Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Mar 2020 23:40:57 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <20200315164057.GB74628@admin.sibptus.ru>
In-Reply-To: <5B2796E0-14E3-4CD2-AC05-5A83EE2C0300@theory14.net>
References:  <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru> <5B2796E0-14E3-4CD2-AC05-5A83EE2C0300@theory14.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--LpQ9ahxlCli8rRTG
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Chris Gordon wrote:
>=20
>=20
> >> LDAP and Kerberos are common solutions for this.  There are many ways =
you could do this, both or just one of them depending on your specific need=
s.  You could:
> >> - Setup servers yourself.  For instance setting up OpenLDAP
> >> - Use some "pre-integrated" solutions:
> >> 	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.  You d=
on't have to use SSSD to use FreeIPA as an auth source.  Not sure what "fea=
tures" may or may not be there.
> >> 	- Active Directory.  Yes, you could use a Windows solution.  It's fun=
damentally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an attempt to re=
-create AD with Open Source components -- if they state that or not, it's w=
hat it is.
> >> 	- Samba acting as an AD server
> >=20
> > There is one missing link which was never mentioned in the thread.
> > What's the bridge between nsswitch framework (or some other replacement
> > of getpwent(), getgrent() and friends) to be used with all those LDAP
> > solutions mentioned above?
> >=20
> > Kerberos is fine of course, when we have a user already. I use FreeBSD's
> > build-in Heimdal a lot for SSH access, SVN access (duh!) and some other
> > things.
>=20
> https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/index.html
>=20
> If the above doesn't cover sufficiently for you, a quick search of the
> web with your favorite search engine will turn up many different
> articles, tutorials and discussions.  I just put in "freebsd ldap
> client" into Google and found the above.

Thanks, a useful article. Matthew Seaman also mentioned
net/nss-pam-ldapd in this context, because it's supposed to be better
than security/pam_ldap+net/nss_ldap. But the idea is clear now.

>=20
> > You could also look at using signed SSH keys.  There are some articles
> >> about some of the hyper scale sites doing this to address the failure
> >> points and scalability problems you get with a centralized directory
> >> service.  It's on my list to read up on, but I haven't gotten to it
> >> yet.
> >=20
> > I did not quite understand how you can use SSH keys to create/delete us=
ers
> > and manage group memberships. Could you elaborate or give a link?
>=20
> Like I said, I haven't read the details of how this works.  "signed
> ssh keys" in Google gives a link to an article from Facebook
> engineering on the subject:
> https://engineering.fb.com/security/scalable-and-secure-access-with-ssh/.
> From what I recall when I heard about this, a similar solution is used
> and discussed by a number of other hyper-scale companies.  As I've not
> had time to research this myself, I'll leave it as an exercise to the
> reader.

I've perused the article, it's useful in its own way. I've been looking
for a good example of using SSH certificates *with* *authorization*,
that is exactly it. For the bastion hosts however the author says they
use LDAP and/or Kerberos, and later they access the internal hosts as
the local "root" users (provided a person is authorized to by the SSH
CA).

[dd]
> > I was of course interested in modern best practices and personal success
> > stories rather than in "you can implement this or that thing I've read
> > about."
> >=20
> > If any person who replied in this thread is using a centralized user
> > database, please share what *you* *particularly* use and why.
> >=20
> > I've already shared mine: I use NIS (yp*) but want to migrate from it,
> > for the reasons I stated in the first mail.
>=20

[dd]


>=20
> Now maybe I'm overreaching in what you want.  If you just want to hear
> about specific cases of implementations from those that have them,

Kind of, yes. That was my intention from the start.

> then please disregard my entire email. =20

Disregarding your entire email would be unwise because you gave at least
to useful links :-)

>=20
> I hope that helps some.

It did, thank you.

--=20
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

--LpQ9ahxlCli8rRTG
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJeblqZAAoJEA2k8lmbXsY0fbMH/Rkbhy/MbIQnpImQUpk1s0k4
BCQQj9nf1wihH9/vIIrc/AwynvgMHR1sgS6pqH9/VZC59+txti01OihPR5u23bFH
Nyy2We+TC7tvzjNIdkxorn1OW61CJDtI2tuewXYlsbKC1AJlekarbxJ9uL/GoQ/i
ejbCs6EvnaM21KSzfFi1UvWAogMgaa5dKCabpfDyD0IDyG3BEzheqO+1NTJ2RBtX
URNgcwjQnVnBvYMUw08dBCLlV6KjuKEyDbadIMIzlyX87/hLYrDlI5Gqu4vGFasp
7Jij5ZX9qjOEXP+dlxGB79h78gQgXRxQ9kd5cqvDVbBaXHPYvvt/ar04fVRMD9g=
=0OCm
-----END PGP SIGNATURE-----

--LpQ9ahxlCli8rRTG--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20200315164057.GB74628>