On 04/26/2012 04:51 PM, hshhs caca wrote:
> Hi folks,
>  When evaluating migration from existing seperate LDAP/Kerberos
> solution to integrated IPA, I got confused on the purposes of Dogtag
> Certificate system inside IPA. What are the main purposes of it? or
> what value it brings in to IPA?
>  I can see the points of KDC and 389 Directory server parts, even NTP
> and DNS, but not for Dogtag. Frankly, I am not sure where I should put
> it. Say, For Kerberos authentication, I need only /etc/krb5.conf and
> /etc/krb5.keytab locally on client and then krb5 tools/libs will do
> their work happily.  Then why should I authenticate a machine with
> certificate, or certificate+keytab -- either way the certificate part
> is a MUST -- see document
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/hosts.html
> ( at the very bottom).
> A close question is: what are the main points/benefits of machine
> authentication? because of with traditional keytab based kerberos
> setup, the users, machines and services can authenticate no problem,
> then why we need an extra authentication with machine certificate as a
> must?
>  Please help me clarify the question of why the statement
> 'pkinit_anchors = FILE:/etc/ipa/ca.crt' is put inside krb5.conf after
> running ipa-client-install script? what is its purposes?
> Last problem is: after I following the steps at
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/linux-manual.html
> to setup my Linux client manually, I still can not run 'ipa user-find'
> command on the client; when another same type linux client installed
> with 'ipa-client-install' has no problem to run it. Does there are any
> difference between manual and automatic installations?
> Sorry I got too many questions and probably more, as I read though the
> Redhat IPA document serveral times, and every time more questions pop
> up. :)
> Thanks a lot.

Let us teake one a time.
Dogtag is the certificate system.
Web services and many other servers use certificates for SSL/TLS
peer-to-peer confidentiality and authentication.
The certificates needs to be issued so IPA can issue certs for those
services in your environment.
There is a client component called certmonger. Certmonger can track the
expiration of the certs and connects to IPA automatically to acquire a
new cert.
There will be more certificate related features over time. They would
include support of pkinit, issuance and management of the user
certificates and many others.
Some of the work started but not complete, this why you might notice
pkinit_anchors = FILE:/etc/ipa/ca.crt in the config file.

Hope it clarifies things.

What is the reason for manually configuring the client?

> --Robinson
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to