Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-24 Thread Michael Ströder
Iulian Roman wrote:
> Michael Ströder wrote:
>> Being in your position I'd first compile a list of functional and security
>> requirements and ask then whether these requirements can be implemented with
>> FreeIPA. I'm curious to learn whether "some other security related
>> attributes" are still needed after all.
>
> It is not a matter of whether they increase security or not, or whether they
> are really needed, but a matter of complying with some security standards
> agreed between two parties. It would be easier to keep them in the same format
> than to change the security standard, tooling and processes behind it (the
> bureaucracy, overhead and complexity of the enterprise environment make me try
> to avoid that as much as possible, especially when there are many people and
> departments involved, with their own mindset and playing different politics).

Sounds like the usual IAM business - nothing special.

Still, my recommendation would be to go the route of listing the requirements
and implementing them with methods native to the IAM system of your choice
(here FreeIPA). This might look harder in the beginning but pays off pretty soon.

Ciao, Michael.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-23 Thread Iulian Roman
On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder wrote:

> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:
> >
> > > Iulian Roman wrote:
> > > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> > > >
> > > > > Iulian Roman wrote:
> > > > > > Does anybody know if the rfc2307aix schema is supported in IPA server
> > > > >
> > > > > No, it isn't supported (it's the first I've ever heard of it). Looking
> > > > > at the schema I doubt it is something that would ever be fully supported.
> > > >
> > > > is there any possibility to extend the existing schema with additional
> > > > attributes/object
> > >
> > > Do you really use this specific AIX schema?
> > > If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They implement
> > some password restrictions needed for security/compliance
>
> Password policy is something best enforced centrally in the authentication
> server and password management system. So IMHO this serves as a perfect
> example for proprietary attributes you won't need.
>
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?
>

Kerberos


> > + some other security related attributes.
> > Personally I do not consider them a must - they are rather some nice to
> > have features - but I have to migrate an environment which does use them.
> > And I would like as well to make the migration as transparent as possible
> > (therefore without "missing features").
>
> Is the existing environment also an LDAP server with this particular AIX
> schema?
>

No, it is a custom/legacy solution which does not use LDAP but local accounts
which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?
>

No, I've adapted some FreeIPA document which describes the client setup for
AIX (in its original form it does not work and it needed some modifications),
but I have to admit that the documentation for integrating Unix clients is
poor and incomplete. IBM does recommend TDS, which integrates seamlessly with
both AIX and Linux clients + other features which should help in integrating
in a heterogeneous environment, but I am not evaluating that solution
currently (I may look into it only if I cannot integrate it with IPA in the
way I want).


> Being in your position I'd first compile a list of functional and security
> requirements and ask then whether these requirements can be implemented with
> FreeIPA. I'm curious to learn whether "some other security related attributes"
> are still needed after all.
>

All the password restriction policies (minage, maxage, number of characters in
the password, history of the old passwords, number of characters, password
dictionaries, etc.), loginretries - which "locks" the account after a number of
unsuccessful logins, hostsallow/deny login, all the ulimit related parameters
(that can probably be ignored). It is not a matter of whether they increase
security or not, or whether they are really needed, but a matter of complying
with some security standards agreed between two parties. It would be easier to
keep them in the same format than to change the security standard, tooling and
processes behind it (the bureaucracy, overhead and complexity of the enterprise
environment make me try to avoid that as much as possible, especially when
there are many people and departments involved, with their own mindset and
playing different politics).

> Ciao, Michael.
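
Michael's suggestion is to express the requirements listed in this message with FreeIPA's own mechanisms rather than carrying the AIX attributes over. As an added example (not from the thread and not FreeIPA's own code), the translator below parses a constructed AIX-style stanza and emits the matching `ipa pwpolicy-mod` and HBAC commands, converting AIX week-based ages into FreeIPA's days and hours and flagging attributes with no native counterpart so they stay on the requirements list instead of being silently dropped. The stanza format and the attribute names minage, maxage, histsize, minlen, loginretries, dictionlist and hostsallowedlogin are assumptions about the legacy local-account format; the ipa option names are the documented ones.

```python
# Added example, not code from the thread or from FreeIPA. AIX attribute names
# follow the /etc/security/user stanza convention (assumption).
SAMPLE_STANZA = """\
default:
        minage = 1
        maxage = 13
        histsize = 24
        minlen = 8
        loginretries = 5
        dictionlist = /etc/security/dict
        hostsallowedlogin = app01,app02
"""  # constructed sample, not real data
def parse_stanza(text):
    """Parse 'name:' headers plus indented 'attr = value' lines into {name: {attr: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):  # blank or AIX comment
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas
# AIX attribute -> (ipa pwpolicy-mod option, unit conversion). AIX ages are in
# weeks; FreeIPA takes --maxlife in days and --minlife in hours.
PWPOLICY_MAP = {
    "maxage": ("--maxlife", lambda weeks: int(weeks) * 7),
    "minage": ("--minlife", lambda weeks: int(weeks) * 7 * 24),
    "histsize": ("--history", int),
    "minlen": ("--minlength", int),
    "loginretries": ("--maxfail", int),
}
def translate(attrs, group="global_policy", hbac_name="aix-hosts"):
    """Return (ipa command lines, attributes with no native mapping here)."""
    opts, unmapped, cmds = [], [], []
    for attr, value in attrs.items():
        if attr in PWPOLICY_MAP:
            opt, conv = PWPOLICY_MAP[attr]
            opts.append(f"{opt}={conv(value)}")
        elif attr == "hostsallowedlogin":  # access control, not password policy: HBAC
            cmds.append(f"ipa hbacrule-add {hbac_name} --usercat=all --servicecat=all")
            cmds.extend(f"ipa hbacrule-add-host {hbac_name} --hosts={h.strip()}"
                        for h in value.split(","))
        else:
            unmapped.append(attr)  # e.g. dictionlist: keep it on the requirements list
    if opts:
        cmds.insert(0, f"ipa pwpolicy-mod {group} " + " ".join(opts))
    return cmds, unmapped
```

The unmapped list is the point of the exercise: each entry is a requirement that needs a decision (a different FreeIPA feature, or a negotiated change to the standard) rather than an attribute to copy across.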

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote:
> On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:
>
> > Iulian Roman wrote:
> > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> > >
> > > > Iulian Roman wrote:
> > > > > Does anybody know if the rfc2307aix schema is supported in IPA server
> > > >
> > > > No, it isn't supported (it's the first I've ever heard of it). Looking
> > > > at the schema I doubt it is something that would ever be fully supported.
> > >
> > > is there any possibility to extend the existing schema with additional
> > > attributes/object
> >
> > Do you really use this specific AIX schema?
> > If yes, which attributes for which purpose?
>
> I do need the aixAuxAccount and aixAuxGroup object classes. They implement
> some password restrictions needed for security/compliance

Password policy is something best enforced centrally in the authentication
server and password management system. So IMHO this serves as a perfect example
for proprietary attributes you won't need.

How is authentication done? SSH keys, Kerberos, LDAP simple bind?

> + some other security related attributes.
> Personally I do not consider them a must - they are rather some nice to have
> features - but I have to migrate an environment which does use them. And I
> would like as well to make the migration as transparent as possible
> (therefore without "missing features").

Is the existing environment also an LDAP server with this particular AIX schema?
Or are you trying to follow a migration path to LDAP suggested by IBM docs?

Being in your position I'd first compile a list of functional and security
requirements and ask then whether these requirements can be implemented with
FreeIPA. I'm curious to learn whether "some other security related attributes"
are still needed after all.

Ciao, Michael.

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Iulian Roman
On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder wrote:

> Iulian Roman wrote:
> > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
> >
> > > Iulian Roman wrote:
> > > > Hello,
> > > >
> > > > Does anybody know if the rfc2307aix schema is supported in IPA server (I
> > > > use the red hat IDM version)? If yes, is there any documentation
> > > > available? Was it tested?
> > >
> > > No, it isn't supported (it's the first I've ever heard of it). Looking
> > > at the schema I doubt it is something that would ever be fully supported.
> >
> > is there any possibility to extend the existing schema with additional
> > attributes/object
>
> Do you really use this specific AIX schema?
> If yes, which attributes for which purpose?

I do need the aixAuxAccount and aixAuxGroup object classes. They implement some
password restrictions needed for security/compliance + some other security
related attributes.
Personally I do not consider them a must - they are rather some nice to have
features - but I have to migrate an environment which does use them. And I
would like as well to make the migration as transparent as possible (therefore
without "missing features").

> Last time I've checked this schema when integrating AIX clients my conclusion
> was that this schema is rather useless and proprietary bloat.
>
> Ciao, Michael.

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-22 Thread Michael Ströder
Iulian Roman wrote:
> On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:
>
> > Iulian Roman wrote:
> > > Hello,
> > >
> > > Does anybody know if the rfc2307aix schema is supported in IPA server (I
> > > use the red hat IDM version)? If yes, is there any documentation
> > > available? Was it tested?
> >
> > No, it isn't supported (it's the first I've ever heard of it). Looking
> > at the schema I doubt it is something that would ever be fully supported.
>
> is there any possibility to extend the existing schema with additional
> attributes/object

Do you really use this specific AIX schema?
If yes, which attributes for which purpose?

Last time I've checked this schema when integrating AIX clients my conclusion
was that this schema is rather useless and proprietary bloat.

Ciao, Michael.

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-21 Thread Iulian Roman
On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden wrote:

> Iulian Roman wrote:
> > Hello,
> >
> > Does anybody know if the rfc2307aix schema is supported in IPA server (I
> > use the red hat IDM version)? If yes, is there any documentation available?
> > Was it tested?
>
> No, it isn't supported (it's the first I've ever heard of it). Looking
> at the schema I doubt it is something that would ever be fully supported.

Is there any possibility to extend the existing schema with additional
attributes/object classes? IPA integrates seamlessly in the Linux environment
and it would be nice to make that possible also for the Unix environment.
The enterprise environment is quite heterogeneous and a solution which would
facilitate the consolidation of authentication and authorization methods is
still something many companies are looking for. There are different solutions
for different platforms, with different features, but none which can be used
cross platform. I hope IPA will try to bridge this gap in the near future.

> rob
>
> >
> > I plan for a big migration and full support of the AIX user attributes
> > is one of the prerequisites.
>

Re: [Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-21 Thread Rob Crittenden
Iulian Roman wrote:
> Hello,
>
> Does anybody know if the rfc2307aix schema is supported in IPA server (I
> use the red hat IDM version)? If yes, is there any documentation available?
> Was it tested?

No, it isn't supported (it's the first I've ever heard of it). Looking
at the schema I doubt it is something that would ever be fully supported.

rob

> 
> I plan for a big migration and full support of the AIX user attributes
> is one of the prerequisites.

[Freeipa-users] support for rfc2307AIX schema in IPA server

2017-02-21 Thread Iulian Roman
Hello,

Does anybody know if the rfc2307aix schema is supported in IPA server (I
use the red hat IDM version)? If yes, is there any documentation available?
Was it tested?

I plan for a big migration and full support of the AIX user attributes is
one of the prerequisites.