I do it all the time; as long as the MIT libraries are installed, it really doesn't break anything.
Where FreeIPA has an issue with it is that it uses the kadmin command, which is not compatible with Heimdal's version. Also, there is no standardization of the kadmin API, so that's a problem too. Finally, when using LDAP as a backend, it stores the principals in different keys.
None of this is insurmountable to fix with a little simple coding. One of the things I'm thinking of writing is a password quality check plugin for Heimdal which would plug into 389 server, fix the password field issues, and allow 389 server to do the standard password quality checks.
I've also thought about writing a kadmin command-line proxy script which could translate the MIT version syntax into Heimdal's syntax, because it's really not that hard to do.
If you combine those two I don't see why you couldn't use Heimdal with FreeIPA.
-- Sent from my HP Pre3
On Feb 11, 2014 8:06, Tom H <[email protected]> wrote:
On Mon, Feb 10, 2014 at 6:43 PM, Paul Robert Marino <[email protected]> wrote:
>
> Most of the reason they left the AD stuff out is they are still tinkering
> with MIT Kerberos V server.
> They refuse to migrate to Heimdal. The AD stuff in Samba AD includes an
> embedded Heimdal Kerberos V server because the MIT version is common but
> doesn't quite cut it yet.
> I personally always use Heimdal when I create a Kerberos server because it's
> more robust and plays nice with others because it complies with most of the
> RFCs. MIT Kerberos is close but it's not quite there and has a lot of
> historical issues.
> Plus I love being able to host multiple Kerberos realms in a single KDC.
> Also the Heimdal Perl modules are nice too.
IIRC, something else needs MIT, so switching to Heimdal isn't straightforward.
Also, FreeIPA is packaged for Fedora and is packaged as Red Hat
Identity Management in RHEL:
https://access.redhat.com/site/products/Identity_Management/
