On Wed, Feb 22, 2017 at 9:02 PM, Michael Ströder <[email protected]> wrote:
> Iulian Roman wrote:
> > On Wed, Feb 22, 2017 at 6:03 PM, Michael Ströder <[email protected]> wrote:
> > > Iulian Roman wrote:
> > > > On Tue, Feb 21, 2017 at 4:31 PM, Rob Crittenden <[email protected]> wrote:
> > > > > Iulian Roman wrote:
> > > > > > Does anybody know if the rfc2307aix schema is supported in IPA server
> > > > >
> > > > > No, it isn't supported (it's the first I've ever heard of it). Looking
> > > > > at the schema I doubt it is something that would ever be fully supported.
> > > > >
> > > > > > is there any possibility to extend the existing schema with additional
> > > > > > attributes/object
> > >
> > > Do you really use this specific AIX schema?
> > > If yes, which attributes for which purpose?
> >
> > I do need the aixAuxAccount and aixAuxGroup object classes. They
> > implement some password restrictions needed for security/compliance
>
> Password policy is something best enforced centrally in the authentication
> server and password management system. So IMHO this serves as perfect
> example for proprietary attributes you won't need.
>
> How is authentication done? SSH keys, Kerberos, LDAP simple bind?

Kerberos

> > + some other security related attributes.
> > Personally I do not consider them a must - they are rather some nice to
> > have features - but I have to migrate an environment which does use them.
> > And I would like as well to make the migration as transparent as possible
> > (therefore without "missing features").
>
> Is the existing environment also an LDAP server with this particular AIX
> schema?

No, it is a custom/legacy solution which does not use LDAP but local
accounts which are centrally managed.

> Or are you trying to follow a migration path to LDAP suggested by IBM docs?

No, I've adapted some FreeIPA document which describes the client setup for
AIX (in its original form it does not work and it needed some
modifications), but I have to admit that the documentation for integrating
Unix clients is poor and incomplete. IBM does recommend TDS, which
integrates seamlessly with both AIX and Linux clients + other features which
should help in integrating in a heterogeneous environment, but I am not
evaluating that solution currently (I may look into it only if I cannot
integrate it with IPA in the way I want).

> Being in your position I'd first compile a list of functional and security
> requirements and ask then whether these requirements can be implemented
> with FreeIPA. I'm curious to learn whether "some other security related
> attributes" are still needed after all.

All the password restriction policies (minage, maxage, number of characters
in the password, history of the old passwords, number of characters,
password dictionaries, etc.), loginretries - which "locks" the account after
a number of unsuccessful logins, hostsallow/deny login, all the ulimit
related parameters (that can probably be ignored). It is not a matter of
whether they increase the security or not or if they are really needed, but
a matter of complying with some security standards agreed between two
parties. It would be easier to keep them in the same format than to change
the security standard, tooling and processes behind (bureaucracy, overhead
and complexity of the enterprise environment make me try to avoid that as
much as possible, especially when there are many people and departments
involved, with their own mindset and playing different politics).

> Ciao, Michael.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
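The list of AIX controls at the end of the thread (minage, maxage, minlen, password history, loginretries, hostsallow/deny, ulimits) is exactly the inventory Michael asks for, and most of it lands in FreeIPA's own password policy rather than in an imported aixAuxAccount object class. The script below is an added illustration, not code from the thread or from the FreeIPA project: it parses a constructed /etc/security/user stanza, converts the attributes that ipa pwpolicy-add models (with the unit changes the conversion needs: AIX minage/maxage are weeks, FreeIPA --minlife is hours and --maxlife is days), and lists the rest with where the equivalent control lives (HBAC for hostsallowedlogin/hostsdeniedlogin, client-side limits for ulimits). The sample stanza, the group name aix_migrated, the priority, and the failinterval/lockouttime placeholders are assumptions; the minclasses approximation is noted in the code.

```python
"""Translate AIX /etc/security/user password attributes into arguments for
``ipa pwpolicy-add``, and report which attributes have no pwpolicy mapping.

Unit assumptions (from the AIX and FreeIPA manuals; verify for your version):
AIX minage/maxage are weeks, histsize/loginretries are counts; FreeIPA
--minlife is hours, --maxlife is days, --history/--maxfail are counts.
"""
import shlex

# Constructed sample stanza in /etc/security/user syntax (not real site data).
SAMPLE_STANZA = """\
* constructed example, not taken from any real system
default:
        minage = 1
        maxage = 13
        minlen = 8
        minalpha = 2
        minother = 1
        histsize = 10
        loginretries = 5
        dictionlist = /usr/share/dict/words
        hostsallowedlogin = aixbox1,aixbox2
        fsize = 2097151
"""

# Attributes from the thread's list that ipa pwpolicy does not model, with
# where the equivalent control lives instead.
UNMAPPED_HINTS = {
    "dictionlist": "not a pwpolicy field mapped here; check whether your "
                   "IPA version offers --dictcheck, otherwise enforce elsewhere",
    "pwdchecks": "site-specific check modules; no IPA equivalent",
    "hostsallowedlogin": "express as HBAC rules (ipa hbacrule-add, "
                         "hbacrule-add-host, hbacrule-add-user)",
    "hostsdeniedlogin": "HBAC is allow-list only; invert into allow rules",
    "fsize": "ulimit; belongs in the client's limits configuration, not IPA",
}


def parse_stanza(text):
    """Parse AIX stanza syntax: 'name:' opens a stanza, 'attr = value' lines
    belong to it, lines starting with '*' are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith(":"):
            current = line[:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line outside a stanza or malformed: {line!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_pwpolicy_args(attrs, failinterval=300, lockouttime=600):
    """Map one stanza's attributes to ipa pwpolicy-add options.

    Returns (args, unmapped): args is {option: int}; unmapped lists
    (attribute, hint) pairs the migration must handle outside pwpolicy.
    failinterval/lockouttime (seconds) are placeholders: AIX loginretries
    locks until an administrator unlocks, so pick values matching your
    standard.
    """
    args, unmapped = {}, []
    for key, value in attrs.items():
        if key == "minage":
            args["minlife"] = int(value) * 7 * 24      # weeks -> hours
        elif key == "maxage":
            args["maxlife"] = int(value) * 7           # weeks -> days
        elif key == "minlen":
            args["minlength"] = int(value)
        elif key == "histsize":
            args["history"] = int(value)
        elif key == "loginretries":
            args["maxfail"] = int(value)
        elif key in ("minalpha", "minother"):
            # AIX counts characters of a kind; IPA counts distinct character
            # classes. Approximation: each non-zero AIX minimum demands one
            # class, so 'minalpha = 2, minother = 1' becomes minclasses=2.
            if int(value) > 0:
                args["minclasses"] = args.get("minclasses", 0) + 1
        else:
            hint = UNMAPPED_HINTS.get(key, "no pwpolicy equivalent; review manually")
            unmapped.append((key, hint))
    if "maxfail" in args:
        args["failinterval"] = failinterval
        args["lockouttime"] = lockouttime
    return args, unmapped


def pwpolicy_command(group, priority, args):
    """Render the ipa command for a group policy (group/priority are the
    caller's choice); ipa is not invoked here."""
    parts = ["ipa", "pwpolicy-add", group, f"--priority={priority}"]
    parts += [f"--{opt}={val}" for opt, val in sorted(args.items())]
    return shlex.join(parts)


if __name__ == "__main__":
    attrs = parse_stanza(SAMPLE_STANZA)["default"]
    args, unmapped = to_pwpolicy_args(attrs)
    print(pwpolicy_command("aix_migrated", 10, args))
    for attr, hint in unmapped:
        print(f"# {attr}: {hint}")
```

Run as-is it prints one ipa pwpolicy-add line for the sample stanza and three comment lines for the attributes that need a different home. The point worth checking against your own /etc/security/user is the lockout semantics: AIX keeps the account locked after loginretries until someone clears it, whereas FreeIPA always pairs --maxfail with a --failinterval window and a --lockouttime, so "same format" on paper still needs an explicit decision on those two values.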
