18

There are a few (~30) Linux (RHEL) boxes and I'm looking for a centralized and easily managed solution, mostly for controlling user accounts. I'm familiar with LDAP, and I deployed a pilot of IPA ver2 from Red Hat (==FreeIPA).

I understand that in theory IPA provides an "MS Windows domain"-like solution, but at a glance it's not so easy and mature a product [yet]. Aside from SSO, are there any security features which are available only in an IPA domain and not available when I'm using LDAP?

I'm not interested in the DNS and NTP parts of the IPA domain.

slm

1 Answer

21

First of all, I would say IPA is perfectly suited for a production environment as of now (and has been for quite a time), although you should be using the 3.x series by now.

IPA does not provide an "MS Windows AD-like" solution; rather it provides the capability to set up a trust relationship between an Active Directory and an IPA domain, which is a Kerberos REALM, actually.

With regard to some of the security features that you can use out of the box with IPA that are not present in a standard LDAP installation, or an LDAP-based Kerberos REALM, let's name a few:

  • storing SSH keys for users
  • SELinux mappings
  • HBAC rules
  • sudo rules
  • setting password policies
  • certificate (X509) handling

Related to SSO, keep in mind that the target application must support Kerberos authentication and LDAP authorization. Or be able to talk to SSSD.

Lastly, you don't need to configure NTP or DNS if you don't want to; both are optional. However, I'd very much recommend using both, as you can always delegate NTP to a higher stratum, and set up forwarders for anything outside your realm easily.

dawud
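As an added example (not part of the answer above), here are the `ipa` client commands that implement several of the listed features: an HBAC rule that replaces the default `allow_all`, a centrally managed sudo rule, a per-group password policy, a stored SSH public key, and an SELinux user map. All names (`webadmins`, `webservers`, `alice`, `web01.example.com`, the key material) are constructed placeholders. The script assumes an enrolled client with a valid admin Kerberos ticket (`kinit admin`); when the `ipa` binary is absent or `DRY_RUN=1` is set, it prints each command instead of running it, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example, not the original answer's or FreeIPA's own code.
# Placeholder names: webadmins (user group), webservers (host group), alice, web01.example.com.
# Commands are printed instead of executed when DRY_RUN=1 or the ipa client is not installed.

ipa_cmd() {
  if [ "${DRY_RUN:-0}" = "1" ] || ! command -v ipa >/dev/null 2>&1; then
    printf 'ipa %s\n' "$*"
  else
    ipa "$@"
  fi
}

# HBAC: who may log in where, over which service. Disabling the stock allow_all
# rule makes access deny-by-default, so only the explicit rule grants anything.
hbac_web_ssh() {
  ipa_cmd hbacrule-add allow_web_ssh --desc="webadmins may use sshd on web hosts"
  ipa_cmd hbacrule-add-user allow_web_ssh --groups=webadmins
  ipa_cmd hbacrule-add-host allow_web_ssh --hostgroups=webservers
  ipa_cmd hbacrule-add-service allow_web_ssh --hbacsvcs=sshd
  ipa_cmd hbacrule-disable allow_all
  # Simulate the decision the clients' SSSD will make before relying on it.
  ipa_cmd hbactest --user=alice --host=web01.example.com --service=sshd
}

# sudo: one rule in the directory instead of per-host /etc/sudoers edits.
sudo_restart_httpd() {
  ipa_cmd sudocmd-add "/usr/bin/systemctl restart httpd"
  ipa_cmd sudorule-add restart_httpd --desc="webadmins may restart httpd"
  ipa_cmd sudorule-add-allow-command restart_httpd --sudocmds="/usr/bin/systemctl restart httpd"
  ipa_cmd sudorule-add-user restart_httpd --groups=webadmins
  ipa_cmd sudorule-add-host restart_httpd --hostgroups=webservers
}

# Password policy: a per-group policy; the lowest priority number wins over global_policy.
pwpolicy_webadmins() {
  ipa_cmd pwpolicy-add webadmins --priority=10 --minlength=14 --minclasses=3 \
    --history=10 --maxlife=90 --maxfail=5 --lockouttime=600
}

# SSH public key stored in the directory; SSSD serves it to sshd via AuthorizedKeysCommand.
# The key below is a constructed placeholder, not a real key.
sshkey_alice() {
  ipa_cmd user-mod alice --sshpubkey="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHO alice@laptop"
}

# SELinux user map: members of webadmins get the confined staff_u context on web hosts.
selinux_webadmins() {
  ipa_cmd selinuxusermap-add webadmins_staff --selinuxuser=staff_u:s0-s0:c0.c1023
  ipa_cmd selinuxusermap-add-user webadmins_staff --groups=webadmins
  ipa_cmd selinuxusermap-add-host webadmins_staff --hostgroups=webservers
}

apply_all() {
  hbac_web_ssh && sudo_restart_httpd && pwpolicy_webadmins && sshkey_alice && selinux_webadmins
}

# Usage: ./ipa-setup.sh apply   (prefix with DRY_RUN=1 to only print the commands)
case "${1:-}" in
  apply) apply_all ;;
esac
```

The order matters for the HBAC part: add and populate the new rule first, confirm it with `hbactest`, and only then disable `allow_all`; doing it the other way round locks everyone out until the new rule exists. Clients pick the rules up through SSSD, so nothing needs to be pushed to the hosts.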
  • Thank you, this list and your explanation are really useful! - is IPA3 officially released for RHEL? - I'll re-check - for some reason I was sure that password policy can be easily deployed with LDAP [IMHO, even just with old-school *nix tools] – Vitaly Karasik DevOps Jun 16 '13 at 17:05
  • @Vitaly Yes, IPA 3.0 is included in Red Hat 6.4. Be sure to check [the upgrade notes](https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/upgrading.html) before just blindly upgrading. – Michael Hampton Jul 09 '13 at 03:13
  • *"keep in mind that the target application must support Kerberos authentication and LDAP authorization"* - What about LDAP **authentication**? [GitLab](https://gitlab.com/gitlab-org/gitlab-ce/blob/master/doc/integration/ldap.md), for example, only supports LDAP. – Jonathon Reinhart Aug 12 '15 at 03:37
  • You can still use FreeIPA for that. The distinction between authentication and authorization is done by GitLab. – dawud Aug 12 '15 at 06:47