> I really meant the client side, sorry for not being specific. I am
> perfectly fine with a redhat authentication solution in the data  center.
> Would it otherwise be enogh (client side) to specify the good realm in
> krb5.conf for the authentication and properly configure the pam ldap
> libray for the user attributes? Or am I thinking too simply?

This is a simple approach and will give you the functionality already
provided by the existing client machines.
Just configure pam and nss and you are pretty much done. This was the
approach for clients we described in out freeIPA v1 documentation

This approach, however, has some limitations.
This is where SSSD comes to play.
SSSD project provides several important features that simple combination
of pam+nss does not have.
Things like offline authentication, identity caching, support of
multiple different identity sources at the same time and more...
SSSD is a pluggable framework supporting multiple back ends. It will
come with the set of back ends out of box.
You would be able to use IPA with SSSD as authentication and identity
provider via ldap+ldap or krb+ldap ro krb+ldap+ host based access
control provided by IPA
In all these cases you will also be able to take advantage of offline
authentication and multiple identity domains.

SSSD is a part of Fedora, Suse, Ubuntu etc.
We are planning to look into other platforms like HP, AIX and Solaris
later on.

Hope this helps,

Freeipa-users mailing list

Reply via email to