On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder <mich...@stroeder.com> wrote:

> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <mich...@stroeder.com
> > <mailto:mich...@stroeder.com>> wrote:
> >
> >     Iulian Roman wrote:
> >     > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <
> rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >     > <mailto:rcrit...@redhat.com <mailto:rcrit...@redhat.com>>> wrote:
> >     >
> >     >     Iulian Roman wrote:
> >     >     > Does anybody know if the rfc2307aix schema is supported in
> IPA server
> >     >
> >     >     No, it isn't supported (it's the first I've ever heard of it).
> Looking
> >     >     at the schema I doubt it is something that would ever be fully
> supported.
> >     >
> >     > is there any possibility to extend the existing schema with
> additional
> >     > attributes/object
> >
> >     Do you really use this specific AIX schema?
> >     If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They
> > implement some password restrictions needed for security/compliance
> Password policy is something best enforced centrally in the authentication
> server and password management system. So IMHO this serves as a perfect
> example for proprietary attributes you won't need.
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?


> > + some other security-related attributes.
> > Personally I do not consider them a must - they are rather some nice-to-have
> > features - but I have to migrate an environment which does use them. And I
> > would like as well to make the migration as transparent as possible
> > (therefore without "missing features").
> Is the existing environment also an LDAP server with this particular AIX
> schema?

No, it is a custom/legacy solution which does not use LDAP but local
accounts which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?
No, I've adapted some FreeIPA document which describes the client setup for
AIX (in its original form it does not work and needed some modifications),
but I have to admit that the documentation for integrating Unix clients is
poor and incomplete. IBM does recommend TDS, which integrates seamlessly
with both AIX and Linux clients, plus other features which should help with
integrating in a heterogeneous environment, but I am not evaluating that
solution currently (I may look into it only if I cannot integrate with
IPA in the way I want).

> Being in your position I'd first compile a list of functional and security
> requirements
> and ask then whether these requirements can be implemented with FreeIPA.
> I'm curious to
> learn whether "some other security related attributes" are still needed
> after all.
All the password restriction policies (minage, maxage, number of
characters in the password, history of the old passwords, number of
characters, password dictionaries, etc.), loginretries, which "locks" the
account after a number of unsuccessful logins, hostsallow/deny login,
all the ulimit-related parameters (those can probably be ignored). It is
not a matter of whether they increase the security or not, or whether they
are really needed, but a matter of complying with some security standards
agreed between two parties. It would be easier to keep them in the same
format than to change the security standard, tooling and processes behind it
(the bureaucracy, overhead and complexity of the enterprise environment make
me try to avoid that as much as possible, especially when there are many
people and departments involved, with their own mindset and playing different

> Ciao, Michael.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
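As an added illustration (not from the thread, and not FreeIPA's or IBM's own tooling) of what the migration discussed above involves, the script below parses a constructed /etc/security/user-style stanza carrying the AIX attributes named in the thread (minage, maxage, password history, loginretries, minimum length, hostsallow/deny, dictionaries) and maps them onto `ipa pwpolicy-mod` options, converting AIX weeks to FreeIPA hours and days. The attribute-to-option mapping, the folding of minalpha/minother into an approximate `--minclasses`, and the hint that host restrictions belong in an HBAC rule rather than the password policy are my assumptions, not anything the thread states; the sample stanza is constructed, not taken from a real system.

```python
"""Map AIX /etc/security/user password restrictions onto FreeIPA pwpolicy
options. Added illustration for this thread; the mapping is an assumption."""

import shlex

# Constructed sample in /etc/security/user stanza syntax (not from any real
# system). Attribute names are the AIX ones mentioned in the thread.
SAMPLE_STANZA = """\
* password restrictions for the default stanza
default:
        minage = 1
        maxage = 13
        histsize = 5
        minlen = 8
        minalpha = 1
        minother = 1
        loginretries = 5
        dictionlist = /etc/security/dict/words
        hostsallowedlogin = app01,app02
"""

# AIX attribute -> (ipa pwpolicy option, unit conversion). AIX ages are in
# weeks; FreeIPA minlife is in hours and maxlife in days.
DIRECT_MAP = {
    "minage": ("minlife", lambda weeks: weeks * 7 * 24),
    "maxage": ("maxlife", lambda weeks: weeks * 7),
    "histsize": ("history", lambda n: n),
    "minlen": ("minlength", lambda n: n),
    "loginretries": ("maxfail", lambda n: n),
}
# Per-class minimums folded into --minclasses (approximation, see below).
CLASS_ATTRS = ("minalpha", "minother")
# Attributes pwpolicy cannot express, and where they belong instead (assumed).
HINTS = {
    "hostsallowedlogin": "host restriction: model as an HBAC rule, not pwpolicy",
    "hostsdeniedlogin": "host restriction: model as an HBAC rule, not pwpolicy",
    "dictionlist": "no pwpolicy equivalent; needs a separate control",
}


def parse_stanza(text):
    """Parse AIX stanza syntax ('name:' line, indented 'attr = value' lines,
    '*' comments) into {stanza: {attr: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas


def to_ipa_pwpolicy(attrs):
    """Return (ipa_options, leftovers). A value of 0 disables the restriction
    on AIX, so it is skipped and the FreeIPA default is left untouched."""
    opts, leftovers = {}, {}
    for key, value in attrs.items():
        if key in DIRECT_MAP:
            number = int(value)
            if number > 0:
                option, convert = DIRECT_MAP[key]
                opts[option] = convert(number)
        elif key not in CLASS_ATTRS:
            leftovers[key] = value
    # Approximation: one required character class per AIX per-class minimum
    # that is set, so 'minalpha=1, minother=1' becomes '--minclasses=2'.
    classes = sum(1 for attr in CLASS_ATTRS if int(attrs.get(attr, "0")) > 0)
    if classes:
        opts["minclasses"] = classes
    return opts, leftovers


def pwpolicy_command(policy, opts):
    """Build the argv for 'ipa pwpolicy-mod <policy> --opt=value ...'."""
    argv = ["ipa", "pwpolicy-mod", policy]
    argv += ["--%s=%d" % (name, opts[name]) for name in sorted(opts)]
    return argv


def explain_leftovers(leftovers):
    """Say where each attribute that pwpolicy cannot carry should go."""
    return {k: HINTS.get(k, "no direct FreeIPA equivalent; review manually")
            for k in leftovers}


if __name__ == "__main__":
    attrs = parse_stanza(SAMPLE_STANZA)["default"]
    opts, leftovers = to_ipa_pwpolicy(attrs)
    print(" ".join(shlex.quote(a) for a in pwpolicy_command("global_policy", opts)))
    for attr, hint in explain_leftovers(leftovers).items():
        print("# %s = %s -> %s" % (attr, leftovers[attr], hint))
```

The script only prints the command; review it against `ipa pwpolicy-show` on your server before applying it, and treat anything listed under the leftovers (host restrictions, dictionaries) as a separate control to design rather than a value to squeeze into the password policy.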
