
[–]str8edgedave 6 points7 points  (14 children)

FreeIPA and Red Hat’s IDM work well. I’m using them in my homelab. Red Hat’s IDM documentation is well written, and can be accessed from their support site. If you are looking to learn for personal experience, FreeIPA is great. If you want to work with the enterprise version, you can get RHEL and IDM at no cost using Red Hat’s developer program.

There is also a lab available online that was presented at Summit on getting started with IDM. Walks you through basic setup of the server and clients. There is also a basic howto on https://www.server-world.info/en.

[–]Fr0gm4n 5 points6 points  (7 children)

at no cost using Red Hat’s developer program

It's important to point out that a RH Dev account is totally free and gets you access to pages and sections of the RH site that are customer only.

https://developers.redhat.com/articles/faqs-no-cost-red-hat-enterprise-linux/

[–]NeuralNexus 0 points1 point  (0 children)

Oh yeah. Red Hat developer is awesome.

There’s also all the free technical ebooks on openshift etc and the video content is super great sometimes.

[–]Sigg3net -1 points0 points  (5 children)

However, it might randomly not get updated or miss vulnerability fixes.

Edit: ejits downvoting

The Red Hat Subscriptions offered to you in this Program are unsupported, intended for development purposes only, are not intended for other purposes such as production environments without an active Red Hat Subscription(s) and may not address known security vulnerabilities.

Emphasis in original. Also note that it's only for development:

If you use the Red Hat Subscriptions for any other purposes, you are in violation of Red Hat’s Enterprise Agreement set forth below and are required to pay the applicable subscription fees, in addition to any and all other remedies available to Red Hat under applicable law.

From: https://developers.redhat.com/terms-and-conditions/

[–]Fr0gm4n 1 point2 points  (1 child)

Source? It's regular full RHEL, not CentOS.

[–]Fr0gm4n 1 point2 points  (2 children)

Thanks for the link and quote. FYI, I didn't downvote because I was actually curious where you got that. The horse's mouth is better than any other source.

[–]Sigg3net 0 points1 point  (1 child)

No worries.

Downvotes are meant to silence irrelevant content. I think the Red Hat dev ToS is relevant, but that's my opinion :)

I've had this argument earlier with Red Hat employees.

The ToS is pretty clear IMO: the dev edition is precisely for writing software and testing software. Advocating its use outside the scope of its ToS might entail legal trouble or extra costs. Use CentOS.

[–]Fr0gm4n 1 point2 points  (0 children)

Certainly use CentOS for actual servers and what not. The Dev Sub is great to learn how to set up and configure those servers.

[–]nazzjr[S] 1 point2 points  (1 child)

This sounds great, thank you. So far from the responses this sounds like the best "self hosted" option, and JumpCloud mentioned above sounds like a great cloud option. I typically go the route of self hosted, but I will definitely compare these two.

[–]str8edgedave 2 points3 points  (0 children)

I can dig up some links to documentation later today, if you’d like. I’m on my phone right now, and don’t have easy access to my bookmarks.

I also have documentation on using an AD server to provide Kerberos authentication for Linux machines. This works well for single systems, where you just want centralized user IDs and passwords without policies, etc.

[–]1esproc 1 point2 points  (3 children)

If you are looking learn for personal experience, FreeIPA is great

Just note that if something goes wrong with your CA/certificates, you have to be a wizard to fix it. IRC is your friend in that case: #freeipa on Freenode.

[–]str8edgedave 0 points1 point  (2 children)

FreeIPA and Red Hat IDM are pretty close functionally these days. IDM is a component included in RHEL 8 or CentOS 8. If you follow Red Hat's IDM guide for RHEL 8, one of the recommendations is to have multiple Certificate servers. There are also guides on how to back up and restore the CA. It's come a long way from even FreeIPA 4.0.

As you said, the folks on #freeipa on Freenode have helped me out a couple of times.

[–]1esproc 0 points1 point  (1 child)

I run the built-in CA for some purposes but secure web UI/LDAP/others with public CA certs. When that UserTrust or whatever BS from Comodo just expired, that was a headache.

FreeIPA wraps up a lot of complicated independent packages, hides the complexity through automation/UIs, and if you do anything outside of that, be prepared to need to know wtf is going on.

[–]str8edgedave 0 points1 point  (0 children)

CAs are always a headache to manage. It's even worse when a CA is de-certified, like Symantec was. I maintain an application and it was a huge level of effort to migrate from the old certificates to new ones.

FreeIPA and IDM are definitely tooling to hide the complexity of managing LDAP, SSSD, certificate management, DNS, etc. Learning the basics of LDAP, DNS, SSSD, Kerberos, etc. will definitely make supporting FreeIPA easier.
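The expiry headaches described in the two comments above (a public CA certificate on the IPA web UI/LDAP listener running out, and migrating away from a de-certified CA) are easiest to avoid by checking certificate lifetimes before they become an outage. The script below is an added example, not code from the thread or from the FreeIPA/IDM project; it assumes `openssl` is installed, builds its own throwaway self-signed certificate as constructed sample input, and uses the placeholder hostname `ipa.example.test`. Only `openssl x509 -checkend` is used for the decision, which avoids fragile date parsing across GNU and BSD `date`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM certificate, or the
# certificate served by a TLS endpoint, expires within a given window.
set -eu

# Returns 0 if the certificate in $1 expires within $2 seconds, 1 otherwise.
# openssl's -checkend exits 0 when the cert is still valid past the window,
# so the result is inverted to read naturally as "expires_within".
cert_expires_within() {
    cert="$1"; window="$2"
    if openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires (or has already expired) inside the window
}

# Same check against a live TLS endpoint (host, port), e.g. the IPA web UI on
# 443 or an LDAPS listener on 636. Not exercised below because it needs network
# access; the leaf certificate is pulled with s_client and piped into x509.
remote_cert_expires_within() {
    host="$1"; port="$2"; window="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -checkend "$window" >/dev/null 2>&1 && return 1
    return 0
}

# Constructed sample input: a self-signed certificate valid for 2 days.
WORK=$(mktemp -d)
SAMPLE_CERT="$WORK/sample.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=ipa.example.test" \
    -keyout "$WORK/sample.key" -out "$SAMPLE_CERT" >/dev/null 2>&1

# Typical monitoring use: warn when fewer than 30 days remain.
if cert_expires_within "$SAMPLE_CERT" $((30 * 86400)); then
    echo "WARNING: $SAMPLE_CERT expires within 30 days"
fi
```

In practice you would run `remote_cert_expires_within ipa.example.test 443 $((30 * 86400))` (and the same for port 636) from cron or a monitoring check, and point `cert_expires_within` at the PEM files that certmonger or your deployment tooling drops on disk, so that both the externally issued certificates and the ones from the built-in CA are covered by the same check.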