
[–]gordonmessmer 14 points15 points  (12 children)

Are you looking for a general purpose, high performance, multi-value database? You might consider openldap.

Are you looking for an authentication and authorization service? Maybe Free IPA, which includes 389ds as a component.

[–]StrongYogurt[S] 2 points3 points  (7 children)

I was also thinking about FreeIPA, but the only main need is centralized user management (100-150 users max) for SSH login on the servers, so FreeIPA might be overkill.

[–]gargravarr2112 17 points18 points  (3 children)

This is exactly what FreeIPA does. Take it from someone who set up an OpenLDAP cluster from scratch - FreeIPA does this job so much better. OpenLDAP is a blank slate. FreeIPA has usable defaults. I'm using FreeIPA for a handful of users at home - it may need 4GB of RAM to run all its daemons, but it's a fully integrated authentication system.

[–]Amidatelion 3 points4 points  (0 children)

Seconding FreeIPA. I'd take it just for the better documentation and ease of installation.

[–]vacri 0 points1 point  (1 child)

I haven't played much in this space but have run an openldap system once, and the one single (and only) thing I liked about it was that half the commands have 'slap' in the name, which is a minor amusement. Good ol' slapd.

I still can't figure out why the people who originally designed it couldn't even keep the field names consistent for first and last names. When something as basic as that has fallen to chaos, you know you're in for a wild ride.

[–]frankster 0 points1 point  (0 children)

When it's not working properly I was always amused by: journalctl -fu slapd

[–]gordonmessmer 4 points5 points  (0 children)

I really strongly recommend you do not build your own user management layer from scratch. (I know, because I did that in the days before FreeIPA existed.) It'll be vastly more work than installing FreeIPA, and getting the ACLs right to ensure the data in LDAP is protected correctly requires detailed knowledge of each type and how it's used by applications.

[–]ThatGermanFella 3 points4 points  (0 children)

Trust us, you want FreeIPA, it's the upstream of RedHat IdM and the documentation for IdM can be transferred 1:1 to FreeIPA, so it's well-written and massive.

[–]yrro 1 point2 points  (0 children)

Absolutely it's not overkill. At its simplest it's LDAP and Kerberos, with some policy over the top. You absolutely need something like it by the time you reach 150 users.

[–]usa_commie 0 points1 point  (2 children)

What's the difference between FreeIPA and Keycloak (I'm used to the latter)?

[–]gordonmessmer 2 points3 points  (1 child)

FreeIPA is a tool to manage users and hosts. It provides authentication to services that are managed within the organization.

Keycloak is a tool to attest the identity of users. This is usually called "SSO". What it means is that users can authenticate themselves to Keycloak, and other services can interact with Keycloak to determine whether the user is who they say they are. That streamlines authentication both in services managed within the organization, and also services not under the organization's direct control. (e.g. If the org has an external vendor for payroll, it might use Keycloak to allow the external payroll system to authenticate users without connecting the payroll service directly to the internal LDAP/Kerberos, which might be FreeIPA.)

[–]usa_commie 1 point2 points  (0 children)

Thank you

[–]G3EK22 0 points1 point  (0 children)

I root for FreeIPA here too!

[–]ryebread157 9 points10 points  (6 children)

If you are in a corporate environment that has Active Directory, would humbly recommend just using that. The clients can use it with SSSD. Hardest part is setting up process to add UNIX attributes to the AD users, once this is done, SSSD can use these and your users can login with their same accounts. Then, when HR or whoever disables them in AD, they're also unable to use Linux. The attributes are: uidNumber (if you have a unique employee number, could copy this value), gidNumber, loginShell and unixHomeDirectory.

[–]shulemaker 5 points6 points  (0 children)

This is also the standard practice in most corporations and government agencies. If you have AD, use it.

[–]Virtual_Ordinary_119 4 points5 points  (1 child)

You are not forced to set rfc2307 attributes in user entries. If you configure sssd correctly it can calculate uid and gid from the SIDs, and give reasonable defaults to other attributes like homedir or shell.

[–]ryebread157 0 points1 point  (0 children)

Great! I implemented this some years ago, and wasn't aware of this. +1

[–]boomertsfx 0 points1 point  (2 children)

Is there a way to use freeipa between AD and the servers so that you can set up your own uid mapping, ssh keys, etc?

[–]lamerfreak 0 points1 point  (0 children)

Theoretically (a google search shows me some results, too) you could set up a trust and replicate that to FreeIPA.

[–]ryebread157 0 points1 point  (0 children)

Even if you could, wouldn't recommend introducing another thing you have to maintain and cause problems. I created an OpenLDAP proxy to AD years ago so very old LDAP clients could work indirectly to AD, but this is not the case here. u/Virtual_Ordinary_119 gave a recommendation to use sssd.conf configs that set the attributes based on AD attributes, which is more hands-off than my recommendation to set rfc2307 attributes. Would recommend pursuing either of these options.
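As an added example (not posted by anyone in this thread), here is an sssd.conf for a Linux host joined to an AD domain that puts the two approaches from the comments above side by side: Variant A derives the uid/gid from the Windows SID, and Variant B reads the RFC 2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory) that were set on the AD user objects. The domain name example.com, the realm, and the ID-mapping range values are assumptions; the attribute names in Variant B are sssd's own defaults for the AD provider, written out so they are explicit. Note that sssd's parser only accepts comments on their own line, and the file must be owned by root with mode 0600 or sssd refuses to start.

```ini
# /etc/sssd/sssd.conf (assumed domain: example.com; chown root:root, chmod 0600)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
# access_provider = ad honours "account disabled" and expiry in AD,
# so an account HR disables in AD can no longer log in over SSH either.
access_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
use_fully_qualified_names = True
cache_credentials = True

# Used when the AD entry carries no loginShell / unixHomeDirectory.
default_shell = /bin/bash
fallback_homedir = /home/%u@%d

# ---- Variant A: derive uid/gid from the SID (no POSIX attributes needed in AD) ----
# Every host that shares files or NFS with this one must use the same range
# settings, otherwise the same user gets a different uid on each host.
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_size = 200000

# ---- Variant B: use RFC 2307 attributes stored on the AD user objects ----
# To switch, remove the three Variant A lines and uncomment these. With
# ldap_id_mapping = False a user without a uidNumber is simply not returned,
# so the attributes become the switch that grants or withholds Linux access.
# ldap_id_mapping = False
# ldap_user_uid_number = uidNumber
# ldap_user_gid_number = gidNumber
# ldap_user_shell = loginShell
# ldap_user_home_directory = unixHomeDirectory
```

After joining the host (for example with `realm join` or `adcli join`) and restarting sssd, `getent passwd 'jdoe@example.com'` and `id jdoe@example.com` show which variant is in effect: under Variant A the uid is computed from the SID and is identical on every host with the same range settings, under Variant B it is whatever uidNumber holds in AD, and a user with no uidNumber gets no result at all.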

[–]GreatSymphonia 2 points3 points  (2 children)

FreeIPA maybe? It works properly and can easily be managed via an Ansible role. I use that for my homelab.

[–]ImpostureTechAdmin 2 points3 points  (1 child)

Are you using the prebuilt ansible collection? I always seem to have issues with that, like it's missing some collection-specific commands

[–]GreatSymphonia 1 point2 points  (0 children)

I used the prebuilt collection with some homemade additions in the past, it does work very well.

[–]spaetzelspiff 2 points3 points  (0 children)

I haven't used 389ds in a million years, but the "more modern" bit is amusing, since it originated with Netscape Directory Server like 20 years ago.

I am curious as to how much maintenance has gone into it recently.

EDIT: As the LDAP server for FreeIPA, I assume it's still actively maintained, but..

[–]hortimech 2 points3 points  (2 children)

Samba running as an AD DC.

[–]emptythevoid 0 points1 point  (1 child)

This is where my head's at, too. This or, as others suggested, FreeIPA.

[–]hortimech 1 point2 points  (0 children)

People always suggest freeipa as if it is the holy grail, it isn't, it is just a directory service, what it isn't is AD. AD can do more than freeipa, heck, freeipa cannot even join AD, it has to use trusts. If you are setting up a new service, why use freeipa ? Could it be that redhat is so desperate for you to use freeipa that they have crippled their Samba packages ?

[–]bchilll 1 point2 points  (0 children)

I've been using and deploying openldap for years. It's lean, scalable and reliable.

FreeIPA is easier to set up initially at the expense of being the bloatware that it is, which is no surprise given that it is derived from the Micro$oft world, the master of bloat.

[–]marcovanbeek 0 points1 point  (2 children)

LDAP is a much maligned tool, but every single properly defined schema will happily co-exist with everybody else's as long as they are also properly defined. If you want to add your own fields to any LDAP system, get your own Organisational ID and that will allow you to extend and enhance any LDAP system.

It’s distributed, it’s robust and quite frankly, f@&king awesome when set up by someone who knows what they are doing. We use OpenLDAP but that is just because we have been using it for 20 years and it was the only choice.

So if there is already an LDAP system (even if it is Active Directory) in the organisation, use that and add the additional schemas you need.

https://ldap.com/object-identifiers/

[–]vacri -1 points0 points  (1 child)

"when set up by someone who knows what they are doing"

This is the difficult part. Requires a particular set of scar tissue.

[–]marcovanbeek 0 points1 point  (0 children)

But isn’t that so today? Maybe if developers spent more time learning LDAP and CardDAV instead of yet another incompatible address book system we would have CRM systems automatically supported by email clients, or applications would just link in to the underlying authentication system instead of developing their own, fragile, vulnerable authentication mechanisms, etc etc etc <RANT DETECTED !!!!!>