<p dir="ltr">I don't use Debian anywhere to test. Once I get caught up on current projects, I'll set up an Ubuntu VM for IPA testing as that is the other distro used internally. </p>
<div class="gmail_quote">On Aug 22, 2014 8:24 AM, "JD" <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Sounds like NIS/NIS+.<br>
<br>
I looked a few months ago and the Debian port of freeIPA seemed stalled over the<br>
50+ different languages used in the 100+ tiny tools that make up the offering. A<br>
few of the key tools didn't work on Debian. I'm exaggerating a little, but not<br>
much. Have things changed?<br>
<br>
<br>
On 08/22/2014 07:59 AM, Jim Kinney wrote:<br>
> Bite the bullet and look at freeIPA. It's designed to run AD out of the<br>
> workplace.<br>
> The clincher for me was the hostgroup. All users are in a primary group and<br>
> as many secondary groups as needed. Hosts are also in groups or not. User<br>
> groups of the proper type can access host groups as allowed. This can also<br>
> set up sudo capabilities by user, user group, host and host group. So a<br>
> script that runs as root that does a particular needed task can be deployed<br>
> to all systems but only accessed by allowed users on allowed hosts. Time<br>
> controls exist as well.<br>
><br>
> Backups of freeIPA are a bit unnerving. They basically don't exist other<br>
> than turn down the service and copy all files. What is used is the multi<br>
> master replication.<br>
><br>
> I have 2 primary masters that are department wide. There's a new group in a<br>
> remote location that has their own big server. It's a secondary master.<br>
> Masters run DNS as well as user with. So the clients in that group use that<br>
> as their primary DNS and the others as secondary. If network is flaky, they<br>
> have only a single switch between client and server. And the server stays<br>
> synchronized with the larger group.<br>
> A really nice feature of freeIPA is it can hold ssh pub keys for users. SSH<br>
> and PAM know to check the LDAP for pub keys on login. For users, no more<br>
> key migration. If you're allowed on that machine, it just works. For<br>
> admins, if a user must be locked out, just dumping their key and locking<br>
> the account to disabled handles it.<br>
><br>
> Yes, it's run/funded by Red Hat now. Debian supports it but I found some<br>
> blockers in Ubuntu (10 I think. Not tried 12). I don't know if SUSE has a<br>
> pam/ssh compatible or not.<br>
> It works. It works very well. Active support community with developers on<br>
> the mailing list who help.<br>
><br>
> Added bonus is dogtag is used for CA and cert management. This can provide<br>
> user certs for authenticated access to internal websites.<br>
> On Aug 22, 2014 6:58 AM, "JD" <<a href="mailto:jdp@algoloma.com">jdp@algoloma.com</a>> wrote:<br>
><br>
>> On 08/22/2014 12:19 AM, Jeff Hubbs wrote:<br>
>>> On 8/21/14, 11:43 PM, JD wrote:<br>
>>>> NIS if you don't care about security.<br>
>>>><br>
>>>> LDAP if you do. FreeIPA is the RH answer for this - I'm jealous.<br>
>>> Agree re LDAP; if you're syncing passwd/group/sudoers files, you're Doing It<br>
>>> Wrong (tm). I long advocated avoiding "X's LDAP solution" (for values of X to<br>
>>> include Red Hat and Microsoft) so you are motivated to keep things simple and<br>
>>> manageable and don't wind up in abandonwareland or experience<br>
>>> embrace/extend/extinguish.<br>
>>><br>
>><br>
>> So - if not puppet/ansible - then how should we be managing sudoers?<br>
>> Teach me Obiwan.<br>
>><br>
>> Please don't say eTrust. ;)<br>
>> _______________________________________________<br>
>> Ale mailing list<br>
>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
><br>
<br>
<br>
--<br>
JD Pflugrath<br>
Value | Results<br>
Direct: +001.678.685.8882<br>
Ofc: <a href="tel:1.866.963.2546" value="+18669632546">1.866.963.2546</a><br>
Managing Director<br>
Algoloma Systems, LLC<br>
</blockquote></div>
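<p dir="ltr">The client-side wiring behind the features Jim describes (sshd fetching users' public keys from IPA, HBAC rules deciding which user groups may log in to which host groups, and sudo rules served from IPA), as an added example that is not from the thread; the host and domain names are placeholders, and the values are the ones ipa-client-install typically writes, with the ssh and sudo responders enabled.</p>

```ini
# Added example (not from the thread). Host and domain names are placeholders.

# --- /etc/sssd/sssd.conf ---
[sssd]
services = nss, pam, ssh, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
# access_provider = ipa is what enforces IPA's HBAC rules ("user group X may
# log in to host group Y") on this client; "permit" would let anyone with a
# valid password or key in, regardless of the rules defined on the server.
access_provider = ipa
sudo_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa1.example.com
ipa_hostname = web1.example.com
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt

# --- /etc/ssh/sshd_config ---
# sshd asks sssd for the public keys stored on the user's IPA entry instead of
# relying on a copied ~/.ssh/authorized_keys; the helper runs unprivileged.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
UsePAM yes

# --- /etc/nsswitch.conf ---
# Lets sudo read the IPA sudo rules (by user, group, host, host group) via sssd.
sudoers: files sss
```

<p dir="ltr">Because keys are looked up at login rather than copied onto each host, removing a key or disabling the account in IPA takes effect at the next login on every enrolled host, with no per-host cleanup.</p>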