Centralized user/group/whatever management

Chris Gordon freebsd at theory14.net
Sat Mar 14 17:09:53 UTC 2020

On Mar 14, 2020, at 12:17 PM, George Hartzell <hartzell at alerce.com> wrote:
> Matthew Seaman writes:
>> [...]
>> That's where things like FreeIPA come in: it's a pre-packaged setup with
>> all the stuff you hadn't realized you needed yet already dealt with.
>> [...]
> What is the status of FreeIPA on FreeBSD?  I don't see it on
> FreshPorts.

Server side or as a client?

Here's an article about full client implementation (sssd and all):


I would recommend avoiding the full client "experience" -- it's really painful for what feels like very little gain.

On the server side, I would avoid FreeIPA like the plague.  The 389 directory server is at the heart of everything and is "less than great" IMHO.  Look at the bug and feature requests for the project to get an idea.  I've seen significant performance and scaling problems requiring a lot of adjustments and client customizations to bring the platform under control (this is at the scale of thousands of clients globally distributed).  Some of the problems probably stem back to ignorance/lack of experience when initially set up as a pilot, but you don't know what you don't know until you start.

FreeIPA is trying to be Active Directory.  I've not run AD so I don't know what problems and scaling issues one runs into with that platform, but I'm pretty sure the time we've had to invest dealing with FreeIPA would more than have paid for AD.

If you need the type of features offered by FreeIPA, I would consider Samba as a free choice or just buying AD if money is available.  In any case, do your testing and testing at some representative scale to really understand what you're getting into.  

Hope that helps.  If you have more details on your environment and the problem you're trying to solve, I'm happy to provide more commentary.

