Deployments out in the wild?
Posted Dec 13, 2012 10:39 UTC (Thu) by janfrode (subscriber, #244)
We don't use NTP or DNS from IPA, as we have other systems for that. We've copied all users, groups, netgroups and created HBAC rules to replace the pam_access system we use on non-IPA servers. We haven't converted the LDAP sudo-rules to IPA yet, but that should be easy enough.
Most of our servers are running RHEL5 and RHEL6, but not many are migrated into IPA yet. Mostly because of lack of time / other priorities, but also because we've been hitting some problems with SSSD crashing on the RHEL5 clients (have a hot fix for it from RH now).
So, currently we use IPA for doing plain LDAP bind() authentication on some systems (works just the same as our old LDAP directory), full IPA clients on some RHEL6 servers, and IPA is the authentication system for our RHEV installation. We're also looking into replicating between IPA and Active Directory, so that we can have the same user database on both Windows and Linux servers.
I'm very much looking forward to killing the Sun Identity Manager LDAP directory, and having a complete kerberized environment managed by IPA.
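The comment above mentions replacing pam_access with HBAC rules. As an added illustration (not the commenter's code, nor FreeIPA's), the script below reads pam_access access.conf lines and emits the equivalent ipa(1) HBAC commands; it assumes the standard `ipa hbacrule-*` subcommands and an existing IPA hostgroup name, and the sample access.conf is constructed. It also shows the one caveat of such a migration: HBAC has no deny rules, so '-' lines only matter once the default allow_all rule is disabled.

```python
import re

# Constructed sample access.conf; pam_access format is "perm:users:origins".
SAMPLE_ACCESS_CONF = """\
# allow the admin and ops groups from anywhere
+ : (sysadmins) : ALL
+ : (ops) : ALL
+ : root : LOCAL
# everything else is denied
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return (permission, users, origins) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % line)
        rules.append((parts[0], parts[1], parts[2]))
    return rules

def hbac_commands(rules, hostgroup, service="sshd"):
    """Emit ipa(1) commands for each '+' rule that names a group and origin ALL.

    HBAC is allow-only: '-' lines are dropped, because once the default
    allow_all rule is disabled anything without an allow rule is denied.
    Per-user and per-origin lines are not translated; they are returned in
    'skipped' so the operator can handle them by hand (hostgroup is assumed
    to exist in IPA already).
    """
    cmds, skipped = [], []
    for perm, users, origins in rules:
        m = re.fullmatch(r"\((\w+)\)", users)
        if perm != "+" or not m or origins != "ALL":
            skipped.append((perm, users, origins))
            continue
        group = m.group(1)
        name = "allow_%s_%s" % (group, service)
        cmds += [
            "ipa hbacrule-add %s --desc='migrated from pam_access'" % name,
            "ipa hbacrule-add-user %s --groups=%s" % (name, group),
            "ipa hbacrule-add-host %s --hostgroups=%s" % (name, hostgroup),
            "ipa hbacrule-add-service %s --hbacsvcs=%s" % (name, service),
        ]
    return cmds, skipped
```

Run the emitted commands on an enrolled client, then verify with `ipa hbactest` before disabling allow_all.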
Posted Dec 13, 2012 17:39 UTC (Thu) by drag (subscriber, #31333)
On numerous different occasions I have attempted to set up LDAP + Kerberos systems using the older approach of using OpenLDAP, MIT Krb5, and that sort of thing. Done it semi-successfully a few times.
And it's, generally speaking, terrible. Nscd sucks, OpenLDAP requires too much configuration to get it working, there's no client-side caching, adding new nodes to the domain was irritating, not to mention the almost complete lack of end-user tools for routine administrative tasks like adding new users and such things.
FreeIPA solves all those problems. It 'just works' with a sane and workable configuration out of the box. It has SSSD now, which is fantastic. It has some halfway decent GUI tools for routine admin tasks. Adding nodes to the domain is a breeze. Got NFSv4 working with it very easily.
In addition the standardization around Mozilla's NSS and integration of tools to automatically generate and manage certificates promises to help resolve that mess, too. Not quite there, but standardizing the libraries and utilities helps a lot.
It's not up to par with Active Directory, but it's a _MASSIVE_ step forward.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds