>If IPA is a centrally managed identity and access control system,

Since this seems to be a philosophical/generalized point, may I interject my 
own experience?  I view IPA as a means of managing identities, not as a means 
of centrally controlling access. Two reasons:

* In our organization, the CIO takes care of the 30000+ Windows office clones. 
I manage my own collection of exceptions to the common rule, disconnected from 
the corporate network and with an explicit disavowal of CIO support. The fewer 
assumptions made about the client, the better (e.g., don't assume an OS). 
Also, I don't mind sharing my solution with others stuck in the same situation, 
but I don't want to manage other people's machines. It's also pretty hard to 
envision access rules which would be common to all machines for all owners in 
this "domain of exceptions".
* We collaborate promiscuously. An identity solution should cast a wide net for 
users. As many people as possible should be using their "normal" passwords on 
my systems, and not be bugging me to create an account for them. But the 
authorization solution should not assume that remotely defined user attributes 
mean anything, nor should it assume all users will have a consistent set of 
attributes, nor should it assume the presence of semantically equivalent 

The upshot is: pursue centralization of authorization, but please don't get 
obsessed by it. There is a lot of value to a "light touch". Tools to ease the 
management of cross-domain trusts (AD/IPA/Just Plain Kerberos) or which serve 
as identity gateways (LDAP/SAML SSO) are just as valuable to me, if not more, 
than tools to bring a specific OS under tighter management.


Freeipa-users mailing list