>If IPA is a centrally managed identity and access control system,
Since this seems to be a philosophical/generalized point, may I interject my
own experience? I view IPA as a means of managing identities, not as a means
of centrally controlling access. Two reasons:
* In our organization, the CIO takes care of the 30000+ windows office clones.
I manage my own collection of exceptions to the common rule, disconnected from
the corporate network and with an explicit disavowal of CIO support. The fewer
assumptions made about the client, the better (e.g., don't assume an OS).
Also, I don't mind sharing my solution with others stuck in the same situation,
but I don't want to manage other people's machines. It's also pretty hard to
envision access rules which would be common to all machines for all owners in
this "domain of exceptions".
* We collaborate promiscuously. An identity solution should cast a wide net for
users. As many people as possible should be using their "normal" passwords on
my systems, and not be bugging me to create an account for them. But the
authorization solution should not assume that remotely defined user attributes
mean anything, nor should it assume all users will have a consistent set of
attributes, nor should it assume the presence of semantically equivalent
The upshot is: pursue centralization of authorization, but please don't get
obsessed by it. There is a lot of value to a "light touch". Tools to ease the
management of cross-domain trusts (AD/IPA/Just Plain Kerberos) or which serve
as identity gateways (LDAP/SAML SSO) are just as valuable to me, if not more,
than tools to bring a specific OS under tighter management.