> I really meant the client side, sorry for not being specific. I am
> perfectly fine with a redhat authentication solution in the data center.
>
> Would it otherwise be enough (client side) to specify the good realm in
> krb5.conf for the authentication and properly configure the pam ldap
> library for the user attributes? Or am I thinking too simply?
>

Hi,

This is a simple approach and will give you the functionality already provided by the existing client machines. Just configure pam and nss and you are pretty much done. This was the approach for clients we described in our freeIPA v1 documentation:
http://freeipa.org/docs/1.2/Client_Setup_Guide/en-US/html/

This approach, however, has some limitations. This is where SSSD comes into play. The SSSD project provides several important features that a simple combination of pam+nss does not have. Things like offline authentication, identity caching, support of multiple different identity sources at the same time and more...

SSSD is a pluggable framework supporting multiple back ends. It will come with a set of back ends out of the box. You would be able to use IPA with SSSD as authentication and identity provider via

ldap+ldap
or
krb+ldap
or
krb+ldap+ host based access control provided by IPA

In all these cases you will also be able to take advantage of offline authentication and multiple identity domains.

https://fedorahosted.org/sssd/

SSSD is a part of Fedora, Suse, Ubuntu etc. We are planning to look into other platforms like HP, AIX and Solaris later on.

Hope this helps,
Dmitri
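
The krb+ldap and ldap+ldap combinations mentioned in the message above, written out as an sssd.conf with two identity domains and offline credential caching. This is an added example, not part of the original e-mail or of the FreeIPA/SSSD documentation; the realm EXAMPLE.COM, the host names, search bases and CA file paths are constructed placeholders, and the option names are the ones documented in the sssd.conf, sssd-ldap and sssd-krb5 man pages.

```ini
# Added example. All host names, the realm, search bases and CA paths
# below are constructed placeholders.
# sssd.conf must be owned by root with mode 0600, or SSSD refuses to start.
[sssd]
config_file_version = 2
services = nss, pam
# Two identity domains served at the same time, queried in this order.
domains = ipa, legacy

[pam]
# Days since the last successful online login during which a cached
# credential may still be used offline. The default, 0, means no limit.
offline_credentials_expiration = 7

# krb+ldap: Kerberos authenticates, LDAP supplies user and group attributes.
[domain/ipa]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ipa.example.com
ldap_search_base = dc=example,dc=com
# Require StartTLS and a verified server certificate for identity lookups.
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/ca/ipa-ca.pem
krb5_server = ipa.example.com
krb5_realm = EXAMPLE.COM
# Keep a salted hash of the password locally so that logins still work
# while the server is unreachable (offline authentication).
cache_credentials = True

# ldap+ldap: a second directory used for both identity and authentication.
[domain/legacy]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.legacy.example.com
ldap_search_base = dc=legacy,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/ca/legacy-ca.pem
cache_credentials = True
```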
