Hi!

Watching the Heroes talk videos at OSC I realized that your FreeIPA installation still runs on Fedora. Hmm...

TL;DR: This is a proposal to replace FreeIPA with Æ-DIR (augmented by PowerDNS with LDAP back-end).

I know that you're quite happy with your FreeIPA setup and thus this proposal likely seems rather disruptive. Be assured that I won't be upset if you just consider this too crazy to even think about.

ldapwhoami: I've been an (open)SUSE user for 20 years or so. Because I like to stay near upstream code I'm running my own stuff with Tumbleweed and update openSUSE packages here and there. I have worked with OpenLDAP for quite a while.

First of all: Æ-DIR is not a hobby project. It's seriously used. I'm committed to fixing every bug in there ASAP.

Æ-DIR is an integrated solution for all kinds of logins based on pure OpenLDAP. It differs from FreeIPA because its design strictly follows the need-to-know and least-privilege principles. Furthermore it allows fine-grained delegation of data maintenance.

There are some introductory presentations available, each with a different focus (despite the German web page, some talks are in English):
https://www.stroeder.com/publications.html#lectures

I won't repeat the web site here, so please glance over it:
https://www.ae-dir.com/

I've already talked to Christian about it and he said that you're using the DNS integration of FreeIPA. Well, Æ-DIR itself does not provide such a direct integration, but I'm running a setup based on PowerDNS with LDAP back-end myself. The authentication and authorization is integrated with Æ-DIR as briefly described here:
https://www.ae-dir.com/apps.html#slapd-ldap
(Note that as of PowerDNS 4.0+ the LDAP backend is fully supported again.)

Æ-DIR has integrated 2-factor authentication based on OATH-LDAP which allows enabling OATH-based MFA with e.g. password and Yubikey for every simple LDAP-enabled application.

For NSS and PAM you can use the usual suspects like sssd and nss-pam-ldapd.

Note that every integrated system, no exception(!), needs an aeHost or aeService entry with a password to get appropriate read access to Æ-DIR. This can be a challenge if you're integrating lots of systems. So this is one of the reasons why I've developed a custom component for Æ-DIR, called aehostd:
https://www.ae-dir.com/aehostd.html

Æ-DIR is installed with the help of an ansible role. I know that you use SaltStack. IMHO this is not an issue because the ansible role stays away from the base configuration of the OS. So you can use your normal salt states for the base setup and after that play this ansible role.

In contrast to FreeIPA, Æ-DIR deliberately does not support Kerberos. For SSH logins I strongly prefer temporary OpenSSH certs (not X.509) and for web-based logins there are already too many decent WebSSO systems out there.

BTW: I've read your "openSUSE:Infrastructure policy" page. AppArmor is supported out-of-the-box.

So here's the deal how to support the openSUSE project:

1. You provide the installation prerequisites (see https://www.ae-dir.com/install.html#prereq).
2. I will install Æ-DIR providers and consumers with initial data.
3. You play with it. I will help migrating systems to use Æ-DIR.
4. You provide a couple of PowerDNS servers which I will set up with the LDAP backend.
5. I will assist in developing a SaltStack state for client integration (up to now I only have ansible roles).

Well, that's all for now. Let me know if you have further questions. Looking forward to your feedback.

Ciao, Michael.
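The mail's point that every integrated system binds with its own aeHost or aeService entry, and that PowerDNS can use the LDAP backend, is illustrated below with two constructed configuration fragments. These are an added example, not configuration shipped by Æ-DIR, PowerDNS or the author of the mail: the hostnames, the suffix ou=ae-dir and the DN layout of the aeHost/aeService entries are assumptions for illustration only, and the option names are the real ones from sssd.conf(5) and the PowerDNS LDAP backend documentation.

```ini
; sssd.conf on one client host (constructed example, not from Æ-DIR)
; The client does NOT bind anonymously: it uses its own aeHost entry,
; so access can be revoked per host and read scope is limited to what
; that host needs. DN layout and hostnames below are assumed.
[sssd]
services = nss, pam
domains = ae-dir

[domain/ae-dir]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ae-dir-provider.example.org
ldap_search_base = ou=ae-dir
ldap_tls_cacert = /etc/ssl/ca-bundle.pem
ldap_tls_reqcert = demand
; per-host bind identity (assumed DN layout)
ldap_default_bind_dn = host=client1.example.org,cn=srv-example,cn=ae,ou=ae-dir
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-WITH-HOST-PASSWORD

; pdns.conf for an authoritative PowerDNS 4.x server (constructed example)
; The name server likewise binds with its own aeService entry; the
; password lives only in this root-owned file. DN layout is assumed.
launch=ldap
ldap-host=ldaps://ae-dir-provider.example.org
ldap-basedn=ou=ae-dir
ldap-binddn=uid=pdns-ns1,cn=srv-dns,cn=ae,ou=ae-dir
ldap-secret=REPLACE-WITH-SERVICE-PASSWORD
ldap-method=strict
```

Keep both files mode 0600 and owned by root (sssd) or the pdns user, since each holds a bind password; with `ldap_tls_reqcert = demand` and `ldaps://` the client refuses to send that password to a server whose certificate does not validate against the configured CA bundle.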