On numerous different occasions I have attempted to setup LDAP + Kerberos systems using the older approach of using OpenLDAP, MIT Krb5, and that sort of thing. Done it semi-successfully a few times.
And it's, generally speaking, terrible. Nscd sucks, OpenLDAP requires too much configuration to get it working, no client side caching, and adding new nodes to the domain was irritating and not to mention the almost complete lack of end-user tools for routine administrative tasks like adding new users and such things.
FreeIPA solves all those problems. It 'just works' with a sane and workable configuration out of the box. It has SSSD now, which is fantastic. It has some halfway decent GUI tools for routine admin tasks. Adding nodes to the domain is a breeze. Got NFSv4 working with it very easily.
In addition the standardization around Mozilla's NSS and integration of tools to automatically generate and manage certificates promises to help resolve that mess, too. Not quite there, but standardizing the libraries and utilities helps a lot.
It's not up to par with Active Directory, but it's a _MASSIVE_ step forward.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds