> And: Non-enterprise users will most likely not need AD/LDAP support.
I strongly disagree with this. Everyone with more than 2 users in their organization can benefit from AD/LDAP support, if it is easy to set up and administer.
Because... what else is viable for managing multiple user accounts across several machines? Twenty years ago, I would have said NIS (from Sun, originally called YP for 'yellowpages'). But that was horribly insecure. NIS+ was supposed to fix that, but support was never there in Linux land.
Kerberos? That seems too difficult for most small networks.
Don't get me wrong, I don't like LDAP, but there isn't anything better that I'm aware of. LDAP has some support for other applications (for example, we use it for Redmine user accounts), I don't know of anything else besides LDAP that has widespread support.
But the initial configuration was a bit of a mess, where I was going back and forth among the official docs, the Ubuntu docs, and other guides. I should write my own guide so that I can add to the confusion.
>> And: Non-enterprise users will most likely not need AD/LDAP support.
> I strongly disagree with this. Everyone with more than 2 users in their organization can benefit from AD/LDAP support, if it is easy to set up and administer.
Actually anyone with either more than one user, or more than one device/computer IMNHO.
We really (still) need a sane, easy-to-set-up authz/auth solution. Things have gotten a lot better - but still, nfsv4 is sort of not here, samba/cifs isn't quite secure, coda is sort of abandoned, davfs isn't quite fully-featured... And so on and on.
Ssh keys are (almost) easy to use, but really hard to manage securely (everyone just ignores this, and pretends private keys won't leak) - managing an ssh CA is essentially as tricky as any other CA.
Ms realised this, and boxing up kerberos+ldap+dns (and some other bits) was their solution: Active Directory.
I'm not convinced we can't do better for a turn-key linux-first, modern solution (we have public key cryptography now, that should(?) simplify a kerberos work-a-like?). Make it a standard, and bsd support should be easy, and a port to Windows/gina feasible.
I strongly believe the particulars of the solution don't really matter much - just make it open, with a good test suite and decent reference implementation.
Redhat is AFAIK doing great work here, as was/is Debian Edu (nee "skolelinux").
> I strongly disagree with this. Everyone with more than 2 users in their organization can benefit from AD/LDAP support, if it is easy to set up and administer.
You will always need a server. And aside from QNAP NASes (which aren't cheap) there are no "set it up and it runs" options which are free and easy to maintain.
Cheapest option, hardware wise, would be a RPi but it will melt when you try to use it as a filer. Next option is a PC, which adds at the minimum 200W of 24/7 power requirement, not exactly cheap given today's electricity prices.
Software-wise you have the option of MS Small Business Server which clocks in at 200€ but definitely requires a PC plus someone who can set it up, and a Linux variant with Samba which is free but definitely requires someone skilled.
Then there comes the maintenance - with Windows there shouldn't be a problem with regular updates, but with Linux... not so much.
The maintenance and the energy consumption of a server is what keeps small businesses off AD.
FreeIPA and RPi should be a pretty good combo for the prosumer/SB market. RPi has definitely enough horsepower to run a small domain, and FreeIPA bundles all those admittedly gnarly pieces into one neat package.
> RPi has definitely enough horsepower to run a small domain
Maybe enough for the DC part (i.e. Kerberos server, LDAP server, ntpd) but not enough for a fileserver given the Pi is still 100 MBit and limited by its USB ethernet connection, as well as that it doesn't have eSATA, mSSD or any other high-performance storage option. Plus SMB/CIFS implementations are known for performance issues.
Also, a Pi is nowhere near reliable enough for running something as mission critical as an AD server. Good luck when your micro-SD card gets corrupted, e.g. due to power fluctuations. And you WILL get corruptions, especially if you have high write throughput.
There are various other NUC type devices based on laptop chipsets (or you could just use an old laptop with hardware Ethernet and a large-enough hard drive... built-in battery backup!).
The software maintenance is definitely an issue, but I don't see Windows Small Business Server being any better than Linux, there's still a lot of mysterious things that can happen.
We can have both: Ms has Azure Ad - a new/refined open standard that provided sane caching/off-line use should allow self-host on-premise, in cloud as well as Saas/IaaS - add in a new coda-like fs (also optionally as a service) - and I'm pretty sure people would throw some money at it.
Imagine having a box running a lan-local cache/node for a few tb of cloud-backup disk - network mounted as /home/$user and/or / - with local machine cache and regular mirroring to the cloud? With the added bonus of being open - making pure self-host an option as well as moving to other vendors?
Yes, I'd get rid of our phone equipment if I could. It has been a hassle. I just wanted to get everyone Skype accounts with dial-in numbers years ago.
Well, even if you wanted to cloud-host authentication, what easy solution is there for Linux? Where I can create directories on a local file server and assign groups for restricted access?
Well you can host a Docker image of an openldap container, secured by SSL certification (in my experience, Let's Encrypt works for this, just take care to not expose the ldap port, only ldaps) and prevented from unauthorized access by denying anonymous binds.
Using service accounts you can then have other cloud services like Atlassian, Slack or Gitlab authenticate against the LDAP server.
Ad phone equipment: Asterisk in Docker combined with a VoIP provider (and exposing a SIP server) can work, but I have not tried this in practice. It should support standard Android and iOS SIP clients, but beware that this will drain your battery life due to permanent connections and keepalives - I don't know how easy (and supported) push notifications for calls are. Also, going from the VoIP provider through a questionable (in terms of QoS) Docker hoster to your phone will introduce a measurable latency, and the re-coding that may happen in Asterisk can also negatively affect audio quality.
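The openldap-in-Docker setup the post above describes (ldaps only, no anonymous binds), as an added example that is not from the thread or any project: the image name, host name and certificate paths are placeholders, and applying the LDIF assumes the container exposes the usual root-owned ldapi:/// socket for cn=config changes.

```shell
#!/bin/sh
# Added example: harden a containerised OpenLDAP as described in the post:
# publish only ldaps (636), refuse anonymous binds, require TLS for every
# operation. Image, host and certificate paths are placeholder assumptions.
set -eu

LDAP_IMAGE="${LDAP_IMAGE:-example/openldap:latest}"        # placeholder image
LDAP_HOST="${LDAP_HOST:-ldap.example.org}"                 # placeholder host
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/$LDAP_HOST}"   # Let's Encrypt layout

# cn=config changes: no anonymous binds, authentication required before any
# operation, 128-bit minimum security strength, Let's Encrypt certificate chain.
# olcLocalSSF is raised first so the ldapi:/// admin socket (default SSF 71)
# still satisfies the ssf=128 requirement after the change is applied.
hardening_ldif() {
  cat <<EOF
dn: cn=config
changetype: modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcDisallows
olcDisallows: bind_anon
-
replace: olcRequires
olcRequires: authc
-
replace: olcSecurity
olcSecurity: ssf=128
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $CERT_DIR/cert.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $CERT_DIR/privkey.pem
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $CERT_DIR/chain.pem
EOF
}

# Publish ONLY 636 on the host; plain ldap on 389 stays inside the container.
run_container() {
  docker run -d --name openldap -p 636:636 -v "$CERT_DIR:$CERT_DIR:ro" "$LDAP_IMAGE"
}

# Apply the LDIF over the local socket, then check from outside: an anonymous
# bind over ldaps must be refused ("Inappropriate authentication (48)") and
# plain ldap on 389 must not be reachable at all. Returns 0 only if both hold.
verify() {
  hardening_ldif | docker exec -i openldap ldapmodify -Y EXTERNAL -H ldapi:///
  ldapwhoami -x -H "ldaps://$LDAP_HOST" && return 1
  ldapwhoami -x -H "ldap://$LDAP_HOST" && return 1
  return 0
}
```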
> Well you can host a Docker image of an openldap container, secured by SSL certification (in my experience, Let's Encrypt works for this, just take care to not expose the ldap port, only ldaps) and prevented from unauthorized access by denying anonymous binds.
When I set all this up, Docker wasn't even a thing, so it's nice to have that as an option now.
For VoIP, the hardware itself is a pain, though the open-standards software side of things is a pain too.
To deal with QoS issues, we have previously had POTS lines from AT&T plugged into a phone card on the server. So we've got that wonderful digital -> analog -> digital conversion in there.
We've recently switched to Comcast, which has a box with... analog phone ports coming out of it. So we've still got the digital -> analog -> digital conversion, plus any QoS issues on Comcast's last-mile network. Though that hasn't seemed to be a problem, so maybe they've got that figured out. And no, they didn't offer a SIP solution, at least not to us.
As you allude to, I don't see a SIP based solution for our mobile devices as viable, because of the battery drain and roaming. I really just wanted to use Skype or something similar. Who calls me on my desk phone anymore? I'll tell you who, sales people. I don't give out my desk phone number, I'd really rather you just send me an email. If you are important enough, I'll give you my mobile phone number, but that's rare.