Date:      Sat, 14 Mar 2020 13:09:49 -0400
From:      Chris Gordon <freebsd@theory14.net>
To:        hartzell@alerce.com
Cc:        Matthew Seaman <matthew@FreeBSD.org>, freebsd-questions@freebsd.org
Subject:   Re: Centralized user/group/whatever management
Message-ID:  <5AAC1545-4BF4-4395-9CB5-E880AE207D63@theory14.net>
In-Reply-To: <24173.939.499988.382240@alice.local>
References:  <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net> <20200314055541.GF27346@admin.sibptus.ru> <41ff5211-2ec5-d027-bb12-183afc4ad397@FreeBSD.org> <24173.939.499988.382240@alice.local>

On Mar 14, 2020, at 12:17 PM, George Hartzell <hartzell@alerce.com> wrote:
>
> Matthew Seaman writes:
>> [...]
>> That's where things like FreeIPA come in: it's a pre-packaged setup with
>> all the stuff you hadn't realized you needed yet already dealt with.
>> [...]
>
> What is the status of FreeIPA on FreeBSD?  I don't see it on
> FreshPorts.

Server side or as a client?

Here's an article about full client implementation (sssd and all):

https://blog.hostileadmin.com/2016/03/24/integrating-freebsd-w-freeipasssd/

I would recommend avoiding the full client "experience" -- it's really
painful for what feels like very little gain.


On the server side, I would avoid FreeIPA like the plague.  The 389
directory server is at the heart of everything and is "less than great"
IMHO.  Look at the bug and feature requests for the project to get an
idea.  I've seen significant performance and scaling problems requiring
a lot of adjustments and client customizations to bring the platform
under control (this is at the scale of thousands of clients globally
distributed).  Some of the problems probably stem back to ignorance/lack
of experience when initially set up as a pilot, but you don't know what
you don't know until you start.

FreeIPA is trying to be Active Directory.  I've not run AD so I don't
know what problems and scaling issues one runs into with that platform,
but I'm pretty sure the time we've had to invest dealing with FreeIPA
would more than have paid for AD.

If you need the type of features offered by FreeIPA, I would consider
Samba as a free choice or just buying AD if money is available.  In any
case, do your testing and testing at some representative scale to really
understand what you're getting into.

Hope that helps.  If you have more details on your environment and the
problem you're trying to solve, I'm happy to provide more commentary.

Chris


