Rob Townley wrote:
> Microsoft is touting "Direct Access" as a main reason to upgrade to
> Win2008R2 / Win7.
> Microsoft makes it seem like a magical feature, but it could be done
> using existing technology.
> The reality is that discontinuous offline access to Active Directory
> was not thought out well in the first place.
> Now that they have a solution, you have to upgrade all servers and
> workstations to solve a 10-year-old issue.

Yes, sssd should buy us nice offline support for laptops.

> The open source world is very close to having a Direct Access
> equivalent that is LinMacWin cross-platform and backported to older
> Windows versions.  The main item missing is centralized key management.
> Always-on access to freeipa.
> Passwords are always up-to-date.
> Enables /home/user/ anywhere the user's laptop is located.
> Authentication tokens are always kept up-to-date.
> Push updates to remote (on the other side of NATs) laptops at a worker's
> home or hotel.
> It fits in well with freeipa's inventory of machines in LDAP / DNS / CA.
> Enables more seamless branch office and home office functionality.

Well, we don't push data around just yet. What sort of updates are you referring to?

> Use existing cross-platform tunneling and tap devices for LinMacWin -
> very well tested.  Comes with tinc-vpn.
> tinc-vpn for the virtual IP addresses.  These are secondary IP
> addresses all machines would have.
> dynamic DNS port numbers stored in bind's SRV or TXT records for easy
> tinc-vpn keys stored in DNS KEY record for key management.
> tinc-vpn can use IPv6 if needed.
> tinc-vpn for the encryption now, IPsec later?
>
> FreeIPA provides the centralized management infrastructure that
> tinc-vpn-like solutions are missing.

Ok, so are you proposing to use tinc-vpn in conjunction with IPA? What sort of management tools would one need in order to maintain the key material, and what kind of keys are these? (e.g. SSL certs, ssh keys, gpg, etc)
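Added example, not from this thread or from the tinc or FreeIPA projects: a sketch of the "ports in SRV, keys in DNS KEY records" idea from Rob's message. It assembles a tinc host file from constructed zone records and refuses a key whose fingerprint differs from one pinned out-of-band, since DNS alone does not authenticate the key. The record contents, the placeholder key bytes and the source of the pinned fingerprint are all assumptions.

```python
import base64
import hashlib
import textwrap

# Constructed sample records as (owner, type, rdata) zone-file fields.
# FAKE_KEY is a placeholder byte string, not a real RSA public key.
FAKE_KEY = bytes(range(64))
RECORDS = [
    ("_tinc._tcp.laptop1.example.test.", "SRV", "0 0 655 laptop1.example.test."),
    ("laptop1.example.test.", "KEY",
     "0 3 5 " + base64.b64encode(FAKE_KEY).decode()),
]
# Fingerprint an administrator would pin from a trusted channel (assumed here
# to be the IPA host entry; a hypothetical source, not an existing attribute).
PINNED = hashlib.sha256(FAKE_KEY).hexdigest()


def parse_srv(rdata):
    """Return (priority, weight, port, target) from SRV rdata text."""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".")


def parse_key(rdata):
    """Return (flags, protocol, algorithm, raw key bytes) from KEY rdata text."""
    flags, proto, alg, b64 = rdata.split(None, 3)
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64.split()))


def fingerprint(key_bytes):
    """SHA-256 hex digest of the raw key bytes, used as the pin."""
    return hashlib.sha256(key_bytes).hexdigest()


def build_host_file(host, records, pinned_fp):
    """Build a tinc host file for `host`; reject a key whose pin does not match."""
    srv = next(r for o, t, r in records if t == "SRV" and o == f"_tinc._tcp.{host}.")
    key = next(r for o, t, r in records if t == "KEY" and o == f"{host}.")
    _, _, port, target = parse_srv(srv)
    _, _, _, key_bytes = parse_key(key)
    fp = fingerprint(key_bytes)
    if fp != pinned_fp:
        # Without DNSSEC, a KEY record is unauthenticated data: do not trust it.
        raise ValueError(f"key fingerprint {fp} does not match pinned {pinned_fp}")
    pem = "\n".join(textwrap.wrap(base64.b64encode(key_bytes).decode(), 64))
    return (f"Address = {target}\nPort = {port}\n"
            f"-----BEGIN RSA PUBLIC KEY-----\n{pem}\n-----END RSA PUBLIC KEY-----\n")
```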