Domain: freeipa.org
Stories and comments across the archive that link to freeipa.org.
Comments · 19
-
Re:AD?
What are you using AD for exactly? I see a lot of businesses using it for no real good reason, just because some IT person told them they really really needed it.
Anyway, you can look into http://www.freeipa.org/page/Main_Page but I've never used it and have no idea how easy it is. I suspect if you need something "easy" then you probably don't need it at all.
-
Re:What about LDAP
I am not sure about the current status of the work of the Red Hat team behind FreeIPA that integrates Samba 4 with other FreeIPA base technologies like 389 LDAP Server (I remember Simo Sorce was working on Samba integration). There is outdated documentation about using Samba 4 alphas with a 389 LDAP server backend, so there is interest in that kind of integration.
-
Fedora
Fedora has components to help manage large deployments. https://fedorahosted.org/spacewalk/ It also has FreeIPA to help with a secure and scalable means of managing authentication/authorization/resources within the cluster. http://freeipa.org/page/Main_Page
-
Re:Perception is reality
I'm not aware of anyone making this available in a turnkey fashion but it CAN be done.
Anybody accustomed to managing OpenLDAP won't find it terribly difficult.
I haven't messed with it much yet, but FreeIPA seems to be aiming for that. Seems like an interesting project.
-
Re:alfresco
I would second the idea of looking into alfresco. I have not used it.
However, what it will do for you is that it will make sure that you can be using a common file system with revision control. So what would happen is that you would allow your users to network mount the alfresco filesystem across the firm. Users would read and save files to this filesystem. Anytime it is saved, versions are created. Also, it does handle signatures with the plugin from http://www.viafirma.org/ (note, that is in Spanish but works fine with Google Translate) http://viafirma.googlecode.com/svn/
Those saying stop working on this and hire people are thinking that you have a large firm. That is not really a great option.
What I would recommend is that you do set up single sign-on if you can.
The first start is to have an LDAP server.
ActiveDirectory does provide that. If you want to provide kerberos/active directory and ldap there are open source solutions.
- The way too technical solution is: http://freeipa.org/page/Samba_4_Installation
- Note: some of this can be done with: http://www.vmware.com/appliances/directory/393283
- The not too technical solution might be: http://www.clearfoundation.com/Software/overview.html
-
Re:Can't Lock Linux Down
I know your reaction was knee-jerk, but just in case you didn't know, unix machines can also be configured by policy (cfengine/puppet) and single sign-ons originated in the unix world (kerberos). The freeipa project http://freeipa.org/ already has a working nice kerberos+ldap solution with integrated multimaster replication and quite easy to set up (version 1.2, if I recall correctly). Version 2 will come shortly and it will be even easier. I know, I know, first I have to see it.
You can now join linux/solaris clients to a freeipa kerberos domain in a very similar way as to how you join a Windows machine to a Windows domain. You have delegation of tasks for junior staff and it just works. Why has it taken so long? Good question, ask the big linux players (google, ibm) why they were not interested in this. Red Hat started it and they are actively developing it right now.
It takes time, but good stuff happens eventually.
-
FreeIPA - it's got Mac support
I have been watching the FreeIPA project closely because I think that it is a great Open Source setup - it puts everything in one package ala Active Directory. It is still missing a few plugins but V2 will be pretty awesome all the same.
V1 has some Mac OSX support as detailed here - http://freeipa.org/page/ConfiguringMacintoshClients
I am surprised that not many people have heard of FreeIPA in general.
-
Re:Wow, lots to learn here
You've pretty much summed up many of the challenges Linux desktop distributions have to overcome to be in a fit state to pitch for a place on the desktop of most corporations. And while many of the tools to do some of these reside on isolated islands of innovation, there is no unifying management interface. A detailed description of how to do all this would probably be enough material to put in a book.
Here are some little gems you might want to check out:
You'll want to keep an eye on freeIPA. When it hits V2 it'll become very useful to you.
The CODA Filesystem is the only one I know of that provides disconnected operation for mobile computing.
And I'll throw my weight behind Nomachine NX too. Definitely the best MSTCS equivalent in the Linux space.
-
Re:Indeed it is a problem
I am surprised that no one here seems to have heard of freeipa (http://www.freeipa.org).
