SCIENTIFIC-LINUX-USERS Archives

February 2013

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Natxo Asenjo <[log in to unmask]>
Reply To: Natxo Asenjo <[log in to unmask]>
Date: Tue, 19 Feb 2013 23:13:24 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (52 lines)

On Tue, Feb 19, 2013 at 7:29 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
> On Tue, Feb 19, 2013 at 1:13 PM, Natxo Asenjo <[log in to unmask]> wrote:
>> On Tue, Feb 19, 2013 at 3:19 PM, Nico Kadel-Garcia <[log in to unmask]> wrote:
>>
>>> SSL certificates are associated with specific applications, so
>>> there's no surprise here. Also, some of the contents in /etc/pki are
>>> for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And
>>> others are for applications that probably don't need this unless
>>> you're going to a lot of work, such as "/etc/pki/dovecot". And some
>>> are the root certificates for Mozilla designated upstream signature
>>> authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*
>>>
>>> Unfortunately, each application handles the certificates
>>> individually, so you really have to deal on an application by
>>> application basis with these.
>>>
>>> Which *application* are you using IPA for? Just Kerberos
>>> authentication, or full account management, or what?
>>
>> the total package, including soon a cross realm trust with an AD infrastructure.
>>
>> I am starting to think that maybe a wildcard certificate might just be
>> easier and cheaper ...
>
> Yeah, I'm a bit concerned about IPA. It sounds like a great idea to
> integrate and harden those services, but I've done Kerberos and LDAP
> migrations. With Samba 4 out and working, I'm not sure there's a big
> market for it. And I definitely expect Samba 4 to work with SL 7. (I'm
> writing rebundling SRPM's for Samba 4.0.3 on SL 6 right now.....)

Oh yes there is. I had done Kerberos and LDAP too, but man, night and
day. It Just Works (TM); need another replica? just add a server and
run the script? It really is easy.

AD is for Windows hosts, and yes you can kind of integrate Linux/other
Unixes on it, but you miss out on a lot of things which are simply not
there.

With IPA I can define hostgroups that we use for HBAC, sudo rules,
autofs, etc. Those same hostgroups are also NIS netgroups, so we can
use that for: tcp wrappers, NFS, cfengine, time-based access...,
what's not to like? Right now we write cfengine policies and our techs
just add the host to a hostgroup and they know it will have software
installed and configured, access will be fixed for certain people,
configs will be distributed, in about 20 minutes kickstarting
included. It took a while (not so much), but it is really nice.

Just digressing a bit, I am a big fan of IPA ;-)

-- 
natxo
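The hostgroup-driven setup Natxo describes (one hostgroup feeding HBAC, sudo and the NIS netgroup view), as an added shell example that is not from the thread: the `ipa` subcommands are the FreeIPA CLI, the names (webservers, webadmins, web1.example.com, the sudo command) are hypothetical, and the IPA variable is an added indirection so the sequence can be previewed with IPA=echo before it touches a real server.

```shell
#!/bin/sh
# Added example: wire one IPA hostgroup into HBAC, sudo and a netgroup.
# IPA defaults to the real client; set IPA=echo to preview the commands.
IPA="${IPA:-ipa}"

# wire_hostgroup HOSTGROUP USERGROUP HOST SUDOCMD
wire_hostgroup() {
    hg="$1" ug="$2" host="$3" cmd="$4"

    # 1. The hostgroup: afterwards the techs only ever touch membership.
    "$IPA" hostgroup-add "$hg" --desc="hosts managed by policy $hg"
    "$IPA" hostgroup-add-member "$hg" --hosts="$host"

    # 2. HBAC: which users may log in to which hosts over which PAM service.
    "$IPA" hbacrule-add "${ug}_${hg}_sshd"
    "$IPA" hbacrule-add-host "${ug}_${hg}_sshd" --hostgroups="$hg"
    "$IPA" hbacrule-add-user "${ug}_${hg}_sshd" --groups="$ug"
    "$IPA" hbacrule-add-service "${ug}_${hg}_sshd" --hbacsvcs=sshd

    # 3. sudo: the one command that group may run on those hosts.
    "$IPA" sudocmd-add "$cmd"
    "$IPA" sudorule-add "${ug}_${hg}_sudo"
    "$IPA" sudorule-add-host "${ug}_${hg}_sudo" --hostgroups="$hg"
    "$IPA" sudorule-add-user "${ug}_${hg}_sudo" --groups="$ug"
    "$IPA" sudorule-add-allow-command "${ug}_${hg}_sudo" --sudocmds="$cmd"
}

# verify_access USER HOST HOSTGROUP
# HBAC rules are additive and a fresh IPA ships an enabled allow_all rule,
# so the new rule restricts nothing until allow_all is disabled.
verify_access() {
    "$IPA" hbacrule-disable allow_all
    "$IPA" hbactest --user="$1" --host="$2" --service=sshd
    # The hostgroup is also visible as a NIS netgroup (compat tree / SSSD),
    # which is what tcp_wrappers, NFS exports and autofs maps can consume.
    getent netgroup "$3" || echo "netgroup $3 not resolvable from this host"
}
```

Run `IPA=echo sh wire.sh` style with `wire_hostgroup webservers webadmins web1.example.com "/sbin/service httpd restart"` to see the exact command sequence before running it for real.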
