SCIENTIFIC-LINUX-USERS Archives

January 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Wed, 7 Jan 2015 13:54:51 -0800

Yes, thank you for the references to the Red Hat identity management system.

Of course it is based on LDAP, but also it requires use of Kerberos
(which we do not have fun with in the AFS/Kerberos environment at CERN),
and "recommended practice" is to have it take over the DNS and NTP services.

To me this looks like software designed to manage central IT at IBM
(complete with a full staff of professional sysadmins).

Too heavyweight (in the number of software components and
in the number of books to read) for running small clusters of 5-10 machines managed
by non-dedicated non-sysadmin non-IT people.


K.O.



On Wed, Jan 07, 2015 at 02:39:18PM +0100, David Sommerseth wrote:
> 
> 
> On 07/01/15 02:38, Konstantin Olchanski wrote:
> > On Wed, Jan 07, 2015 at 01:10:19AM +0100, David Sommerseth wrote:
> >>
> >> I dare you to try out FreeIPA.
> >>
> > 
> > (private reply)
> > 
> > That's LDAP again. The quick start guide looks simple enough, but only
> > because it does not include the instructions for converting autofs maps
> > into LDAP and does not include instructions for setting up a distributed
> > system with multiple servers for redundancy.
> 
> Importing autofs maps:
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/configuring-maps.html#importing-maps>
> 
> 
> Setting up IPA replication:
> 
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/installing-replica.html>
> 
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/creating-the-replica.html>
> 
> With SSSD running on the clients, it will access available IPA servers,
> based on DNS lookups.  Important information from the IPA server is also
> cached by the local SSSD, which ensures you can access the system even
> though there are connectivity issues.
> 
> > To me it all looks like a lot of learning and a lot of doing just to have
> > something we already have with NIS.
> 
> If you already have NIS running, the short-term benefit probably won't
> be that big.  However, moving towards IPA gives far more advanced
> possibilities than what NIS can provide, and in a more secure way than
> what the NIS protocol can provide.  Which can be more beneficial in a
> more long-term perspective.
> 
> > And then the DAQ systems we build are used by Physics PhDs who can barely
> > understand autofs and NIS, forget about kerberos, LDAP or anything complicated
> > at all.
> 
> I took RHEL/SL/CentOS/Fedora as a starting point.  I don't know anything
> about DAQ and that wasn't even mentioned in the discussion thread until now.
> 
> Anyhow, much of the IPA admin interface stuff simplifies much of it
> through a far more user friendly webUI for normal day-to-day tasks.  And
> you don't really need to understand the technical details that much to
> grasp the webUI.  So I would say that IPA helps you to do correct
> configurations more easily and quicker.  Once things have been set up,
> users mostly don't need to care much at all and the admins can have
> better control in an easier way.  So I still encourage you to take it
> for a test-drive, to see what it can do.
> 
> But I agree, when you have a running NIS setup, looking at IPA is more a
> long-term project than something you need to do right now.
> 
> 
> David S.

-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
