Discussion: scenarios to choose an account provider

When AD is wanted we must distinguish the two possible variants of file server:

  • default legacy NTLM support, where ACLs on shared folders can be set only from Server Manager
  • all clients Kerberos, where ACLs work but non-joined workstations can access shared folders only by guest access as a last resort
1 Like

A “simple” question which generates a lot of “headache”!

So, who will want to create that “logical dashboard”?

A stupid question, but if Samba has all the features of OpenLDAP plus the ability to act as an AD server / connect to existing domains, then why use OpenLDAP at all?

Has OpenLDAP got any features that are not included within Samba?
What are the benefits of using OpenLDAP rather than using Samba? Does OpenLDAP use significantly fewer resources (i.e. RAM, CPU / processes) than Samba?

I keep on hearing about the reasons for using Samba instead of OpenLDAP but have yet to hear any good arguments for why to use OpenLDAP instead (sure, Samba has the ability to control an AD directory, but this feature could be ignored and Samba could act solely as an OpenLDAP alternative).

The thing is, this isn’t entirely true. Sure, AD is a directory service which uses the LDAP protocol and it uses Kerberos for authentication, but…
AD is a very strict kind of directory service. It is not flexible when it comes to attributes (understatement), whereas OpenLDAP is highly flexible with attributes. I would love some insightful comments by @Christian since he is one of the few that actually understands LDAP.

I was always told that in the MS world the domain is seen as a security boundary. All devices, services and accounts within this domain are managed on the Domain Controller through the AD. Besides that we should know what services we need on our network.
I think it is important to know what exactly are the similarities and what are the differences between OpenLDAP and Samba4AD.
What I found on my search for information:

The Similarities Between LDAP and AD

First, it’s obvious that LDAP and AD are both software implementations of directory services. They are also both hosted on-premises, in most cases. Further, both Microsoft Active Directory and OpenLDAP are fundamentally based on the LDAP protocol. Although most people don’t know that because AD mostly authenticates leveraging Kerberos. However, AD does have the capability to authenticate via LDAP as well. Both directories struggle connecting users to cloud computing infrastructure such as IaaS or Web-based applications.

The Differences Between LDAP and AD

Realistically, there are probably more differences than similarities between the two directory solutions. Microsoft’s AD is largely a directory for Windows users, devices, and applications. AD requires a Microsoft Domain Controller to be present and when it is, users are able to single sign-on to Windows resources that live within the domain structure.

OpenLDAP, on the other hand, has largely worked outside of the Windows structure focusing on the Linux / Unix environment and with more technical applications. OpenLDAP doesn’t have the same concepts of domains or single sign-on. OpenLDAP is largely implemented with open source solutions and as a result has more flexibility than AD.

Another critical difference between OpenLDAP and Active Directory is how AD and OpenLDAP each approach device management. AD manages Windows devices through Group Policy Objects (GPOs). A similar concept doesn’t exist within OpenLDAP.

So, I think the choice should be determined based on needs. Scenarios I can think of:

  • Device management
  • File Server
  • BYOD
  • Windows clients only
  • Mix of clients
  • Update management of your clients

Can you guys come up with more scenarios?

4 Likes

:clap::clap::clap:

@robb and others, I’d like to resume this discussion with a small enhancement proposal. We could easily add more information about the accounts provider concept to the Users&Groups page.

If an account provider has not been configured this could be the new layout (instead of the current standalone “Configure” button):

What happens when the buttons are clicked?

  • “Configure” points to “Configuration > Accounts provider”
  • “Install” points to “Software center”
  • “No, thanks!” points to “Dashboard”

What do you think? Is it a good idea? Is the text clear enough?

/edit: added shared folder explanation

//edit: if you find some English mistakes, please comment directly on my PR here: https://github.com/NethServer/nethserver-sssd/pull/48/files

///edit: @flatspin’s clarification

12 Likes

I like it. It is clear and gives a good overview of the options you have installing or configuring an account provider.

2 Likes

I’m eager to know what our @ambassadors_group @gerald_FS @medworthy @bkroening @transocean @dennylim think about that

Nice, go for this @davidep.

@quality_team @translations_team @ambassadors_group if you find some post of users which misunderstood the usage, probably the documentation or the panel must be amended, so let it know to developers.

2 Likes

Hi Allessio and all other Nethserver Enthusiasts,

I think this is very useful and a good idea.
Above all, it is also a good way for unskilled Linux users like me
to avoid errors during configuration.

Regards

Uwe

1 Like

Very good idea. Like it. Good look and clear. :thumbsup: :thumbsup: :thumbsup:
Maybe one clarification in addition:
“Please be aware that the choice of the local account provider is not reversible!”

6 Likes

and, in network tab, if the chosen provider is AD, a big red warning “changing your ip/subnet will break your server” :wink:

3 Likes

Nice catch, @flatspin: updated the screenshot:

Install a local accounts provider; once installed, it must not be removed

This is a further enhancement. I hope to fix nethserver-dc and implement the procedure to change its IP address from the web interface.

6 Likes

I like the idea provided by @davidep but like others in this thread, I think that there needs to be more documentation / help for this feature (including a more comprehensive explanation of how a NS based server could be implemented into an existing Microsoft based infrastructure).

Also, maybe some form of ‘reset back to default’ function that reverts the server back to the default / original IP and removes both authentication providers.

1 Like

great idea!

If that would fold, I am immediately at the test thereby.

We have a package in testing! To install /cc @quality_team

yum --enablerepo=nethserver-testing update nethserver-sssd
1 Like

We should also add some comments like I’ve seen @davidep (I vaguely recall) post, for example: if you’re building a standalone mail server, then LDAP is best, and it needs to be stressed that authenticated file sharing must use Samba AD.

How would you reword it?

There are two kinds of accounts provider available for this local server:

* Samba Active Directory; ideal for Windows networks and Outlook-based email, required for authenticated file sharing and Windows client administration.
* LDAP; ideal for standalone gateways and mail servers; file sharing is not authenticated.

I’m spitballing here…

2 Likes

This is a big word! I wouldn’t say it here :rolling_eyes:

2 Likes