[Freeipa-devel] freeIPA and NIS
Angel Marin
anmar at anmar.eu.org
Tue Aug 12 09:43:14 UTC 2008

(sorry for the off-topic, but it might be of interest for people
planning on moving to freeipa)

Christian Horn wrote:
> On Tue, Aug 12, 2008 at 08:39:04AM +0200, Angel Marin wrote:
>> Anyway once in place freeIPA+pGina+OpenAFS are working great as an AD
>> replacement (quirks aside) :)
>
> Nice to learn about pGina, just from glancing over the plugins I am
> under the impression the windows-users are authenticated with pure ldap
> in your place now, losing single sign-on that way?
> Or did I miss something?

We do auth through a homemade pGina plugin that does kerberos auth and
ensures openafs (roaming profiles and user dirs are in the afs cell) is
ready; looking up user info in ldap, ensuring the clock is in sync and
enabling password change are in the works. Finally, the kfw and openafs
integrated logon plugin takes care of actual tickets for the user session so
there's SSO*.

We've had to patch pGina too as the stock one was crashing on us. Once we've
been able to polish all the quirks (currently sometimes users are
randomly denied access to the afs cell on first login) we'll release code
and docs somewhere :)

* Biggest issue with SSO is that it'll only work with apps capable of
talking to kfw (firefox, thunderbird, openafs-client, ...), but that's
not a problem around here. In theory with Vista clients kfw is capable
of writing to the system ccache (enabling SSO on IE and the like) but we
haven't tried it here.
--
Angel Marin
http://anmar.eu.org/