Hi,
Over the last few years, I've been using a rather bone-headed solution to implement centralized authentication and roaming user profiles in Linux-based networks: a combination of NIS and NFS.
I'm aware it's not ideal in terms of security, but it's been running in our local school since 2010, and it just works. The current setup is based on Slackware Linux on both server and desktop clients.
Here's the relevant documentation (which I wrote):
http://docs.slackware.com/howtos:network_services:roaming_profiles
BTW, the first two years this solution worked perfectly with CentOS 5.x on the server and on the desktop clients.
I'm currently migrating from Slackware to CentOS, and I'm looking for a "business-grade" replacement of this more or less obsolete configuration.
I've read about various existing solutions, and I'm not quite sure in which direction to go from here: FreeIPA? 389 Directory Server? LDAP+LAM-Manager?
Here's what I want:
1. Users should be manageable through a GUI, probably a web interface, so the client can create, manage and delete them eventually.
2. Home directories should be created/deleted automagically under the hood.
3. Every user should be able to log in on any machine and find his or her files and preferences.
What can you suggest? Is there some robust and well-documented solution that works more or less out of the box and doesn't make me jump through burning hoops?
I'm mainly using CentOS 7, but I'll also have to use CentOS 6.x since in our school we have some older hardware that won't run 7.x.
Cheers from the sunny South of France,
Niki Kovacs
On Mon, Feb 23, 2015 at 11:22 AM, Niki Kovacs info@microlinux.fr wrote:
> Hi,
> Over the last few years, I've been using a rather bone-headed solution to implement centralized authentication and roaming user profiles in Linux-based networks: a combination of NIS and NFS.
> I'm aware it's not ideal in terms of security, but it's been running in our local school since 2010, and it just works. The current setup is based on Slackware Linux on both server and desktop clients.
> Here's the relevant documentation (which I wrote):
> http://docs.slackware.com/howtos:network_services:roaming_profiles
> BTW, the first two years this solution worked perfectly with CentOS 5.x on the server and on the desktop clients.
> I'm currently migrating from Slackware to CentOS, and I'm looking for a "business-grade" replacement of this more or less obsolete configuration.
> I've read about various existing solutions, and I'm not quite sure in which direction to go from here: FreeIPA? 389 Directory Server? LDAP+LAM-Manager?
> Here's what I want:
> - Users should be manageable through a GUI, probably a web interface, so the client can create, manage and delete them eventually.
> - Home directories should be created/deleted automagically under the hood.
> - Every user should be able to log in on any machine and find his or her files and preferences.
> What can you suggest? Is there some robust and well-documented solution that works more or less out of the box and doesn't make me jump through burning hoops?
> I'm mainly using CentOS 7, but I'll also have to use CentOS 6.x since in our school we have some older hardware that won't run 7.x.
IMHO, LDAP (+Kerberos) and NFSv4 with autofs should do the trick. You can tell NFSv4 to use Kerberos not only to authenticate but also to protect/encrypt the connection. Then the user logs in and the home directory is automagically mounted.
For LDAP+Kerberos on CentOS, FreeIPA might do what you want. It has a web-based GUI and works rather well on CentOS. FYI, FreeIPA uses 389 Directory Server instead of OpenLDAP.
> Cheers from the sunny South of France,
I haven't been in that corner of the world in ages. :(
> Niki Kovacs
> Microlinux - IT solutions, 100% Linux and free software
> 7, place de l'église - 30730 Montpezat
> Web: http://www.microlinux.fr
> Mail: info@microlinux.fr
> Tel.: 04 66 63 10 32
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
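A small check to go with the NFSv4+Kerberos advice in the reply above, added here as an example and not taken from the thread or from any of the projects it mentions: a POSIX shell function that audits an /etc/exports file and flags every export that would still accept a non-Kerberos client. Leaving out sec= (which defaults to sys) or listing sys as a fallback flavour quietly undoes the on-the-wire protection the reply describes, and that is exactly what the function looks for. The sample file contents, the /srv paths and the 192.0.2.0/24 network are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread or from any project it mentions).
# Audits an NFS /etc/exports file and reports every export that does not
# require Kerberos on each of its client entries, i.e. still accepts sec=sys.
# The sample file below is constructed; 192.0.2.0/24 is a documentation net.

# audit_exports FILE
# Prints "WEAK: <line>" for each export with a client spec whose sec= list
# contains anything other than krb5i/krb5p, or that has no sec= at all
# (the exportfs default is sys). Returns 0 when every export is
# Kerberos-only, 1 otherwise.
audit_exports() {
    file=$1
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f                       # keep "*" client specs from globbing
        set -- $line                 # $1 = path, rest = host(options) specs
        set +f
        shift
        for spec in "$@"; do
            case "$spec" in
                *'('*')') opts=${spec#*'('}; opts=${opts%')'} ;;
                *)        opts='' ;;  # no options at all: defaults apply
            esac
            sec=''
            oldifs=$IFS
            IFS=','
            for opt in $opts; do
                case "$opt" in sec=*) sec=${opt#sec=} ;; esac
            done
            ok=1
            if [ -z "$sec" ]; then ok=0; fi   # default flavour is sys
            IFS=':'                           # sec=krb5p:sys is a fallback list
            for flavour in $sec; do
                case "$flavour" in krb5i|krb5p) ;; *) ok=0 ;; esac
            done
            IFS=$oldifs
            if [ "$ok" -eq 0 ]; then
                printf 'WEAK: %s\n' "$line"
                bad=1
                break
            fi
        done
    done < "$file"
    return "$bad"
}

# write_sample_exports: writes a constructed exports file and prints its path.
# One export is Kerberos-only; the other two should be flagged.
write_sample_exports() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample /etc/exports
/srv/home   192.0.2.0/24(rw,sec=krb5p,root_squash,sync)
/srv/shared 192.0.2.0/24(rw,sec=krb5p:sys)
/srv/legacy *(rw,sync)
EOF
    printf '%s\n' "$tmp"
}

# Usage: sh audit_exports.sh /etc/exports
if [ "${1:-}" ]; then
    audit_exports "$1"
fi
```

Run it against the server's real /etc/exports; the non-zero exit status when anything is flagged makes it easy to drop into a cron job or a configuration-management check so a sec=sys export does not creep back in after a hurried edit.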
On 02/23/2015 08:22 AM, Niki Kovacs wrote:
> - Users should be manageable through a GUI, probably a web interface, so the client can create, manage and delete them eventually.
FreeIPA is a good option, generally. As best I understand it, it's currently available in a Docker container for CentOS. http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos/
I haven't heard about more standard packaging, but that might come along later...
> - Home directories should be created/deleted automagically under the hood.
You can use pam_mkhomedir to create them, but archiving or deleting home directories would be a manual process.
> - Every user should be able to log in on any machine and find his or her files and preferences.
You can continue using NFS for that.
On 02/24/2015 01:15 AM, Gordon Messmer wrote:
> On 02/23/2015 08:22 AM, Niki Kovacs wrote:
>> - Users should be manageable through a GUI, probably a web interface, so the client can create, manage and delete them eventually.
> FreeIPA is a good option, generally. As best I understand it, it's currently available in a Docker container for CentOS. http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos/
> I haven't heard about more standard packaging, but that might come along later...
ipa-server is available from the base repos in both EL6 (v3.0) and EL7 (v3.3). RHEL7.1 beta ships with version 4.1. EL6 clients are fully compatible with EL7 servers and vice versa.
>> - Home directories should be created/deleted automagically under the hood.
> You can use pam_mkhomedir to create them, but archiving or deleting home directories would be a manual process.
You should use pam_oddjob_mkhomedir for that; it requires fewer privileges and integrates nicely with SELinux.
>> - Every user should be able to log in on any machine and find his or her files and preferences.
> You can continue using NFS for that.
FreeIPA also supports automount/autofs.
You should check out the FreeIPA demo (v4.1): http://www.freeipa.org/page/Demo
- Jitse
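Pulling Jitse's points together (pam_oddjob_mkhomedir for home creation, automount maps served from FreeIPA, and NFSv4 protected by Kerberos as suggested earlier in the thread), here is an added configuration example; it is not from the thread and not from the FreeIPA project's own documentation. The hostnames nfs.example.com and ipa.example.com, the /srv/home path, the 192.0.2.0/24 network and the automount location name "default" are assumptions.

```conf
# Added example (not from the thread or from the FreeIPA project).
# All hostnames, paths and the 192.0.2.0/24 network are placeholders.

# --- Kerberos identities: the NFS server and every client need an nfs/<fqdn>
#     service principal in /etc/krb5.keytab (run once per host, as an IPA admin) ---
#   ipa service-add nfs/nfs.example.com
#   ipa-getkeytab -s ipa.example.com -p nfs/nfs.example.com -k /etc/krb5.keytab

# --- NFS server: /etc/exports ---
# sec=krb5p requires a valid Kerberos ticket AND encrypts the traffic.
# Listing only krb5p (no ":sys" fallback) means an unauthenticated host
# cannot mount the export at all; root_squash keeps a client's root from
# acting as root on the server.
/srv/home  192.0.2.0/24(rw,sec=krb5p,root_squash,sync)

# --- Client: local autofs equivalent of the central map, for reference ---
# /etc/auto.master
/home  /etc/auto.home  --timeout=300
# /etc/auto.home (indirect map; "&" is replaced by the looked-up user name,
# so each user's directory is mounted on demand at first login)
*  -fstype=nfs4,sec=krb5p  nfs.example.com:/srv/home/&

# --- The same map stored centrally in FreeIPA, so no client-side files
#     are needed; clients are joined with
#       ipa-client-install --mkhomedir
#     which enables pam_oddjob_mkhomedir (oddjob-mkhomedir package) and the
#     SSSD automount provider ---
#   ipa automountlocation-add default
#   ipa automountmap-add default auto.home
#   ipa automountkey-add default auto.master --key=/home --info=auto.home
#   ipa automountkey-add default auto.home --key='*' \
#       --info='-fstype=nfs4,sec=krb5p nfs.example.com:/srv/home/&'
```

Two things worth checking after this is in place: that the mount on a client really shows sec=krb5p in the output of `mount`, and that a host without a keytab is refused, which confirms the export has no sys fallback. Deleting or archiving the home directory when an account is removed is still a manual step, as Gordon pointed out.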
+1 for FreeIPA. It is an extremely well integrated domain controller with functionality similar to Microsoft Active Directory.
I would highly recommend setting up an AWS Virtual Private Cloud or something similar and practice deploying FreeIPA a few times with a few clients. It takes some understanding of the caveats and implementation before you will be able to deploy it successfully in a production environment.
Good Luck!
On 24 February 2015 at 01:40, Jitse Klomp jitseklomp@gmail.com wrote:
> On 02/24/2015 01:15 AM, Gordon Messmer wrote:
>> On 02/23/2015 08:22 AM, Niki Kovacs wrote:
>>> - Users should be manageable through a GUI, probably a web interface, so the client can create, manage and delete them eventually.
>> FreeIPA is a good option, generally. As best I understand it, it's currently available in a Docker container for CentOS. http://seven.centos.org/2014/12/freeipa-4-1-2-and-centos/
>> I haven't heard about more standard packaging, but that might come along later...
> ipa-server is available from the base repos in both EL6 (v3.0) and EL7 (v3.3). RHEL7.1 beta ships with version 4.1. EL6 clients are fully compatible with EL7 servers and vice versa.
>>> - Home directories should be created/deleted automagically under the hood.
>> You can use pam_mkhomedir to create them, but archiving or deleting home directories would be a manual process.
> You should use pam_oddjob_mkhomedir for that; it requires fewer privileges and integrates nicely with SELinux.
>>> - Every user should be able to log in on any machine and find his or her files and preferences.
>> You can continue using NFS for that.
> FreeIPA also supports automount/autofs.
> You should check out the FreeIPA demo (v4.1): http://www.freeipa.org/page/Demo
> - Jitse
On 24/02/2015 08:41, Andrew Holway wrote:
> +1 for FreeIPA. It is an extremely well integrated domain controller with functionality similar to Microsoft Active Directory.
I want to thank everybody for their numerous and detailed answers to this thread. Looks like FreeIPA is the way to go. I guess I'll check it out in the weeks and months to come.
Cheers,
Niki