
Hi,

Has anyone successfully deployed OpenLDAP/IPA or even 389 DS for central auth in a very mixed unix environment? With host based access control?

Redhat's new IPA 2.0 product on paper looks brilliant, I just keep finding bugs and it's feeling just too new to deploy commercially at the moment (happy to be proven wrong).

My needs:
- Central Auth
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers").
- Caching for client logins on laptops. I figure SSSD will be useful here?
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)

Client OSs involved:
- Solaris 9/10
- Fedora 15/16
- CentOS 5/6

cya
Craig

Craig T <luv@noboost.org> wrote:
Redhat's new IPA 2.0 product on paper looks brilliant, I just keep finding bugs and it's feeling just too new to deploy commercially at the moment
Is version 1.x more reliable? I have no idea either way; it's just the first question that comes to mind, unless of course 1.x lacks features that you need.

Christ, I've been in a corporate environment too long. I was about to top post. On Mon, 19 Dec 2011, Craig T wrote:
Hi,
Has anyone successfully deployed OpenLDAP/IPA or even 389 DS for central auth in a very mixed unix environment? With Host based access control?
Redhat's new IPA 2.0 product on paper looks brilliant, I just keep finding bugs and it's feeling just too new to deploy commercially at the moment (happy to be proven wrong).
My needs:
- Central Auth
- Host based access control (e.g. user "John" from group "accounts" can't log into "development servers").
Um, yes, the BoM uses openldap for its unix clients. Unix being HP-UX and rhel4,5,6 (and one or two solaris machines). Host based control in our case being host attributes attached to each user saying which hosts they could connect to.
- Caching for Client logins on laptops. I figure SSSD will be useful here?
I dunno - we don't use that, but there is some caching involved - in that I occasionally have to run "nscd -i passwd" when I run out of patience for a particular user to be admitted to a machine after I screw something up. Unfortunately, what I can't tell you about how it is set up, is much else other than "it works" and "rhel6 was more complicated, and I don't know the details, other than we ended up symlinking 3 different client config files onto the 1 file, otherwise people were being allowed into machines they weren't granted access to" (/etc/pam_ldap.conf /etc/ldap.conf /etc/openldap/ldap.conf). If you want specific snippets from specific files in our config, ask away - I don't really know what I'm doing when it comes to ldap, but I don't think I can see much confidential in there. I have no idea how the database was set up and how you go about adding host attributes in the first place. HTH, HAND!
- Encryption (This looks pretty straight forward in the OpenLDAP 2.4 doco)
Client OSs involved:
- Solaris 9/10
- Fedora 15/16
- CentOS 5/6
-- Tim Connors
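The host-based control Tim describes (host attributes attached to each user saying which hosts they may connect to) is the pam_ldap convention: `host` values on the user entry, checked when `pam_check_host_attr yes` is set in pam_ldap.conf. What follows is an added example written for this thread, not the BoM configuration or anything Craig or Tim posted. It parses a constructed LDIF fragment and applies the documented pam_ldap semantics: with the check enabled, a user with no `host` values is denied, a value of `*` permits every host, and otherwise the client's hostname must match one of the values. The entry names, hostnames, the minimal LDIF parser and the case-insensitive comparison are all assumptions of the example.

```python
"""Host-based access check modelled on the pam_ldap `host` attribute.

Added example, not configuration from the thread. Sample data is constructed.
"""


# Constructed sample LDIF. The `host` attribute comes from the RFC 2307
# `account` objectClass; john is limited to two accounts workstations,
# alice may log in anywhere, bob has no host values at all.
SAMPLE_LDIF = """\
dn: uid=john,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: john
host: ws-accounts-01.example.com
host: ws-accounts-02.example.com

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: alice
host: *

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
uid: bob
"""


def parse_ldif(text):
    """Minimal LDIF parser (assumption of this example): returns
    {dn: {attr: [values]}}. Handles only plain `attr: value` lines;
    no base64 (`::`) values and no line continuations."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(": ")
        attr = attr.lower()
        if attr == "dn":
            current = {}
            entries[value] = current
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


def host_allowed(entry, hostname, check_host_attr=True):
    """Apply the documented pam_check_host_attr semantics to one user entry.

    check_host_attr=False mirrors the pam_ldap default (no): the attribute
    is never consulted and every authenticated user passes.
    Case-insensitive hostname comparison is an assumption of this example.
    """
    if not check_host_attr:
        return True
    hosts = entry.get("host", [])
    if not hosts:
        return False                # no host values at all -> deny
    hostname = hostname.lower()
    return any(h == "*" or h.lower() == hostname for h in hosts)


def evaluate_logins(ldif_text, attempts, check_host_attr=True):
    """attempts: list of (uid, hostname). Returns (uid, hostname, allowed)
    for each attempt; unknown uids are always denied."""
    by_uid = {e["uid"][0]: e for e in parse_ldif(ldif_text).values()}
    results = []
    for uid, host in attempts:
        entry = by_uid.get(uid)
        allowed = entry is not None and host_allowed(entry, host, check_host_attr)
        results.append((uid, host, allowed))
    return results


# Constructed login attempts, including a dev box john must not reach
# and a uid that does not exist in the directory.
ATTEMPTS = [
    ("john", "ws-accounts-01.example.com"),
    ("john", "dev-build-01.example.com"),
    ("alice", "dev-build-01.example.com"),
    ("bob", "ws-accounts-01.example.com"),
    ("carol", "ws-accounts-01.example.com"),
]

if __name__ == "__main__":
    for uid, host, ok in evaluate_logins(SAMPLE_LDIF, ATTEMPTS):
        print(f"{uid:6s} -> {host:28s} {'ALLOW' if ok else 'DENY'}")
```

Running the block with `check_host_attr=False` admits john to the dev box, which is the point behind Tim's symlink workaround: the check lives in pam_ldap's own configuration, so a client whose pam_ldap.conf never carries the setting performs no host check at all, however correct the directory data is. The `*` value is also worth auditing on a real directory, since one stray wildcard on a service account silently widens its reach to every host.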
participants (3)
- Craig T
- Jason White
- Tim Connors