On Mon, 2011-10-03 at 10:03 +0200, Ondrej Valousek wrote:
> Just wondering why would anyone want to sync freeIPA and AD - both can
> serve Linux systems fine, so if I already have AD, I no longer require
> IPA.
> My 2 cents...
AD can serve Linux systems with a very limited definition of "fine". All support in Active Directory for POSIX compliance is an afterthought to Microsoft. It exists solely to try and migrate customers from UNIX to Windows, and really isn't designed for the purpose.

One of the major problems with using AD for Linux support is that it violates the LDAP and Kerberos standards in several key places, meaning that the experience on Linux is significantly degraded from that of Windows machines. For example, in order to support very large group memberships (>1000 members), Active Directory requires the use of a special LDAP control to retrieve the members list a page at a time in several LDAP communications. The way it does this is expressly violating the LDAP protocol standard, which means that without rewriting all clients on Linux to break the standard in the same way, Linux and UNIX machines are capable of only seeing the first thousand members of a group.

Another problem with Active Directory is its limited support for LDAP authentication. AD expects that all of its clients are Windows machines, and therefore capable of using Kerberos and/or NTLM for all authentication. However, some applications (especially Linux-powered web applications) can only authenticate using LDAP simple bind authentication. While AD does have some support for this, LDAP auth breaks completely in the case of expired users (it has no support for a password-change grace period with LDAP authentication).

Yet further, in many environments, there are two very different organizations in the IT departments: one group that manages Windows systems and one that manages Linux/UNIX systems. By having FreeIPA be capable of acting as a bridge between the two (either by the current mechanism of user-syncing or by the forthcoming FreeIPA v3 mechanism of Kerberos trusted realms), it allows IT departments to continue to hire staff that knows one system well.
It's very hard to find people with a deep knowledge of both systems; people tend to specialize. It's much better to let your Linux admins work on the Linux machines, rather than trying to force your MCSEs to learn the intricacies of a LAMP setup.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
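As an added example (not code from this thread or from FreeIPA), here is a self-contained Python simulation of the Active Directory range-retrieval behaviour the message refers to: AD hands back a large group's `member` attribute in chunks named `member;range=lo-hi`, and a client that does not understand that attribute-option convention sees only the first chunk. The stand-in directory, the member DNs and the 1000-value chunk size are assumptions constructed for the simulation, not a real AD server.

```python
import re

# Attribute name with an AD range option, e.g. "member;range=0-999" or "member;range=2000-*"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")


class FakeAD:
    """Constructed stand-in for one AD group entry; not a real LDAP server."""

    def __init__(self, members, max_val_range=1000):
        self.members = list(members)          # assumed member DNs
        self.max_val_range = max_val_range    # assumed per-query value limit

    def search(self, attr):
        """Answer a request for 'member' or 'member;range=lo-hi' with
        {returned_attribute_name: values}, mimicking AD's chunking."""
        m = RANGE_RE.match(attr)
        lo, hi = (int(m["lo"]), m["hi"]) if m else (0, "*")
        total = len(self.members)
        want = total - lo if hi == "*" else int(hi) - lo + 1
        n = max(0, min(want, self.max_val_range))
        chunk = self.members[lo:lo + n]
        if m is None and total <= self.max_val_range:
            return {"member": chunk}          # small group: plain attribute, no option
        last = "*" if lo + n >= total else lo + n - 1   # '*' marks the final chunk
        return {f"member;range={lo}-{last}": chunk}


def naive_members(server):
    """Standards-only client: asks for 'member' and ignores attribute options,
    so for a large group it only ever sees the first chunk."""
    out = []
    for name, values in server.search("member").items():
        if name.split(";")[0] == "member":
            out.extend(values)
    return out


def ranged_members(server):
    """AD-aware client: keeps requesting 'member;range=lo-*' until the
    server answers with hi == '*', then has the complete membership."""
    out, lo = [], 0
    while True:
        name, values = next(iter(server.search(f"member;range={lo}-*").items()))
        out.extend(values)
        m = RANGE_RE.match(name)
        if m is None or m["hi"] == "*":
            return out
        lo = int(m["hi"]) + 1
```

Comparing the two client functions on the same group shows why group-based authorization built on a standards-only client can silently miss members once a group grows past the server's limit.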
