I'm looking for advice on how to centralize authentication, authorization, and logging in a completely Linux-based office environment without using Active Directory. In the past, sysadmins often managed user accounts and access control by creating local accounts, but that's not a viable solution anymore. I've come across options like Samba AD and FreeIPA, but I'm not sure whether to pursue them or if there are better alternatives available. What do you recommend?
5 Answers
Have you considered WSO2 Identity? It can really cover a lot of ground in terms of Identity and Access Management, but be warned—it can get quite complicated to set up.
In a fully Linux environment, looking at either FreeIPA or Samba AD is pretty common, and each has its benefits. FreeIPA simplifies the management by bundling LDAP, Kerberos, and more into one comprehensive package. But if you need Windows compatibility, Samba AD is a better fit. Just know that you might have to use a separate tool for centralized logging like Graylog or Splunk, as those functionalities aren't typically bundled all together.
FreeIPA is essentially the open-source counterpart to Red Hat's IdM. While Active Directory might not handle logging directly, keep in mind that logging typically happens at the OS level. You need to configure your servers to generate logs. I've found tools like Wazuh to be really effective for log management since it collects searchable logs and integrates well with Elasticsearch.
Back in the day, LDAP was pretty much the only option. Now with FreeIPA and Samba really standing out as the gold standard, it’s a matter of what you need. If it’s just user and group management, pure LDAP and Kerberos could work, but FreeIPA becomes a much better option if you're planning for future needs like integrated PKI and policies.
FreeIPA paired with SSSD is a solid choice. It allows you to manage groups, define sudo policies, and issue certificates among other things. Just a heads up, the setup process can be a bit tricky, but once you get it running using something like Podman, it’s pretty smooth afterwards!

Exactly! Logging is all about how you set up your systems to capture and send logs. You can definitely use a central event server for that, but it requires a good bit of configuration.
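To make the FreeIPA + SSSD answer above (central sudo policy) and this logging point concrete, here is an added example that is not part of any answer and not FreeIPA or rsyslog project code. It renders the two client-side files an IPA-enrolled Linux host needs: an `sssd.conf` that pulls identity, authentication, HBAC and sudo rules from IPA, and an rsyslog drop-in that forwards every log line to a central collector over TLS with a disk-backed queue. The domain, realm, server and collector names are assumed placeholders, and it assumes the collector's certificate was issued by the IPA CA (`/etc/ipa/ca.crt`); `ipa-client-install` normally writes `sssd.conf` for you, so the rendered output is what to compare against rather than something to hand-write.

```shell
#!/bin/sh
# Added example: render (and optionally apply) the client-side configuration
# for central sudo policy via SSSD and central logging via rsyslog forwarding.
# All host and domain names below are assumed placeholders.

IPA_DOMAIN="${IPA_DOMAIN:-example.internal}"
IPA_REALM="${IPA_REALM:-EXAMPLE.INTERNAL}"
IPA_SERVER="${IPA_SERVER:-ipa1.example.internal}"
LOG_HOST="${LOG_HOST:-logs.example.internal}"

# sssd.conf for an IPA client: users, groups, passwords/Kerberos, HBAC access
# rules and sudo rules all come from IPA; credentials are cached so logins
# keep working if the IPA server is briefly unreachable.
render_sssd_conf() {
  cat <<EOF
[sssd]
domains = $IPA_DOMAIN
services = nss, pam, ssh, sudo

[domain/$IPA_DOMAIN]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
sudo_provider = ipa
ipa_domain = $IPA_DOMAIN
ipa_server = _srv_, $IPA_SERVER
krb5_realm = $IPA_REALM
cache_credentials = True
ldap_tls_cacert = /etc/ipa/ca.crt
EOF
}

# rsyslog drop-in: forward everything to the collector on 6514/tcp with TLS,
# verify the collector's certificate name, and spool to disk while it is down
# so nothing is lost during an outage (retry forever).
render_rsyslog_forward() {
  cat <<EOF
global(defaultNetstreamDriver="gtls"
       defaultNetstreamDriverCAFile="/etc/ipa/ca.crt")
action(type="omfwd" target="$LOG_HOST" port="6514" protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$LOG_HOST"
       queue.type="LinkedList" queue.filename="fwd_central"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
EOF
}

# Write both files, make sudo consult SSSD, and restart the daemons.
# Only runs when the script is invoked with the literal argument "apply".
apply() {
  render_sssd_conf > /etc/sssd/sssd.conf
  chmod 600 /etc/sssd/sssd.conf            # SSSD refuses world-readable config
  grep -q '^sudoers:.*sss' /etc/nsswitch.conf || \
    echo 'sudoers: files sss' >> /etc/nsswitch.conf
  render_rsyslog_forward > /etc/rsyslog.d/50-forward.conf
  systemctl restart sssd rsyslog
}

if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it without arguments to inspect the rendered files; `sh script.sh apply` as root installs them. Afterwards `sudo -l` on the client should list the rules defined with `ipa sudorule-add` on the server, and `logger -t test "hello"` should show up on the collector.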