LOL, your problem is like my problem: we have Windows-trained and educated 
managers, project managers and architects....

Well, on the plus side for IPA,

Go to Centrify or Likewise as 2 examples and get a quote to authenticate 
against AD.  We got an "educational price" that made my jaw drop.  In the 
region of $600 per server and $60 per user plus 25% support per year was 
typical across all three products.


IPA which is "free" with one copy of RH.

I think you'll find it a lot cheaper.

The thing is, the above are hacks; if you want to do much with them you end up 
with their scripts on your machines all over the place and even writing your 
own. Have an issue and RH won't know where to turn.  With Likewise for instance 
you may end up getting all your support via them, which can add cost and delays 
as well.  Here in NZ at least there is no real local support for these 
products; you ring an 0800 number (if you are lucky) and get told it's 2am US 
time and ring back in 8 hours....bad joke.

The big thing is IPA has depth, and a great road map; it's not just simple 
authenticate and authorise....you can control services with detail (like ssh 
only) and sudo....big pluses. Now the likes of Centrify say they can and that's 
true, if you code yourself or pay them to do it, or there is an existing script.

Also look at the training and deployment costs of IPA v something like 
Centrify....with IPA and 4 days RH training you will probably be able to do a 
decent sized rollout....Centrify, well you might find you need a consultant or 
2 at $2k a day....

On the minus side,

IPA isn't yet mature/stable enough, IMHO.  If our/my experiences are anything 
to go by it needs at least another 6 to 12 months to work out the bugs, get the 
documentation usable and get RH support up to speed, but that will come.   NB 
anyone on 6.2 and thinking of going to 6.3: it seems the chance of serious 
outages is significant.


Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Natxo Asenjo [natxo.ase...@gmail.com]
Sent: Tuesday, 28 August 2012 12:17 a.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Desperate help requested.

On Sun, Aug 26, 2012 at 6:05 AM, KodaK <sako...@gmail.com> wrote:
I've just been informed by my boss's boss's boss that, and I quote
from his ridiculous email:

"we cannot use anything other than MS AD for authentication"

I've spent months of time and much effort rolling out IPA,
consolidating authentication across our Linux and AIX machines.  To
paraphrase Babbage: I am not able rightly to apprehend the kind of
confusion of ideas that could provoke such a statement.

Regardless, I need some help.  I need some help with comparisons
between FreeIPA and AD, and the problems and issues one might
encounter when trying to authenticate Unix machines against AD.
Anything that can show IPA being superior to AD for *nix
authentication.  Anything at all.  We have a similar number of AIX and
Linux servers.  We have a week before we have a meeting to discuss
this, and I'd like to be armed to the teeth, if at all possible.


You need to explain to upper management why using IPA your company will save 
money. They usually understand that sort of talk.

Write a business case. In the documentation (both from RHEL and from 
freeipa.org) you will get plenty of useful info.

Magnify the points where AD comes short for your user case (selinux, sudo, 
automounts, service credentials management - having used ktpass.exe I was 
amazed at how nice the keytab capabilities are from ipa-, hostgroups, ssh 
public key management, ..., the list goes on and on). Explain that *that* will 
not change and how much money it will cost your business (admin hours, security 
risks, missed compliance).

Explain why the future is in the trust model in ipa v3.

Explain that Windows admins are not expected to run a Windows network without 
AD, so why are Linux/AIX admins expected to run a network without a proper 
Linux/AIX identity management solution.

I feel your pain and can understand why you are upset, but try not to take this 
all personally. In the end, it is not your network.


Freeipa-users mailing list
