[Freeipa-devel] freeIPA and NIS

Angel Marin anmar at anmar.eu.org
Tue Aug 12 11:44:50 UTC 2008


Christian Horn wrote:
> On Tue, Aug 12, 2008 at 11:43:14AM +0200, Angel Marin wrote:
>> * Biggest issue with SSO is that it'll only work with apps capable of 
>> talking to kfw (firefox, thunderbird, openafs-client, ...), but that's 
>> not a problem around here. In theory with Vista clients kfw is capable 
>> of writing to system ccache (enabling SSO on IE and the like) but we 
>> haven't tried it here.
> 
> I did look into running an AD-domain and having it crosstrusting the
> kerberosrealm, corporations do not lose the microsoft-support that way
> (what if $stuff happens!) and authentication also from IE works, see
> http://fluxcoil.net/files/sso_crossrealm_kerberos.htm .
> Having no AD server around like in your solution of course feels
> much more convenient.
> Samba4 should be able to play that role in future.

We evaluated a cross-realm scenario, but though it was 'easier' to not 
remove AD, in our case being able to decommission the hardware of the 
aging AD deployment was part of the motivation to take the freeipa route 
:) Now we have each of the components lying in xen guests that can 
easily be upgraded/cloned/replaced/moved around.

While at it, it would be great if freeipa scripts allowed installing 
each of the components (kdc, ldap server, web UI) independently on 
different hosts :)

-- 
Angel Marin
http://anmar.eu.org/



