Domain security in FreeBSD

Hello. I'm very unfamiliar with network security. I am still interested in this question:


What applications in FreeBSD facilitate management of security for a domain? I am considering topics such as identity access management and domain security.

I know Windows Server uses Active Directory for IAM and management of domain security.

What main applications are used with FreeBSD? I know Kerberos deals with verifying cryptographic keys. But what about the larger implementation of domain security management on FreeBSD?
 
You can use a Kerberos+LDAP implementation, such as
- Apache Directory Server
- 389 Directory Server
- FreeIPA
- FusionDirectory
 
Or just "plain" LDAP. Or connect to an existing Windows AD. Or an AD built with Samba.
 
> You can use a Kerberos+LDAP implementation, such as
> - Apache Directory Server
> - 389 Directory Server
> - FreeIPA
> - FusionDirectory

The first three specimens won't run on FreeBSD. Furthermore, I do not encourage running Samba on FreeBSD in a complex/corporate environment; use a Linux distribution. I suggest having a look at the 802.1X standard and a nice project called PacketFence.
 
Basically, AD is mainly LDAP and Kerberos, with DNS for service discovery (instead of SLP).
OpenLDAP and Kerberos (MIT, Heimdal) should be available on any Unix-like environment. You can attach an OpenLDAP system to Kerberos using SASL, or use LDAP as a backend for Kerberos - your choice :)
 
> The first three specimens won't run on FreeBSD.

You are wrong.
- Apache Directory Server - written in Java, so it doesn't matter which OS you run it on. Or did you try it and it has some Linux-specific features?
- 389 Directory Server - yes, binaries are available only for Linux, but you can try to build from source. Why not?
- FreeIPA - the same as the previous one. But it has a lot of dependencies, so in this case it would be difficult.
 
> You are wrong.
> - Apache Directory Server - written in Java, so it doesn't matter which OS you run it on. Or did you try it and it has some Linux-specific features?
> - 389 Directory Server - yes, binaries are available only for Linux, but you can try to build from source. Why not?
> - FreeIPA - the same as the previous one. But it has a lot of dependencies, so in this case it would be difficult.

I'll spare my honest comment here and instead wait for your patches to make them run on FreeBSD. Our whole team, who have spent several man-months on this issue, is eager to learn that these products do run on FreeBSD; we are really glad that someone finally has a solution but at the same time are a bit baffled that he does not share his knowledge.
 
> I'll spare my honest comment here and instead wait for your patches to make them run on FreeBSD. Our whole team, who have spent several man-months on this issue, is eager to learn that these products do run on FreeBSD; we are really glad that someone finally has a solution but at the same time are a bit baffled that he does not share his knowledge.

Look, I don't run this application in particular, but I run a lot of other applications on FreeBSD/Solaris which don't support it. I'm not saying that it's possible in any way, but when you say that it's impossible, please give more details: what exactly couldn't you and your team fix? For example, Atlassian Bitbucket version 7.X and above won't run on Solaris because it has Linux-specific network Java classes, despite being written in Java. So I'm interested: what exactly couldn't you fix to run it on FreeBSD? Another example is "fusion directory", which also couldn't run on Solaris, because Linux and Solaris have a small difference in OpenLDAP: on Solaris the search filter MUST BE at the end, after all command options, but on Linux the search filter CAN BE in any position. So the search filter was in the middle of the query in some files and didn't work on Solaris. Our previous LDAP team couldn't solve this issue, but the current team could.
I'm not saying that I'll solve your issue with such a product, but I expect you to say what exactly you couldn't fix with your team.
You can write it here, or in a separate topic.
Also, "vermaden" is a user on this forum and he has experience with FreeIPA, because he has some articles on his blog: https://vermaden.wordpress.com/2023/08/10/freebsd-on-freeipa-idm-with-poudriere-repo/, https://vermaden.wordpress.com/2023/03/29/connect-freebsd-13-2-to-freeipa-idm/
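
The argument-order problem mentioned in the post above (a search filter placed in the middle of an `ldapsearch` command line) can be checked before a script is moved to another platform. The following is an added example, not part of the thread or of any project named in it; the helper name `check_ldapsearch_order` is hypothetical, and the list of value-taking options is an assumption taken from the OpenLDAP `ldapsearch(1)` synopsis.

```shell
#!/bin/sh
# Added example. Option letters that take a value, per the OpenLDAP
# ldapsearch(1) synopsis (assumption: adjust for other LDAP clients).
LDAPSEARCH_VALUE_OPTS="a b d D e E f F h H l o O p P R s S T U w X y Y z"

# check_ldapsearch_order ARG...   (hypothetical helper name)
# Returns 0 when every option precedes the first operand (the search filter),
# so a getopt(3) that stops parsing at the first operand still sees them all.
# Returns 1 and prints the first option found after the filter.
check_ldapsearch_order() {
    seen_operand=0
    skip_next=0
    for arg in "$@"; do
        if [ "$skip_next" -eq 1 ]; then   # this word is an option's value
            skip_next=0
            continue
        fi
        case "$arg" in
            --)
                # Explicit end of options: everything after it is an operand.
                if [ "$seen_operand" -eq 0 ]; then return 0; fi
                ;;
            -?*)
                if [ "$seen_operand" -eq 1 ]; then
                    printf '%s\n' "$arg"
                    return 1
                fi
                # Walk a cluster such as -LLL or -xb; the first value-taking
                # letter uses the rest of the word or, if none, the next word.
                rest=${arg#-}
                while [ -n "$rest" ]; do
                    letter=${rest%"${rest#?}"}
                    rest=${rest#?}
                    case " $LDAPSEARCH_VALUE_OPTS " in
                        *" $letter "*)
                            if [ -z "$rest" ]; then skip_next=1; fi
                            break ;;
                    esac
                done
                ;;
            *) seen_operand=1 ;;
        esac
    done
    return 0
}

# Constructed sample invocations (arguments only, nothing is executed).
check_ldapsearch_order -x -LLL -b dc=example,dc=org '(uid=alice)' cn && echo "ok"
check_ldapsearch_order -x '(uid=alice)' -b dc=example,dc=org cn || echo "not portable"
```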
 