Hi folks,

 When evaluating migration from existing seperate LDAP/Kerberos solution to 
integrated IPA, I got confused on the purposes of Dogtag Certificate system 
inside IPA. What are the main purposes of it? or what value it brings in to 

 I can see the points of KDC and 389 Directory server parts, even NTP and DNS, 
but not for Dogtag. Frankly, I am not sure where I should put it. Say, For 
Kerberos authentication, I need only /etc/krb5.conf and /etc/krb5.keytab 
locally on client and then krb5 tools/libs will do their work happily.  Then 
why should I authenticate a machine with certificate, or certificate+keytab -- 
either way the certificate part is a MUST -- see document 
 ( at the very bottom).

A close question is: what are the main points/benefits of machine 
authentication? because of with traditional keytab based kerberos setup, the 
users, machines and services can authenticate no problem, then why we need an 
extra authentication with machine certificate as a must?

 Please help me clarify the question of why the statement 'pkinit_anchors = 
FILE:/etc/ipa/ca.crt' is put inside krb5.conf after running ipa-client-install 
script? what is its purposes?

Last problem is: after I following the steps at 
 to setup my Linux client manually, I still can not run 'ipa user-find' command 
on the client; when another same type linux client installed with 
'ipa-client-install' has no problem to run it. Does there are any difference 
between manual and automatic installations?

Sorry I got too many questions and probably more, as I read though the Redhat 
IPA document serveral times, and every time more questions pop up. :)

Thanks a lot.

Freeipa-users mailing list

Reply via email to