Tone Montone on 8 Sep 2016 08:37:13 -0700


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Questions regarding LDAP and AD


Update:

I was able to get a 389 server up and running and have LDAP clients authenticate to it.  However, before I was able to have the Active Directory server sync to it, someone recommended skipping the 389 or FreeIPA server altogether and point directly to AD.  After some additional configuration on the AD side, this worked for me.

First,  ensure the times are synchronized across all systems.  i.e.  Make sure NTP and AD use the same time server.  This is more an issue with Kerberos than LDAP, but it did cause issues for me until it was resolved.

Second, install Identity Management for UNIX Components on the AD server.  This provided attributes to support Unix systems.

Third, the configuration requires a bind user on the AD side, in order for the LDAP client to logon and retrieve shadow password information; 

Overall it was fairly easy to configure and install, once I found the commands to test configurations, which  logs contained the error information I need to troubleshoot issues, debug commands, etc;  I was using SSL certificates in this configuration so some of the hurdles were SSL/TLS related. 

PROS: One centralized password management.

CONS: You may lose control over account management if your admin teams are split between operating systems.

Some additional tasks I am working on:  

1.  Use LDAP for sudoers administration.
2.  Use LDAP for ssh public key storage for logons.

Thanks to all for any and all information provided, it was an interesting journey.

Mike

On Tue, Sep 6, 2016 at 11:53 AM, Keith C. Perry <kperry@daotechnologies.com> wrote:
I wanted to circle back around to this since I think I've make some inroads into understanding the current state of affairs....

It appears there is no "clean" (i.e. a FOSS solution relatively easy to install, build and manage) Linux distro agnostic way to replace Active Directory in situations where you need to manage identities and resources for Linux clients and AD clients.  There are two major issues at play in this regard:

1) Samba 4's AD DC functionality is based on included LDAP and Kerberos functionalities which are not modular.  They MUST be used if Samba 4 is to function as a replacement for Active Directory.  Therefore, the LDAP and Kerberos services from FreeIPA can not be directly used with Samba 4.


"Please note that you do not need to install or configure a separate Kerberos KDC for Samba to work. Samba includes an AD compatible KDC, currently based on an included copy of the Heimdal project. Likewise Samba ships its own LDAP implementation for AD backends. OpenLDAP or other LDAP servers are not supported at the moment."

2) FreeIPA's focus is on Linux and other standards based environments (including other Unix systems... https://www.freeipa.org/page/ConfiguringUnixClients) and thus it is NOT a replacement for Active Directory.  FreeIPA does a good job of providing an integrated solution for identity management which can provide service authorizations via kerberos ticketing and other principals.  It does not provide the actual user service (e.g. CIFS for Windows file sharing) but it does take care of things NTP, DNS, PAM modules and other critical services needed to authenticate in an AD like manner.


What about domain trusts?

Recent versions of FreeIPA (>= v4.x.x) allow for domain trusts. By using domain trusts, it would be possible to have FreeIPA and Active Directory realms trust each other so users in either domain have access to resources seamlessly across both domains.  This does not address the issue in #1 above but is something that both projects are aware of and want to solve.  As I understand it, the biggest problem is getting MIT Kerberos to work as an embedded KDC for Samba 4.  There are various discussions on that as well as other items that need to be addressed.


Where that leaves us is:

1) If you just are managing identities for Linux servers or need a standards based directory for authorizations, FreeIPA is worth a look.  Even though it is thought of as a Red Hat product, all my testing was done on Ubuntu 16.04 LTS with the FreeIPA packages that are available (4.3.1 as of this email).  It worked as expected the only thing I had to do is manually edit the PAM configuration (literally adding 1 line) so that home directories are created for accounts that do not exist.  I did not test it but adding client servers should simply be a matter of running "ipa-client-install --mkhomedir" on a realm member server with minor tweaks, if any, for your platform (such as on Ubuntu, PAM).

2) If you need to manage identities for Linux and Windows users and you don't want an Active Directory server in the mix then your only bet for now is Samba 4 AD DC.  You have to keep in mind that you will still need other critical services like NTP, DNS, DHCP, etc.  You will probably also want some sort of GUI interface for user management (SWAT2, Webmin, GAdmin, etc... see https://www.samba.org/samba/GUI/... most of these seem to be for Samba 3).  Not an impossible job but the breadth of what you have to do manually is why projects like Zentyal are very attractive.

Once Samba 4 can use other LDAP and Kerberos services, using FreeIPA with Samba or doing a domain trust between FreeIPA and a Samba AD DC will become options.  Hopefully that is not too far away.  You may have noticed from https://www.freeipa.org/page/Windows_authentication_against_FreeIPA that supposedly Samba 4.3 is able to do cross realm trusts.  This feature is stated as incomplete and I did not have any success configuring the 4.3.9 Samba server that comes with Ubuntu 16.04 LTS to use FreeIPA 4.3.1.  This probably is because Samba 4 needs to be built differently (see https://www.freeipa.org/page/IPAv3_AD_trust#Samba).  This is also confusing because such a build also implies having Samba without AD DC capabilities (i.e. you're building at Samba 3 server with Samba 4 client, see https://lists.samba.org/archive/samba-technical/2012-May/083913.html) so I don't see how you can or would use trusts (unless its to an MS AD?).  If I am misunderstanding that, I'd enjoy hearing some feedback on how this is done.


