I have fds set up for user management, and have kerberos set up for authentication, but am a bit uncertain if I'm now finished, or if fds+kerberos are supposed to be better integrated.

Is the normal procedure for managing users:

- add user info to the directory (ldapadd)
- create user principal (addprinc username)

Or can the creation of user principal be automatically created from within fds when we create users there ?

-jf

Jan Frode Myklebust wrote:
> I have fds set up for user management, and have kerberos set
> up for authentication, but am a bit uncertain if I'm now finished,
> or if fds+kerberos are supposed to be better integrated.
>
> Is the normal procedure for managing users:
>
> - add user info to the directory (ldapadd)
> - create user principal (addprinc username)
>
> Or can the creation of user principal be automatically created
> from within fds when we create users there ?
>

freeipa.org is a project dedicated to answering this and other similar ldap+kerberos questions.

>
> -jf
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

On 2008-06-12, Rich Megginson <rmeggins@redhat.com> wrote:
>> Is the normal procedure for managing users:
>>
>> - add user info to the directory (ldapadd)
>> - create user principal (addprinc username)
>>
>> Or can the creation of user principal be automatically created
>> from within fds when we create users there ?
>>
> freeipa.org is a project dedicated to answering this and other similar
> ldap+kerberos questions.

That felt a bit like an "Active Directory is a solution that does what you're trying to do, why don't you just use that" answer.. ;-)

I know about freeipa.org, have read most of the documentation and even lightly tested it. But, freeipa expects you to add/manipulate users through a webgui, or specialized freeipa-commands. That doesn't tell me much about what's happening behind the scene..

Also, we already have an identity management solution deployed (Sun Identity Manager), so my question is mostly if it should just update the directory server, and have the directory server create the kerberos principals. Or if it needs to know about both resources, and keep them both in sync.

-jf

Jan Frode Myklebust wrote:
> On 2008-06-12, Rich Megginson <rmeggins@redhat.com> wrote:
>
>>> Is the normal procedure for managing users:
>>>
>>> - add user info to the directory (ldapadd)
>>> - create user principal (addprinc username)
>>>
>>> Or can the creation of user principal be automatically created
>>> from within fds when we create users there ?
>>>
>>>
>> freeipa.org is a project dedicated to answering this and other similar
>> ldap+kerberos questions.
>>
>
> That felt a bit like an "Active Directory is a solution that does what
> you're trying to do, why don't you just use that" answer.. ;-)
>

Well, if you are just starting out with Fedora DS + Kerberos, that would be the way to go - but since you're not . . .

> I know about freeipa.org, have read most of the documentation and even
> lightly tested it. But, freeipa expects you to add/manipulate users through
> a webgui, or specialized freeipa-commands. That doesn't tell me much
> about what's happening behind the scene..
>
> Also, we already have an identity management solution deployed (Sun Identity
> Manager), so my question is mostly if it should just update the directory
> server, and have the directory server create the kerberos principals. Or if
> it needs to know about both resources, and keep them both in sync.
>

. . . you have to know about both resources, and keep them both in sync. I don't know much about Sun Identity Manager - perhaps it has tools to help you do this.

>
> -jf
>

On 2008-06-13, Rich Megginson <rmeggins@redhat.com> wrote:
>>
>> That felt a bit like an "Active Directory is a solution that does what
>> you're trying to do, why don't you just use that" answer.. ;-)
>>
> Well, if you are just starting out with Fedora DS + Kerberos, that would
> be the way to go - but since you're not . . .

Yea, it looks like a very promising project. Unfortunately (?) we're a bit invested in Sun Identity Manager..

> . . . you have to know about both resources, and keep them both in
> sync. I don't know much about Sun Identity Manager - perhaps it has
> tools to help you do this.

Ok, great. Thanks. Then I think we have the directory and kerberos set up correctly. Time to integrate it with SIM.

-jf
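
A drift check for the two-store setup discussed in this thread, where the directory and the KDC are updated separately and have to be kept in sync. This is an added example, not part of the original messages: the realm EXAMPLE.COM, the sample data and the function names are assumptions, and the inputs are assumed to be the text of an LDIF export of `uid` values and of kadmin's `listprincs` output.

```python
import base64

# Constructed sample: LDIF text from a directory search returning uid.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob

dn: uid=carol,ou=People,dc=example,dc=com
uid:: Y2Fyb2w=
"""

# Constructed sample: principal names as printed by kadmin's listprincs.
SAMPLE_PRINCS = """\
krbtgt/EXAMPLE.COM@EXAMPLE.COM
host/ds1.example.com@EXAMPLE.COM
alice@EXAMPLE.COM
carol@EXAMPLE.COM
dave@EXAMPLE.COM
"""

def ldap_uids(ldif_text):
    """Return the set of uid values in LDIF text (handles folding and base64)."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    uids = set()
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "uid":
            if value.startswith(":"):  # "uid:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            uids.add(value.strip())
    return uids

def user_principals(listprincs_text, realm):
    """Return user names with a principal in realm; service principals (a/b) are skipped."""
    pairs = (ln.strip().rpartition("@") for ln in listprincs_text.splitlines())
    return {name for name, _, r in pairs if r == realm and name and "/" not in name}

def reconcile(ldif_text, listprincs_text, realm):
    """Return (directory users with no principal, principals with no directory entry)."""
    uids, princs = ldap_uids(ldif_text), user_principals(listprincs_text, realm)
    return sorted(uids - princs), sorted(princs - uids)

if __name__ == "__main__":
    missing, orphaned = reconcile(SAMPLE_LDIF, SAMPLE_PRINCS, "EXAMPLE.COM")
    print("no principal:", missing, "| no directory entry:", orphaned)
```

A principal with no directory entry is the result to review first, since an account removed from the directory can still obtain tickets until its principal is deleted.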