cullumsmith 7 hours ago
Nice. I run a very similar setup, but opted for a stack of OpenLDAP / MIT Kerberos / PowerDNS on my "domain controllers." OpenLDAP does multimaster replication and is the backend for DNS records and the Kerberos database. The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations for things like nested group memberOf= queries, schemas, and ACLs. It's somewhat inscrutable... Nowadays an LLM could do it for you at least. At $job we use Linux / sssd, and I always found it super bloated and rather unreliable. It's nice coming home to FreeBSD and old boring stuff like pam_krb5 and nslcd. It just works. The "ipa" command provided by FreeIPA for managing users/groups/etc is super convenient though.
xorcist an hour ago (reply to cullumsmith)
I don't think it's exactly the same thing, as sssd is primarily a cache. You can use pam_krb5 on Linux too. But can you disconnect your FreeBSD laptop and work as normal from cache? I agree that sssd is quite finicky however, and I'd love a simpler alternative.
whalesalad 5 hours ago (reply to cullumsmith)
Would be highly interested in learning more about this setup, particularly the PowerDNS integration.