12

After working with Linux for years in small networks, I've started in a company that maintains large Windows networks. I know you can cobble a Linux host onto an Active Directory network, but is there a tidy Linux-y way of handling it if you didn't have to deal with Windows hosts? Purely hypothetical.

Keith Loughnane
  • 263
  • 1
  • 3
  • 10

5 Answers

14

The closest equivalent to Active Directory for Linux is FreeIPA. FreeIPA is made by Red Hat, and provides both LDAP and Kerberos based authentication to a Linux network...

FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, NTP, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.

Bear in mind, FreeIPA is largely Red Hat only, and would take a good bit of work to get up-and-running on Debian/Ubuntu/whatever...

http://freeipa.org/page/Main_Page

Soviero
  • 4,306
  • 7
  • 34
  • 59
  • I think you're saying Ubuntu FreeIPA server would be hard work? Setting up a Ubuntu _client_ should not be as difficult. – Not Now Sep 12 '12 at 17:04
  • I dislike the fact this is a Red Hat only solution (trusting the poster on this subject, 0 experience with it), but this is definitely the closest thing to an answer to parent's question. – ItsGC Sep 12 '12 at 17:29
  • @ItsGC It is Red Hat only on the IPA/LDAP server side. – Not Now Sep 12 '12 at 18:34
  • @NotNow On a client, it's easier with Red Hat because there is one command that configures everything from LDAP to NTP in one step... That command does not exist on Ubuntu (AFAIK), and so you would have to do everything yourself from scratch... – Soviero Sep 12 '12 at 20:49
  • For anyone interested, there is this package in Ubuntu 12.04 LTS: http://packages.ubuntu.com/precise/freeipa-client – Soviero Sep 12 '12 at 20:56
  • I'm really surprised that the 'nix world didn't have a comprehensive solution before Microsoft, that Ubuntu doesn't handle corporate environments well. – Keith Loughnane Sep 17 '12 at 09:41
  • While the FreeIPA project only supports running on Red Hat and Fedora (Red Hat), it is GPL and all of the components it uses are Free Software (GPL, MIT licence, Apache licence, Carnegie Mellon licence), so could be got to work on any other system (though we may not be the people to do it). I would suggest running it in a container, using Docker: take a Red Hat docker-container, and add FreeIPA. – ctrl-alt-delor Jan 15 '17 at 17:14
4

LDAP is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

daemonofchaos
  • 1,201
  • 1
  • 8
  • 10
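An added example (Python, not from any answer on this page) of what the "organized set of records" above looks like when it feeds Linux logins: a small parser for LDIF, the text format LDAP data is exported in, reading posixAccount and posixGroup entries, plus the consistency checks an admin wants before hosts resolve users from the directory. The sample entries and the base DN dc=example,dc=com are constructed placeholders.

```python
"""Parse a small LDIF export of posixAccount / posixGroup entries and run the
consistency checks an admin would want before letting Linux hosts resolve
users from the directory: shared uidNumbers, uid 0 outside root, and groups
whose memberUid points at nobody. Added example, not from any answer above."""
import base64
from collections import defaultdict

# Constructed sample data; dc=example,dc=com is a placeholder base DN.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10001
gidNumber: 10002
homeDirectory: /home/bob
loginShell: /bin/bash

dn: uid=svc-backup,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc-backup
uidNumber: 0
gidNumber: 0
homeDirectory: /var/backups
loginShell: /bin/sh

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10100
memberUid: alice
memberUid: mallory
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.
    Handles blank-line record separators, '#' comments, folded continuation
    lines (leading space) and base64 values written with '::'."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # LDIF folding: drop the one leading space
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):               # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
        last_attr = attr.strip()
    return entries


def check_posix_entries(entries):
    """Return a sorted list of findings; an empty list means the export is clean."""
    findings = []
    users = [e for e in entries if "posixAccount" in e.get("objectClass", [])]
    groups = [e for e in entries if "posixGroup" in e.get("objectClass", [])]
    by_number = defaultdict(list)
    for u in users:
        by_number[u["uidNumber"][0]].append(u["uid"][0])
    for number, names in by_number.items():
        names = sorted(names)
        if len(names) > 1:  # two directory users become one Unix identity on every host
            findings.append(f"uidNumber {number} shared by {', '.join(names)}")
        if number == "0" and names != ["root"]:
            findings.append(f"uidNumber 0 assigned to {', '.join(names)}")
    known = {u["uid"][0] for u in users}
    for g in groups:
        for member in g.get("memberUid", []):
            if member not in known:  # stale or mistyped membership, often in admin groups
                findings.append(f"group {g['cn'][0]} lists unknown member {member}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_posix_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against a real export (`ldapsearch -LLL` output, for instance) the same checks apply unchanged; the point of the duplicate-uidNumber check is that every host trusting the directory will treat the two accounts as the same user, so it belongs in review before the directory goes live, not after.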
0

I have seen large networks of over a thousand Linux servers with no centralized user authentication or management. Every single server had only local accounts that all had to be maintained individually.

That makes me cringe. Something like Puppet can probably help in that department of synchronizing accounts across systems, but it won't help you join the hosts to an AD domain.

I don't believe your question is about an Active Directory equivalent for Linux, such as FreeIPA. I think your question is about integrating Linux hosts into an existing Microsoft Active Directory such that your Windows machines and Linux machines are all commingled in there in the same directory.

You already know, as you said, that the Linux hosts can be "cobbled in there." I agree with that metaphor, as it's a messy process in my opinion.

Then, there also exist professional solutions such as PowerBroker (formerly Likewise) that is installable on your Linux hosts and makes joining them to an AD domain much more reliable. It even incorporates some group policy capabilities.

I think you're likely to see something like that in a large enterprise that wants to join its Linux machines to a Windows domain.

Ryan Ries
  • 55,011
  • 9
  • 138
  • 197
  • Title: In a large Linux only network how would you handle Authentication and User management? In the question: Purely hypothetical. He described a real situation that sparked his wondering of a hypothetical situation. He really meant "how do I manage many Unix hosts the same way you would manage many Windows hosts with AD"? – ItsGC Sep 12 '12 at 17:28
  • I'm taking my ball and going home! :`( – Ryan Ries Sep 12 '12 at 17:58
  • /hug. here is a cookie. – ItsGC Sep 12 '12 at 18:03
  • "if you didn't have to deal with Windows hosts" Thanks anyway Ryan. I was really wondering if there was a better linux native way of managing at least the accounts and security. – Keith Loughnane Sep 17 '12 at 09:47
  • There is; see my answer, and the suggestions about LDAP. – MadHatter Oct 05 '12 at 15:27
0

I would recommend OpenLDAP + Kerberos (MIT or Heimdal). It involves getting your hands a little dirtier than you would using a product like FreeIPA, but performance-wise, you can't beat OpenLDAP.

This link is really old, but it highlights some of the performance differences between OpenLDAP and 389 Directory server (included in FreeIPA):

Some Numbers: Fedora Directory Server vs OpenLDAP

Of course, I'm sure both products have improved since then. I know OpenLDAP's numbers are a lot better, especially with the new mdb memory-mapped backend.

bmaupin
  • 306
  • 2
  • 13
  • An article so old you had to use the Wayback Machine? Well written article, but the numbers at this point would have to be considered anecdotal. – Aaron Copley Oct 05 '12 at 15:30
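Both the FreeIPA answer and the OpenLDAP + Kerberos answer above leave out the client side. As an added example (Python, not code from either answer or from the SSSD project), here is the sssd.conf a client would carry for that split, identities from LDAP and passwords checked by Kerberos, alongside a lint that flags the settings which would leak lookups or binds: a cleartext ldap:// URI with no StartTLS, a certificate check switched off, or the SSSD escape hatch that allows password binds without TLS. The use of SSSD's ldap/krb5 providers is an assumption (one common client-side choice); hostnames, realm, base DN and CA path are placeholders.

```python
"""Render an sssd.conf that takes identities from LDAP and authentication from
Kerberos, and lint a domain section for settings that expose directory traffic
or password binds. Added example; hostnames, realm and CA path are placeholders."""
import configparser


def render_sssd_conf(domain, ldap_host, kdc_host, realm, base_dn, ca_file):
    """Return an sssd.conf string: LDAP over TLS for lookups, Kerberos for passwords."""
    return f"""\
[sssd]
services = nss, pam
domains = {domain}

[domain/{domain}]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://{ldap_host}
ldap_search_base = {base_dn}
ldap_tls_reqcert = demand
ldap_tls_cacert = {ca_file}
krb5_server = {kdc_host}
krb5_realm = {realm}
cache_credentials = true
"""


# Constructed weak counterpart: cleartext LDAP, no certificate checking, and the
# SSSD option that permits password binds without TLS.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true
"""


def lint_sssd(text):
    """Return findings for every [domain/...] section; [] means nothing flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # ldap_uri is a comma-separated list; any ldap:// member without StartTLS
        # means identity lookups (users, groups, sudo rules) cross the wire in clear.
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        cleartext = any(u.startswith("ldap://") for u in uris)
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if cleartext and not start_tls:
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls; lookups travel in the clear")
        # SSSD defaults ldap_tls_reqcert to 'hard'; never/allow disable validation.
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} skips server certificate validation")
        # auth_provider falls back to id_provider when unset.
        auth = d.get("auth_provider", d.get("id_provider", ""))
        no_tls_bind = d.get("ldap_auth_disable_tls_never_use_in_production", "false").lower() == "true"
        if auth == "ldap" and no_tls_bind:
            findings.append(f"{section}: password binds permitted without TLS")
    return findings


if __name__ == "__main__":
    good = render_sssd_conf("example.com", "ldap.example.com", "kdc.example.com",
                            "EXAMPLE.COM", "dc=example,dc=com", "/etc/ssl/certs/corp-ca.pem")
    print("secure config findings:", lint_sssd(good))
    print("weak config findings:", *lint_sssd(WEAK_CONF), sep="\n  ")
```

The rendered file would normally go to /etc/sssd/sssd.conf with mode 0600, since sssd refuses to start on a world-readable config; the lint is the kind of check worth running in configuration management before the file is pushed to a fleet.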
0

If I wasn't in a particularly security-conscious environment, I'd use NIS. It's lightweight, works on many Unices, deals well with server failure (i.e., provided each client is either configured to use multiple NIS servers, or can find multiple servers by broadcast, it's robust against the failure of the currently-bound server), and has been used for years (as in, I remember configuring NIS servers in 1991) so its idiosyncrasies are pretty well understood.

MadHatter
  • 78,442
  • 20
  • 178
  • 229