Open source solutions for centralized management of access to resources. Technologies using eDirectory


Many believe that today a full-fledged integrated analogue of MS Active Directory, as well as Group Policy, does not yet exist in the GNU/Linux world. However, developers from all over the world are making attempts to implement similar technologies within UNIX systems. One striking example is eDirectory from Novell, the features of which we will discuss further.

Interestingly, support for Group Policies was implemented in Samba 4, after which effective tools for setting up group policies began to be developed. However, previously, most system administrators had to limit themselves to logon scripts or NT4 system policies.

What does Samba4 allow you to achieve? Many people today have gotten the hang of using this solution as AD, that is, as a domain controller in conjunction with file servers based on the same solution. As a result, the user ends up with at least a couple of configured Samba4 servers, one of which acts as a domain controller and the second as a member server holding the user files.

Today, problems associated with the maintenance and registration of network users within peer-to-peer networks are being responsibly resolved by several leading companies producing modern software. The favorites among such developers today are Microsoft with its previously mentioned Active Directory and Novell with its eDirectory, also mentioned at the beginning of this article.

The solution to the above problems lies in the creation of a directory service, that is, a database that keeps information about all user accounts in persistent storage and thereby significantly simplifies the administration of networks.

Consider the above and other technologies for organizing work with user networks in the context of their advantages and features.

Active Directory - technological features

In essence, AD is an ordered repository of data that provides a fairly convenient way to access information about all kinds of network objects. This also greatly helps applications and users find these objects.

AD uses a distributed name space or DNS (Domain Name System) to determine location. To work with a database, AD has a set of special software, as well as tools designed for application programming.

Even with a heterogeneous structure of systems in the network, AD allows for single sign-on through a simplified protocol related to the LDAP directory service.

This system is good because it is scalable and easy to expand. Active Directory stores its own schema, the set of object classes and their attributes, directly in the directory. Thus the schema can be changed dynamically.

An important feature of AD is its fault tolerance, as well as the presence of a distributed database. The directory service can cover several or one domain at once.

Notable is the delegation function, that is, the provision of administrative rights from the administrator to individual groups and users on trees and containers, as well as the possibility of inheritance.

The AD directory service allows you to quite simply and quickly deploy high-quality and reliable networks that can be built in accordance with a wide variety of individual requirements.

Technologies using eDirectory

Even before the advent of MS Active Directory, other methods of database management were actively used.

So it is worth noting the “Bindery” service from Novell, which is a flat database: within it, records have no obvious relationship with other records. This database is server-centric, which means that each server has its own bindery containing the access rights and settings of network objects. This approach to database management treats network resources as objects that are tied directly to the server's root directory.

The bindery is made up of the following components:

    Objects – physical and logical components of the network that can be assigned names (file servers, user groups, users);

    Properties – characteristic features of each object within the bindery (internet-type addresses, restrictions and passwords);

    Property values (infosets) – the data stored in the bindery for each property (numbers, tables, text, time, date, network address, etc.).

With NetWare 4.x, Novell also introduced the world to a new directory service, eDirectory, which in that version of NetWare was originally called NDS. Since version 6.x it has been known as eDirectory.

Within this service, as well as in Active Directory, a database was implemented that was built on a hierarchical principle. This makes it possible for some network objects to interact with others.

The possibility of eliminating the need for subordination to a hierarchical order is one of the significant advantages of this solution. On some areas of the tree, hemmings may be used, which, naturally, many find to be a very convenient solution.

It is also worth noting that the eDirectory server can also function on platforms that differ from NetWare.

In many ways, the capabilities of this solution coincide with similar capabilities presented in MS Active Directory. For example, through eDirectory you can perform automatic replication, as well as inheritance and delegation.

The main difficulty in the network setup process when eDirectory is installed on the network is the selection of specialists who must have the appropriate skills to work with this solution.

Philip Torchinsky: Good afternoon. Today I won’t talk much about OpenSolaris, although that’s usually what I talk about.

Today we will talk about how and why you can use certain alternatives to the Active Directory directory service in UNIX. Strictly speaking, these will not be exactly alternatives to AD. But I will once again voice my opinion about how the situation will develop in the future, in what direction. I’ll tell you a little about how to configure those solutions that will be popular in the future - again, in my opinion. The report includes a separate piece about Identity Manager.

As a rule, I talk about things that I set up with my own hands and about which I can tell everything. Today will be a little different. I will talk about the concept and mention what I set up myself. I've used this service quite a lot. I can tell you what it looks like from the user’s point of view, and what can be good or bad about it.

One of the main tasks of any designer of any system is to avoid a situation where we use some very powerful tool to do some fairly simple work. Although this is exactly what happens in life.

Surely many of you have seen a set of primitive texts, for example, in Microsoft Word or OpenOffice Writer. In principle, these texts are worthy of being typed in a text terminal, in Notepad or any equivalent. But these texts are so lucky that they are typed in very powerful editors.

I actually think about this often. Since we are here with people who make a difference in this world, I hope that together we can bring the situation to a state where our clients, our employees, and everyone associated with us will spend less time and resources on performing simple actions using complex means.

Now I would like to take my hat off to the developers of Microsoft Corporation. My colleagues and I agreed that, overall, Active Directory is a good thing. It's good that this solution exists, you can actually use it. Another thing is that the Active Directory directory service is often used in places where without it it would be no worse.

What's good about Active Directory? What can it be used for?

First of all, Active Directory is suitable for managing users (groups, user roles, and so on). Strictly speaking, the Active Directory solution is directly related to this, but is not a means of ensuring this. The Active Directory directory service allows you to access the network from different computers and provides the functionality of roaming profiles.

These profiles became my headache for 2 years. I was the head of the IT department of a company where all offices across the country used these same roaming profiles. They could be 2 or 3 gigabytes in size and miraculously stretch from the St. Petersburg office to the Moscow office, because the employee came here on a business trip and decided to work.

This is just a typical example of ineffective use of a good concept, in which it turns out to be terribly inconvenient.

In addition, Active Directory is naturally used to control access, since it says who can go where. Active Directory is also quite widely used in systems where the network is heterogeneous. In this case, we configure access through PAM, authentication, access through Active Directory to some resources that are physically located on computers that are in no way connected with Active Directory. For example, we have a server running Linux on which we need to distribute some files. Naturally, you can use Active Directory for web authentication.

There is one more thing that I will not dwell on in detail today. I’ll just say that this is done using Active Directory. I can guess how to implement this for UNIX applications on UNIX systems, but this has nothing to do with the topic of the report.

These are so-called group policies and, in particular, application management, in which we can configure the “behavior” of specific applications differently for different groups or users.

This thing in the functionality that I will talk about today has not been implemented in any way, as far as I know. This must be done either by other means, or by adding something else to the existing means.

In general, what are computers used for (whether UNIX or not)? There are many goals, but for each group of tasks there is the most convenient protocol. We have the SSH protocol - it was invented for my fellow system administrators. It is clear that ordinary people hardly need it.

The FTP and HTTP protocols are needed by almost everyone who has ever uploaded anything to hosting.

Naturally, everyone needs mail. When, for example, I install some new system on my computer or launch a LiveCD and don’t see working mail there, it already annoys me. Although five years ago I would not have been surprised by this. A mobile phone that cannot read e-mail is just some kind of disgrace. Although, as a rule, we don’t expect this from a home phone.

Another piece of functionality that, as a rule, is required in any company with more than two people is the ability to use the same working environment on different computers. This is required everywhere - from such textbook cases as a group of operators sitting in a bank or in a call center (the latter can be up to 400 people in a row) to less common ones, such as a university administration, where employees move from one body to another. All these people need to have one desktop environment on any computer.

I will now tell you about the means to ensure this working environment. This part of the report has nothing to do with Active Directory analogues. Rather, this is a kind of solution that allows you to implement what is often done using Active Directory, but does not heavily load the system. This is a very simple solution. Most likely, many of you have already used it, or at least seen it, or even sold it - I don’t know.

There is such an old thing as a terminal. They existed even before 1969. In 1969, when UNIX was invented, terminals already existed. Unsurprisingly, everything works quite well from terminals. A modern version of the terminal is what, for example, the Sun company called Sun Ray. Now it is still called Sun Ray, but is produced by Oracle.

The hardware consists of an X-Terminal with an Internet port and a USB port. There are also audio outputs and inputs. You can connect headphones, listen to your favorite music, you can turn on a flash drive - everything will work great. Plus, it can also read smart cards, so you can do authentication using smart cards.

Besides Sun Ray, there is another product (I don’t remember its name) that is part of the Virtual Desktop Infrastructure family.

This is such a virtual Sun Ray. When you come to your boss and say: “Listen, this is the case, Pyotr Petrovich, we should transfer our technical support group to terminals, because instead of quickly answering questions, they play “Klondike” on what they have standing there.” Or: “We’re tired of fixing their power supplies, because they break down every week because we can’t fix the air conditioner.”

This, naturally, does not make Pyotr Petrovich too happy, because the equipment needs to be changed, the equipment seems to have been purchased recently... The computer must last for five years until it is written off, otherwise it’s not good for accounting.

You can use virtual Sun Rays instead of technology. Install virtual workstations. The solution will work on the existing system and “pretend” that it is like a terminal.

We're done with terminals. Now let's see how it works and why we might need a system that is, in a sense, an analogue of Active Directory. I emphasize once again that it is not a strict functional analogue.

Application Servers

Glassfish is a standard application server, which, generally speaking, is similar to Tomcat, but, unlike it, can play the role not only of a web container, but also of an EJB container (which is Enterprise Java...). By the way, what was previously called simply Glassfish is now called Oracle Glassfish Server.

For example, it can run on Oracle Solaris. It works for me in OpenSolaris.

This application server allows you to deploy a wide variety of web applications, including Liferay. I won’t talk much about it today. For those of you who don't yet know it exists, my advice is to pay attention. This is cool stuff. I imagine that in the fairly near future there will be significantly more of this than there is now.

I think that after some time - within a year or two - Java hosting will probably appear in Russia (they already exist abroad). Liferay is a fairly convenient platform for making any kind of website. In principle, I made a website on Liferay - simple, 5 pages, with content, with pictures, with minimal design - in about half an hour.

There is also an implementation of the same portal called WebSpace. It's based on roughly the same code, but was made inside Sun. Liferay is a community product that has little connection to Sun - Sun put very little money or effort into its creation.

This was an example application server.

Now let's see what's behind the application server. Behind the application server is what allows us to authenticate to that application server, and also allows that server and the applications running on it to determine our access rights to different objects.

These are Identity Manager, Directory Server and Access Manager. In principle, there may be more components that provide authentication and access control to certain web resources, but this is the most interesting.

To make it convenient for people, it is quite natural to provide centralized access, to combine web resources logically (as a rule) or organizationally, financially. It is necessary that people have the opportunity to go to one web resource and automatically gain access to all others. To do this, they came up with a well-known thing called single sign-on technology (SSO, Single Sign On). Once you have logged in, everything then works. You don't have to log in anymore.

This is similar to what we are used to, for example, in Windows Client and Windows Server systems, when we “log in” once and then go through all the files.

A reasonable question arises: how often do we need to “walk” through files? From the practice of the group where I have been working for the last 3 years (even more), I see that in fact, “walking” through files and storing files in folders is often not required. I have my own laptop, which has everything I need. Everything that our groups share among themselves lies on the common wiki.

There are different options for implementing a wiki. This could be a free engine called TWiki. There are many more solutions that work in the same way. There are many free hosting sites where you can, for example, host some projects - where the wiki is provided free of charge as a project management element.

This is a pretty popular thing. Therefore, in particular, when you are thinking about what kind of infrastructure to build in your company, the option where you do not have a file server but have a certain web resource where everyone uploads files and takes them from there too (in accordance with their assigned authorities) is a pretty logical scheme. Moreover, the topic of transferring resources to the web is being raised more and more.

By the way, I had a big request to the developers of 1C products: we urgently need to come up with such a thing called web-based accounting. I miss it terribly.

Remark from the audience: There is one.

Philip Torchinsky: Is it really web-based? Am I missing something? How long has it been there?

Remark from the audience: It has already appeared.

Philip Torchinsky: Great. Thank you very much! Apparently I missed something in the last few months and didn't see it. Six months ago, in my opinion, it didn’t exist yet. Now it does. Great. Thank you for the good news!

Now let's return to single sign-on technology. It is convenient to make sure that there are two options for the client to access the single sign-on server.

The first option is when we access a certain web resource, for example, running on the same Glassfish. It is simply a Java application that provides single sign-on (authentication and follow-up). It turns to PAM, which “pulls” information from the usual authentication sources.

It’s good if there is a reverse option: we contact PAM, and it contacts the single sign-on server and manages to ask it something.

The second option, unfortunately, has not yet been implemented - at least I have not seen its implementation. The first option has been implemented, I even tried it. I will try to explain how to implement it.

In February of this year, ForgeRock decided that it would "forge" the OpenSSO project because Oracle, as you know, officially completed its purchase of Sun in February.

From ForgeRock’s point of view, it would be interesting to pull the OpenSSO code of the project from the repository and then do something with it (as the license allows). Great. So far, there is no evidence that Oracle will do anything bad with OpenSSO. Moreover, there is evidence that it will be fine.

Why do I recommend downloading OpenAM, which is the same assembly, only from ForgeRock? Because the ForgeRock website has the best description of how to install it. I saw the best description of how to install OpenSSO there.

Now you need to install Glassfish. In Open Solaris, when unpacking, you need to check the “install Glassfish” checkbox - it will be installed. You can simply download Glassfish and run the installer.

Next you need to start the daemon amunixd, and the system can already be used. OpenSSO will work through PAM. You don't know if you need this - maybe you need something else. But if you need everything to work through PAM, then this is done as I described.

I told you how to install Glassfish correctly and quickly in OpenSolaris. More precisely, how to put it is clear. More interesting is how to set up a domain.

Let me briefly explain what a domain is in relation to Glassfish. We have an application server, and we want to deploy some application on it. This application cannot be deployed in a vacuum. It needs some kind of shell to be created where all the files and settings associated with it will be written. Inside this shell, some additional application components will be deployed, and so on.

This thing is called a domain. It has nothing to do with the domain in the sense of something.ru. This has nothing to do with Internet domains. It is simply a name for a collection of combined, interconnected components. In principle, the domain will have some kind of domain name (from the point of view of an Internet domain), but that will come later. You can configure it if necessary.

Now comes the most important point. When setting up single sign-on, you must specify a fully qualified domain name.

In fact, the instructions from ForgeRock say in large letters on a yellow background: “Write the FQDN to the /etc/hosts file.” If this is not done, an obscure error will be thrown. The result will be a strange diagnosis. What is wrong will be absolutely unclear.

It will say that you will not be able to access port 80. Why can't you? Unknown. Important point. When setting up this configuration, be sure to include the fully qualified name of your host in the /etc/hosts file.

Go to the address, log in (by default the administrator's name is amadmin), select Authorization->Unix. You can select other authorization options if required. But in Unix everything will work through PAM, respectively.

Why do you need Identity Manager and what is it?

Identity Manager from Oracle "knows how" to work with a bunch of different sources of information. Moreover, in one source of information a certain object is called Ivan Petrovich, in another he is Vanya, in the third he is Ivan. These sources of information say something else about him.

What is important? That these sources of information are not required to contain information such as a primary key. There is no unique identifier that lies in each of these sources. Simply by using Identity Manager's management tools, you can link different records from different information sources together in different ways.

Plus, Identity Manager provides synchronization. If, for example, someone is fired from work, then his account is deleted from the list of employees, and from some other list - for example, debtors or creditors of the organization. In general, the entry is deleted from all available sources of information.

Accordingly, if a modification occurs, for example, some fields change, then this is also synchronized between different sources of information, if these fields are there.

As a strategic project, Oracle retained Oracle Identity Manager, which existed before. The project, which was called Sun Identity Manager, also remains. It will continue to exist, but the main product that Oracle sells will be Oracle Identity Manager.

Identity Manager is, in fact, a thing that costs some meaningful money. I know that various Sun and Oracle clients in Russia actually buy it.

There is also an entity called Directory Server, which we talked about a little earlier. This is simply one of the information source options for Identity Manager. As a rule, this is a regular LDAP server. There is a specific product, it is called OpenDS, which Oracle promises to support. It is simply an LDAP server written in Java.

It is convenient to use. If you don’t want to collect anything extra, you can just take this OpenDS and deploy it on the same Glassfish.

I'll tell you about the interaction between the client, application server, Access Manager and Identity Manager.

There is a client that requests access to a file, for example, from a DEP application server with a web interface called a web container. The wrong access rights are defined for the file. The application server "asks" the Access Manager program if it can give access to this file.

Access Manager turns to Identity Manager: “What do we have on the identity of such a comrade?” The information comes back that this comrade has the role of super administrator in the system. Access Manager says, “You can do this.” The information is sent to the application server, for example, Glassfish: “Yes, you can.” The file is issued.

You probably know that in nsswitch.conf, on systems that have it, such as Debian and OpenSolaris, you can write the word ldap in the place where it is determined where to get the authentication information from. There is information on how to set this up on opennet, which describes the necessary addition to the LDAP schema.

That's the most important thing - what the future will look like if we don't push it too hard to look something different. Option one is what I really hope all government services should switch to, now telling me through the window: “Sorry, we can’t do anything. Our computer is frozen, and the system administrator will come tomorrow.” In such places, of course, you need to install terminals so that there is one server where the system administrator is always present.

In addition, obviously, there are situations when working with CAD, when you have to create a server and some workstations, and where applications with any clients (for example, with mobile phones) for everything else.

Thank you very much for the information that 1C: Accounting has already done what I was missing.

Thank you! I think I have 30 seconds left to answer the questions.

Questions and answers

Question: Why is OpenSSO better than traditional Kerberos?

Philip Torchinsky: This is a good question. In fact, OpenSSO and in general any types of single sign-on, as far as I can imagine the scope of their use, are primarily used in web projects. Let's just say I'm not sure this is the exact answer to this question. But I think that for Kerberos the scope of application is already wider.

Question: A question about OpenSolaris. When is the release expected? As far as I know, there have been no fresh builds there for quite some time.

Philip Torchinsky: Fresh builds appear every two weeks and are still available on the website www.genunix.org. So there are no problems with builds. The release was originally expected in March. The current state of affairs: it has been announced that it will appear in the first half of 2010. Unfortunately, I don't know more detailed information. That's all I was told. Thanks a lot!
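Two points from the talk are easy to get wrong and give obscure errors when they are: the host's fully qualified name must be present in /etc/hosts before single sign-on will start, and nsswitch.conf must name ldap as an account source. The following script is an added example, not code from the talk, ForgeRock or Oracle; it performs both checks against files passed as arguments and runs them over constructed sample files (the names sso.example.test and the addresses are made up). It also goes one step beyond the talk: it verifies that "files" is listed before "ldap", so that local accounts such as root still resolve when the LDAP server is unreachable.

```shell
#!/bin/sh
# Added pre-flight checks for the OpenSSO/OpenAM-on-Glassfish setup described
# in the talk (example code, not ForgeRock's or Oracle's):
#   1. the host FQDN appears in an /etc/hosts-style file;
#   2. nsswitch.conf lists "files" before "ldap" for a given database.
# Both functions take the file path as an argument so they can be pointed at
# the real files or at the constructed samples at the bottom.

# fqdn_in_hosts FILE FQDN -> 0 if FQDN appears as a hostname (case-insensitive)
# on a non-comment line of FILE, 1 otherwise.
fqdn_in_hosts() {
    sed 's/#.*//' "$1" | awk -v name="$2" '
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(name)) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# nss_sources FILE DB -> prints the sources configured for DB, e.g. "files ldap"
# (comments stripped, first matching line only).
nss_sources() {
    sed -e 's/#.*//' -e 's/:/ /' "$1" | awk -v db="$2" '
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# nss_files_before_ldap FILE DB -> 0 if DB uses ldap and "files" precedes it,
# 1 if ldap is absent or listed before files.
nss_files_before_ldap() {
    files_pos=0; ldap_pos=0; i=0
    for s in $(nss_sources "$1" "$2"); do
        i=$((i + 1))
        case $s in
            files) files_pos=$i ;;
            ldap)  ldap_pos=$i ;;
        esac
    done
    if [ "$ldap_pos" -gt 0 ] && [ "$files_pos" -gt 0 ] && [ "$files_pos" -lt "$ldap_pos" ]; then
        return 0
    fi
    return 1
}

# --- constructed sample files (not taken from any real system) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/hosts" <<'EOF'
127.0.0.1   localhost
# the SSO host: its FQDN must be here, as the ForgeRock instructions require
192.0.2.10  sso.example.test sso
EOF
cat > "$tmpdir/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
shadow:     ldap files   # wrong order: local shadow lookups wait on LDAP timeouts
hosts:      files dns
EOF

if fqdn_in_hosts "$tmpdir/hosts" sso.example.test; then
    echo "hosts: FQDN present"
else
    echo "hosts: FQDN missing, single sign-on setup will fail with an obscure error"
fi
for db in passwd group shadow; do
    if nss_files_before_ldap "$tmpdir/nsswitch.conf" "$db"; then
        echo "nsswitch: $db ok ($(nss_sources "$tmpdir/nsswitch.conf" "$db"))"
    else
        echo "nsswitch: $db check failed ($(nss_sources "$tmpdir/nsswitch.conf" "$db"))"
    fi
done
rm -r "$tmpdir"
```

Run against the real files with `fqdn_in_hosts /etc/hosts "$(hostname)"` and `nss_files_before_ldap /etc/nsswitch.conf passwd`; the sample run above reports the deliberately misordered shadow line as a failure.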

In a modern network, hundreds of user accounts are often organized, dozens of services are running. To prevent a large number of management points from causing inconsistency, you need a single database of accounts and applications. Recently, a number of interesting open source projects have appeared that expand the standard capabilities of LDAP and are quite capable of replacing Active Directory.

389 Directory Server

  • Project website: directory.fedoraproject.org.
  • License: GNU GPL.
  • OS: Fedora/Red Hat/CentOS, will run on Linux (Debian, Ubuntu, Gentoo), Solaris, HP/UX 11, Irix, AIX, Windows and OSF/1.

An enterprise directory server built by the community and sponsored by Red Hat. It is based on the Netscape Directory Server, developed since 1996, and received a new name, Fedora Directory Server, after Red Hat acquired the rights to it in 2005. In 2009 the project changed its name again, to 389 Directory Server (389 is the LDAP service port number). The reason is simple: FDS was inextricably associated with Fedora, which, according to the developers, hampered development, in particular integration into other distributions. Based on 389DS, Red Hat released a commercial version, Red Hat Directory Server (RHDS), with 24/7 technical support.

Features of 389DS include full support for the LDAPv3 protocol, SSL/TLS and SASL authentication, data synchronization (users, groups, passwords) with Active Directory (provided that the Windows Sync component is installed on the Win2k3/2k8 DC), and access control down to individual attributes (name, group, IP, etc.). The NSS library from the Mozilla Project is used as the crypto engine.

Structurally, 389DS consists of a directory server (Core Directory Server, CDS) and an administration server (Admin Server). The latter's task is to manage all available CDS instances, for which a graphical console (389-console) and command line utilities are offered. On Linux, the console (written in Java) is installed automatically. To manage from Win2k3/2k8, download the Windows Console package from the project website.

Developers note the high performance and scalability of the 389DS. Up to four equal master servers can operate in one network with automatic conflict resolution, load balancing and server redundancy. Servers operating in read-only mode are supported, a kind of analogue of Read Only Domain Controller in Active Directory Win2k8.

The project currently officially offers a repository and packages for RHEL/Fedora (also suitable for CentOS). In addition, installation on other Linux (Debian, Ubuntu, Gentoo), Solaris, HP/UX 11 is possible. Some versions also support Windows, Irix, AIX and OSF/1. However, deployment and subsequent support in “unofficial” systems requires some preparation from the administrator.

The 389DS components are released under the GNU GPL license, but the server is based on a number of products with other licenses (MPL/LGPL/GPL/X). It's also worth noting that 389DS is part of FreeIPA, a centralized solution for user and policy information management and auditing. This product will be discussed below.

FusionDirectory

Since access to the GOsa source code for those not associated with Gonicus GmbH was difficult, the developers decided to create a more open and fully community-supported fork to attract third-party specialists, as well as to provide the conditions for writing plugins for more applications. The new project is called FusionDirectory. The developers promised not only to create the most “powerful and versatile” management solution with more convenient development tools, but also to improve the documentation. In October 2011, FusionDirectory version 1.0.2 was released, but since work on the project began quite recently, there is no need to talk about any special functional differences from GOsa. The documentation essentially consists of a couple of tutorials, but given its relationship with GOsa, you can use the documentation of the parent project while getting familiar with FusionDirectory. The list of supported distributions is clearly defined (Debian, CentOS 5/RHEL 5, Fedora 14/15, openSUSE 11.3/11.4, SLES 11), and, most importantly, a repository has been created for each of them, ensuring easy installation.

Another difference is the officially supported web servers. The developers offer ready-made configuration files for Apache2 and Lighttpd; installation on nginx is also possible, but you will have to create the settings yourself.

Mandriva Directory Server

  • Project website: mds.mandriva.org.
  • License: GNU GPL.
  • Distributions: Mandriva, Debian/Ubuntu, CentOS/RHEL/Fedora, openSUSE, VMware image.

Mandriva Directory Server (MDS) is an easy-to-use solution that allows you to manage user and group accounts, access and network services through a clear interface. In essence, this is a convenient add-on to LDAP, specifically OpenLDAP, although it can also work together with 389DS. Functionally, it can act as a PDC (Windows NT4 level) or an LDAP server with synchronization of accounts and passwords, and it can completely replace Active Directory or integrate into it. Client operating systems can be Windows, Linux and Mac OS X. The interface allows you to configure accounts and ACLs in Samba, manage shared access, CUPS-based printing, mail delivery (Postfix), configure Squid and DNS/DHCP services, and administer GLPI accounts. The package includes Kerberos and can be used to provide single sign-on (SSO). Access control for objects is set down to individual attributes: user, group, IP address, time, etc.


It is especially pleasant that the problems that plagued Mandriva did not affect MDS and the product is constantly evolving. In the latest versions, these capabilities have been supplemented by account management for the Zarafa system, which provides collaboration, centralized storage of OpenSSH public keys, auditing, password policies and much more. Modular architecture allows you to add the necessary functionality or remove unnecessary things from the interface. MDS is easily scalable, supporting several thousand records per server.

The MMC agent module, written in Python and using XML-RPC for data exchange, is the component that directly manages services. Agents are configured through a very easy-to-use web-based MMC (Mandriva Management Console) interface. The administrator can choose one of two display modes: Normal or Expert.

Unlike 389DS, packages are offered not only for the “native” distribution: there is its own Debian repository, assemblies for CentOS/RHEL/Fedora and openSUSE, as well as a ready-made VMware image. Thus, the MDS server part can be installed relatively quickly and without problems on any *nix system. The product is included with Mandriva Enterprise Server. MDS is the easiest to install and configure solution covered in our review, but self-assembly on systems other than MES still requires some LDAP skills. The project documentation is very detailed and allows you to understand all its nuances.

FreeIPA

  • Project website: freeipa.org.
  • License: GNU GPL.
  • Distributions: server - Fedora/CentOS, client - Linux, AIX, HP-UX, Solaris, openSUSE.

The goal of the FreeIPA (Free Identity, Policy and Audit) project is to create an environment for Linux systems that is an alternative to Active Directory and allows you to centrally manage user authentication and set access and audit policies. In fact, FreeIPA is a combination of several open source projects, such as the Fedora distribution, 389DS, MIT Kerberos, NTP and BIND. This project, developed with financial support from Red Hat, is the basis for the IPA product used in the commercial distribution, which Red Hat introduced to the public in the summer of 2008.

WARNING

FreeIPA up to and including version 2.1.3 has a CSRF vulnerability (CVE-2011-3636). To fix it, you should update to 2.1.4.

The FreeIPA code first appeared as part of Fedora 9 (May 2008), but normal synchronization with Active Directory had not yet been implemented at that time. At first, clients could connect manually, but this was inconvenient. In October 2009, work began on a new branch 2.0. Its final version was presented at the end of March 2011. The day on which the release was announced is remembered by many Linux users as “Fedora 15 Test Day,” dedicated specifically to testing FreeIPA2. Currently implemented:

  • centralized management of user, group, computer and service accounts;
  • managing access to applications, setting password policies and Kerberos settings, managing SUDO rules;
  • Kerberos authentication for users and nodes;
  • Host Based Access Control - management and storage of roles in LDAP;
  • certificate management service (Dogtag Certificate Server).

A network built using FreeIPA can functionally consist of three types of systems: one or more servers, client machines and an administrator’s computer. The latter, in fact, is a regular client desktop with console utilities for remote management of FreeIPA (by the way, it is not at all necessary to use them - you can easily get by with the web interface, which is written in Java).


Authentication Manager in Fedora allows you to select FreeIPA

To reduce the load on the channel, the client uses a local cache (LDB and XML), receiving settings from it even when there is no access to the server. The SSSD (System Security Services Daemon) authentication management agent is installed on the client system. The client part is implemented not only for Red Hat/Fedora and clones, but also for other OS and platforms: AIX, HP-UX, Solaris, openSUSE. Interestingly, two Red Hat employees are working on assembling client packages for Ubuntu/Debian and ensuring their compatibility.


A special application (certmonger) simplifies the creation and management of certificates by automatically generating and obtaining a new certificate when the old one expires. Optionally, integration with a BIND-based DNS server is possible (you need the LDAP BIND plugin with dynamic updating via GSS-TSIG). When managing computers and groups of computers, authority is verified using a Kerberos keytab or certificate. The modular architecture of the server and client parts allows you to integrate FreeIPA with any product without any problems. Currently, policies are also used to store access parameters for local applications and desktop settings. Not all policy management, auditing and control functions that are planned for the project have been implemented yet. There are no SELinux rule settings, no Samba support, no FreeRADIUS, no centralized SSH and LVM key management, no OTP and much more. The obvious disadvantage of the product is that it is primarily focused on distributions derived from Red Hat. You can install the FreeIPA server part from the Fedora, CentOS, K12LTSP and compatible repositories. The developers have done everything to simplify the localization process in version 2.0 (it uses gettext and UTF-8). In the install/po directory there is a file ru.po, in which only a small part of the messages is translated.

The project is actively developing, and errors are being discovered. The latest release 2.1.4 addresses the CSRF (Cross-Site Request Forgery) vulnerability, CVE-2011-3636.

Apache Directory Server

A directory server developed by the Apache Software Foundation. Written entirely in Java, it supports LDAPv3, Kerberos and the Change Password Protocol. It is positioned as a solution that can be embedded into other Java applications, but nothing prevents you from using it standalone. It provides implementations of LDAP and Kerberos, and support for other protocols can be added. The product is multi-platform: packages for installation on Linux, Windows and Mac OS X are available on the project website, and the source code allows you to build ADS on any system for which Java is available. In addition to standard LDAP capabilities, stored procedures, triggers, dynamic Java objects and much more are implemented. It is distributed under the Apache license. The project also develops Apache Directory Studio, which includes an LDAP browser, a schema browser, LDIF and DSML editors, and client programs for administration.

GOsa2

  • Project website: oss.gonicus.de/labs/gosa.
  • License: GNU GPL.
  • Distributions: packages - Debian/Ubuntu, RedHat/CentOS/Fedora, openSUSE/SLES, from source - any *nix.

The GOsa2 project, which is an add-on for popular open source applications, provides the administrator with a single control center for the entire IT infrastructure. The interface allows you to manage *nix and Samba accounts, user and group rights, computers, mailing lists, applications, settings for basic network services: DHCP, DNS, HTTP, SMTP, etc. Development is carried out under the auspices of Gonicus GmbH, which uses GOsa in their services.

All functions are included in plugins (the principle of “one service = one plugin”), so the admin assembles the configuration in accordance with his needs.

Currently, more than 30 plugins have been implemented to manage services such as Squid, DansGuardian, Postfix, Courier-IMAP, Maildrop, GNARWL, Cyrus-SASL, OpenSSL, ISC DHCP, WebDAV, PureFTPd, PPTP, Kerberos, Asterisk, Nagios, OPSI, Netatalk, FAI, rsyslog, and the groupware servers SOGo, OpenGroupware, Kolab and Scalix. Moreover, all of the above plugins do not have to work on one server; some of them can be installed on separate hosts.


User accounts are grouped into groups to which allowed applications are assigned. When creating new accounts, templates are used (the administrator creates them himself) with specified access rights to objects. A permission set consists of a visibility type, objects (users/groups), and permissions. Permissions define all possible actions: create, delete, move, read, write, etc.

GOsa is the only project in our review with a localized management interface. True, it is not completely localized yet, but using gettext allows you to do it yourself if necessary.

Installation on any Linux distribution is supported. The developers recommend Debian, for which a separate repository has been created. Packages for Red Hat/CentOS/Fedora and openSUSE/SLES are also available, but, as a rule, developers are in no hurry to compile them, so the versions are a little late. You can use any web server, but preference is given to Apache2 and nginx. The documentation is only available in English and does not keep up with the development of the project; many points are reflected in it very superficially.

INFO

FreeIPA is used for authentication and authorization in oVirt's KVM-based virtualization solution.

To synchronize the 389DS with Active Directory, you must install Windows Sync.

After installing the 389-ds package for the 389DS configuration, you should run the script.

The system-config-authentication utility included with Fedora contains a tab that allows you to enable authentication through FreeIPA.

Conclusion

Even at a glance it is clear that the most multifunctional tool is GOsa2. This solution provides management of accounts and numerous services, supports installation on most Linux distributions, and has a localized interface. However, the final choice depends on the specific task.

One can argue about the advantages and disadvantages of Linux and open source in general, but one cannot help but admit that in certain areas the open OS has achieved undoubted success. These, by the way, include the server market, where the popularity of Linux is growing from year to year.

IDC data for the 4th quarter of 2012 shows that with the overall growth of the server market by 3.1% (compared to a year earlier), sales of equipment with Linux increased by 12.7%, with Windows by 3.2%, and with Unix decreased by 24.1%. Of course, it is easy to see from this that Linux is still displacing Unix, not Windows, but, in any case, a market share of 20.4% is already quite significant.

However, servers are a broad concept. IDC believes that the popularization of Linux is primarily driven by cloud and high-performance computing. The analyst firm is echoed by The Linux Foundation, which claims that 76% of large companies it surveyed already use Linux to build “clouds” and 74% plan to maintain or even increase the presence of an open OS.

Linux is also widely used for deploying web servers and various internal Internet services, such as proxies, email, etc. The latter has historically been quite popular among small businesses, including Ukrainian ones, as it allows significant savings on licenses and maintenance, for example by outsourcing to an Internet provider. Participants in a survey by The Linux Foundation named the breadth of capabilities (75%), low total cost of ownership (71%), and high security (69%) as the main arguments in favor of Linux.

Linux can also be used to build an IT infrastructure, thanks to independent implementations and to Samba. However, if we consider that the majority of workplaces in organizations are still based on Windows and this situation is unlikely to change radically, then we have to admit that Linux in this capacity looks rather pale. Recently, however, there has been progress here too.

Released at the end of last year, Samba 4 implements an almost full-fledged analogue of Active Directory (AD), including a domain controller, DNS service, Kerberos authentication, and group policies. Naturally, this is only the first release, containing errors and shortcomings, the correction of which, however, is in full swing. In addition, Samba 4 cannot yet create complex domain structures and hierarchies and establish trust relationships, which limits its applicability in large organizations.

Thus, at the moment, the most realistic applications of Samba 4 are the construction of test infrastructures and training classes, as well as implementation in small businesses. However, Western observers are quite skeptical about the latter: will the savings outweigh the risks of unstable infrastructure operation? In Ukrainian realities, however, the value system is somewhat different, and financial and legal arguments can outweigh all others.

Moreover, in many cases the real choice is not so great. Microsoft offers special editions of Windows Server 2012 for small businesses - Essentials and Foundation. The first, at a price of $500, is quite interesting for 25 users, the second is offered for OEM installation and is ready to support 15 users. But the problem is that for a larger number you will need to not only purchase an additional CAL, but also change the server license to Standard. Samba 4 has no such restrictions and can be scaled to any required level. Probably, an OEM model would also be better suited for its distribution, guaranteeing full compatibility with the equipment and the absence of surprises, at least at first.

Meanwhile, the implementation of Samba 4 itself is quite a simple matter. Naturally, it is better to start by testing some specialized distribution. One such distribution is offered by SerNet, a German integrator and participant in the Samba project: the SerNet Samba 4 Appliance. Additionally, you can deploy the Zarafa collaboration software on it; it includes a ready-made script for adjusting the AD schema.

Novell/SUSE offers its Excellent Samba4 Appliance, both in the form of bootable images and already deployed virtual disks for all popular virtualization systems. This distribution is periodically updated following the release of new fixes for Samba 4.

Actually, initializing AD consists of deploying the distribution kit or creating and launching the corresponding virtual machine and executing the ready-made dcpromo script, which requests a few parameters (domain name, IP address, etc.).

Since Samba 4 was created on the basis of the officially purchased one, its compatibility promises to be quite high. In any case, you can use all the standard Microsoft administrative tools, which in the case of the Excellent Samba4 Appliance are even accessible through the internal web server.

Since Samba 4 implements all the RPC procedures required for AD, you can also use command line utilities and PowerShell scripts. The Linux community is also developing its own tools, both graphical and scripted, but their level of readiness is still unsatisfactory.

When using Microsoft tools, further domain administration is completely familiar to anyone even superficially familiar with AD in Windows Server. Adding accounts, creating groups, and delineating powers is done completely transparently.

One of the most valuable advantages of Samba 4 is its support for the Group Policy mechanism, which is a convenient and effective means of administering workstations on Windows. Essentially, this is the first step towards a managed infrastructure and thanks to Samba 4 it has become even easier.

The simplest example is to enable the desired Windows Update mode on all workstations and block the user's ability to change it. The problem is solved in exactly the same way in both Windows Server and Samba 4:
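The same Windows Update policy expressed as a PowerShell script, run from an administrator's Windows machine with the RSAT GroupPolicy module against the Samba 4 domain controller; this is an added example, not a script from the article or from the Samba project, and the domain DN, GPO name and install schedule are assumptions you should adjust.

```powershell
# Added example: fix the Windows Update mode for all domain workstations via a GPO
# and verify the result on a client. Domain DN and GPO name are assumptions.
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=lan'                    # assumed domain, change to yours
$gpoName  = 'Workstations - Windows Update'        # assumed GPO name
$auKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Create the GPO only if it does not exist yet, so the script can be re-run safely.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Automatic updates: fixed mode, not user-changeable'
}

# "Configure Automatic Updates" = Enabled.
# NoAutoUpdate = 0 keeps the mechanism on; AUOptions selects the mode:
#   2 = notify before download, 3 = download and notify, 4 = download and install on schedule.
# Values under HKLM\...\Policies are policy-enforced, so the local Windows Update
# settings page becomes read-only for users, which is the "block changes" requirement.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'AUOptions'    -Type DWord -Value 4 | Out-Null
# Schedule (assumed): 0 = every day, at 03:00.
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallDay'  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -ValueName 'ScheduledInstallTime' -Type DWord -Value 3 | Out-Null

# Link the GPO at the domain root (narrow -Target to a workstations OU if you have one),
# again skipping the link if it is already present.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Check on a workstation after a reboot or "gpupdate /force": the four values must
# appear under the Policies hive; if they are missing, the client did not apply the GPO
# (typically a SYSVOL or DNS problem on the Samba side).
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' |
    Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```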

The result after rebooting the workstation or forcing a group policy update is quite predictable:

Thus, Samba 4 allows you to organize a simple AD domain on Linux without actually needing deep knowledge of Linux itself. In addition, the flexibility of an open OS makes it possible to create compact monofunctional distributions with Samba 4 that will work reliably in both physical and virtual environments. The stability and scalability of Samba 4 itself is still in question, but the development team, it seems, is not going to stop there.