
I'm running a small LAN for 5 users with some basic services, e.g., NFSv4 mounts and SOGo groupware. Because it seemed to be a good and easy-to-implement idea, authentication is a combination of Kerberos (with LDAP backend) and authoritative user data (home directory, shell, etc.) in OpenLDAP. With just 5 users, using an LDAP browser and the command-line kadmin tool to add a new user account was very simple. Now the environment is growing and includes not-so-tech-savvy users; tasks like limited account validity now occur more often.

Before it grows to be a major pain, I thought I'd look for best practices for the combination of LDAP + Kerberos for user management. Except - I haven't found any! I can't imagine people either using scripts or adopting Active Directory (specifically in a pure Unix environment)? Isn't there a way to manage users in this scenario with a tool similar to useradd/userdel/usermod?

Technaton
Companies up to 10 people usually don't care much about SSO across systems. Then the major solution is Active Directory (the Linux alternative is probably FreeIPA). If the company is planning to grow to tens of employees, I would seriously consider Active Directory even in a Linux-only environment. It's widely adopted and much easier to set up and find help for; in fact every tool and commercial software has to support AD because that's simply the norm across all companies. By the way, Linux-only is a euphemism because any company will find itself having both Linux and Windows. – user5994461 Apr 26 '20 at 21:42
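The useradd/usermod/userdel-style tool the question asks for, written here as an added example (it is not from the post or from any of the answers): each operation touches both the OpenLDAP entry (posixAccount/shadowAccount, with `shadowExpire`) and the Kerberos principal (`addprinc`/`modprinc -expire`), so an account expiry set in one place is mirrored in the other. The base DN, bind DN, realm, kadmin principal and attribute layout are assumptions; adjust them to your directory. `DRY_RUN=1` (the default) prints the LDIF and the kadmin commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: a useradd/usermod/userdel-style
# wrapper that keeps OpenLDAP (posixAccount + shadowAccount) and the Kerberos
# KDC in step, including the account-expiry case the question mentions.
# BASE_DN, BIND_DN, REALM, KADMIN_PRINC and the attribute layout are assumptions.
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"
REALM="${REALM:-EXAMPLE.COM}"
KADMIN_PRINC="${KADMIN_PRINC:-admin/admin@$REALM}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ldap/kadmin commands instead of running them

# shadowExpire is "days since 1970-01-01". Compute it from YYYY-MM-DD with
# integer arithmetic (days-from-civil algorithm) so no GNU date is needed.
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}            # "08" would be read as octal by $(( ))
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# LDIF for one user; printed to stdout so it can be reviewed or piped to ldapadd.
user_ldif() {   # uid uidNumber gidNumber "Full Name" YYYY-MM-DD
    uid=$1; uidn=$2; gidn=$3; cn=$4; sn=${4##* }
    expire=$(days_since_epoch "$5")
    printf '%s\n' \
        "dn: uid=$uid,$BASE_DN" \
        "objectClass: inetOrgPerson" \
        "objectClass: posixAccount" \
        "objectClass: shadowAccount" \
        "uid: $uid" "cn: $cn" "sn: $sn" \
        "uidNumber: $uidn" "gidNumber: $gidn" \
        "homeDirectory: /home/$uid" "loginShell: /bin/bash" \
        "shadowExpire: $expire"
}

# Wrap each side effect so DRY_RUN shows the exact command that would run.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# useradd equivalent: directory entry first, then the principal with the same
# expiry date (kadmin prompts for the initial password).
ldap_krb_useradd() {   # uid uidNumber gidNumber "Full Name" YYYY-MM-DD
    if [ "$DRY_RUN" = 1 ]; then user_ldif "$@"; else user_ldif "$@" | ldapadd -x -D "$BIND_DN" -W; fi
    run kadmin -p "$KADMIN_PRINC" -q "addprinc -expire \"$5\" $1@$REALM"
}

# usermod --expiredate equivalent: change both expiry dates together, so the
# KDC stops issuing tickets on the same day that PAM/nss see shadowExpire.
ldap_krb_usermod_expire() {   # uid YYYY-MM-DD
    ldif="dn: uid=$1,$BASE_DN
changetype: modify
replace: shadowExpire
shadowExpire: $(days_since_epoch "$2")"
    if [ "$DRY_RUN" = 1 ]; then echo "$ldif"; else echo "$ldif" | ldapmodify -x -D "$BIND_DN" -W; fi
    run kadmin -p "$KADMIN_PRINC" -q "modprinc -expire \"$2\" $1@$REALM"
}

# userdel equivalent: remove the entry and the principal.
ldap_krb_userdel() {   # uid
    run ldapdelete -x -D "$BIND_DN" -W "uid=$1,$BASE_DN"
    run kadmin -p "$KADMIN_PRINC" -q "delprinc -force $1@$REALM"
}

# Usage (dry run): ldap_krb_useradd alice 10001 10001 "Alice Example" 2020-12-31
#                  ldap_krb_usermod_expire alice 2021-06-30
#                  ldap_krb_userdel alice
```

The point of pairing the two sides in one command is that `shadowExpire` is only honoured by whatever consults LDAP for account status (pam_unix, sssd), while the KDC only looks at the principal's expiry; an account that expires in one store but not the other keeps working through the other path.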

2 Answers


I indeed consider setting up an Active Directory - though in a pure *nix environment the best choice for that would be a Samba AD: https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Another option would be (ab)using a configuration management tool that works with a desired state (CFEngine, Chef, Puppet), defining users through that and falling back to key-based user auth.

discondor

FreeIPA is one of the popular solutions to build a Kerberos + LDAP environment.

FreeIPA https://www.freeipa.org/page/Main_Page

As the name says, it's free, open source and sponsored by Red Hat.

kofemann