I am trying to figure out how I can retain personal SSH keys (probably the most important part, or at least important to have an alternative connection method) while also having modern tools like SSO or at least SAML, some way to federate to different ADs.
I know there are a few things out there like Authentik and Authelia, but not 100% sure Authentik covers those needs above. Does anyone have experience with these or other modern LDAP alternatives that work well with Linux?
The only alternative I know of that goes close to what FreeIPA does (minus the cert part) is kanidm. It does:
- oauth2
- ssh key distribution
- RADIUS
- PAM/SSSD
- LDAP
I just noticed they have a beta for multimaster replication, which is nice.
I use it at home. Note, though, that it does not do any hand-holding, and all configuration is done through CLI. Also note, there are docs for the stable or dev branch and there sometimes are big differences between the two.
You also could add Samba Active Directory to the list. It isn’t necessarily better but it is good for mixed environments
Maybe I’m just nostalgic but I think a classic IPA doesn’t need a modern twist. I’m all for IPA open sourcing their beer; heck, free beer is good enough for me.
In all seriousness though, I already saw a user recommend kanidm. I can vouch for kanidm; written in Rust, it allows offline authentication and offline caching of user info, which is really handy if you’re in a situation with poor internet connectivity. kanidm is feature rich:@g5pw@feddit.it already mentioned OAuth2 support, LDAP, RADIUS; etc. It even supports TOTP!! Kanidm doesn’t support SAML IIRC, But SSO can be achieved through OAuth2 with OIDC.
From kanidm’s Github:
Kanidm aims to have the features richness of FreeIPA, but without the resource and administration overheads. If you want a complete IDM package, but in a lighter footprint and easier to manage, then Kanidm is probably for you. In testing with 3000 users + 1500 groups, Kanidm is 3 times faster for search operations and 5 times faster for modification and addition of entries (your results may differ however, but generally Kanidm is much faster than FreeIPA).
It’s my understanding that FreeIPA can federate with Active Directory, but personally I haven’t tried that myself. As for Authentik, it looks interesting but it’s the first I’ve heard of it. I also rely on FreeIPA’s certmonger implementation, so I wonder if Authentik could replace that?
Just to understand your use case, you have users in Active Directory where you want to manage SSH keys and be able to login via SSH to linux machines?
Yeah, users in AD and the FreeIPA replacement essentially handles the SSH key management + middle-man the auth to Linux servers.
This is what I’ve read about where users in AD can be federated to FreeIPA: https://www.freeipa.org/page/V4/One-way_trust. Not sure if this covers your use case
I think my main concern is FreeIPA’s longevity. As a tool, it’s rather outdated even in its latest version. It works, but the upkeep on it is not quite robust. Its implementation of AD standards are also limited. This is why I’m looking for an alternative to FreeIPA.
Free as in free beer?
You could enroll all your servers into a pam, and let that manage your keys. https://goteleport.com/ for instance has open source core and is quite easy to get started with.
I prefer FreeLager myself.
I’m sorry for worthless comment in advance. I’ve never heard of FreeIPA, but I’d definitely get free IPA ;-)
IPA beer is good for sure. freeIPA is a central way to manage Linux devices. manage users ssh keys and even limiting sudo commands with sudo rules. and some other things. It can not do everything active directory does but their sure are a load of similarities.
What are you using freeIPA for?