Date: Fri, 13 Mar 2020 08:53:09 -0400
From: Chris Gordon <freebsd@theory14.net>
To: Victor Sudakov <vas@sibptus.ru>
Cc: freebsd-questions@freebsd.org
Subject: Re: Centralized user/group/whatever management
Message-ID: <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>
In-Reply-To: <20200313091923.GA98495@admin.sibptus.ru>
References: <20200313091923.GA98495@admin.sibptus.ru>
> On Mar 13, 2020, at 5:19 AM, Victor Sudakov <vas@sibptus.ru> wrote:
>
> Dear Colleagues,
>
> Do you think there exists a modern solution for centralized user/group/...
> management compatible with FreeBSD and Linux?
>
> I have experience using NIS on FreeBSD for many years, but NIS is really very
> dated, not very secure, depends on the NIS servers being reachable all the
> time, depends on Sun RPC (portmapper, dynamic ports) and has other
> drawbacks. I know this from experience.
>
> Are there any modern solutions for FreeBSD hosts to have at least a common
> user/userid/group/groupid database, or maybe even more centralized goodies?
>
> I've been told that Linux has FreeIPA, but I think it's not fully
> compatible with FreeBSD, and besides security/sssd wants so many
> dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> good enough).
>
> Any success stories?

LDAP and Kerberos are common solutions for this. There are many ways you could do this, both or just one of them depending on your specific needs. You could:

- Set up servers yourself. For instance setting up OpenLDAP
- Use some "pre-integrated" solutions:
  - FreeIPA. Underneath, this is just LDAP, Kerberos, DNS, etc. You don't have to use SSSD to use FreeIPA as an auth source. Not sure what "features" may or may not be there.
  - Active Directory. Yes, you could use a Windows solution. It's fundamentally LDAP, Kerberos, DNS, etc. Note that FreeIPA is an attempt to re-create AD with Open Source components -- whether they state that or not, it's what it is.
  - Samba acting as an AD server

You could also look at using signed SSH keys. There are some articles about some of the hyper scale sites doing this to address the failure points and scalability problems you get with a centralized directory service. It's on my list to read up on, but I haven't gotten to it yet.

Depending on your scale and needs, you could just keep it really simple and use some automation tool like Ansible, Puppet, Salt, Chef, etc to add/remove users across all of the machines.

There are lots of options with varying degrees of work. It really depends on your actual requirements and resources (time, etc) to implement and operate.

Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE>