Date:      Fri, 13 Mar 2020 08:53:09 -0400
From:      Chris Gordon <freebsd@theory14.net>
To:        Victor Sudakov <vas@sibptus.ru>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>
In-Reply-To: <20200313091923.GA98495@admin.sibptus.ru>
References:  <20200313091923.GA98495@admin.sibptus.ru>



> On Mar 13, 2020, at 5:19 AM, Victor Sudakov <vas@sibptus.ru> wrote:
>
> Dear Colleagues,
>
> Do you think there exists a modern solution for centralized user/group/...
> management compatible with FreeBSD and Linux?
>
> I have experience using NIS on FreeBSD for many years, but NIS is really very
> dated, not very secure, depends on the NIS servers being reachable all the
> time, depends on Sun RPC (portmapper, dynamic ports) and has other
> drawbacks. I know this from experience.
>
> Are there any modern solutions for FreeBSD hosts to have at least a common
> user/userid/group/groupid database, or maybe even more centralized goodies?
>
> I've been told that Linux has FreeIPA, but I think it's not fully
> compatible with FreeBSD, and besides security/sssd wants so many
> dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> good enough).
>
> Any success stories?

LDAP and Kerberos are common solutions for this.  There are many ways
you could do this, both or just one of them depending on your specific
needs.  You could:
- Set up servers yourself.  For instance, setting up OpenLDAP.
- Use some "pre-integrated" solutions:
	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.
	  You don't have to use SSSD to use FreeIPA as an auth source.  Not sure
	  what "features" may or may not be there.
	- Active Directory.  Yes, you could use a Windows solution.
	  It's fundamentally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an
	  attempt to re-create AD with Open Source components -- whether they state
	  that or not, it's what it is.
	- Samba acting as an AD server.

You could also look at using signed SSH keys.  There are some articles
about some of the hyper-scale sites doing this to address the failure
points and scalability problems you get with a centralized directory
service.  It's on my list to read up on, but I haven't gotten to it yet.

Depending on your scale and needs, you could just keep it really simple
and use some automation tool like Ansible, Puppet, Salt, Chef, etc. to
add/remove users across all of the machines.

There are lots of options with varying degrees of work.  It really
depends on your actual requirements and resources (time, etc.) to
implement and operate.

Chris
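The "signed SSH keys" option above, as an added example that is not part of the thread: a user-certificate CA built with ssh-keygen(1), where each host trusts one CA public key and maps certificate principals to local accounts, so no directory server has to be reachable at login time. The CA name, the user "victor", the scratch directory and the sshd_config paths are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): minimal SSH user-certificate
# issuance with ssh-keygen(1). Everything is written to a scratch directory;
# nothing touches /etc. Names like "victor" and "user-ca" are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Create the CA keypair. In practice the private half lives only on an
#    offline or dedicated signing host, never on the servers that trust it.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca" </dev/null
}

# 2. Sign a user's public key. -I is the identity that shows up in sshd logs,
#    -n the principals the cert may log in as, -V the validity window
#    (1 hour of clock skew in the past, 52 weeks into the future).
sign_user() {
    user="$1"
    ssh-keygen -q -t ed25519 -N '' -C "$user" -f "$WORK/$user" </dev/null
    ssh-keygen -q -s "$WORK/user_ca" -I "$user@example.org" -n "$user" \
        -V '-1h:+52w' "$WORK/$user.pub"
    # ssh-keygen writes the certificate next to the key as $WORK/$user-cert.pub
}

# 3. sshd_config fragment for every host: trust certificates from this CA and
#    resolve principals through a per-account file, so the same cert works on
#    any machine that carries user_ca.pub and the principals mapping.
sshd_fragment() {
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
    printf 'AuthorizedPrincipalsFile /etc/ssh/principals/%%u\n'
}

# Read back the principals embedded in an issued cert (audit what was signed).
cert_principals() {
    ssh-keygen -L -f "$WORK/$1-cert.pub" | awk '/Principals:/{getline; print $1}'
}

# Stand-alone run: issue a cert for "victor" and show the resulting config.
if [ "${1:-}" = "demo" ]; then
    make_ca
    sign_user victor
    echo "issued principals: $(cert_principals victor)"
    sshd_fragment
fi
```

Revoking a user is then a matter of letting the certificate expire or listing it in a RevokedKeys file on the hosts, rather than deleting a key from every authorized_keys file.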


