• moonpiedumplings@programming.dev · 5 points · edited · 10 hours ago

    See this old but still relevant comment I made on another thread: https://programming.dev/post/11284326/8200514 . TL;DR: There are plenty of ways to do it, but you have to do it yourself and it’s not an all-in-one solution. Users are the easiest part though. Servers are second easiest. Clients are more difficult.

    Further solutions and quick notes since then:

    • Authentik is what I use for shared logins. It supports LDAP as well as OIDC.
    • Nubus by Univention for user management. It’s a wrapper around OpenLDAP and Keycloak, so it comes with both of those in one solution, which looks nice.
    • Himmelblau is authentication of local desktops via OIDC. Maybe not needed, but interesting regardless.
    • Firefox has policies: https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson which let you control and enforce certain settings like preinstalled extensions and default settings. You will probably need this for clients.
    • Linux’s realmd respects some group policies. Not all, and it depends, but I’ve discovered it respects some, converting values to analogs. I’m assuming that Red Hat’s FreeIPA/389 Directory Server can serve group policies as well. I don’t know how reliable this is for top-down config though.

    I’m going to focus on clients, because users and servers are basically solved, although you will have to pick and implement a solution.

    If I was in an all-Linux environment… it depends on how much control I have over the current setup. The best would probably be to push configuration (but that also supports regular pull as well) from the top down to the users, via something like building immutable images or NixOS configs and then shipping them to clients. This would be an all-in-one solution that comprehensively covers every part of config.

    I do agree with the other user in the thread that user config management is a bit more difficult. Firefox policies cover the biggest thing, the browser, but the rest is annoying. Nix user config, or Home Manager config, could do it, but hmmm.

    And then the other thing is client security. When it comes to the specific kind of client security that IT environments want, Linux isn’t as far ahead. I would really want an alternative to AppLocker, or something similar to restrict app execution. I can guess three possible ways to do this:

    • Mounting home directory noexec
    • SELinux
    • Apparmor

    But I think you would want to restrict software installation and execution. Not just to prevent malware: having users install proprietary licensed software in an enterprise environment without actually purchasing it could quickly turn into a nightmare for everybody.

    edit: ooh, check this out:

    https://talks.nixcon.org/nixcon-2024/talk/R8ZBWW/

    https://clan.lol/docs/25.11/getting-started/creating-your-first-clan

    https://github.com/nix-community/awesome-nix?tab=readme-ov-file#deployment-tools

    Edit 2: also check out MeshCentral.
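The first of the three execution-restriction options above, mounting user-writable filesystems noexec, is easy to state but easy to get partially wrong (one mount covered, another forgotten). The following is an added example, not code from the thread or from any of the projects it mentions: a POSIX sh audit that reads mount entries in /proc/self/mounts format, reports the user-writable mount points that lack noexec, and prints the fstab line that would add the option. The sample mount table and the list of "user-writable" targets are constructed assumptions for the example; adjust both for a real fleet.

```shell
#!/bin/sh
# Added example (not from the thread): audit user-writable mounts for the noexec option.
# Input format is the /proc/self/mounts style: "<source> <target> <fstype> <options> 0 0".
# The sample below is constructed, not taken from a real host.

SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /var/tmp ext4 rw,nosuid,nodev,noexec 0 0'

# Mount points where ordinary users can write; this set is an assumption for the example.
WRITABLE_TARGETS='/home /tmp /var/tmp /dev/shm'

# audit_noexec: read mount lines on stdin and print each target from WRITABLE_TARGETS
# whose option list lacks noexec. Returns 0 when every target is covered, 1 otherwise.
audit_noexec() {
    missing=0
    while read -r src target fstype opts rest; do
        [ -z "$target" ] && continue
        for want in $WRITABLE_TARGETS; do
            [ "$target" = "$want" ] || continue
            # Wrap the option list in commas so "noexec" only matches as a whole option.
            case ",$opts," in
                *,noexec,*) ;;
                *) printf '%s\n' "$target"; missing=1 ;;
            esac
        done
    done
    return $missing
}

# fstab_line: print the /etc/fstab entry for a mount, appending nosuid,nodev,noexec
# when noexec is absent and leaving the line alone when it is already present.
# Arguments: device, mount point, filesystem type, current option string.
fstab_line() {
    case ",$4," in
        *,noexec,*) printf '%s %s %s %s 0 2\n' "$1" "$2" "$3" "$4" ;;
        *) printf '%s %s %s %s,nosuid,nodev,noexec 0 2\n' "$1" "$2" "$3" "$4" ;;
    esac
}

# On a live client run:  audit_noexec < /proc/self/mounts
# Run over the constructed sample; the two uncovered targets are printed.
echo "$SAMPLE_MOUNTS" | audit_noexec || echo "mount points above lack noexec"
fstab_line /dev/sda3 /home ext4 rw,relatime
```

This only checks the mount flags; it is worth keeping in mind that noexec stops the kernel from executing files on that filesystem directly, while an interpreter invoked on a script stored there is a separate policy question, which is where the SELinux and AppArmor options in the list come in.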

  • truthfultemporarily@feddit.org · 6 points · 11 hours ago

    There is no all-in-one solution.

    You have to solve the individual parts separately:

    • User directory, login: Keycloak, Authentik
    • Configuration management: Ansible, Puppet

    The user config management part is not solved well, in my mind. Puppet is probably the best, because it can pull config whenever a client is online, whereas Ansible is push-based.

    On the other hand, this software can manage absolutely everything, not limited by what GPOs support.

    Linux server config management, on the other hand, is way ahead of Windows. Also, Linux installs so quickly, and the images can be so small, that many companies don’t even patch; they just boot a fresh image every week (immutable infrastructure).

  • hendrik@palaver.p3x.de · 4 points · edited · 9 hours ago

    With LDAP for example (FreeIPA, OpenLDAP and a bunch of others). There’s NIS as well. If you want it exactly like AD, try Samba.

    In reality, I’d probably put the users into some more modern ID and auth solution, and re-assess whether I even need some Microsoft-style directory for servers and clients. I likely have better tools available.

    And the big enterprise distributions, or projects like DebianEdu, will have some solution listed in their documentation which is tied into their ecosystem.

  • PabloSexcrowbar@piefed.social · 3 points · 10 hours ago

    The closest I’ve ever found to AD for Linux is FreeIPA, though there’s also VAS tool (vastool) for corporate environments if you want to use actual AD on Linux.