
Replaced my Kerberos+LDAP setup with FreeIPA

Vincent Danen

December 12, 2012

So I've been having to deal with some IPA-related bugs in the past little bit, which of course got me thinking that I had no idea what IPA did or how to use it (thankfully I wasn't responsible for fixing the bugs!). But as I had to deal with these issues to some degree, I got to figure out what FreeIPA was and what it did. In short, FreeIPA rocks. As many of you know, I've written quite a few articles and blog posts about using Kerberos or OpenLDAP for authentication. It's no secret that I make heavy use of Linux at home, but also of the Mac, so for me any solution needs to deal with both in a semi-reasonable way. I could do Kerberos auth on OS X easily enough, but never did have luck with LDAP. On Linux, it's a piece of cake.

I've been using Kerberos and LDAP at home for years, largely because I have to do a lot of testing of things in virtual machines, so when a new version of something comes out (new Fedora, new major version of RHEL, etc.), I spin up a new VM and install it. Using Kerberos and LDAP makes the setup a breeze, and if I change my password, I'm not changing it on 20-odd systems/virtual machines.

I'm happy to say that FreeIPA exceeded my expectations, despite a bit of a rocky start (due to my not reading enough of the docs, annoyingly enough). I've now got it in place, it's doing Kerberos+LDAP on the Linux clients and also on the Macs! I have, for the first time ever (not counting OS X Server 10.4 or something, and using OpenDirectory), gotten to log in to an OS X system with network credentials. I've also made use of the DogTag CA and had my internal MediaWiki instance (which used mod_auth_kerb for SSO authentication) also use HTTPS now with mod_nss and my shiny new IPA CA.

There's a bunch more about FreeIPA than what I've done so far. I've just scratched the surface (and even that, not entirely, as I've still got a dozen or so systems/VMs to switch from the old Kerberos+LDAP setup to using FreeIPA), but I'm looking forward to playing with the other things like a hopefully much easier kerberized NFSv4, storing sudo configs in the directory, auto-mounted home directories (don't care too much about that for the workstations, but that will be sweet for the virtual machines), and so on. FreeIPA has a really really nice package that takes care of all this stuff and I'm kinda kicking myself that I didn't play with it sooner.

And, because of my really odd love for this sort of thing, I've written an article on my wiki: Using FreeIPA for User Authentication, which goes into the whole setup and enrolment. A lot of it is covered in the upstream docs, but the upstream docs only got to OS X 10.4, so my 10.7/10.8 setup required a bit more futzing and research. While I'm "officially" calling this article done, as I spend time over the Christmas holidays playing around with it, I will no doubt be adding more info as I discover it.
