
Deployments out in the wild?

Posted Dec 13, 2012 10:39 UTC (Thu) by janfrode (subscriber, #244)
In reply to: Deployments out in the wild? by dowdle
Parent article: FreeIPA: centralized identity management for Linux

I'm in the process of migrating into IPA (the Red Hat version), coming from a (Sun Identity Managed) LDAP/389ds directory hosting users, groups, netgroups, sudorules and distributing pam_access configs for HBAC. IPA is a perfect fit for this, and IPA provided scripts for migrating users/groups from LDAP to IPA easily, and IPA will also convert LDAP passwords to kerberos on first login. Quite nice.

We don't use NTP or DNS from IPA, as we have other systems for that. We've copied all users, groups, netgroups and created HBAC rules to replace the pam_access system we use on non-IPA servers. We haven't converted the LDAP sudo-rules to IPA yet, but that should be easy enough.

Most of our servers are running RHEL5 and RHEL6, but not many are migrated into IPA yet. Mostly because of lack of time / other priorities, but also because we've been hitting some problems with SSSD crashing on the RHEL5 clients (have a hot fix for it from RH now).

So, currently we use IPA for doing plain LDAP bind() authentication on some systems (works just the same as our old LDAP directory), full IPA clients on some RHEL6 servers, and IPA is the authentication system for our RHEV installation. We're also looking into replicating between IPA and Active Directory, so that we can have the same user database on both Windows and Linux servers.

I'm very much looking forward to killing the Sun Identity Managed LDAP directory, and having a complete kerberized environment managed by IPA.

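The comment above describes replacing distributed pam_access configs with IPA HBAC rules. As an added illustration (not the commenter's code and not part of FreeIPA), the script below parses a constructed /etc/security/access.conf and emits the equivalent `ipa hbacrule-add`, `hbacrule-add-user` and `hbacrule-add-host` invocations for review before they are run. The rule names (`migrated-access-N`), the sample hosts and the sample users and groups are assumptions. Deny lines produce no commands because HBAC is deny-by-default; `LOCAL` origins and `EXCEPT` lists have no HBAC equivalent and are flagged for manual rewriting rather than silently dropped, which is the failure mode most likely to open access wider than the old pam_access policy.

```python
"""Hypothetical helper: turn pam_access allow rules into FreeIPA HBAC commands.

Emits 'ipa' CLI invocations as strings so they can be reviewed (and diffed
against the existing policy) before anything touches the directory.
"""
import shlex

# Constructed sample of /etc/security/access.conf (not taken from the post).
SAMPLE_ACCESS_CONF = """\
# allow root on the console only
+ : root : LOCAL
# sysadmins from anywhere
+ : (sysadmins) : ALL
# one user and the dbas group on the database hosts
+ : jdoe @dbas : db01.example.com db02.example.com
# everything else denied
- : ALL : ALL
"""


def parse_access_conf(text):
    """Parse access.conf lines into dicts: allow, users, groups, origins."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"unparseable access.conf line: {raw!r}")
        perm, who, origins = parts
        users, groups = [], []
        for tok in who.split():
            if tok.startswith("(") and tok.endswith(")"):
                groups.append(tok[1:-1])        # (group) syntax
            elif tok.startswith("@"):
                groups.append(tok[1:])          # legacy @group syntax
            else:
                users.append(tok)               # user name, ALL or EXCEPT
        rules.append({"allow": perm == "+", "users": users,
                      "groups": groups, "origins": origins.split()})
    return rules


def hbac_commands(rules, prefix="migrated-access"):
    """Emit ipa(1) commands for allow rules; deny rules need no HBAC counterpart."""
    cmds = []
    for idx, rule in enumerate(r for r in rules if r["allow"]):
        name = f"{prefix}-{idx + 1}"
        q = shlex.quote(name)
        # pam_access covers every PAM service, so the HBAC rule does too.
        add = [f"ipa hbacrule-add {q} --servicecat=all"]
        if rule["users"] == ["ALL"] and not rule["groups"]:
            add.append("--usercat=all")
        if rule["origins"] == ["ALL"]:
            add.append("--hostcat=all")
        cmds.append(" ".join(add))
        if "EXCEPT" in rule["users"] or "EXCEPT" in rule["origins"]:
            cmds.append(f"# REVIEW {name}: 'EXCEPT' lists have no HBAC "
                        "equivalent; rewrite this rule by hand")
            continue
        users = [u for u in rule["users"] if u != "ALL"]
        if users or rule["groups"]:
            opts = []
            if users:
                opts.append("--users=" + ",".join(users))
            if rule["groups"]:
                opts.append("--groups=" + ",".join(rule["groups"]))
            cmds.append(f"ipa hbacrule-add-user {q} " + " ".join(opts))
        hosts = [h for h in rule["origins"] if h not in ("ALL", "LOCAL")]
        if hosts:
            cmds.append(f"ipa hbacrule-add-host {q} --hosts=" + ",".join(hosts))
        if "LOCAL" in rule["origins"]:
            cmds.append(f"# REVIEW {name}: LOCAL (console) origin has no HBAC "
                        "host equivalent; add the hosts where console login is allowed")
    return cmds


if __name__ == "__main__":
    for cmd in hbac_commands(parse_access_conf(SAMPLE_ACCESS_CONF)):
        print(cmd)
```

The output is meant to be read, not piped straight into a shell: check each generated rule with `ipa hbactest` against a few representative user/host pairs before disabling the old pam_access configuration on that host.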

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds