Posted Dec 13, 2012 10:39 UTC (Thu) by janfrode (subscriber, #244)
I'm in the process of migrating into IPA (the Red Hat version), coming from a (Sun Identity Managed) LDAP/389ds directory hosting users, groups, netgroups, sudorules and distributing pam_access configs for HBAC. IPA is a perfect fit for this, and IPA provided scripts for migrating users/groups from LDAP to IPA easily, and IPA will also convert LDAP passwords to kerberos on first login. Quite nice.
We don't use NTP or DNS from IPA, as we have other systems for that. We've copied all users, groups, netgroups and created HBAC rules to replace the pam_access system we use on non-IPA servers. We haven't converted the LDAP sudo-rules to IPA yet, but that should be easy enough.
Most of our servers are running RHEL5 and RHEL6, but not many are migrated into IPA yet. Mostly because of lack of time / other priorities, but also because we've been hitting some problems with SSSD crashing on the RHEL5 clients (have a hot fix for it from RH now).
So, currently we use IPA for doing plain LDAP bind() authentication on some systems (works just the same as our old LDAP directory), full IPA clients on some RHEL6 servers, and IPA is the authentication system for our RHEV installation. We're also looking into replicating between IPA and Active Directory, so that we can have the same user database on both Windows and Linux servers.
I'm very much looking forward to killing the Sun Identity Managed LDAP directory, and having a complete kerberized environment managed by IPA.
Deployments out in the wild?
Posted Dec 13, 2012 17:39 UTC (Thu) by drag (subscriber, #31333)
I <3 FreeIPA
On numerous different occasions I have attempted to set up LDAP + Kerberos systems using the older approach of using OpenLDAP, MIT Krb5, and that sort of thing. Done it semi-successfully a few times.
And it's, generally speaking, terrible. Nscd sucks, OpenLDAP requires too much configuration to get it working, there is no client side caching, and adding new nodes to the domain was irritating, not to mention the almost complete lack of end-user tools for routine administrative tasks like adding new users and such things.
FreeIPA solves all those problems. It 'just works' with a sane and workable configuration out of the box. It has SSSD now, which is fantastic. It has some halfway decent GUI tools for routine admin tasks. Adding nodes to the domain is a breeze. Got NFSv4 working with it very easily.
In addition the standardization around Mozilla's NSS and integration of tools to automatically generate and manage certificates promises to help resolve that mess, too. Not quite there, but standardizing the libraries and utilities helps a lot.
It's not up to par with Active Directory, but it's a _MASSIVE_ step forward.