Centralized user/group/whatever management

Victor Sudakov vas at sibptus.ru
Sat Mar 14 05:55:43 UTC 2020

Chris Gordon wrote:
> > On Mar 13, 2020, at 5:19 AM, Victor Sudakov <vas at sibptus.ru> wrote:
> > 
> > Dear Colleagues,
> > 
> > Do you think there exists a modern solution for centralized user/group/...
> > management compatible with FreeBSD and Linux?
> > 
> > I have experience using NIS on FreeBSD for many years, but NIS is really very
> > dated, not very secure, depends on the NIS servers being reachable all the
> > time, depends on Sun RPC (portmapper, dynamic ports) and has other
> > drawbacks. I know this from experience.
> > 
> > Are there any modern solutions for FreeBSD hosts to have at least a common
> > user/userid/group/groupid database, or maybe even more centralized goodies?
> > 
> > I've been told that Linux has FreeIPA, but I think it's not fully
> > compatible with FreeBSD, and besides security/sssd wants so many
> > dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> > good enough).
> > 
> > Any success stories?
> LDAP and Kerberos are common solutions for this.  There are many ways you could do this, both or just one of them depending on your specific needs.  You could:
> - Setup servers yourself.  For instance setting up OpenLDAP
> - Use some "pre-integrated" solutions:
> 	- FreeIPA.  Underneath, this is just LDAP, Kerberos, DNS, etc.  You don't have to use SSSD to use FreeIPA as an auth source.  Not sure what "features" may or may not be there.
> 	- Active Directory.  Yes, you could use a Windows solution.  It's fundamentally LDAP, Kerberos, DNS, etc.  Note that FreeIPA is an attempt to re-create AD with Open Source components -- if they state that or not, it's what it is.
> 	- Samba acting as an AD server

There is one missing link which was never mentioned in the thread.
What's the bridge between nsswitch framework (or some other replacement
of getpwent(), getgrent() and friends) to be used with all those LDAP
solutions mentioned above?

Kerberos is fine of course, when we have a user already. I use FreeBSD's
build-in Heimdal a lot for SSH access, SVN access (duh!) and some other

> You could also look at using signed SSH keys.  There are some articles
> about some of the hyper scale sites doing this to address the failure
> points and scalability problems you get with a centralized directory
> service.  It's on my list to read up on, but I haven't gotten to it
> yet.

I did not quite understand how you can use SSH keys to create/delete users
and manage group memberships. Could you elaborate or give a link?

> Depending on your scale and needs, you could just keep it really
> simple and use some automation tool like Ansible, Puppet, Salt, Chef,
> etc to add/remove users across all of the machines.  

The closest thing to what I want is ansible's "user" and "group"
modules, I'll certainly consider them if I don't find a solution with a
truly centralized user database with instantaneous lookups, like a
modern incarnation of NIS.

The major drawbacks with the "configuration push" approach have been
enumerated in my mail to Daniel Feenberg. Even though ansible can
parallel its jobs, the drawbacks still apply.

> There are lots of options with varying degrees of work.  It really
> depends on your actual requirements and resources (time, etc) to
> implement and operate.

I was of course interested in modern best practices and personal success
stories rather than in "you can implement this or that thing I've read

If any person who replied in this thread is using a centralized user
database, please share what *you* *particularly* use and why.

I've already shared mine: I use NIS (yp*) but want to migrate from it,
for the reasons I stated in the first mail.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20200314/47a8ee00/attachment.sig>

More information about the freebsd-questions mailing list