Note: I know there are some questions talking about similar topic, but they were all a couple of years old, therefore I prefered to mention my exact situation to get the most proper solution according to the being time techniques.
I want please to discuss some different cases to get whole understanding.
I want to manage a system of a company or a university (so medium and large scale cases), and I intend to provide the following services for the users of the system on an Ubuntu server: OpenVPN, Jabber, Git, FreeRadius, Email , Redmine and samba file sharing, etc…
I want all the services to authenticate using the same username and password (so to fetch the username and password from a centralized authenticating system, OpenLDAP or Active Directory (with Samba4 as domain controller)).
And I want to allow the clients to logon to the public PCs in the company or university using their same previous username and password, and those public PCs of the clients are a mixture of Windows, Linux, MAC, (and let's discuss the case, when we have just Windows clients, so NO mixture).
I used to use OpenLDAP to authenticate all the mentioned services, and to handle Windows login using pGina, over OpenLDAP and it was pretty good for me.
But I got confused when I started learning about domain controllers for windows using samba4, and I couldn't make a decision what is better for me, is it pGina, or is it Samba4 domain controller? Keeping in mind that in this case (Domain Controller) I cannot use OpenLDAP anymore, because I cannot authenitcate windows against OpenLDAP, but just samba4 AD (And I cannot run Samba4DC in parallel with OpenLDAP in the same server because they are both LDAP servers).
I know that in the being time I cannot make Windows Login authentication against OpenLDAP, but can't I make them somehow communicating with each other of use the benifits of them both (in case I need OpenLDAP to do something not available in AD)?
Do you advise to use OpenLDAP or Active Directory (Using Samba4 as Domain Controller) and why? (taking in consideration handling the authentication of all mentioned services and system login authentication using JUST ONE username and password for each client).
What will I be able to do (and what not) if I used Samba4AD and not OpenLDAP (and the opposite case).
According to what I understood from previous readings, they said that the advantage of AD is that it can manage groups policy in Windows.
How can the groups policy exactly be usful for my case? and which alternatives do I have in case you advised to use OpenLDAP?
To summarize the main questions:
- In my case, is OpenLDAP prefered or Samba4AD DC to authenticate all
services + clients login with the same username and password? (although I understand that I cannot authenticate windows with OpenLDAP but you might have some additions to say about that). - What are the advantages of joining clients PCs to a domain controller
by Samba4 instead of just using pGina? - In case of lack of features in them both (something is provided in
one and not in the other), what is the alternative solution to avoid
that features lacking?
And Please keeping in concideration that I prefer the open source, supported and long term live solutions (logically).
Thank you in advance!
Best Answer
I think this is too broad a question to really work well here, but I think there's a simpler question: "I'm looking at Samba4 vs. OpenLDAP, what should I base my decision on?"
The answer to that question is: Samba4 makes sense if you need some of the Windows-specific (or at least Windows-centric) features that AD provides. (And if you don't want to buy Windows Server and Client licenses.)
When considering using Samba4, you should think of it as being equivalent to Windows Server. You get (most of) the same things you get from Microsoft: integrated login from Windows clients, management using Windows tools, Windows-style ACLs, Group Policies, directory replication (but not to OpenLDAP!), and an LDAP-compatible directory that other applications can authenticate against.
In your situation:
I would say that the most useful Windows-specific features that Samba4 (or Windows Server) provide are Group Policies and client/file/share management using Windows tools. Neither of these seem to be especially important to you right now.
OTOH, I'm not familiar with pGina or any other tools to allow Windows clients to authenticate against OpenLDAP. I don't know if they work well, if they're easy to set up and maintain. They certainly aren't as easy to manage as a domain-joined Windows PC.
As another example:
In our case, we had mostly Windows clients with some Linux and Mac users and we decided that having the Windows clients join an AD domain was important, so we set up Samba4 and dumped our OpenLDAP server. We were able to do this because we didn't have too many accounts and were able to come up with workarounds to sync passwords between OpenLDAP and AD. We had no issues with Redmine, OpenVPN, Owncloud, and other services authenticating against Samba4.