IPA vs just LDAP for Linux boxes - looking for a comparison

There are a few (~30) Linux (RHEL) boxes and I'm looking for a centralized and easily managed solution, mostly to control user accounts. I'm familiar with LDAP, and I deployed a pilot of IPA ver2 from Red Hat (==FreeIPA).

I understand that in theory IPA provides an "MS Windows domain"-like solution, but at a glance it's not such an easy and mature product [yet]. Aside from SSO, are there any security features which are available only in an IPA domain and not available when I'm using LDAP?

I'm not interested in the DNS and NTP parts of the IPA domain.


First of all, I would say IPA is perfectly suited for a production environment as of now (and has been for quite a time), although you should be using the 3.x series by now.

IPA does not provide an "MS Windows AD-like" solution, rather it provides the capability to set up a trust relationship between an Active Directory and an IPA domain, which is a Kerberos REALM, actually.

With regards to some of the security features that you can use out of the box with IPA that are not present in a standard LDAP installation, or an LDAP-based Kerberos REALM, let's name a few:

  • storing SSH keys for users
  • SELinux mappings
  • HBAC rules
  • sudo rules
  • setting password policies
  • certificate (X509) handling

Related to SSO, keep in mind that the target application must support Kerberos authentication and LDAP authorization, or be able to talk to SSSD.

Lastly, you don't need to configure NTP nor DNS if you don't want to, both are optional. However, I'd very much recommend using both, as you can always delegate NTP on a higher stratum, and setup forwarders for anything outside your realm easily.
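The HBAC rules in the answer's list are the clearest illustration of what IPA adds over a bare LDAP directory: the decision "may this user use this PAM service on this host" is made centrally, per user/group, host/hostgroup and service, and enforced on each client by SSSD. The following is an added example and is not code from the original post, from FreeIPA or from SSSD: a simplified Python evaluator modelled on FreeIPA's HBAC semantics, where rules are allow-only, each rule has a user, host and service section, and each section matches either everything (category "all") or explicit members and groups. All users, hosts, group memberships and rule names are constructed for the example; the only real-world detail it reproduces is that a fresh IPA install ships an enabled `allow_all` rule, which must be disabled before your own rules have any effect. Sudo rules are a separate IPA object and are not modelled here.

```python
"""
Simplified FreeIPA-style HBAC evaluator (added illustration, not FreeIPA/SSSD code).

Semantics reproduced:
  * rules are allow-only: no matching rule => access denied
  * a rule matches only if its user, host AND service sections all match
  * a section with category "all" matches everything; otherwise it matches
    an explicit member or a group the member belongs to
  * disabled rules are ignored (a fresh IPA install has an enabled allow_all rule)
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    user_category: Optional[str] = None     # "all" matches every user
    host_category: Optional[str] = None     # "all" matches every host
    service_category: Optional[str] = None  # "all" matches every PAM service
    users: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    host_groups: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    service_groups: Set[str] = field(default_factory=set)


# Constructed directory data standing in for what SSSD fetches from the IPA server.
USER_GROUPS = {"alice": {"admins"}, "bob": {"webteam"}, "carol": {"dba"}}
HOST_GROUPS = {
    "web01.example.test": {"webservers"},
    "web02.example.test": {"webservers"},
    "db01.example.test": {"dbservers"},
}
# HBAC service groups: IPA lets you group PAM services (e.g. sudo and sudo-i).
SERVICE_GROUPS = {"Sudo": {"sudo", "sudo-i"}}

RULES: List[HBACRule] = [
    # Shipped with IPA and enabled by default; disabled here so the rules below apply.
    HBACRule(name="allow_all", enabled=False,
             user_category="all", host_category="all", service_category="all"),
    # Members of 'admins' may SSH to any enrolled host.
    HBACRule(name="admins_ssh_everywhere", user_groups={"admins"},
             host_category="all", services={"sshd"}),
    # Web team may use sudo (via the Sudo service group) on the 'webservers' hostgroup only.
    HBACRule(name="webteam_sudo_on_webservers", user_groups={"webteam"},
             host_groups={"webservers"}, service_groups={"Sudo"}),
    # A single user allowed to SSH to a single host, no groups involved.
    HBACRule(name="carol_ssh_db01", users={"carol"},
             hosts={"db01.example.test"}, services={"sshd"}),
]


def _section_matches(category: Optional[str], member: str, member_groups: Set[str],
                     rule_members: Set[str], rule_groups: Set[str]) -> bool:
    """One section of a rule: category 'all', or explicit member, or shared group."""
    if category == "all":
        return True
    return member in rule_members or bool(member_groups & rule_groups)


def rule_matches(rule: HBACRule, user: str, host: str, service: str) -> bool:
    if not rule.enabled:
        return False
    ugroups = USER_GROUPS.get(user, set())
    hgroups = HOST_GROUPS.get(host, set())
    sgroups = {g for g, members in SERVICE_GROUPS.items() if service in members}
    return (_section_matches(rule.user_category, user, ugroups, rule.users, rule.user_groups)
            and _section_matches(rule.host_category, host, hgroups, rule.hosts, rule.host_groups)
            and _section_matches(rule.service_category, service, sgroups,
                                 rule.services, rule.service_groups))


def check_access(user: str, host: str, service: str,
                 rules: List[HBACRule] = RULES) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the first matching rule). No match means deny."""
    for rule in rules:
        if rule_matches(rule, user, host, service):
            return True, rule.name
    return False, None


def with_rule_enabled(rules: List[HBACRule], name: str, enabled: bool = True) -> List[HBACRule]:
    """Copy of the rule list with one rule toggled, e.g. to see the effect of allow_all."""
    return [replace(r, enabled=enabled) if r.name == name else r for r in rules]


if __name__ == "__main__":
    for req in [("alice", "db01.example.test", "sshd"),
                ("bob", "web01.example.test", "sudo"),
                ("bob", "web01.example.test", "sshd"),
                ("carol", "web01.example.test", "sshd")]:
        print(req, "->", check_access(*req))
    print("with allow_all enabled:",
          check_access("carol", "web01.example.test", "sshd",
                       with_rule_enabled(RULES, "allow_all")))
```

The point to take from the example is the last case: with `allow_all` enabled every request succeeds regardless of the other rules, which is exactly the state of a freshly installed IPA domain. On a real server the equivalent rules are created with `ipa hbacrule-add`, `ipa hbacrule-add-user`, `ipa hbacrule-add-host` and `ipa hbacrule-add-service`, the default rule is switched off with `ipa hbacrule-disable allow_all`, and a decision can be dry-run with `ipa hbactest` before any client is affected.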