The actual release (1.2.1) is "just" a distributed (ldap) kerberos implementation. You can easily create keytabs and redistribute them to the services (host, cifs, nfs). It is nice, but not yet there (although for those who have tried setting kerberos and ldap together in unix, this is surprisingly easy to do).
In the next release (April, May this year) there will be cached credentials, group policy, dns integration, ntp integration, ...
Roadmap: http://freeipa.org/page/Roadmap
-
freeIPA
This looks like it's going to be a great app by the fedora folks for centrally controlling and managing machines and users.
http://freeipa.org/page/Main_Page
Summary from the page included below.
FreeIPA (so far) is an integrated solution combining
* Linux (currently Fedora)
* Fedora Directory Server
* MIT Kerberos
* NTP
* DNS
* Web and commandline provisioning and administration tools
Version 1 will focus on
* Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.
Version 2 will focus on
* Adding DNS and Certificate Authority to the IPA core
* Allowing an admin to join a machine to an IPA realm
* Providing kerberos principal and cert to the joined machine
* Providing service keytabs and service certificates to services
* Managing the keytabs and certificates once provided
* Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
* IPA Client code for managing authentication, authorization, caching, connection
* Policy. Centrally managed sudoers/netgroups, SELinux role based access
* Audit. Centrally collected audit logs from IPA servers and from IPA clients
-
FreeIPA could be the answer
IMHO, you don't have any FLOSS option to achieve your needs as of now. But in the very near future FreeIPA (http://www.freeipa.org/) can fulfill most of your requirements. The current version (1.2.1) implements full centralized authentication with LDAP backend. But does not have things like group policies and selinux support. It's proposed to be there in version 2 which is due in another 2-3 months. Development of the project is very fast and is a very stable software as of now itself. See the road map for version 2, http://www.freeipa.org/page/Roadmap
-
Re:Isn't this something Unix solved decades ago?
-
FreeIPA
Sounds like you want FreeIPA, currently it only supports identity management, but according to the roadmap, version 2 should be out in April/May sometime and will support policies and auditing....
-
Fedora Directory Server/FreeIPA
I second Fedora Directory Server/Redhat Directory Server. Also, you may want to check out FreeIPA.
FDS/RDS have a very nice Java GUI to manage or you can use standard ldap command line tools.
http://directory.fedoraproject.org/
http://freeipa.org/page/Main_Page
FreeIPA is what makes your Plain Jane LDAP server more AD like
-
FreeIPA or RHE-IPA
As others have suggested: once you have Windoze-clients, you can't just replace AD. You need it.
With RHE-IPA, you can (AFAIK) sync the kerberos-part of the two, so you have common passwords (which is all that matters for non-Windoze AD-clients).
The only way to replace AD and continue using Windoze clients is to get rid of Exchange and use something else and replace the desktop-management-stuff also with something else (Novell comes to mind).
However, you will not save money or work/effort...
-
Re:None.
I take it you've never heard of FreeIPA?
FreeIPA is an open source project from Red Hat's Emerging Technologies Lab. It combines Kerberos, LDAP, DNS, NTP and provides a centralized webUI (CLI utils too) to manage it all. As well as simplified install packages for both the server and clients.
http://www.freeipa.org/
Or if you want commercial support, Red Hat has their subscription re-spin of the product available too.
http://www.redhat.com/promo/ipa
The next version due out this spring is planning to include things like full AD integration, centralized sudo and SELinux policy management, etc.
Have a look at the roadmap on the freeipa website.
-
freeIPA
If you are looking merely to replace or emulate the ldap/kerberos functionality of AD you could take a look at freeIPA, a project under active development, sponsored by Redhat and based on Redhat/Fedora Directory Server, but with an enhanced web-GUI and some additional functionality.
From my experience, in a small-to-medium Linux/*BSD/OS X environment, with NFSv4 or AFS, this will work fine.
However, as other posters here suggest: if you have predominantly windows clients, for your own sanity it would be better just to use AD from the outset.
-
Re:Their problems are easily solved
http://freeipa.org/
And for what it's worth, we're using Linux on a large number of workstations without it. Google OpenLDAP, apt, yum, sudo, kickstart. I spend so much less time messing with security and policy than my Windows counterparts that it's embarrassing.
-
Re:Directory Service
I came across FreeIPA today, actually. Seems promising...