Centralized user/group/whatever management

Chris Gordon freebsd at theory14.net
Fri Mar 13 12:53:21 UTC 2020

> On Mar 13, 2020, at 5:19 AM, Victor Sudakov <vas at sibptus.ru> wrote:
> Dear Colleagues,
> Do you think there exists a modern solution for centralized user/group/...
> management compatible with FreeBSD and Linux?
> I have experience using NIS on FreeBSD for many years, but NIS is really very
> dated, not very secure, depends on the NIS servers being reachable all the
> time, depends on Sun RPC (portmapper, dynamic ports) and has other
> drawbacks. I know this from experience.
> Are there any modern solutions for FreeBSD hosts to have at least a common
> user/userid/group/groupid database, or maybe even more centralized goodies?
> I've been told that Linux has FreeIPA, but I think it's not fully
> compatible with FreeBSD, and besides security/sssd wants so many
> dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> good enough).
> Any success stories?

LDAP and Kerberos are common solutions for this.  There are many ways you could do this, both or just one of them depending on your specific needs.  You could:
- Set up servers yourself.  For instance setting up OpenLDAP
- Use some "pre-integrated" solutions:
	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.  You don't have to use SSSD to use FreeIPA as an auth source.  Not sure what "features" may or may not be there.
	- Active Directory.  Yes, you could use a Windows solution.  It's fundamentally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an attempt to re-create AD with Open Source components -- whether they state that or not, it's what it is.
	- Samba acting as an AD server

You could also look at using signed SSH keys.  There are some articles about some of the hyperscale sites doing this to address the failure points and scalability problems you get with a centralized directory service.  It's on my list to read up on, but I haven't gotten to it yet.

Depending on your scale and needs, you could just keep it really simple and use some automation tool like Ansible, Puppet, Salt, Chef, etc. to add/remove users across all of the machines.

There are lots of options with varying degrees of work.  It really depends on your actual requirements and resources (time, etc.) to implement and operate.
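The "keep it simple with an automation tool" option only works if every host actually ends up with the same user/uid/group/gid database, so a practitioner will want a drift check to run alongside the Ansible/Puppet/Salt push. The script below is an added example written for this thread, not code from either poster or from any of the projects named above. It assumes a small canonical user database (constructed here inline; in practice it would be the same data the automation tool pushes) and compares it against the 7-field passwd and 4-field group text that `getent passwd` / `getent group` return on both FreeBSD and Linux, reporting missing accounts, uid/gid mismatches, missing group memberships and stray local accounts that the canonical source does not know about.

```python
"""Detect drift between a canonical user database and a host's passwd/group data.

Constructed example, not part of the freebsd-questions thread. The canonical
tables stand in for whatever single source of truth the automation tool pushes;
the passwd and group text is what a host reports. FreeBSD and Linux share the
colon-separated passwd (7 fields) and group (4 fields) formats, so one checker
serves both platforms.
"""

# Canonical database: the single source of truth (constructed sample values).
CANONICAL_USERS = {
    "alice": {"uid": 2001, "gid": 2001, "groups": {"wheel"}},
    "bob": {"uid": 2002, "gid": 2002, "groups": set()},
}
CANONICAL_GROUPS = {"wheel": 0, "alice": 2001, "bob": 2002}

# Accounts below UID_MIN are system accounts and are not managed centrally;
# 'nobody' sits above it on both platforms but is also left alone.
UID_MIN = 1000
IGNORED_ACCOUNTS = {"nobody"}

# Constructed sample of what a FreeBSD host might report via `getent passwd`.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie Root:/root:/bin/sh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
alice:*:2001:2001:Alice:/home/alice:/bin/sh
bob:*:2003:2002:Bob:/home/bob:/bin/sh
carol:*:2010:2010:Carol (left the company):/home/carol:/bin/sh
"""

# Constructed sample of the matching `getent group` output.
SAMPLE_GROUP = """\
wheel:*:0:root,alice
daemon:*:1:
nobody:*:65534:
alice:*:2001:
bob:*:2002:
carol:*:2010:
"""


def parse_passwd(text):
    """Return {name: {'uid': int, 'gid': int}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines instead of aborting the whole check
        users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3])}
    return users


def parse_group(text):
    """Return ({group: gid}, {user: set(groups)}) from group-format text."""
    groups, membership = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        groups[name] = int(gid)
        for member in members.split(","):
            if member:
                membership.setdefault(member, set()).add(name)
    return groups, membership


def find_drift(passwd_text, group_text, canonical_users=CANONICAL_USERS,
               canonical_groups=CANONICAL_GROUPS, uid_min=UID_MIN):
    """Return a sorted list of (kind, subject, detail) findings for one host."""
    findings = []
    users = parse_passwd(passwd_text)
    groups, membership = parse_group(group_text)

    for name, want in canonical_users.items():
        have = users.get(name)
        if have is None:
            findings.append(("missing_user", name, "account not present"))
            continue
        if have["uid"] != want["uid"]:
            findings.append(("uid_mismatch", name,
                             f"have {have['uid']} want {want['uid']}"))
        if have["gid"] != want["gid"]:
            findings.append(("gid_mismatch", name,
                             f"have {have['gid']} want {want['gid']}"))
        for group in sorted(want["groups"] - membership.get(name, set())):
            findings.append(("missing_membership", name, f"not in {group}"))

    for name, gid in canonical_groups.items():
        have = groups.get(name)
        if have is None:
            findings.append(("missing_group", name, "group not present"))
        elif have != gid:
            findings.append(("group_gid_mismatch", name, f"have {have} want {gid}"))

    # Local accounts in the managed uid range that the canonical source does
    # not know about are the classic leftover of ad-hoc per-host administration.
    for name, have in users.items():
        if have["uid"] >= uid_min and name not in canonical_users \
                and name not in IGNORED_ACCOUNTS:
            findings.append(("unexpected_user", name, f"uid {have['uid']}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in find_drift(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{kind:20} {subject:10} {detail}")
```

On the constructed sample this reports bob with the wrong uid (2003 instead of 2002) and carol as an account that should have been removed; alice's wheel membership and all group gids check out. Feeding the script real `getent` output from each host and failing the run on any non-empty result gives the automation approach the consistency guarantee that a directory service provides by construction.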

