[Freeipa-users] support for rfc2307AIX schema in IPA server

Iulian Roman iulian.roman at gmail.com
Thu Feb 23 11:15:33 UTC 2017


On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder <michael at stroeder.com>
wrote:

> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <michael at stroeder.com> wrote:
> >
> >     Iulian Roman wrote:
> >     > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> >     >
> >     >     Iulian Roman wrote:
> >     >     > Does anybody know if the rfc2307aix schema is supported in
> IPA server
> >     >
> >     >     No, it isn't supported (it's the first I've ever heard of it).
> Looking
> >     >     at the schema I doubt it is something that would ever be fully
> supported.
> >     >
> >     > is there any possibility to extend the existing schema with
> additional
> >     > attributes/object
> >
> >     Do you really use this specific AIX schema?
> >     If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They
> implement some
> > password restrictions needed for security/compliance
>
> Password policy is something best enforced centrally in the authentication
> server and
> password management system. So IMHO this serves as perfect example for
> proprietary
> attributes you won't need.
>
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?
>

Kerberos


> > + some other security related attributes.
> > Personally I do not consider them a must - they are rather some nice to
> have features -
> > but I have to migrate an environment which does use them. And I would
> like as well to
> > make the migration as transparent as possible (therefore without
> "missing features").
>
> Is the existing environment also an LDAP server with this particular AIX
> schema?
>

No, it is a custom/legacy solution which does not use LDAP but local
accounts which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?
>
>
No, I've adapted some FreeIPA document which describes the client setup for
AIX (in its original form it does not work and it needed some modifications),
but I have to admit that the documentation for integrating Unix clients is
poor and incomplete. IBM does recommend TDS, which integrates seamlessly
with both AIX and Linux clients + other features which should help in
integrating in a heterogeneous environment, but I am not evaluating that
solution currently (I may look into it only if I cannot integrate it with
IPA in the way I want).


> Being in your position I'd first compile a list of functional and security
> requirements
> and ask then whether these requirements can be implemented with FreeIPA.
> I'm curious to
> learn whether "some other security related attributes" are still needed
> after all.
>
All the password restriction policies (minage, maxage, number of
characters in the password, history of the old passwords, number of
characters, password dictionaries, etc.), loginretries - which "locks" the
account after a number of unsuccessful logins, hostsallow/deny login,
all the ulimit related parameters (that can probably be ignored). It is
not a matter of whether they increase the security or not or if they are really
needed, but a matter of complying with some security standards agreed between
two parties. It would be easier to keep them in the same format than to
change the security standard, tooling and processes behind it (bureaucracy,
overhead and complexity of the enterprise environment make me try to avoid
that as much as possible, especially when there are many people and
departments involved, with their own mindset and playing different
politics).



> Ciao, Michael.
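As an added example that is not part of this thread or of FreeIPA's own code, the following shows how the AIX-style restrictions listed above (minage, maxage, password history, length, loginretries, hostsallow/deny) could be expressed as FreeIPA password-policy options. The AIX attribute names, their units (minage/maxage in weeks) and the sample values are assumed from the /etc/security/user stanza format; the generated `ipa pwpolicy-mod` command is only printed here, and hosts allowed to log in are reported separately because they belong in an HBAC rule, not in the password policy.

```python
# Translate AIX-style password restrictions into FreeIPA pwpolicy options.
# Attribute names follow the AIX /etc/security/user stanza (assumed, not
# taken from the thread); FreeIPA option names are those of `ipa pwpolicy-mod`.

# Constructed sample stanza for one AIX user class; all values are made up.
SAMPLE_STANZA = {
    "minage": 1,             # weeks before a password may be changed again
    "maxage": 12,            # weeks until a password expires
    "histsize": 10,          # previous passwords remembered
    "minlen": 12,            # minimum password length
    "minalpha": 2,           # minimum alphabetic characters
    "mindigit": 1,           # minimum digits
    "loginretries": 5,       # failed logins before the account is locked
    "hostsallowedlogin": "aix01.example.test,aix02.example.test",
    "maxrepeats": 2,         # no FreeIPA pwpolicy counterpart
}

# AIX counts characters per class; FreeIPA only counts how many classes must
# appear, so this part of the mapping is lossy (assumed AIX attribute names).
CLASS_ATTRS = ("minalpha", "mindigit", "minupper", "minlower", "minspecial", "minother")

def aix_to_ipa(stanza, policy="global_policy", lockout_seconds=600):
    """Return (pwpolicy-mod command, hosts for an HBAC rule, unmapped attributes)."""
    opts, hbac_hosts, unmapped, classes = [], [], [], 0
    for key, val in stanza.items():
        if key == "minage":
            opts.append(f"--minlife={int(val) * 7 * 24}")   # weeks -> hours
        elif key == "maxage":
            opts.append(f"--maxlife={int(val) * 7}")        # weeks -> days
        elif key == "histsize":
            opts.append(f"--history={int(val)}")
        elif key == "minlen":
            opts.append(f"--minlength={int(val)}")
        elif key in CLASS_ATTRS:
            classes += 1 if int(val) > 0 else 0
        elif key == "loginretries":
            # AIX keeps the lock until an admin resets the counter; FreeIPA
            # lockouts are time-based, so a lockout window is chosen explicitly.
            opts.append(f"--maxfail={int(val)}")
            opts.append(f"--lockouttime={lockout_seconds}")
        elif key == "hostsallowedlogin":
            hbac_hosts = [h.strip() for h in str(val).split(",") if h.strip()]
        else:
            unmapped.append(key)   # needs a different mechanism or a policy change
    if classes:
        opts.append(f"--minclasses={classes}")
    return f"ipa pwpolicy-mod {policy} " + " ".join(opts), hbac_hosts, unmapped

if __name__ == "__main__":
    cmd, hosts, rest = aix_to_ipa(SAMPLE_STANZA)
    print(cmd)
    print("restrict logins with an HBAC rule to:", hosts)
    print("no pwpolicy counterpart, handle separately:", rest)
```

Per-group policies would be created first with `ipa pwpolicy-add` and then modified the same way; the unmapped list is the part of the compliance standard that cannot be carried over one-to-one.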