- - Freely available without licensing hassles
- - Run on Linux servers
- - Support Linux, Mac and Windows clients
- - Use encrypted transport for credentials
- - Easily deployed and maintained
I have so far come up with two likely candidates: Zentyal and FreeIPA. The purpose of this posting is to highlight some of the features of these systems and to discuss their pros and cons.
Zentyal
Zentyal is based on Ubuntu Server LTS (currently 14.04), BIND9 and Samba4. It is intended to be a drop-in substitute for a Microsoft Windows Small Business Server. Its modular design allows it to fill any of several roles. For my purposes I used it as an Active Directory primary domain controller and CIFS file server. While it is a useful subset of an Active Directory server, it does not offer all the features that the Microsoft original does. On the other hand, the open source community edition is the right price (free), and there are no CALs to buy.
My testing of Zentyal was conducted on a virtual network built with Virtualbox on a Linux Mint 17 host. The clients were Mint and Debian Linux workstations using the closed-source Centrify Express client software for joining the hosts to the AD domain. The "Express" Centrify clients provide only basic AD functionality, but again the price was right (free). Centrify Express can be used freely on up to 400 clients for educational institutions (200 for government and commercial institutions). Beyond that scale, or if you need fuller functionality, the full Centrify suite would be required (not free). Centrify offers their software suites (both Express and full) for Mac and Windows too. The full Centrify suite provides full AD functionality and more.
Zentyal clients are authenticated via Kerberos, with group membership, authorization information and the like stored in LDAP, just as in Microsoft's implementation. LDAP and CIFS are provided by Samba4. A Zentyal server can participate as a primary or additional AD domain controller. Server administration is handled via a web interface running on the server, so you don't need a Windows workstation to manage the server.
Update (22Aug2015):
If you wish to join a recent Ubuntu release to Zentyal (or any Active Directory server), there is a working alternative to Centrify. The "realmd" package is a front-end to sssd (or winbind, reputedly) that can be used to join Ubuntu to an AD domain. There is a good "howto" by Myles Gray on his blog entitled "Utilising Kerberos/AD auth in Ubuntu 14.04 with realmd". For Linux Mint (v17.2 MATE), I had to tweak a few things to get it working; you can see my notes here.
Pros
- - Easy set-up and management
- - Provides standard AD protocols (krb5, LDAP, AD schema, DNS SRV RRs etc.)
- - With Centrify, easy client enrollment for Linux, Mac & Windows
- - The "realmd" package makes joining a Zentyal/AD domain easy for Ubuntu & Fedora
Cons
- - Rigid organization structure
- - Limited DNS functionality
- - Can't be easily used as generic LDAP server
- - Doesn't support IPv6
- - Almost requires 3rd party SW for some Linux & Mac clients
FreeIPA
FreeIPA is an open source identity management system developed by Red Hat. It combines the "389 Directory Server" (LDAP) with MIT Kerberos 5, BIND 9 and Certmonger/Dogtag (certificate management). While FreeIPA is intended to provide secure identity management for Unix-like systems, it can establish one-way Kerberos trust relationships with Active Directory domains (AD to FreeIPA). FreeIPA is included in the core repositories (both client and server packages) of the common Red Hat derivatives (RHEL, CentOS, Fedora). The FreeIPA client packages are also found in repositories that serve Mint. For a "Howto" on enrolling Linux Mint clients you can go here.
Unlike Zentyal, FreeIPA does not "look like" Active Directory. It does, however, use the same basic approach: LDAP storage and Kerberos authentication. Unlike Zentyal (and AD), FreeIPA can be easily used as a generic LDAP server. This ability allows authentication by many services that may be difficult to integrate with AD or Kerberos. For Ubuntu, Mint and Debian clients, I can use bare-LDAP authentication. In the past I have used bare-LDAP to authenticate Mac OS X clients (Tiger and Leopard). By using LDAP over SSL/TLS (LDAPS), I can have secure centralized authentication without resorting to 3rd party software. I lose the single sign-on (SSO) capability that Kerberos enables, but otherwise this is quite adequate in many situations. Beyond bare-LDAP, I was able to enroll Mint and Fedora clients in a FreeIPA/Kerberos domain. When enrolled within such a domain, client IP addresses are recorded along with SSH public host keys and host certificates (provided by certmonger/dogtag). There are no pre-built FreeIPA client packages for Mac or Windows hosts. While there is documentation on how to go about manually configuring Windows and Mac hosts to enroll in FreeIPA, I consider those instructions to be too intricate and error-prone to be used by any but expert admins; Macs should readily be able to use bare-LDAP, however.
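The bare-LDAP approach only meets the "encrypted transport for credentials" requirement from the top of the post if the client actually uses LDAPS (or StartTLS) and verifies the server's certificate; a stock nss-ldapd install with a plain `ldap://` URI sends the bind password in the clear. The script below is an added example, not code from the original post or from the FreeIPA or Zentyal projects: it audits an nslcd.conf/ldap.conf-style client file for the usual transport mistakes. The three configs embedded in it are constructed for illustration, and `/etc/ipa/ca.crt` is the CA path a FreeIPA-enrolled client normally has; the keyword semantics (`uri`, `ssl`, `tls_reqcert`, `tls_cacertfile`) follow the nslcd.conf syntax.

```python
"""Audit an nslcd.conf / ldap.conf style LDAP client file for credential
transport weaknesses.

Added example (not from the original post).  Assumes the nss-ldapd
'keyword value' syntax: uri, ssl (off|on|start_tls), tls_reqcert
(never|allow|try|demand|hard), tls_cacertfile/tls_cacertdir, bindpw.
"""
from typing import Dict, List

# Constructed sample: what a hastily set-up nss-ldapd client often looks like.
WEAK_CONF = """
# nslcd.conf (constructed example)
uri ldap://ipa.example.test/
base dc=example,dc=test
tls_reqcert never
"""

# Constructed sample: LDAPS with certificate verification against the IPA CA.
GOOD_CONF = """
uri ldaps://ipa.example.test/
base dc=example,dc=test
tls_reqcert demand
tls_cacertfile /etc/ipa/ca.crt
"""

# Constructed sample: plain URI upgraded with StartTLS, still verified.
STARTTLS_CONF = """
uri ldap://ipa.example.test/
base dc=example,dc=test
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ipa/ca.crt
"""


def parse_ldap_conf(text: str) -> Dict[str, List[str]]:
    """Return {keyword: [value, ...]} for 'keyword value' lines.

    Comments ('#' to end of line) and blank lines are ignored; a keyword
    that appears several times keeps every value, in file order."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ''
        settings.setdefault(key, []).append(value)
    return settings


def audit_ldap_client(text: str) -> List[str]:
    """Return a list of findings; an empty list means no weakness found."""
    s = parse_ldap_conf(text)
    findings: List[str] = []

    # 'uri' may list several servers on one line or be repeated.
    uris = [u for v in s.get('uri', []) for u in v.split()]
    if not uris:
        return ['no uri directive: nothing to audit']

    ssl_mode = (s.get('ssl') or ['off'])[-1].lower()
    tls_in_use = False
    for uri in uris:
        scheme = uri.split('://', 1)[0].lower()
        if scheme == 'ldapi':
            continue  # local Unix socket: no network exposure
        if scheme == 'ldaps' or (scheme == 'ldap' and ssl_mode == 'start_tls'):
            tls_in_use = True
            continue
        if scheme == 'ldap' and ssl_mode == 'on':
            findings.append(f'ambiguous: ssl on with {uri}; use an explicit ldaps:// URI')
            continue
        findings.append(f'plaintext transport: {uri} (ssl={ssl_mode})')

    # Encryption without verification still hands the bind password to
    # whoever answers on port 636.
    reqcert = (s.get('tls_reqcert') or [''])[-1].lower()
    if reqcert in ('never', 'allow', 'try'):
        findings.append(f'tls_reqcert {reqcert}: server certificate not verified')
    if tls_in_use and not (s.get('tls_cacertfile') or s.get('tls_cacertdir')):
        findings.append('TLS without tls_cacertfile/tls_cacertdir: trust anchor unspecified')

    # A bind password in the file is a credential at rest; nslcd.conf must
    # then stay root-only (mode 0600).
    if s.get('bindpw'):
        findings.append('bindpw stored in config: keep the file root-only (mode 0600)')
    return findings


if __name__ == '__main__':
    for name, conf in (('weak', WEAK_CONF), ('good', GOOD_CONF), ('starttls', STARTTLS_CONF)):
        print(name, '->', audit_ldap_client(conf) or 'OK')
```

Run it against a real `/etc/nslcd.conf` with `audit_ldap_client(open('/etc/nslcd.conf').read())`; the same checks apply to pam_ldap's `/etc/ldap.conf`, whose keywords are largely the same. `tls_reqcert try` is flagged alongside `never` because a server that simply presents no certificate is still accepted.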
Enrolling Mint clients only succeeded by *not* using sssd (the default setup used by freeipa-client) but utilizing nss-ldapd and pam-krb5 instead, plus manually adding one line to the pam session configuration file (to automatically create home directories). Once these steps were taken, everything went well and worked as expected.
I ran into a "hiccup" when attempting to enroll Fedora v21 (newly released while I was testing) with my CentOS v7 FreeIPA server. The FreeIPA version on CentOS 7 was v3.3.3, while the FreeIPA client version supplied with Fedora v21 was the newer v4.1.2. Enrollment completed, but several key pieces of information did not end up recorded on the server: DNS info, SSH host public keys, and host certificates. Authentication and authorization worked fine. This result, combined with a reading of the FreeIPA FAQ, leads me to believe that currently FreeIPA clients and servers should be in the same major release version (v3 or v4, but not mixed) for full functionality. I was able to enroll Fedora v20 in FreeIPA without any surprises (using the v3.3.5 client), and even upgrade it to Fedora v21 (via FedUp) without incident. So only the enrollment process seems to be affected by the differing software versions.
The CentOS/FreeIPA server that I used does not provide an integrated CIFS file service. Adding the schema and functions to integrate Samba4 are beyond my brief. File service options would be limited to SSH and NFS (the latter can be Kerberized NFS4). This is unfortunate, because neither of these protocols can be used (for mounted file systems) by newer Macs without 3rd party add-ons.
FreeIPA is managed via a web interface. This management interface is more full-featured than that of Zentyal. The BIND 9 server is more flexibly managed; I believe it could be used as a primary DNS server for small to medium enterprises, though I used it only within a sub-domain for testing.
Pros
- - Easy set-up and management
- - Can be used as generic LDAP server
- - Easy enrollment for Ubuntu/Mint and RedHat/Fedora derivatives
- - Supports both IPv4 and IPv6
- - Flexible DNS functionality
Cons
- - No integrated CIFS file service
- - No pre-built Windows or Mac clients
- - Enrollment of Ubuntu/Mint client requires minor tweaking
- - Client - Server enrollment is version sensitive
Conclusions
Both FreeIPA and Zentyal are usable and useful. If you are dealing with mostly Linux clients I would use FreeIPA, with Kerberos (full enrollment) or without (as a bare-LDAP server). If you have some Macs, you could still use FreeIPA as a generic LDAP server, but the lack of CIFS file service will be limiting. If you have primarily Windows and/or Macs, then probably Zentyal along with Centrify client software would be the better choice.
FreeIPA's better performance as a generic LDAP server may make it easier to integrate with GADS (Google Apps Directory Sync). Because the passwords live in Kerberos, however, the accounts can be synced but the passwords would still have to be managed externally (this is true for AD and Zentyal as well).
Personally I like the "feel" of FreeIPA better than Zentyal. FreeIPA feels less restricted than Zentyal. The simplicity of the Zentyal management interface comes with the cost of less flexibility.
These two solutions have different target use cases: FreeIPA could manage a fleet of Linux virtual machines in the cloud, while Zentyal is a drop-in for a small business (or school) with Windows workstations. Both solutions are under active development and are bound to become better with time.
While both FreeIPA and Zentyal are useful solutions for central ID management, neither of them quite replaces the basic functionality of my old CentOS-5/OpenLDAP/Samba3 system. That system provided authentication and CIFS file service for Linux, Mac and Windows clients (via a Samba NT-style domain configuration), and could also be used as a generic LDAP server for Squid proxies, web and RADIUS servers, etc. While the old system didn't provide Kerberos, and the single sign-on that Kerberos enables, it was still quite useful, reasonably secure, and didn't require a third-party client on any of the three platforms.
Update (15 June 2016)
I have received some tips that will allow Mint users to install FreeIPA just like Ubuntu and utilize sssd rather than rely only on LDAP. This information came from Brendon Bonner:
"Reading https://sites.google.com/site/easylinuxtipsproject/mint-cinnamon-first
1.2.1. Mint deviates from the Ubuntu way, where the so-called "recommended" packages are concerned. When you install software yourself, Ubuntu installs the recommended packages by default, but Mint does not.
This has two important disadvantages: in Mint, the features of the applications that you install yourself, can be needlessly crippled. And some how-to's for Ubuntu, don't work in Mint. All this for the sake of saving some disk space...
You can make things right like this:
Menu button - Administration - Synaptic Package Manager
Settings - Preferences - tab General
Section Marking Changes: tick: Consider recommended packages as dependencies
Click Apply
Click OK.
Furthermore, you need to change the setting "false" into "true", in the settings file /etc/apt/apt.conf.d/00recommends. That's easiest to do in the following way:
Menu - Accessories - Terminal
Copy/paste the following command line into the terminal, for example by a right-click with your mouse (this is one line!):
sudo sed -i 's/false/true/g' /etc/apt/apt.conf.d/00recommends
Press Enter. When prompted, type your password. Your password will remain entirely invisible, not even dots will show, this is normal.
Press Enter again."
Links
- - FreeIPA http://www.freeipa.org/
- - Zentyal http://www.zentyal.org/server/
- - Centrify Express http://www.centrify.com/express/centrify-express-overview.asp
- - Realmd http://www.freedesktop.org/software/realmd/