HI!
Watching the heroes talk videos at OSC I realized that your FreeIPA
installation still runs on Fedora. Hmm...
TL;DR: This is a proposal to replace FreeIPA with Æ-DIR (augmented by
PowerDNS with LDAP back-end).
I know that you're quite happy with your FreeIPA setup and thus this
proposal likely seems rather disruptive. Be assured that I won't be
upset if you just consider this too crazy to even think about.
ldapwhoami: I've been an (open)SUSE user for 20 years or so. Because I like
to stay near upstream code I'm running my own stuff with Tumbleweed and
update openSUSE packages here and there. I have worked with OpenLDAP for
quite a while.
First of all: Æ-DIR is not a hobby project. It's seriously used. I'm
committed to fix every bug in there ASAP.
Æ-DIR is an integrated solution for all kinds of logins based on pure
OpenLDAP. It differs from FreeIPA because its design strictly follows
need-to-know and least-privilege principles. Furthermore it allows
fine-grained delegation of data maintenance.
There are some introductory presentations available, each with a different
focus (despite the German web page, some talks are in English):
https://www.stroeder.com/publications.html#lectures
I won't repeat the web site here, so please glance over it:
https://www.ae-dir.com/
I've already talked to Christian about it and he said that you're using
the DNS integration of FreeIPA. Well, Æ-DIR itself does not provide such
a direct integration, but I'm running a setup based on PowerDNS with
LDAP back-end myself. The authentication and authorization is integrated
with Æ-DIR as briefly described here:
https://www.ae-dir.com/apps.html#slapd-ldap
(Note that as of PowerDNS 4.0+ the LDAP backend is fully supported again.)
Æ-DIR has integrated 2-factor authentication based on OATH-LDAP which
allows to enable OATH-based MFA with e.g. password and Yubikey for every
simple LDAP enabled application.
For NSS and PAM you can use the usual suspects like sssd and
nss-pam-ldapd. Note that every integrated system, no exception(!), needs
an aeHost or aeService entry with a password to get appropriate read access
to Æ-DIR.
This can be a challenge if you're integrating lots of systems. So this is
one of the reasons why I've developed a custom component for Æ-DIR,
called aehostd:
https://www.ae-dir.com/aehostd.html
Æ-DIR is installed with the help of an ansible role. I know that you use
SaltStack. IMHO this is not an issue because the ansible role stays away
from base configuration of the OS. So you can use your normal salt
states for base setup and after that play this ansible role.
In contrast to FreeIPA, Æ-DIR deliberately does not support Kerberos. For
SSH logins I strongly prefer temporary OpenSSH certs (not X.509) and for
web-based logins there are already too many decent WebSSO systems out there.
BTW: I've read your "openSUSE:Infrastructure policy" page.
AppArmor is supported out-of-the-box.
So here's the deal how to support openSUSE project:
1. You provide installation prerequisites.
(see https://www.ae-dir.com/install.html#prereq)
2. I will install Æ-DIR providers and consumers with initial data.
3. You play with it. I will help migrating systems to use Æ-DIR.
4. You provide a couple of PowerDNS servers which I will set up with LDAP
backend.
5. I will assist developing a SaltStack state for client integration
(up to now I only have ansible roles)
Well, that's all for now.
Let me know if you have further questions.
Looking forward to your feedback.
Ciao, Michael.
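To make the "every system binds with its own aeHost entry" requirement from the proposal above concrete, here is an added sssd.conf fragment for an integrated client. It is not code from the original post or from the Æ-DIR project; the LDAP URI, the directory suffix, the aeHost DN, the objectClass used in the access filter and the CA bundle path are all placeholders and must be replaced with what your own Æ-DIR provider actually issues.

```ini
# /etc/sssd/sssd.conf  (added example, not part of Æ-DIR; keep it 0600 root:root,
# because the per-host bind password below is stored in clear text)
#
# Assumptions (placeholders): the Æ-DIR provider listens on
# ldaps://ae-dir-p1.example.com, the directory suffix is ou=ae-dir, and this
# machine has been registered as the aeHost entry
# cn=host1.example.com,cn=web,cn=prod,ou=ae-dir with its own password.
[sssd]
services = nss, pam
domains = ae-dir

[domain/ae-dir]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

ldap_uri = ldaps://ae-dir-p1.example.com
ldap_search_base = ou=ae-dir

# No anonymous and no shared service bind: this host authenticates as itself,
# so the server-side ACLs can scope what it is allowed to read.
ldap_default_bind_dn = cn=host1.example.com,cn=web,cn=prod,ou=ae-dir
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-WITH-THE-PASSWORD-OF-THIS-AEHOST-ENTRY

# Always verify the provider certificate; never fall back to an unverified TLS session.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/ca-bundle.pem

# Local belt-and-braces check on top of the directory's own ACLs: only entries
# of the assumed user objectClass may log in here.
ldap_access_order = filter
ldap_access_filter = (objectClass=aeUser)

# Do not keep password hashes on the client; fail closed if the provider is unreachable.
cache_credentials = false
enumerate = false
```

Adjust ldap_schema (and the user/group objectClass settings) to match how your Æ-DIR instance exposes posixAccount and group entries; the defaults are not guaranteed to fit. Note also that the bind password lives in plain text in this file, which is exactly the per-host secret management burden the post points to aehostd for once the number of integrated systems grows.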
Hello,
the next Heroes meeting will be on Tuesday (2018-07-03) at 18:00 UTC /
20:00 CEST in #opensuse-admin
We already have several topics on
https://progress.opensuse.org/issues/36817
but if you have other things you want to discuss, please add them ;-)
Regards,
Christian Boltz
--
I've not had any luck reading the manpage and making SWAGs
(Scientific Wild Ass Guesses - Trademark -- Amdahl Corporation).
[Sid Boyce in opensuse-factory]