I'm trying to figure out if free IPA is a good solution for my
environment or if i should just construct a custom infrastructure with
389 server and i just have a couple of quick questions. I have a long
history working with LDAPv3 and I'm currently planing a new
infrastructure for my current employer. I've worked with OpenLDAP 389
server and even 389 servers original incarnation when Netscape was
1) Can the Kerberos server be on an other box.
I'm not a python programer so I haven't been able to test it my self
but many of the Kerberos calls look like wrappers to the C libraries.
if so than it might be possible
2) Can I configure it not to store the Kerberos data in the LDAP
server. I don't like the chicken and the egg authentication conundrum
this can cause, and I have no intention of allowing users to use
LDAPv2 so I actually don't want the password field in the database or
at least blocked by an ACL so it cant be used. I personally find the
fact that applications still use this field for authentication
appalling because it essentially turned back the clock to before
shadow password files.
3) This is the most important question, there has been a lot of talk
about fixing the issues with MIT Kerberos. Is there someplace I can
look To see what the status of these fixes are other than pouring
through the change logs for MIT Kerberos.
I don't want to get in to a Kerberos holy war but most of these are
really old bugs in MIT Kerberos that made me abandon the Idea of ever
using the MIT server in production over a decade ago. I know exactly
the issues that lead to the Samba group choose to code only to Heimdal
all too well because I first remember hitting them and reporting them
back 2001 to the Samba group via usenet.
The big thing for me is the thread safety because this often caused
the MIT Kerberos server to crash then Samba was running in domain mode
on the same box, Honestly I still don't trust MIT's implementation in
a mission critical environment,
Freeipa-users mailing list