synchronizing its user and group
information across the whole computer fleet.

On top of that, organizations are increasingly feeling the need to prove
(compliance, in management terms) that the communication protocols used to
exchange information between the internal systems are secure (this is
especially true in the US because of e-commerce laws, but also in post
Snowden Europe). So you need to use tls and kerberos in your internal
communications.

You can try and run all that using the stock software by MIT/Heimdal,
coupled to openldap and openssl, but I pretty much doubt you will get a
nicer and easier to use product than what you already can get using freely
available software thanks to the Red Hat folks. I've done it, it worked but
it was complicated for new staff and difficult to delegate because
everything was cli based (not help-desk friendly).

Is it new and daunting at first? Sure, if you have never been exposed to
ldap/kerberos/tls before this is a lot to wrap your head around the first
time. But let me assure you, the protocol knowledge you will gain by
learning this will be a big win for you as an IT professional because you
will come across those systems everywhere (and certainly not only in linux
networks but anywhere where computers are used in enterprise networks).

Besides these points, freeipa offers so much more. Thanks to sssd you can
actually have laptops leave the network and authenticate while on the road,
for instance, putting it on par with Windows on that point. You can use OTP
and two factor authentication for vpn networks. You can have a central
automounter. You can have true role based access control (these users may
login using those protocols on those hosts, but not on the others). You
have centralized sudo rules. We will soon have subordinate certificate
authorities and user certificates. People are using the native ldap
database for plenty of applications (basically, most things you can use
ldap for), tying it to their configuration management solutions using
'legacy' netgroups databases. And obviously, people are integrating it into
their Windows AD infrastructure using kerberos trusts or plain ldap
replication.

There is room for improvement. I am looking forward to using smartcard
certificates with kerberos (PKINIT) for dumping user passwords (at least
admin passwords). SAML integrations (getting there with ipsilon), kerberos
trusts between ipa realms, ..., etc.

So the question is not really why you hesitate to deploy ipa, but why you
have not deployed it yet ;-)
--
Groeten,
natxo