[Freeipa-users] FreeIPA questions

SR esoptron at cox.net
Mon May 9 21:27:18 UTC 2011


Thanks for the feedback, Steven!

The main issue we had with Macs tied directly to AD was 100% CPU 
utilization caused by the DirectoryService. I currently have my Mac tied 
to Open Directory as well as AD. This is working well with one 
exception: Logins (or even unlocking the screen) can take several 
minutes when disconnected from the network. This has been a known issue 
with Macs for quite some time; their forums have tons of complaints 
about it, yet Apple seems uninterested in working on the problem.

We have a bunch of ESXi boxes and I certainly have no problem using 
that. In fact, I'm trying to test FreeIPA on an ESXi box already. :-)

Based on past experience with dependency nightmares as well as your 
advice, I won't bother with RPMs.

I checked yesterday and there is still no CentOS 6. So, it sounds like 
RHEL is really the best way to go. I think there is an eval, so I will 
grab that to try.

Thanks again!

--Steve

Steven Jones wrote:
> Hi,
>
> IMHO.
>  
> I wouldn't use Fedora as a base for a business use....it's not very stable or more importantly long lived.  I've done a proof of concept on F14, F14 is fine for that, unless F15 is out?  to take a good look at yes....
>
> You should be able to get the Macs to authenticate to AD directly....we do, I can ask the Mac guy how it's done if that's a help, but it's probably out there on Google.
>
> Distro - there is only RHEL that I can see at present and it's a tech preview....bear in mind that this is a Red Hat sponsored project....so it's highly Red Hat centric.   CentOS, I'm 99% sure there isn't a CentOS 6 yet (I looked last week) so I'm not aware there is an alternative.
>
> I would suggest you need at least 2 RHEL instances to give redundancy and the extra add on channel(s) so that's some licensing....I think RHEL licences are cheaper if they are virtualised guests though (we use VMware's ESXi) so ask a sales person the cheapest way....we pay per student so I don't know the commercial costs/licences fine points.   ESXi is available as a free option...I run it at home....11 guests per Dell 390.....way cool for a second hand $400 workstation....
>
> I have not used 1.0, though I have installed an old version a while back for a look, but I like IPA2.0 a lot.....its great web interface, easy to use unlike most LDAP interfaces...the best I've seen by far, almost unusual for Red Hat as their web GUIs don't impress me.....
>
> There are a lot of dependencies for IPA so doing it via the RPMs is a nightmare, I tried yesterday off the CD and it was a waste of 3 hours, the interdependencies made it impossible....
>
> I went and kickstarted the guest again and put ipa-server in the script and it installed fine....but if you don't have the 6.1 beta DVD that isn't an option.....really yum is it.
>
> For the repo problem I'd suggest checking your DNS and firewall, I had a lot of grief from both because our anal security ppl had stopped outward bound DNS queries and didn't tell anyone, took me 2+ hours to figure that out .....so then they blocked outward HTTP because servers "didn't need to do that" another 1+hour wasted......the security guy was lucky he is way bigger than me..I was so p*ssed....  ;]
>
> regards
>
>
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of SR [esoptron at cox.net]
> Sent: Tuesday, 10 May 2011 7:36 a.m.
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] FreeIPA questions
>
> I'm new to FreeIPA and this list so please forgive me for the n00b
> questions. I have what I think is a pretty straight-forward use for
> FreeIPA. We have an Active Directory environment with a few hundred
> users. We are starting to increase our number of Macs and need a
> directory solution. There are some issues with Macs in AD which Apple
> doesn't seem interested in addressing. Open Directory would be nice if
> we only had Macs but it doesn't allow for syncing accounts to AD, so it
> won't work for us.
>
> Based on what I've read about FreeIPA, it seems like it would be a good
> fit for us.
>
> The problem I'm having is that I can't seem to even get FreeIPA
> installed. I've tried using Fedora 10 with all the latest updates. I've
> tried adding different .repo files I've found on the various FreeIPA
> pages, but none of them seem to be working for me.
>
> So, my questions are:
>
> 1) What is the best distro for running FreeIPA? I'd rather not purchase
> RHEL, so it sounds like Fedora is the way to go. I just finished
> downloading Fedora 14 and will give that a try unless someone recommends
> something else.
>
> 2) Is version 2 highly recommended over version 1 or does version 1 have
> sufficient features to use it in a production environment? Essentially,
> we have about 30 current Mac users (and growing) that we want to create
> accounts for in FreeIPA and have sync'd to AD (or vice versa). The users
> will need the ability to change their passwords.
>
> 3) What is the best way to install FreeIPA? I'm having problems with yum
> (see errors below) so I was wondering if there was another way, e.g., RPMs.
>
> # yum install freeipa-server
> Loaded plugins: refresh-packagekit
> Could not retrieve mirrorlist
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-10&arch=x86_64
> error was [Errno 4] IOError: <urlopen error (101, 'Network is
> unreachable')>
> http://archive.fedoraproject.org/pub/archive/fedora/linux/releases/10/Everything/x86_64/os/repodata/repomd.xml:
> [Errno 4] IOError: <urlopen error (-2, 'Name or service not known')>
> Trying other mirror.
> fedora   | 2.8kB  00:00
> updates   | 3.4kB  00:00
> Setting up Install Process
> No package freeipa-server available.
> Nothing to do
>
> Thanks!
>
> --Steve
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>



