From: Chris Gordon
Subject: Re: Centralized user/group/whatever management
Date: Sat, 14 Mar 2020 13:09:49 -0400
To: hartzell@alerce.com
Cc: Matthew Seaman, freebsd-questions@freebsd.org
Message-Id: <5AAC1545-4BF4-4395-9CB5-E880AE207D63@theory14.net>
In-Reply-To: <24173.939.499988.382240@alice.local>
List: freebsd-questions@freebsd.org

On Mar 14, 2020, at 12:17 PM, George Hartzell wrote:
>
> Matthew Seaman writes:
>> [...]
>> That's where things like FreeIPA come in: it's a pre-packaged setup with
>> all the stuff you hadn't realized you needed yet already dealt with.
>> [...]
>
> What is the status of FreeIPA on FreeBSD? I don't see it on
> FreshPorts.

Server side or as a client?
Here's an article about full client implementation (sssd and all): https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/

I would recommend avoiding the full client "experience" -- it's really painful for what feels like very little gain.

On the server side, I would avoid FreeIPA like the plague. The 389 directory server is at the heart of everything and is "less than great" IMHO. Look at the bug and feature requests for the project to get an idea. I've seen significant performance and scaling problems requiring a lot of adjustments and client customizations to bring the platform under control (this is at the scale of thousands of clients globally distributed). Some of the problems probably stem back to ignorance/lack of experience when initially set up as a pilot, but you don't know what you don't know until you start.

FreeIPA is trying to be Active Directory. I've not run AD so I don't know what problems and scaling issues one runs into with that platform, but I'm pretty sure the time we've had to invest dealing with FreeIPA would more than have paid for AD.

If you need the type of features offered by FreeIPA, I would consider Samba as a free choice or just buying AD if money is available. In any case, do your testing, and testing at some representative scale, to really understand what you're getting into.

Hope that helps. If you have more details on your environment and the problem you're trying to solve, I'm happy to provide more commentary.

Chris