Hacker News

Native FreeBSD Kerberos/LDAP with FreeIPA/IDM

38 points, by vermaden, today at 10:29 AM, 6 comments

Comments

zokier, today at 1:18 PM

I feel this is one of the weaknesses of the Linux/unix ecosystem. The freeipa/sssd/nss/pam/krb/ldap/dns (+keycloak/samba/...) etc. stack is just incredibly byzantine. I'm sure it is technically very capable in the right hands, but to me it feels like an intractable mountain of things, and worst of all, the failure modes are pretty bad; you can accidentally leave security holes or alternatively lock yourself out.

cullumsmith, today at 12:42 PM

Nice. I run a very similar setup, but opted for a stack of OpenLDAP / MIT Kerberos / PowerDNS on my "domain controllers."

OpenLDAP does multimaster replication and is the backend for DNS records and the Kerberos database.

The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations for things like nested group memberOf= queries, schemas, and ACLs. It's somewhat inscrutable... Nowadays an LLM could do it for you at least.

At $job we use Linux / sssd, and I always found it super bloated and rather unreliable. It's nice coming home to FreeBSD and old boring stuff like pam_krb5 and nslcd. It just works.

The "ipa" command provided by FreeIPA for managing users/groups/etc is super convenient though.

ipython, today at 12:48 PM

Don't forget to delete the keytab file from the ipa server! Otherwise anyone will be able to download that file unauthenticated and impersonate that host principal.

Better yet, you'll want to encrypt that file in some way when transferring it.

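The keytab hygiene ipython describes above, as an added shell example that is not part of the thread, of FreeIPA, or of vermaden's post: it assumes the host keytab has been pulled to the FreeBSD client (a path such as /etc/krb5.keytab) and that a staging copy may have been left behind on the IPA server; the function names and paths are my own. The checks are what I would run before trusting a keytab on a host: it must be readable only by its owner, and any copy left where it was staged must be gone.

```shell
#!/bin/sh
# Added example, not code from the HN thread or from FreeIPA.
# Post-transfer hygiene for a host keytab: lock it down on the client,
# verify the lock-down, and remove any staging copy on the server.
set -u

# Return 0 if the keytab is readable/writable only by its owner (no group
# or other bits at all). Field 1 of 'ls -l' is always ten characters on
# GNU and BSD ls, so cutting columns 5-10 yields the group+other triplets.
keytab_perms_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Lock the keytab down to owner-only and confirm the result.
harden_keytab() {
    f=$1
    chmod 0600 "$f" || return 1
    keytab_perms_ok "$f"
}

# Remove a staging copy (e.g. one written into a web-served directory on
# the IPA server). BSD rm -P overwrites before unlinking; on GNU rm the
# flag is invalid, so fall back to a plain rm -f. Returns 0 once the file
# is gone, including when there was nothing to remove.
shred_keytab_copy() {
    f=$1
    [ -e "$f" ] || return 0
    rm -P "$f" 2>/dev/null || rm -f "$f"
    [ ! -e "$f" ]
}

# One way to follow the "encrypt it for transfer" advice when the copy
# cannot be pulled directly over ssh: wrap it with a passphrase first.
# (Assumed workflow; openssl enc with -pbkdf2 is a real option set.)
encrypt_keytab_for_transfer() {
    in=$1
    out=$2
    openssl enc -aes-256-cbc -pbkdf2 -salt -in "$in" -out "$out"
}

# Example usage on the client (assumed path, commented out so the file
# can be sourced without side effects):
#   harden_keytab /etc/krb5.keytab && klist -kt /etc/krb5.keytab
# And on the IPA server, for a staged copy (assumed path):
#   shred_keytab_copy /var/www/html/staging/host.keytab
```

On FreeBSD, `rm -P` overwriting is only meaningful on filesystems that rewrite blocks in place; on ZFS the unlink is what actually matters, and the better fix is to never stage the keytab in a web-served directory at all but to pull it over ssh/scp (which is already encrypted in transit). `klist -kt` lists the principals and key versions in a keytab and works with both MIT and Heimdal, so it is a quick way to confirm the file on the client is the one you expect.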
paffdragon, today at 12:44 PM

Hah, what a coincidence: just yesterday I started looking into how to set up LDAP/OIDC on FreeBSD, and today I was going to try FreeIPA or Keycloak. Thanks for sharing.
