[Freeipa-users] Adding FreeIPA to an existing infrastructure

Martin Basti mbasti at redhat.com
Mon Apr 11 13:02:07 UTC 2016



On 11.04.2016 13:33, Christophe TREFOIS wrote:
> Hi Remco,
>
> I’m not an expert, but I will try to answer to the best of my knowledge.
>    
>
>> On 11 Apr 2016, at 12:02, Remco Kranenburg <remco at crunchrapps.com> wrote:
>>
>> Hi all,
>>
>> At our company, we manage several Ubuntu web servers with SSH, and we use ansible scripts to automate some tasks. The web servers are hosted by a VPS hosting provider. Until now, we have always managed the user accounts manually for each server, but this is becoming increasingly cumbersome as we grow. To centralize our identity management, I've been looking into FreeIPA, but having no prior experience with this, I am overwhelmed by complexity.
>>
>> So the first question: is FreeIPA too complex for what we are trying to accomplish? Should we be looking at a different solution? I do like some of the advanced things we can supposedly do with FreeIPA: single identity for everything (SSH on our servers, our Bitbucket accounts, our Jenkins CI server), but those are currently not hard requirements.
> I would say it’s not too complex. Once it’s installed, you can slowly dig in and it’s not so complex to use. The architecture is quite complex, but using it is quite straightforward I think.
>
> Set up at least 3 replicas so you have failover and redundancy, and then you’re good to go. We use FreeIPA to manage SSH accounts on the VMs and sudo rules as well. This can be done via PAM.
> We also integrate all our services with FreeIPA so that we can manage accounts centrally.
>
> In fact, we now set up the FreeIPA integration automatically via Foreman provisioning. It is quite magical.
>
>> Some technical questions:
>>
>> We currently manage our TLS certificate manually with a wildcard that we install on each server every year, but we will soon be moving to the automated system provided by Letsencrypt. Does this mean we can disable the Certificate Authority system provided by FreeIPA, or is the CA also required for other things?
> I’m not sure here but I thought the CA was meant for VMs to establish trust with FreeIPA, so I think it should stay on.
The CA is not a mandatory part; a CA-less installation is supported, but 
you then have to provide the certificates for the HTTP and directory 
server yourself. There are plans for integration with Let's Encrypt in 
the future, but I don't know more details.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-examples.html#install-ca-less
>
>> We currently manage our DNS entries through the web interface of our hosting provider. When we introduce a new server, we simply clone a special clean 'image' server, change the hostname and add an A and AAAA record to our ISP's DNS settings. How does this interact with the FreeIPA DNS system? Should we disable it, or does it provide advantages?
IPA DNS is not a mandatory part of IdM.
The IPA install generates a list of records that should be added to the zone.

The advantages are that IPA manages its own zone, puts the correct 
records there after installation, and has a very nice web UI for DNS 
management; integration with SSSD allows it to dynamically update the 
A/AAAA/PTR records of IPA hosts. But if you are fine with your external 
DNS, you don't need to install IPA DNS. (I'm not sure how your 
provider's network works; if there is NAT, views, etc., note that IPA 
DNS does not support views and has issues with NAT.)

Martin
>>
>> --
>> Remco
>>
>
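As an added example (not part of the thread, and not FreeIPA's own tooling), the following POSIX shell helpers cover the two options Martin describes: running ipa-server-install CA-less with your own HTTP and Directory Server certificates, and publishing the SRV/TXT records an external DNS zone needs when the IPA DNS component is skipped. The hostnames (ipa1.example.com, example.com / EXAMPLE.COM), file paths, the pin value and the exact record set are assumptions for illustration; check the zone-file snippet your own installer writes, since the set varies by release.

```shell
#!/bin/sh
# Added example, not from the thread and not FreeIPA's own tooling.
# Two helpers for the set-up Martin describes: FreeIPA without its CA
# (CA-less, bringing your own HTTP/LDAP certificates) and without its
# DNS (publishing the records clients need in an external zone).
# All hostnames, paths, pins and addresses are illustrative assumptions.

# --- CA-less install -------------------------------------------------
# ipa-server-install accepts the HTTP and Directory Server certificates
# as PKCS#12 files.  Bundle an existing PEM cert/key plus its chain:
make_pkcs12() {
    # $1 cert.pem  $2 key.pem  $3 chain.pem  $4 out.p12  $5 pin
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Print the install command.  One PKCS#12 can serve both services when
# the certificate's SAN covers the server's FQDN.  Leaving --http-pin
# and --dirsrv-pin out makes the installer prompt for the pin instead of
# leaving it in shell history and the process list.
ca_less_install_cmd() {
    # $1 p12 file  $2 pin  $3 chain.pem  $4 REALM  $5 domain
    printf 'ipa-server-install --realm=%s --domain=%s --http-cert-file=%s --http-pin=%s --dirsrv-cert-file=%s --dirsrv-pin=%s --ca-cert-file=%s\n' \
        "$4" "$5" "$1" "$2" "$1" "$2" "$3"
}

# --- External DNS -----------------------------------------------------
# Without the DNS component, the installer writes the records it needs
# to a zone-file snippet (ipa.system.records.*.db under /tmp on 4.x).
# This reproduces the usual set (SRV/TXT; the host's own A/AAAA records
# and, on CA-enabled servers, the ipa-ca A record are separate) so it
# can be pasted into a provider's panel or fed to an Ansible DNS module.
ipa_dns_records() {
    # $1 IPA server FQDN  $2 IPA domain  $3 Kerberos realm
    host="$1."
    dom="$2."
    for svc in _kerberos-master._tcp _kerberos-master._udp \
               _kerberos._tcp _kerberos._udp; do
        printf '%s.%s 86400 IN SRV 0 100 88 %s\n' "$svc" "$dom" "$host"
    done
    for svc in _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s 86400 IN SRV 0 100 464 %s\n' "$svc" "$dom" "$host"
    done
    printf '_ldap._tcp.%s 86400 IN SRV 0 100 389 %s\n' "$dom" "$host"
    # Only if the server runs the bundled NTP service (the default in
    # 2016-era releases); drop it otherwise.
    printf '_ntp._udp.%s 86400 IN SRV 0 100 123 %s\n' "$dom" "$host"
    printf '_kerberos.%s 86400 IN TXT "%s"\n' "$dom" "$3"
}

# Verify the provider's zone actually serves a record (needs network and
# dig; the stand-alone demo below does not call it).
check_srv() {
    # $1 record name, e.g. _ldap._tcp.example.com  $2 expected host
    dig +short SRV "$1" | grep -q -- " $2\.$"
}

# Stand-alone usage with the assumed names:
if [ "${1:-}" = "demo" ]; then
    ca_less_install_cmd /root/ipa.p12 changeme /root/chain.pem EXAMPLE.COM example.com
    ipa_dns_records ipa1.example.com example.com EXAMPLE.COM
fi
```

Run it with `sh script.sh demo` to see the install command and the zone snippet; after the records are in the provider's zone, `check_srv _ldap._tcp.example.com ipa1.example.com` confirms that clients (and ipa-client-install's autodiscovery) will find the server.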