Wanted thoughts/ideas - open source alternative to active directory for identity and access management

I know this has been talked about everywhere for ages, but I wanted to get some fresh input from these forums since members here have so much in common in terms of infrastructure and software with mine and my clients deployments.

I would like to find a free and open source on-premises solution for identity and access management. Essentially to recreate MS Active Directory functionality with just the following capabilities:
User Account Management (with groups)
Computer/Device account management
DNS and Netbios integration
SSO with respect to using different devices on the same network.

I know that OpenLDAP will handle some of these, but I don’t know if it will handle all of them.
Functionality I want will include:

  • automatic registration of authenticated devices/users with the local domain and updated DNS (like when a domain user logs into a Windows domain and joins a computer to the domain: that computer is added to the directory, and its name is added to the local DNS so that it can be found in the directory as well as in the local DNS as machine_name.local_domain.local)
  • network-wide users and ACLs so that access can be managed on any device such that the ACLs will be acquired from the LDAP/identity management server and authenticated there.
  • SSO once authenticated against the central server.

Thanks in advance for your thoughts and ideas.

Keith Waldron

It has been a long (maybe really long) time since I looked at it, but Univention Corporate Server looked good. See https://www.univention.com/products/ucs/

Thanks for that, I had seen them before and am glad to see they have a core version. It might do the trick. Is anyone here running any AD alternatives?

Will FreeIPA provide all these requirements?

Zentyal will provide some of this, but I think SSO is going to be the problem. https://zentyal.com/ They have a community version that I have running at home, but haven’t really used any features but DHCP (yet).

To save a little poking around, in order to use GPO you will need a Windows computer running the RSAT tools; you won’t be able to manage Group Policy on the Zentyal server itself. But it says it supports GPO. Again, not a feature I have used yet.

UCS looks interesting. I see the “Core” version is free and might be worth more investigation. I certainly wouldn’t mind shifting my work domain over to something else.

Thanks for the suggestions!

I will review the three suggested here, they were all on my radar, so I am hoping one will fit the bill.

I am working on my new lab network and storage. I have TrueNAS running well on a 6-drive Z2 and will build out the XCP-NG server now, then the migration. I plan to set up whichever LDAP/IA server on the XCP-NG hypervisor.

Keep you posted!

Keith

Hi Keith,
I second Greg. I had recently deployed a Zentyal Community Edition with functional requirements similar to yours. I have also integrated it with FreeNAS and it’s working pretty well.
I had tried UCS on a VM before but faced some issues during installation that prevented completion of the configuration stage. Maybe it was a case with my VM. So I haven’t dived deep into UCS yet.
And as for SSO, services using Kerberos tickets should work as pseudo-SSO, I guess. I’m still learning about Active Directory and its associated services; apologies if I made some mistakes.

Chinmay

Update: Now that I have XCP-NG and TrueNAS up and running, I have installed both Zentyal and UCS (Univention server). Both installed fairly well; although the Zentyal install process was more polished than UCS, both setup and configuration are solid and initial functionality appears to provide most of what I need. Neither system appears to be able to maintain dynamic DNS records for DHCP-assigned hosts, but this could be because I did not provision either to be my DHCP server: I use pfSense for that and I don’t plan on changing that. (Note: this architecture worked with pfSense doing DHCP and my Windows domain controllers updating dynamic workstation hostnames and IP addresses, and maybe it will work with UCS and Zentyal once I figure them out.)

I’ll update progress once I get a chance to evaluate the two deployments - but it appears these options are viable for small Domains without MS Active Directory.
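The gap described above (DHCP handled by pfSense, so the directory's DNS never learns about new leases) is usually closed by having the DHCP server run a hook that pushes a secure dynamic update to the directory's DNS zone. The following is an added example written for this thread, not code from pfSense, Zentyal, UCS or Samba: it builds the script that `nsupdate -g` would consume for one lease, registering the forward A record and the reverse PTR record and deleting stale ones first. It assumes (hypothetically) that the directory's DNS accepts GSS-TSIG secured updates from a Kerberos principal already in the credential cache, that the reverse zone is a /24, and that the DHCP server can call such a hook with the lease details; the host, zone and server names are constructed.

```python
"""Generate an nsupdate script that registers a DHCP-assigned host in the
directory's DNS zone (forward A record plus reverse PTR record).

Constructed example for this thread, not code from pfSense, Zentyal, UCS or
Samba. Assumptions (hypothetical): the DNS server accepts GSS-TSIG secured
dynamic updates using a Kerberos ticket already in the credential cache, the
reverse zone is a /24, and the DHCP server calls this with the lease details.
"""
from __future__ import annotations

import ipaddress
import re
import sys

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def reverse_zone(ip: str) -> tuple[str, str]:
    """Return (reverse_zone, ptr_owner) for an IPv4 address in a /24 reverse zone.

    e.g. 10.20.30.40 -> ("30.20.10.in-addr.arpa", "40.30.20.10.in-addr.arpa")
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    octets = str(addr).split(".")
    zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    owner = ".".join(reversed(octets)) + ".in-addr.arpa"
    return zone, owner


def build_nsupdate_script(hostname: str, ip: str, domain: str,
                          server: str, ttl: int = 3600) -> str:
    """Build the text fed to `nsupdate -g` for one DHCP lease.

    Stale records for the same name and address are deleted before the new
    ones are added, so a host that moved to a new lease does not leave a
    dangling A or PTR behind.
    """
    if not _LABEL_RE.match(hostname):
        raise ValueError(f"invalid hostname label: {hostname!r}")
    fqdn = f"{hostname}.{domain.rstrip('.')}."
    rev_zone, ptr_owner = reverse_zone(ip)
    lines = [
        f"server {server}",
        "gsstsig",                           # sign the update with the Kerberos credential
        f"zone {domain.rstrip('.')}.",
        f"update delete {fqdn} A",           # drop any stale address for this host
        f"update add {fqdn} {ttl} A {ip}",
        "send",
        f"zone {rev_zone}.",
        f"update delete {ptr_owner}. PTR",   # drop any stale name for this address
        f"update add {ptr_owner}. {ttl} PTR {fqdn}",
        "send",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed lease: hostname, address, zone and DC name are made up.
    script = build_nsupdate_script("ws-17", "10.20.30.40", "lab.example", "dc1.lab.example")
    sys.stdout.write(script)  # pipe this into: nsupdate -g
```

In practice the hook would run after `kinit` with a dedicated DHCP service principal, and the output is piped straight into `nsupdate -g`; keeping the generation separate from the network call makes the hook easy to dry-run and to audit in the DHCP server's logs.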

Thank you, I haven’t had a chance to get back to this, but I’m very interested in your continuing journey down this path. I foresee a time when Microsoft cuts off local servers to most contracts, and I’m sure if it saves a single $1, I’ll be pushed into that boat. My licensing comes through the overall college license, so I’m kind of stuck with what they do, and they seem to want to push everything into the cloud. That works fine, until it doesn’t. And that doesn’t seem to hit us at least once a year. We have at least two ISPs, but it all flows in on the same fiber plant. That fiber carrier goes down, and we are cut off. Can’t even log into the workstations when this happens. I’m guessing that we don’t have any read-only directory servers on premises because that really shouldn’t happen.

It takes a bit of know-how, but Samba running on just about any Linux distro can be set up to emulate a Windows domain controller. I’ve run this in the past and it’s pretty slick. You can even use the Windows RSAT tools to manage it. Though I don’t know that you would get the DHCP and DNS integration as you would with a Windows domain controller. Because these alternatives are niche, I think most people would agree with me in saying “try these alternatives at your own risk, because if it breaks you may be on your own without much in the way of help/support”. Worth looking into if nothing else.

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
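Whichever product emulates the domain controller, Windows and Linux clients locate it through a fixed set of SRV records in the domain's DNS, so the first check after provisioning is whether those records exist and resolve. The following is an added example written for this thread, not code from the Samba project or any of the products above: it parses dig-style answer lines for the domain and reports which required SRV records are missing and which SRV targets have no A record. The record names are the standard ones AD clients query; the answer section embedded below is constructed and stands in for real `dig` output against the lab DNS server.

```python
"""Audit the DNS records an AD-style domain controller must publish.

Constructed example for this thread, not code from Samba, Zentyal or UCS.
Input is dig-style answer lines ("owner ttl IN TYPE rdata..."); the sample
below is made up and represents what `dig SRV <name>` / `dig A <name>`
against the lab DNS server might return.
"""
from __future__ import annotations


def required_srv_names(domain: str) -> list[str]:
    """SRV records AD clients look up to find a DC, Kerberos KDC and kpasswd."""
    d = domain.rstrip(".").lower()
    return [
        f"_ldap._tcp.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",
    ]


def parse_answers(text: str) -> tuple[dict[str, list[tuple[int, int, int, str]]], dict[str, list[str]]]:
    """Parse dig-style answer lines into SRV and A record maps keyed by owner name."""
    srv: dict[str, list[tuple[int, int, int, str]]] = {}
    a: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue                             # not an answer line we understand
        owner = parts[0].rstrip(".").lower()
        rtype = parts[3]
        if rtype == "SRV" and len(parts) == 8:
            prio, weight, port = (int(x) for x in parts[4:7])
            target = parts[7].rstrip(".").lower()
            srv.setdefault(owner, []).append((prio, weight, port, target))
        elif rtype == "A":
            a.setdefault(owner, []).append(parts[4])
    return srv, a


def audit_dc_records(domain: str, text: str) -> tuple[list[str], list[str]]:
    """Return (missing SRV names, SRV targets with no A record)."""
    srv, a = parse_answers(text)
    missing = [name for name in required_srv_names(domain) if name not in srv]
    unresolved = sorted({t for recs in srv.values() for (_, _, _, t) in recs if t not in a})
    return missing, unresolved


# Constructed sample answer section (not real dig output); _kpasswd._udp is
# deliberately absent to show what a partial provisioning looks like.
SAMPLE_ANSWERS = """\
; constructed sample, not real dig output
_ldap._tcp.lab.example.               900 IN SRV 0 100 389 dc1.lab.example.
_kerberos._tcp.lab.example.           900 IN SRV 0 100 88  dc1.lab.example.
_kerberos._udp.lab.example.           900 IN SRV 0 100 88  dc1.lab.example.
_kpasswd._tcp.lab.example.            900 IN SRV 0 100 464 dc1.lab.example.
_ldap._tcp.dc._msdcs.lab.example.     900 IN SRV 0 100 389 dc1.lab.example.
_kerberos._tcp.dc._msdcs.lab.example. 900 IN SRV 0 100 88  dc1.lab.example.
_ldap._tcp.pdc._msdcs.lab.example.    900 IN SRV 0 100 389 dc1.lab.example.
dc1.lab.example.                      900 IN A   10.20.30.5
"""

if __name__ == "__main__":
    missing, unresolved = audit_dc_records("lab.example", SAMPLE_ANSWERS)
    for name in missing:
        print(f"MISSING SRV: {name}")
    for target in unresolved:
        print(f"SRV target without A record: {target}")
    if not missing and not unresolved:
        print("all required DC records present")
```

A client that cannot find `_kerberos._udp` or `_kpasswd._udp` may still bind over TCP, so a partial set shows up as intermittent logon or password-change failures rather than a clean error; running this audit against each DNS server clients actually use catches that before the helpdesk does.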

That’s great, I will certainly set one of these up to test. There is a solid demand with many of my clients for a centralized but modest AD/LDAP type management system and one or several of these options will be quite useful. I have never agreed with Microsoft that integrating DHCP and DNS is good architecture - at least in terms of being federated within a Microsoft only platform - I have always managed to keep them separate despite the extra effort required to do so.

Do you need to manage Windows clients, Linux, or both? Red Hat has a product called FreeIPA that is the “Active Directory” of Linux. It can join trusts and AD forests nicely but does not manage Windows clients. FreeIPA scales very well, has the right infrastructure, and solves a lot of problems. Take a day or so to really read the documentation to get a good idea of the project.

I’d be afraid of running anything Red Hat related unless I was buying a support contract; who knows what projects they will shut down next.

Maybe that project will get forked like CentOS is being “forked” (may not be a complete diverging fork but taking downstream code).

Most of my clients run Windows and/or Mac, with some Linux running usually as servers or appliances. I will certainly check out the offering from Red Hat; I hadn’t heard of it. So far, my testing with Univention Server and Zentyal has proved to be quite solid. Univention seems to provide most of the features, and does have stand-alone domain management included, which meets my criteria; it is lightweight and simple and still allows a fair bit of granular control of the various components.