On Apr 26, 2012, at 9:57 AM, Paul Robert Marino wrote:

> Hello
>
> I'm trying to figure out if FreeIPA is a good solution for my
> environment or if I should just construct a custom infrastructure with
> 389 server, and I just have a couple of quick questions. I have a long
> history working with LDAPv3 and I'm currently planning a new
> infrastructure for my current employer. I've worked with OpenLDAP, 389
> server and even 389 server's original incarnation when Netscape was
> still around.
>
> 1) Can the Kerberos server be on another box?
>
> I'm not a Python programmer so I haven't been able to test it myself,
> but many of the Kerberos calls look like wrappers to the C libraries.
> If so, then it might be possible.

Currently FreeIPA integrates Kerberos directly and it's not something that can be removed or set up on a separate box AFAIK.

> 2) Can I configure it not to store the Kerberos data in the LDAP
> server? I don't like the chicken-and-egg authentication conundrum
> this can cause, and I have no intention of allowing users to use
> LDAPv2, so I actually don't want the password field in the database, or
> at least I want it blocked by an ACL so it can't be used. I personally find the
> fact that applications still use this field for authentication
> appalling because it essentially turned back the clock to before
> shadow password files.

^ Same answer

> 3) This is the most important question. There has been a lot of talk
> about fixing the issues with MIT Kerberos. Is there someplace I can
> look to see what the status of these fixes is, other than poring
> through the change logs for MIT Kerberos?
>
> I don't want to get into a Kerberos holy war, but most of these are
> really old bugs in MIT Kerberos that made me abandon the idea of ever
> using the MIT server in production over a decade ago. I know exactly
> the issues that led the Samba group to choose to code only to Heimdal
> all too well, because I first remember hitting them and reporting them
> back in 2001 to the Samba group via Usenet.
>
> The big thing for me is the thread safety, because this often caused
> the MIT Kerberos server to crash when Samba was running in domain mode
> on the same box. Honestly, I still don't trust MIT's implementation in
> a mission-critical environment.

A great deal of things have changed since 2001, but I guess the real thing to do here is to answer a question with a question. What specific 'bugs' are you concerned with regarding MIT Kerberos?

I maintain a very large global FreeIPA deployment with heavy Kerberos SSO, sudo, and LDAP usage. Things are quite stable.

"Keeping your head in the cloud"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino | Sr. Information Security Specialist
GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T: +1 805.690.3478
[email protected]
http://www.citrixonline.com

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
