[Freeipa-users] freeIPA or just SSSD?

Mark Heslin mheslin at redhat.com
Mon Sep 14 16:38:00 UTC 2015


Hi Tyler,

Some comments below...I'm sure others will chime in :-)

On 09/14/2015 10:33 AM, Milam, Tyler S wrote:
>
> My organization is evaluating new methods of user account provisioning 
> in Linux. What advantages does freeIPA offer over just SSSD?
>

Just to be clear, SSSD is the client that can work directly to an existing AD domain, or 
indirectly to an AD domain via IdM/FreeIPA and a cross-realm Kerberos trust.
When you configure an IdM/FreeIPA client, SSSD is configured (via 
ipa-client-install or realmd). In short:

       SSSD -> AD (Direct AD Integration)
       SSSD -> IdM/FreeIPA (standard configuration)
       SSSD -> IdM/FreeIPA <--- cross-realm Kerberos trust ---> AD (Indirect AD integration)

In general, Direct AD integration is recommended for small environments 
with few Linux clients.
For larger numbers of clients, indirect AD integration is preferred as 
it will give you more control, granularity
to manage users, hosts, services, certs, keytabs, etc.

There are some details that come into play - particularly around which 
versions of RHEL (or non-RHEL) your clients are on.
Attached is a tech brief we put out for Summit that can help.


> Some background – we use Active Directory for everything but have a 
> small linux footprint (25 servers). However, many services are going 
> to be migrated from AIX to Linux, and this will increase the number of 
> Linux servers to well over 100.
>
> I’ve been testing FreeIPA 4.1.0, but having a hard time determining if 
> sssd by itself is ‘enough’ or if the additional complexity of setting 
> up FreeIPA with a new DNS zone and a 2-way trust with active directory 
> can be justified.
>
> Thanks,
>
> Tyler
>
>
>

-- 

Mark Heslin
Principal Technical Program Manager - EPM Team
Red Hat Inc.
office: +1 978-392-3125
mobile: +1 603-930-6880

-------------- next part --------------
A non-text attachment was scrubbed...
Name: AD_Client_Integration_Options-2015-06-23.pdf
Type: application/pdf
Size: 313206 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150914/d3aeed8a/attachment.pdf>

