Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 14 Mar 2020 12:55:41 +0700
From:      Victor Sudakov <vas@sibptus.ru>
To:        freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <20200314055541.GF27346@admin.sibptus.ru>
In-Reply-To: <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>
References:  <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

--4f28nU6agdXSinmL
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Chris Gordon wrote:
>=20
>=20
> > On Mar 13, 2020, at 5:19 AM, Victor Sudakov <vas@sibptus.ru> wrote:
> >=20
> > Dear Colleagues,
> >=20
> > Do you think there exists a modern solution for centralized user/group/=
=2E..
> > management compatible with FreeBSD and Linux?
> >=20
> > I have experience using NIS on FreeBSD for many years, but NIS is reall=
y very
> > dated, not very secure, depends on the NIS servers being reachable all =
the
> > time, depends on Sun RPC (portmapper, dynamic ports) and has other
> > drawbacks. I know this from experience.
> >=20
> > Are there any modern solutions for FreeBSD hosts to have at least a com=
mon
> > user/userid/group/groupid database, or maybe even more centralized good=
ies?
> >=20
> > I've been told that Linux has FreeIPA, but I think it's not fully
> > compatible with FreeBSD, and besides security/sssd wants so many
> > dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> > good enough).
> >=20
> > Any success stories?
>=20
> LDAP and Kerberos are common solutions for this.  There are many ways you=
 could do this, both or just one of them depending on your specific needs. =
 You could:
> - Setup servers yourself.  For instance setting up OpenLDAP
> - Use some "pre-integrated" solutions:
> 	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.  You don'=
t have to use SSSD to use FreeIPA as an auth source.  Not sure what "featur=
es" may or may not be there.
> 	- Active Directory.  Yes, you could use a Windows solution.  It's fundam=
entally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an attempt to re-cr=
eate AD with Open Source components -- if they state that or not, it's what=
 it is.
> 	- Samba acting as an AD server

There is one missing link which was never mentioned in the thread.
What's the bridge between nsswitch framework (or some other replacement
of getpwent(), getgrent() and friends) to be used with all those LDAP
solutions mentioned above?

Kerberos is fine of course, when we have a user already. I use FreeBSD's
build-in Heimdal a lot for SSH access, SVN access (duh!) and some other
things.


> You could also look at using signed SSH keys.  There are some articles
> about some of the hyper scale sites doing this to address the failure
> points and scalability problems you get with a centralized directory
> service.  It's on my list to read up on, but I haven't gotten to it
> yet.

I did not quite understand how you can use SSH keys to create/delete users
and manage group memberships. Could you elaborate or give a link?


> Depending on your scale and needs, you could just keep it really
> simple and use some automation tool like Ansible, Puppet, Salt, Chef,
> etc to add/remove users across all of the machines. =20

The closest thing to what I want is ansible's "user" and "group"
modules, I'll certainly consider them if I don't find a solution with a
truly centralized user database with instantaneous lookups, like a
modern incarnation of NIS.

The major drawbacks with the "configuration push" approach have been
enumerated in my mail to Daniel Feenberg. Even though ansible can
parallel its jobs, the drawbacks still apply.

>=20
> There are lots of options with varying degrees of work.  It really
> depends on your actual requirements and resources (time, etc) to
> implement and operate.

I was of course interested in modern best practices and personal success
stories rather than in "you can implement this or that thing I've read
about."

If any person who replied in this thread is using a centralized user
database, please share what *you* *particularly* use and why.

I've already shared mine: I use NIS (yp*) but want to migrate from it,
for the reasons I stated in the first mail.

--=20
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

--4f28nU6agdXSinmL
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEcBAEBAgAGBQJebHHdAAoJEA2k8lmbXsY0AXYIALP5c4RbfCEIIO8UWEFCBOby
9oraDiK8ZcbiEw79SlZQT40VfVNHnXxqtrMD9xPRJMRPOd8+nJDZIclJPy/wLVQp
ozVFx92ResGrOWw3LhxsSRmP0Kp/3dv2xfvpK+sW13hfhpslS2THk0clLkooPFIH
7r25u/ytp8CwBESC9VShYp1sbMtdoiBwh9CJkncG6xLHI02SCRqNuREitrMm94lc
9Fqessz3zrbwwbvJiUSbAtKb6m8wizBs2ZJfKoji98cB7BNJHCMUtTeFj8YqtuyC
eIZacRhb0o2mMyCtFBXDWV7NPKMbqBl/t16lfMwytZPIqv2jFLNKH7jLZ6xGC9A=
=ooru
-----END PGP SIGNATURE-----

--4f28nU6agdXSinmL--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20200314055541.GF27346>