Rob Townley wrote:
Microsoft is touting "Direct Access" as a main reason to upgrade to
Win2008R2 / Win7.
Microsoft makes it seem like a magical feature, but could be done
using existing technology.
The reality is that discontinuous offline access to ActiveDirectory
was not thought out well in the first place.
Now that they have a solution, you have to upgrade all servers and
workstations to solve a 10 year old issue.


Yes, sssd should buy us nice offline support for laptops.

WHY:
The open source world is very close to having a Direct Access
equivalent that is LinMacWin crossplatform and backported to older
windows versions.  The main item missing is centralized key management.
Always on access to freeipa.
Passwords are always up-to-date.
Enables /home/user/ anywhere user's laptop is located.
Authentication tokens are always kept up-to-date.
Push updates to remote (on the other side of NATs) laptops at worker's
home or hotel.
It fits in well with freeipa's inventory of machines in LDAP / DNS / CA.
Enables more seamless branch office and home office functionality.

Well, we don't push data around just yet. What sort of updates are you referring to?

HOW:
Use existing cross platform tunneling and tap devices for LinMacWin -
very well tested.  Comes with tinc-vpn.
tinc-vpn for the virtual IP addresses.  These are secondary IP
addresses all machines would have.
dynamic dns port numbers stored in bind's SRV or TXT records for easy
configuration.
tinc-vpn keys stored in dns KEY record for key management.
tinc-vpn can use IPv6 if needed.
tinc-vpn for the encryption now, ipSec later?


FreeIPA provides the centralized management infrastructure that
tinc-vpn like solutions are missing.

Ok, so are you proposing to use tinc-vpn in conjunction with IPA? What sort of management tools would one need in order to maintain the key material, and what kind of keys are these? (e.g. SSL certs, ssh keys, gpg, etc)

cheers

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to