NethServer Version: NS7
Module: account provider
If we install NS with aim to be able to create user accounts, we have to make a very basic decision what account provider to use.
In this discussion I would like to make it clear in what scenario which account provider would be the best choice.
I would like to do this so, that the outcome of this discussion will be bundled in this start topic and finally added to the wiki.
Maybe it is a good idea to first identify several scenario’s and then add the accountprovider of choice.
NethServer Version: NS7
A very good subject!
IMO, there are two “basic” situations:
- Active Directory environment (new domain or join to an existing domain, PDC, Additional DC, File Server, AIO, …)
- Non Active Directory environment (hosting server, some apps server, File server without DC/AD, Email Server only, placed in DMZ, …)
For case (1), Samba AD account provider is needed.
For case (2), OpenLDAP account provider is needed.
Additional question for debate: When and why do we need an Active Directory environment?
- smb/cifs file sharing
- single sign-on
If this is not needed OpenLDAP and NextCloud could be a better choice!
Targeted to home environment, maybe?
Starting from your idea, another classification (?):
- home environment:
- business environment:
- Samba AD
After few ideas, somebody with logical skill should synthesize all these in something like a dashboard.
It will be very good also for starting to choose how and for what to use NS (extend Rob’s idea).
However a small business/home environment can choose OpenLDAP and use smb shared folders anyway with guest access!
OpenLDAP is a common feature for business and home.
When AD is wanted we must distinct the two possible variants of File server:
- default legacy NTLM support, where ACLs on shared folders can be set only from server-manager
- all clients kerberos, where acls work but non joined workstations can access shared folders only by guest access as last resort
A “simple” question which generates a lot of “headache”!
So, who will want to create that “logical dashboard”?
A stupid question but if Samba has all the features of openLDAP plus the ability of acting as an AD server / connecting to existing domains then why use openLDAP at all?
Has openLDAP got any features that is not included within Samba?
What are the benefits of using openLDAP rather then using Samba, does openLDAP use significantly less resources (ie. RAM, CPU / processes) then Samba?
I keep on hearing about the reasons for using Samba instead of openLDAP but have yet to hear any good arguments for why to use openLDAP instead (sure, Samba has the ability to control a AD directory, but this feature could be ignored and Samba could act as solely an openLDAP alternative).
The thing is, that this isn’t entirely true. Sure AD is a directory service which uses the LDAP protocol and it uses kerberos for authentication, but…
AD is a very strict kind of Directory Service. It is not flexible when it comes to attributes (understatement) where OpenLDAP is highly flexible with attributes. I would love some insight comments by @Christian since he is one of the few that actually understands LDAP.
I was always told that in the MS world the domain is seen as a security boundary. All devices, services and accounts within this domain are managed on the Domain Controller through the AD. Besides that we should know what services we need on our network.
I think it is important to know what exactly are the similarities and what are the differences between OpenLDAP and Samba4AD.
What I found on my search for information:
The Similarities Between LDAP and AD
First, it’s obvious that LDAP and AD are both software implementations of directory services. They are also both hosted on-premises, in most cases. Further, both Microsoft Active Directory and OpenLDAP are fundamentally based on the LDAP protocol. Although most people don’t know that because AD mostly authenticates leveraging Kerberos. However, AD does have the capability to authenticate via LDAP as well. Both directories struggle connecting users to cloud computing infrastructure such as IaaS or Web-based applications.
The Differences Between LDAP and AD
Realistically, there are probably more differences than similarities between the two directory solutions. Microsoft’s AD is largely a directory for Windows users, devices, and applications. AD requires a Microsoft Domain Controller to be present and when it is, users are able to single sign-on to Windows resources that live within the domain structure.
OpenLDAP, on the other hand, has largely worked outside of the Windows structure focusing on the Linux / Unix environment and with more technical applications. OpenLDAP doesn’t have the same concepts of domains or single sign-on. OpenLDAP is largely implemented with open source solutions and as a result has more flexibility than AD.
Another critical difference between OpenLDAP and Active Directory is how AD and OpenLDAP each approach device management. AD manages Windows devices through and Group Policy Objects (GPOs). A similar concept doesn’t exist within OpenLDAP.
So, I think the choice should be determined based on needs. Scenario’s I can think of:
- Device management
- File Server
- Windows clients only
- Mix of clients
- Update management of your clients
Can you guys come up with more scenario’s
@robb and others, I’d like to resume this discussion with a small enhancement proposal. We could easily add more information about the accounts provider concept to the Users&Groups page.
If an account provider has not been configured this could be the new layout (instead of the current standalone “Configure” button):
What happens when the buttons are clicked?
- “Configure” points to “Configuration > Accounts provider”
- “Install” points to “Software center”
- “No, thanks!” point to “Dashboard”
What do you think? Is it a good idea? Is the text clear enough?
/edit: added shared folder explanation
//edit: if you find some English mistakes, please comment directly on my PR here: https://github.com/NethServer/nethserver-sssd/pull/48/files
///edit: @flatspin’s clarification
I like it. It is clear and gives a good overview of the options you have installing or configuring an account provider.
Nice, go for this @davidep.
@quality_team @translations_team @ambassadors_group if you find some post of users which misunderstood the usage, probably the documentation or the panel must be amended, so let it know to developers.
Hi Allessio and all other Nethserver Enthusiasts,
i think this is very useful and a good idea.
Above all, it is also a good way for unskilled Linux users like me,
Error during configuration to avoid.
Very good idea. Like it. Good look and clear.
Maybe one claryfication in addition:
“Please be aware, that the choice of the local account provider is not reversible!”
and, in network tab, if the chosen provider is AD, a big red warning “changing your ip/subnet will break your server”