[CentOS] FreeIPA

Wed Apr 8 22:44:20 UTC 2009
Rainer Duffner <rainer at ultra-secure.de>

On 08.04.2009 at 19:30, Les Mikesell wrote:

> Robert Moskowitz wrote:
>>
>>> I've been watching the discussion and read the RHEL docs about IPA and
>>> thought "At Last" something that brings together all the bits for the
>>> little guy. Now it appears that RH is going to drop the ball.
>>> I have tried OpenLDAP and currently have a CentOS-DS running but am
>>> missing the bits that glue it all together. The actual core services
>>> (LDAP (either variant) Kerberos PAM samba etc) are simple enough to
>>> install on CentOS but the stuff that makes it "just work" is very
>>> difficult for me to get my head around and thus I've never actually
>>> got a setup working well enough to risk on my clients.
>>
>> I have started with SME:  http://wiki.contribs.org/Main_Page
>>
>> This is a good NT Domain + equiv on CentOS 4.7 and they have CentOS 5.2
>> (I hope now 5.3) in beta.
>>
>> I have not looked enough into their roadmap to see what is being done
>> with LDAP...
>>
>> Another effort on Fedora is Amahi.org.  This is more a home product with
>> a WorkGroup orientation.  The inclusion of home apps like streaming
>> music makes it very attractive.
>>
>> SME is a well organized effort, originally backed by Mitel.  Amahi
>> started as a one-man effort (though the one man behind it has impressive
>> credentials) and has developed a 'plugin' community.
>>
>> Craig well knows the efforts of a couple of k12 guys to get some SAMBA
>> integration together (http://majen.net/smbldap/).  This seems to have
>> stagnated.
>>
>> I am hoping that SME continues to evolve.  Their VoIP version is the
>> perfect place to get serious with LDAP.
>
> Has anyone looked at the version of ClarkConnect now in beta?  This is
> similar to SME but perhaps a more modern approach (and with separate
> free/commercial versions...).  The blurb claims that the initial setup
> provides LDAP authentication for easy expansion.  That's something I've
> thought every Linux distro should have had for years, but I don't know
> if it actually works.



Maybe I understood that wrong, but the point about Free/RHEL-IPA is/was
that it doesn't use LDAP for authentication. It uses Kerberos for that.
There are - as far as I understood - no passwords in LDAP.

FreeIPA isn't really intended as a Samba-replacement, but as a
NIS-replacement.
If you're like me and have possibly hundreds of unix-servers to
maintain, being able to provide a sane, centralized login-management
for them would be not great, it would be a revolution ;-)

It's AD for Unix done right. Or mostly - I've only played briefly with
it (lack of time).

IMO, if you have Windows-Clients, you need a Windows-Server, earlier
or later (and AD, or buy into the Novell-stack...).
Stuff like IPA will eventually help you to keep the Unix- and
Windows-world synchronized without foisting anything on any of them that
they weren't really intended to do.



Rainer