Managing Linux user accounts + Samba + more

Question

I have a network of about 3-6 CentOS servers, with about 5-10 users (currently, and near future). I'm looking for a solution for centralized managements of users.

My requirements from it are:

1. Linux authentication (login to servers)
2. Integration with Samba - only to expose Linux files to Windows; I don't want to use this solution to login into Windows machines
3. API to other services that need authentication, such as Redmine or Alfresco
4. Simple management

Tried OpenLDAP, but it seems too complicated for my small network. Then I've installed RedHat's IdM (=FreeIPA), which was easy to install, and very nice to administer. It's also based on LDAP, so I thought that it'd play nice with the other players.

Surprisingly, it seems that IdM/FreeIPA doesn't integrate well with Samba. Furthermore, it appears that I was mistaken, and IdM/FreeIPA doesn't expose its LDAP database to other services - they have to be Kerberized, which complicates the business...

So, the reasonable solution appears to be back to LDAP. Am I correct?

But even with LDAP, I'm not sure what's the correct approach...

1. OpenLDAP/389 Server
2. Samba3 with LDAP backend, or Samba4 with builtin LDAP
3. https://gna.org/projects/smbldap-tools/

I'm not even sure that I'm asking the right question :)

Answer 1

This is a bit tricky because of point 3. The LDAP in IPA is available just not anonymously, so you need to either kerberize the applications making queries OR give them a generic account to bind with. Most applications I've seen support this.

From the samba wiki: " Note that you cannot point Samba4 to your existing OpenLDAP server and expect things to work."

Honestly depending on the specifics of requirement 3 for such a small environment I would suggest you use Active Directory (im assuming you have it already) via sssd and as the back-end to samba. This is the easiest and most maintainable solution, assuming req 3 supports it.

Answer 2

I would choose some LDAP-based solution for the flexibility and the wide-support and for the GNU/Linux world your best bet is OpenLdap. At the beginning ldap world is a bit trivial but is quite solid.

You need:

• an OpenLdap server, maybe two (in a provider-consumer fashion) if you need an high availability architecture, with Samba schema installed

• a Samba server configured to retrieve users and groups using Openldap as backend and to expose some shares

• Smbdlap tools to manage (add, edit, delete) users and groups from command line

• a web gui for simple management (add, edit, delete) of users and groups, I suggest fusiondirectory or in alternative a local ldap client

• configurations and packages to enable ldap support in pam and nss for GNU linux login.

Around there are some quite good tutorial for this setup.

Answer 3

If you don't want to build everything from scratch, you might want to give Univention Corporate Server (UCS) a try. I work for Univention, so I know it well. It's a Debian based, enterprise level operating system that works well as domain/identity management for heterogeneous environments. There's also a free "Core Edition" that has all features you need.

Among other things, it provides:

1. authentication for clients via LDAP and/or Kerberos
2. shares via NFS and/or Samba (Samba 4 / AD also possible)
3. authentication for external services - see below for details
4. a nice web-based administration interface

As Andy pointed out, you usually don't want to expose your LDAP directory without authentication (anonymously). It's a good practice to create a special user in the LDAP directory and use this user in the third-party application to authenticate when querying the LDAP directory.

There are even articles in the Univention Wiki for Redmine and Alfresco: Cool Solution - Install Redmine and setup ldap authentication Cool Solution - Alfresco

Further information on UCS on Univention's website.

Hope, I was of help to you, Maren