Date:      Fri, 13 Mar 2020 08:53:09 -0400
From:      Chris Gordon <>
To:        Victor Sudakov <>
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <>
In-Reply-To: <>
References:  <>


> On Mar 13, 2020, at 5:19 AM, Victor Sudakov <> wrote:
> Dear Colleagues,
> Do you think there exists a modern solution for centralized
> management compatible with FreeBSD and Linux?
> I have experience using NIS on FreeBSD for many years, but NIS is really very
> dated, not very secure, depends on the NIS servers being reachable all the
> time, depends on Sun RPC (portmapper, dynamic ports) and has other
> drawbacks. I know this from experience.
> Are there any modern solutions for FreeBSD hosts to have at least a
> user/userid/group/groupid database, or maybe even more centralized
> I've been told that Linux has FreeIPA, but I think it's not fully
> compatible with FreeBSD, and besides security/sssd wants so many
> dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is
> good enough).
> Any success stories?

LDAP and Kerberos are common solutions for this.  There are many ways
you could do this, both or just one of them depending on your specific
needs.  You could:
- Set up servers yourself.  For instance, setting up OpenLDAP.
- Use some "pre-integrated" solutions:
	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.
You don't have to use SSSD to use FreeIPA as an auth source.  Not sure
what "features" may or may not be there.
	- Active Directory.  Yes, you could use a Windows solution.
It's fundamentally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an
attempt to re-create AD with Open Source components -- whether they state
that or not, it's what it is.
	- Samba acting as an AD server

You could also look at using signed SSH keys.  There are some articles
about some of the hyper-scale sites doing this to address the failure
points and scalability problems you get with a centralized directory
service.  It's on my list to read up on, but I haven't gotten to it yet.

Depending on your scale and needs, you could just keep it really simple
and use some automation tool like Ansible, Puppet, Salt, Chef, etc. to
add/remove users across all of the machines.

There are lots of options with varying degrees of work.  It really
depends on your actual requirements and resources (time, etc.) to
implement and operate.
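The "signed SSH keys" option mentioned in the reply above, as an added example that is not part of this thread: an OpenSSH user-certificate workflow run end to end with ssh-keygen (CA key, signed user key with principals and a short validity window, the sshd trust configuration, and revocation through a key revocation list). The CA name (ops-ca), the user (alice), the principals (alice, webadmins), the account names (www, alice) and all paths are assumptions; the script works entirely in a throwaway directory and never touches ~/.ssh or /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original thread: an OpenSSH user-certificate
# workflow (CA key, signed user key, server-side trust config, KRL
# revocation). All names and paths are assumptions; it runs entirely in a
# scratch directory and never touches ~/.ssh or /etc/ssh.
set -eu

ssh_cert_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "skip: ssh-keygen (OpenSSH) is not installed" >&2
        return 2
    }
    dir=$(mktemp -d) || return 1

    # 1. CA key pair. Only ops_ca.pub goes to the servers; the private half
    #    stays on a locked-down signing host.
    ssh-keygen -q -t ed25519 -N '' -C 'ops-ca' -f "$dir/ops_ca" || return 1

    # 2. The user's ordinary key pair, generated on her own workstation.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$dir/alice" || return 1

    # 3. Sign alice.pub -> alice-cert.pub. The key ID shows up in sshd's auth
    #    log, the principals are what servers authorize on, the serial makes
    #    revocation possible, and the validity window (5 min backwards for
    #    clock skew, 8 h forward) lets the certificate expire on its own
    #    without any server having to reach a directory.
    ssh-keygen -q -s "$dir/ops_ca" -I 'alice-2020-03-13' -n 'alice,webadmins' \
        -z 1 -V '-5m:+8h' "$dir/alice.pub" || return 1

    # 4. Server side: sshd trusts the CA and maps principals to accounts via
    #    per-account principals files (%u = the account being logged into).
    mkdir -p "$dir/principals" || return 1
    printf 'webadmins\n' > "$dir/principals/www"   # any webadmins cert may become www
    printf 'alice\n' > "$dir/principals/alice"     # only alice's cert may become alice
    cat > "$dir/sshd_config.d-certs.conf" <<EOF
TrustedUserCAKeys $dir/ops_ca.pub
AuthorizedPrincipalsFile $dir/principals/%u
EOF

    # 5. Inspect the certificate the way you would when debugging a refused
    #    login: principals, validity window, serial and key ID are all listed.
    ssh-keygen -L -f "$dir/alice-cert.pub" > "$dir/cert.txt" || return 1
    grep -q 'webadmins' "$dir/cert.txt" || return 1
    grep -q 'Serial: 1' "$dir/cert.txt" || return 1

    # 6. Revocation without a directory service: put the certificate on a
    #    key revocation list that sshd consults through RevokedKeys.
    ssh-keygen -q -k -f "$dir/revoked.krl" -s "$dir/ops_ca.pub" \
        "$dir/alice-cert.pub" || return 1
    echo "RevokedKeys $dir/revoked.krl" >> "$dir/sshd_config.d-certs.conf"

    # ssh-keygen -Q exits non-zero when a key or certificate is on the KRL,
    # which is the outcome we expect here.
    if ssh-keygen -Q -f "$dir/revoked.krl" "$dir/alice-cert.pub" >/dev/null; then
        echo "BUG: alice-cert.pub should be revoked" >&2
        rm -rf "$dir"
        return 1
    fi

    echo "ok: certificate issued, inspected and revoked under $dir"
    rm -rf "$dir"
    return 0
}

# Run it; a missing ssh-keygen is a skip (exit 2), anything else is a failure.
ssh_cert_demo || [ $? -eq 2 ]
```

To deploy this for real, the three sshd_config lines go into /etc/ssh/sshd_config on every host, and the only things that have to be distributed are ops_ca.pub and the KRL, both public data that the same automation tool already pushing sshd_config can carry. Hosts keep authenticating while the signing host is down; what you lose then is the ability to issue new short-lived certificates and to publish fresh revocations, which is the trade-off the "failure points" remark in the reply is about.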

