On Tue, Feb 19, 2013 at 7:29 PM, Nico Kadel-Garcia <nka...@gmail.com> wrote:
> On Tue, Feb 19, 2013 at 1:13 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>> On Tue, Feb 19, 2013 at 3:19 PM, Nico Kadel-Garcia <nka...@gmail.com> wrote:
>>
>>> SSL certificates are associated with specific applications, so
>>> there's no surprise here. Also, some of the contents in /etc/pki are
>>> for GPG keys, not SSL certificates (such as /etc/pki/rpm-gpg). And
>>> others are for applications that probably don't need this unless
>>> you're going to a lot of work, such as "/etc/pki/dovecot". And some
>>> are the root certificates for Mozilla designated upstream signature
>>> authorities, such as /etc/pki/java/cacerts and /etc/pki/tls/cacerts/*
>>>
>>> Unfortunately, each application handles the certificates
>>> individually, so you really have to deal on an application by
>>> application basis with these.
>>>
>>> Which *application* are you using IPA for? Just Kerberos
>>> authentication, or full account management, or what?
>>
>> The total package, including soon a cross-realm trust with an AD
>> infrastructure.
>>
>> I am starting to think that maybe a wildcard certificate might just be
>> easier and cheaper ...
>
> Yeah, I'm a bit concerned about IPA. It sounds like a great idea to
> integrate and harden those services, but I've done Kerberos and LDAP
> migrations. With Samba 4 out and working, I'm not sure there's a big
> market for it. And I definitely expect Samba 4 to work with SL 7. (I'm
> writing rebundling SRPM's for Samba 4.0.3 on SL 6 right now.....)
Oh yes there is. I had done Kerberos and LDAP too, but man, night and day. It Just Works (TM); need another replica? Just add a server and run the script. It really is easy.

AD is for Windows hosts, and yes, you can kind of integrate Linux/other Unixes with it, but you miss out on a lot of things which are simply not there. With IPA I can define hostgroups that we use for HBAC, sudo rules, autofs, etc. Those same hostgroups are also NIS netgroups, so we can use them for TCP wrappers, NFS, cfengine, time-based access... What's not to like?

Right now we write cfengine policies, and our techs just add the host to a hostgroup and know it will have its software installed and configured, access fixed for certain people, and configs distributed, in about 20 minutes, kickstarting included. It took a while (not so much), but it is really nice.

Just digressing a bit, I am a big fan of IPA ;-)

--
natxo
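The hostgroup-driven setup natxo describes (one hostgroup feeding HBAC, sudo rules and the matching netgroup), written out as an added example with the FreeIPA CLI; it is not part of the original thread or of the IPA project. The hostgroup, user group, hosts and sudo command (webservers, webadmins, web1/web2.example.com, /usr/sbin/service) are assumptions for illustration. By default it only prints the plan; it talks to the server only when IPA_APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not from the thread: one IPA hostgroup driving HBAC, sudo and
# the matching netgroup. All names below (webservers, webadmins, the hosts and
# the sudo command) are assumptions for illustration.
#
# Dry run by default: each ipa command is printed. Set IPA_APPLY=1 to execute
# them (you need an admin Kerberos ticket first, e.g. from "kinit admin").

IPA=${IPA:-ipa}

# Print the command, or run it when IPA_APPLY is set.
run() {
    if [ -n "${IPA_APPLY:-}" ]; then
        "$IPA" "$@"
    else
        echo "$IPA $*"
    fi
}

# 1. The hostgroup: the one thing a tech touches when a host is kickstarted.
create_hostgroup() {
    run hostgroup-add webservers --desc=web-tier
    run hostgroup-add-member webservers --hosts=web1.example.com,web2.example.com
}

# 2. HBAC: who may log in to those hosts, and through which PAM service.
#    The default allow_all rule grants everyone access everywhere; until it is
#    disabled, no other rule restricts anything. Add the replacement rule
#    first so there is no window with no rule at all.
create_hbac() {
    run hbacrule-add webadmins_ssh --desc=webadmins-ssh-to-web-tier
    run hbacrule-add-user webadmins_ssh --groups=webadmins
    run hbacrule-add-host webadmins_ssh --hostgroups=webservers
    run hbacrule-add-service webadmins_ssh --hbacsvcs=sshd
    run hbacrule-disable allow_all
}

# 3. sudo: a named command, not ALL, scoped to the same hostgroup.
create_sudo() {
    run sudocmd-add /usr/sbin/service --desc=service-control
    run sudorule-add webadmins_service
    run sudorule-add-user webadmins_service --groups=webadmins
    run sudorule-add-host webadmins_service --hostgroups=webservers
    run sudorule-add-allow-command webadmins_service --sudocmds=/usr/sbin/service
}

# 4. Check before anyone locks themselves out: hbactest evaluates the rules on
#    the server for a given user/host/service. The hostgroup also exists as a
#    managed netgroup of the same name, so on a client whose nsswitch netgroup
#    line includes sss, "getent netgroup webservers" should list web1 and web2.
verify() {
    run hbactest --user=someadmin --host=web1.example.com --service=sshd
}

main() {
    create_hostgroup
    create_hbac
    create_sudo
    verify
}

main "$@"
```

Run it once without IPA_APPLY to read the plan, then with `IPA_APPLY=1` after `kinit admin`. The hbactest line is the important check: once allow_all is disabled, a user who is not covered by some enabled rule is refused by sshd on every enrolled host, including the admin running the script. The netgroup is what the non-IPA consumers use: `sshd: @webservers` in /etc/hosts.allow for TCP wrappers, or `@webservers(rw)` in /etc/exports for NFS.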