FreeIPA would be an excellent topic for a talk...

I for one would love to hear practical experience with it.

Tomas

On Thu, May 3, 2018, 8:59 AM Andrew Denton <and...@flying-snail.net> wrote:

> At work we use FreeIPA for all our Linux servers; it works really well.
> It's nice to have a web interface for the LDAP/Kerberos/DNS/Certificate/NFS
> automount stuff, and the client-side setup automation (ipa-client-install
> or the new realmd) is handy.
>
> Like you, our humans actually have AD accounts that come in via trust. In
> that case we still use FreeIPA to manage their shells, sudoers rules and
> SSH keys. I've never had a problem with that trust breaking; my only
> problem has been some weirdness with Kerberized NFS home directories not
> always mounting properly.
>
> On Wed, May 2, 2018 at 8:25 PM Tyrell Jentink <tyr...@jentink.net> wrote:
>
> > I'm using FreeIPA here at home. As a product, it's really just a bunch of
> > scripts and a web interface for LDAP+Kerberos+Certificate management+Samba.
> > It aims to be a complete identity management system, a product designed to
> > compete with (or at the very least, perform an analogous set of tasks to)
> > ActiveDirectory. It is completely open source, developed by Red Hat, for
> > Fedora, and I use it on CentOS, but it is available for a number of other
> > distros.
> >
> > (Full disclosure: I do happen to use ActiveDirectory to store my user
> > accounts, and FreeIPA authenticates through an AD Interforest Trust, but
> > that's far from a requirement, and it probably causes me more grief than
> > many admins would tolerate)
> >
> > As for reading, I learned everything I know from their documentation:
> > https://www.freeipa.org/page/Documentation
> >
> >
> > On Wed, May 2, 2018, 20:01 Thomas Groman <tgrom.autom...@nuegia.net> wrote:
> >
> > > Do you have any book or other resource recommendations for setting these
> > > up? I already do sysadmin work, just never done centralized auth before.
> > >
> > >
> > > On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
> > > > The easiest is to pick LDAP or NIS; both work very well on Linux. With
> > > > or without Kerberos for a small local setup.
> > > >
> > > > NIS with NFS for file sharing would probably be the simplest setup, but
> > > > you will eventually wish you had LDAP for integration with various other
> > > > services.
> > > >
> > > > LDAP + Kerberos + NFS is probably the most common and extensible
> > > > solution. You will absolutely need local DNS and NTP to get it going,
> > > > but it is a well-integrated, extensible solution.
> > > >
> > > > Another option would be to use Samba - it combines LDAP + Kerberos, so
> > > > it has fewer moving parts and can accept Windows hosts without much
> > > > headache, compared to LDAP and Kerberos.
> > > >
> > > > For both solutions, you might need some enterprise admin to help setting
> > > > it up. If well and simply set up, it is not difficult to maintain and
> > > > manage. IMHO
> > > >
> > > > Tomas
> > > >
> > > > On Wed, May 2, 2018, 5:36 PM Smith, Cathy <cathy.sm...@pnnl.gov> wrote:
> > > >
> > > >> There used to be DNS, LDAP, Kerberos, NIS.  These are open source
> > > >> protocols and not restricted to Microsoft.
> > > >>
> > > >>
> > > >> --
> > > >> Cathy L. Smith
> > > >> IT Engineer
> > > >>
> > > >> Pacific Northwest National Laboratory
> > > >> Operated by Battelle for the
> > > >> U.S. Department of Energy
> > > >>
> > > >> Phone: 509.375.2687
> > > >> Fax:       509.375.4399
> > > >> Email: cathy.sm...@pnnl.gov
> > > >>
> > > >>
> > > >>
> > > >> -----Original Message-----
> > > >> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On Behalf Of Thomas Groman
> > > >> Sent: Wednesday, May 02, 2018 5:16 PM
> > > >> To: plug@pdxlinux.org
> > > >> Subject: [PLUG] Linux centralized authentication
> > > >>
> > > >> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized
> > > >> authentication? Using native protocols, not some sort of strange
> > > >> Microsoft AD mesh thing.
> > > >> I wanted to build a hacker-space for a school and since it would be
> > > >> starting from scratch there's no reason to get locked in to a Microsoft
> > > >> product from the start. Also, Microsoft's protocols are not open source
> > > >> and are hard to debug. They never really work well with UNIX-like
> > > >> operating systems, requiring id/group mapping and such.
> > > >> _______________________________________________
> > > >> PLUG mailing list
> > > >> PLUG@pdxlinux.org
> > > >> http://lists.pdxlinux.org/mailman/listinfo/plug