[Freeipa-users] Desperate help requested.

Innes, Duncan Duncan.Innes at virginmoney.com
Tue Aug 28 07:19:33 UTC 2012


> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of KodaK
> Sent: 26 August 2012 05:06
> To: freeipa-users at redhat.com
> Subject: [Freeipa-users] Desperate help requested.
> 
> I've just been informed by my boss's boss's boss that, and I 
> quote from his ridiculous email:
> 
> "we cannot use anything other than MS AD for authentication"
> 
> I've spent months of time and much effort rolling out IPA, 
> consolidating authentication across our Linux and AIX 
> machines.  To paraphrase Babbage: I am not able rightly to 
> apprehend the kind of confusion of ideas that could provoke 
> such a statement.
> 
> Regardless, I need some help.  I need some help with 
> comparisons between FreeIPA and AD, and the problems and 
> issues one might encounter when trying to authenticate Unix 
> machines against AD.
> Anything that can show IPA being superior to AD for *nix 
> authentication.  Anything at all.  We have a similar number 
> of AIX and Linux servers.  We have a week before we have a 
> meeting to discuss this, and I'd like to be armed to the 
> teeth, if at all possible.
> 
> Thanks for any help you can give.  And wish me luck.
> 
> Thanks,
> 
> --Jason
> 

I faced a similar situation recently, but my version wasn't worded so
harshly.

The line to take has already been pointed out - IPA managed sudo &
SELinux from a central point.  These concepts are entirely outwith the
capabilities of Active Directory.  You could also state the
yet-to-be-developed 'A' part of IPA for any Auditing requirements.

We also emphasised here that AD was written purely for Windows domains
and that the effort put in to allowing extra schema for Unix domains is
really not ideal.

You should state, if you have not already done so, that you plan to link
the AD and IPA domains (via a trust or a sync).  That will allay any
fears that users will have different passwords or even usernames to
access various machines.

So your boss's boss's boss can be assured that you are *authenticating*
against AD, but you should still be able to have IPA in there to manage
the idiosyncrasies of the Unix estate.

Hope this helps

Duncan

