The distribution lock-in does concern me, as well as its all-in-one
monolithic style. The web interface does look nice though. Right now
compatibility with Windows is not something I am concerned with at all.
More so compatibility with other UNIX-like operating systems such as the
BSDs. I am thinking it might be worth taking the time and writing out a
custom configuration versus having a lot of automated scripts such as in
FreeIPA. I have never used FreeIPA before, but what it offers, going by
its website, does not look like what I am after. Cathy's
recommendation of plain LDAP/DNS/Kerberos seems more appealing. I heard
MIT has done something like this. They are calling it Project Athena.


On 05/02/2018 08:25 PM, Tyrell Jentink wrote:
> I'm using FreeIPA here at home; As a product, it's really just a bunch of
> scripts and a web interface for LDAP+Kerberos+Certificate management+Samba;
> It aims to be a complete identity management system, a product designed to
> compete with (Or at the very least, perform an analogous set of tasks to)
> ActiveDirectory. It is completely open source, developed by Red Hat, for
> Fedora, and I use it on CentOS, but it is available for a number of other
> distros.
>
> (Full disclosure: I do happen to use ActiveDirectory to store my user
> accounts, and FreeIPA authenticates through an AD Interforest Trust, but
> that's far from a requirement, and it probably causes me more grief than
> many admins would tolerate)
>
> As for reading, I learned everything I know from their documentation:
> https://www.freeipa.org/page/Documentation
>
>
> On Wed, May 2, 2018, 20:01 Thomas Groman <tgrom.autom...@nuegia.net> wrote:
>
>> Do you have any book or other resource recommendations for setting these
>> up? I already do sysadmin work, just never done centralized auth before.
>>
>>
>> On 05/02/2018 07:53 PM, Tomas Kuchta wrote:
>>> The easiest is to pick LDAP or NIS, both work very well on Linux. With or
>>> without Kerberos for local small setup.
>>>
>>> NIS with NFS for file sharing would be probably the simplest setup, but you
>>> will eventually wish you had LDAP for integration with various other
>>> services.
>>>
>>> LDAP + Kerberos + NFS is probably the most common and extensible solution.
>>> You will absolutely need local DNS and NTP to get it going, but it is a
>>> well integrated extensible solution.
>>>
>>> Another option would be to use Samba - it combines LDAP + Kerberos, so it
>>> has less moving parts and can accept Windows hosts without much headache,
>>> compared to LDAP and Kerberos.
>>>
>>> For both solutions, you might need some enterprise admin to help setting it
>>> up. If well and simply set up, it is not difficult to maintain and manage.
>>> IMHO
>>>
>>> Tomas
>>>
>>> On Wed, May 2, 2018, 5:36 PM Smith, Cathy <cathy.sm...@pnnl.gov> wrote:
>>>
>>>> There used to be dns, ldap, kerberos, nis.  These are open source
>>>> protocols and not restricted to Microsoft.
>>>>
>>>>
>>>> --
>>>> Cathy L. Smith
>>>> IT Engineer
>>>>
>>>> Pacific Northwest National Laboratory
>>>> Operated by Battelle for the
>>>> U.S. Department of Energy
>>>>
>>>> Phone: 509.375.2687
>>>> Fax:       509.375.4399
>>>> Email: cathy.sm...@pnnl.gov
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: plug-boun...@pdxlinux.org [mailto:plug-boun...@pdxlinux.org] On
>>>> Behalf Of Thomas Groman
>>>> Sent: Wednesday, May 02, 2018 5:16 PM
>>>> To: plug@pdxlinux.org
>>>> Subject: [PLUG] Linux centralized authentication
>>>>
>>>> Has anyone ever made a 100% UNIX/BSD/Linux network with centralized
>>>> authentication? Using native protocols, not some sort of strange Microsoft
>>>> AD mesh thing.
>>>> I wanted to build a hacker-space for a school and since it would be
>>>> starting from scratch there's no reason to get locked in to a Microsoft
>>>> product from the start. Also, Microsoft's protocols are not open source
>>>> and hard to debug. They never really work well with UNIX-like operating
>>>> systems, requiring id/group mapping and such.
>>>> _______________________________________________
>>>> PLUG mailing list
>>>> PLUG@pdxlinux.org
>>>> http://lists.pdxlinux.org/mailman/listinfo/plug