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.


From: "Keith C. Perry" <kperry@daotechnologies.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Thursday, August 25, 2016 1:22:17 PM
Subject: Re: [PLUG] Questions regarding LDAP and AD

I'm in the middle of designing a solution for this for a client that is using Zentyal but hasn't been happy with how feature seem to have been disappearing in recent releases.  We're concerned about their strategy and getting caught off guard because of issues with MS being involved.

That said, I was looking at ApacheDS but that was a bit messy and didn't feel like it was ready for prime time.

With Fedora Server, FreeIPA supposedly can managed from Cockpit but even the UI on Fedora 24 Server is not showing the proper components.  Still, we're leaning that way because FreeIPA + Samba 4 would be a complete solution.

The problem there is that no one has confidence in Fedora Server staying stable enough for production so I'm rebuilding in Ubuntu since FreeIPA is available in 16.04 LTS.  Samba 4 of course is but Cockpit is less so.  Its also less critical but it would be nice.  I might just compile it if its not too big a deal.

Not the most fun I've ever had but there needs to be a real alternative to Zentyal.

To that end, in anyone knows someone close to the Zentyal folks.  I'd love to hear from them in regards to their future strategy and how much control or involvement does Microsoft really have.

---
KP-


On Aug 25, 2016 12:38 PM, Tone Montone <tonemontone@gmail.com> wrote:
Hello,
I have an implementation question regarding LDAP and AD. 

I am looking for advice on a path forward for managing user accounts across about 500 Unix systems, which are comprised of  a mixture of RHEL 5 and 6, and Solaris 10 and 11;  There is also some OEL, which is basically RHEL 5, and some Suse sprinkled in.  Currently, we are using local accounts, and I would like to move to a more streamlined/centralized method.

I need a solution that has a support package tied to it, as it's for a government installation and that is a mandatory requirement.  

I was thinking about using Red Hat Directory Server, which is basically 389-DS.  Having the AD server do a one-way sync to the DS, then have all the Unix systems point to the DS.  However, I read that in some instances you can have systems point directly to AD servers and get their authentication directly from the AD, so you don't need an LDAP intermediate server, but I am not sure it will work for all systems/OSes.  e.g. I read that you could use RHEL's IdM (Identity Manager) on RHEL 6, but I don't think this will work on RHEL 5.

I also thought about using LDAP for sudoers file management, as well as storing ssh public keys.

I installed 389-DS to do some testing, and I also looking at FreeIPA because it provides Kerberos, as well as Samba.

Any advice or experience anyone would like to share would be greatly appreciated.

Thanks,

Mike


I'm in the middle of designing a solution for this for a client that is using Zentyal but hasn't been happy with how feature seem to have been disappearing in recent releases.  We're concerned about their strategy and getting caught off guard because of issues with MS being involved.

That said, I was looking at ApacheDS but that was a bit messy and didn't feel like it was ready for prime time.

With Fedora Server, FreeIPA supposedly can managed from Cockpit but even the UI on Fedora 24 Server is not showing the proper components.  Still, we're leaning that way because FreeIPA + Samba 4 would be a complete solution.

The problem there is that no one has confidence in Fedora Server staying stable enough for production so I'm rebuilding in Ubuntu since FreeIPA is available in 16.04 LTS.  Samba 4 of course is but Cockpit is less so.  Its also less critical but it would be nice.  I might just compile it if its not too big a deal.

Not the most fun I've ever had but there needs to be a real alternative to Zentyal.

To that end, in anyone knows someone close to the Zentyal folks.  I'd love to hear from them in regards to their future strategy and how much control or involvement does Microsoft really have.

---
KP-


On Aug 25, 2016 12:38 PM, Tone Montone <tonemontone@gmail.com> wrote:
>
> Hello,
>
> I have an implementation question regarding LDAP and AD. 
>
> I am looking for advice on a path forward for managing user accounts across about 500 Unix systems, which are comprised of  a mixture of RHEL 5 and 6, and Solaris 10 and 11;  There is also some OEL, which is basically RHEL 5, and some Suse sprinkled in.  Currently, we are using local accounts, and I would like to move to a more streamlined/centralized method.
>
> I need a solution that has a support package tied to it, as it's for a government installation and that is a mandatory requirement.  
>
> I was thinking about using Red Hat Directory Server, which is basically 389-DS.  Having the AD server do a one-way sync to the DS, then have all the Unix systems point to the DS.  However, I read that in some instances you can have systems point directly to AD servers and get their authentication directly from the AD, so you don't need an LDAP intermediate server, but I am not sure it will work for all systems/OSes.  e.g. I read that you could use RHEL's IdM (Identity Manager) on RHEL 6, but I don't think this will work on RHEL 5.
>
> I also thought about using LDAP for sudoers file management, as well as storing ssh public keys.
>
> I installed 389-DS to do some testing, and I also looking at FreeIPA because it provides Kerberos, as well as Samba.
>
> Any advice or experience anyone would like to share would be greatly appreciated.
>
> Thanks,
>
> Mike


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug