I am in the process of nuking my entire home network. Going to re-architect from the ground up. I am looking for an identity management solution that is Open Source and can connect to any service that reads from LDAP.
The reason behind this is that I want to make sure all wireless VLANs that carry family information are as secure as possible. IoT devices can be on their own VLAN that has somewhat more stringent security measures.
I want Mac, iOS, Windows, and Linux clients to connect to this network using the network logins. This solution also has to integrate with RADIUS, Nextcloud, OpenVPN-AS, and other services that traditionally connect to LDAP.
I run Samba4 as an Active Directory DC at my home and I have built these setups for some local businesses also. As far as anything talking to it is concerned, it is a Windows DC. Any normal service request will work with it, and things like Group Policy on Windows computers will even work.
Makes mapped drives and folder security super nice.
FreeIPA can establish one or two-way trust with an AD domain but last I checked it did not work with Samba AD. Also, it appeared to only apply to Kerberos so anywhere using password auth it wouldn’t work. That was a few years ago though.
I guess I don't get why someone would use AD and FreeIPA. Linux, OSX and Windows can all just be bound to AD. And Samba AD supports LDAP and everything, so other devices can auth to it.
Yeah, it seems like all the research is pointing to Samba since most of the libraries used for authorization tend to work with AD.
Unfortunately for me, the last time I used Samba I did not have such a good experience. The network shares were not consistent with my implementation. However, I have seen QNAP and Synology create file shares that work way better than Windows, and I am assuming they are using Samba under the hood. May be worth revisiting.
If your environment has no Windows at all, administering Samba AD is not great. I'm all for CLI, but I do want some sort of GUI, at the very least for password self-service.
Samba AD is administered with Windows RSAT. Literally, it is the Active Directory Users and Computers snap-in. NO CLI required at all. You admin it the same as a Windows DC. It appears like a Windows DC. The 12 dozen times I have said this, here it is again:
NO CLI REQUIRED!
USE WINDOWS RSAT!
THE GUI IS THE SAME AS A WINDOWS DC!
If you bind a Linux or OSX PC, it shows up as a computer, and users can log in to them as users. On Linux, sudoers can be configured by group. On OSX, I don't know, I don't use it that much.
Additional utilities that allow pre-login services for AD (third-party password reset, etc.) work as if it was Windows AD. It is, functionally, Windows AD.