Wanted thoughts/ideas - open source alternative to active directory for identity and access management

I know this has been talked about everywhere for ages, but I wanted to get some fresh input from these forums since members here have so much in common in terms of infrastructure and software with my own and my clients' deployments.

I would like to find a free and open source on-premise solution for identity and access management. Essentially to recreate MS Active Directory functionality with just the following capabilities:

  • User account management (with groups)
  • Computer/device account management
  • DNS and NetBIOS integration
  • SSO with respect to using different devices on the same network.

I know that OpenLDAP will handle some of these, but I don’t know if it will handle all of them.
Functionality I want will include:

  • automatic registration of authenticated devices/users with the local domain and updated DNS (like when a domain user logs into a Windows domain and joins a computer to the domain: that computer is added to the directory, and its name is added to the local DNS so that it can be found in the directory as well as in the local DNS as machine_name.local_domain.local)
  • network-wide users and ACLs so that access can be managed on any device, such that the ACLs will be acquired from the LDAP/identity management server and authenticated there.
  • SSO once authenticated against the central server.

Thanks in advance for your thoughts and ideas 🙂

Keith Waldron

It has been a long (maybe really long) time since I looked at it, but Univention Corporate Server looked good. See https://www.univention.com/products/ucs/


Thanks for that, I had seen them before and am glad to see they have a core version. It might do the trick. Is anyone here running any AD alternatives?

Will FreeIPA provide all these requirements?


Zentyal will provide some of this, but I think SSO is going to be the problem. https://zentyal.com/ They have a community version that I have running at home, but haven’t really used any features but DHCP (yet).

To save a little poking around: in order to use GPO you will need a Windows computer running the RSAT tools; you won’t be able to manage Group Policy on the Zentyal server itself. But it says it supports GPO. Again, not a feature I have used yet.

UCS looks interesting. I see the “Core” version is free and might be worth more investigation. I certainly wouldn’t mind shifting my work domain over to something else.


Thanks for the suggestions!

I will review the three suggested here, they were all on my radar, so I am hoping one will fit the bill.

I am working on my new lab network and storage. I have TrueNAS running well on a 6-drive Z2 and will build out the XCP-ng server now, then the migration. I plan to set up whichever LDAP/IAM server on the XCP-ng hypervisor.

Keep you posted!

Keith

Hi Keith,
I second Greg. I had recently deployed a Zentyal Community Edition with functional requirements similar to yours. I have also integrated it with FreeNAS and it’s working pretty well.
I had tried UCS on a VM before but faced some issues during installation that prevented completion of the configuration stage. Maybe it was a case with my VM. So I haven’t dived deep into UCS yet.
And as for SSO, services using Kerberos tickets should work as pseudo-SSO, I guess. I’m still learning about Active Directory and its associated services; apologies if I made some mistakes.

Chinmay
