EN
Currency:
EUR – €
Choose a currency
  • Euro EUR – €
  • United States dollar USD – $
VAT:
OT 0%
Choose your country (VAT)
  • OT All others 0%
Choose a language
  • Choose a currency
    Choose you country (VAT)
    Dedicated Servers
  • Instant
  • Custom
  • Single CPU servers
  • Dual CPU servers
  • Servers with 4th Gen CPUs
  • Servers with AMD Ryzen and Intel Core i9
  • Storage Servers
  • Servers with 10Gbps ports
  • Hosting virtualization nodes
  • GPU
  • Sale
  • VPS
    GPU
  • Dedicated GPU server
  • VM with GPU
  • Tesla A100 80GB & H100 Servers
  • Sale
    Apps
    Cloud
  • VMware and RedHat's oVirt Сlusters
  • Proxmox VE
  • Colocation
  • Colocation in the Netherlands
  • Remote smart hands
  • Services
  • DDoS L7 Protection
  • L3-L4 DDoS Protection
  • Network equipment
  • IPv4 and IPv6 address
  • Managed servers
  • SLA packages for technical support
  • Monitoring
  • Software
  • VLAN
  • Announcing your IP or AS (BYOIP)
  • USB flash/key/flash drive
  • Traffic
  • Hardware delivery for EU data centers
  • About
  • Careers at HOSTKEY
  • Server Control Panel & API
  • Data Centers
  • Network
  • Speed test
  • Hot deals
  • Sales contact
  • Reseller program
  • Affiliate Program
  • Grants for winners
  • Grants for scientific projects and startups
  • News
  • Our blog
  • Payment terms and methods
  • Legal
  • Abuse
  • Looking Glass
  • The KYC Verification
  • Hot Deals

    22.05.2022

    Integrating FreeIPA with Active Directory

    server one

    Our IT infrastructure has traditionally used FreeIPA to store credentials and control access. When it became necessary to manage our office computers with Windows and Cisco Systems equipment, we had to think about integration with Active Directory. Now, we’ll share our experienced in implementing it in the HOSTKEY local network.

    HOSTKEY

    To solve the problem, you can integrate Linux clients directly into an Active Directory domain and manage them from a domain controller. The second option is integration based on data synchronization or domain trust (AD trust). In this case, user accounts with previously defined attributes are replicated to another directory service and made available to Linux clients.

    Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

    The disadvantages of AD trust

    Although considerable developer resources are spent on AD trust, this solution has significant disadvantages and is only really suitable for companies whose infrastructure was originally based on Active Directory. We had been working with FreeIPA, so the implementation would require a lot of work: in fact our whole system for managing our user accounts would have to be remade from scratch.

    The second disadvantage is the need for constant support for servers with AD and FreeIPA because if the connection between them fails, the server with FreeIPA becomes useless and the work of the whole company would then be disrupted. Authorization is a sensitive area which must be as fault-tolerant as possible. AD trust in this case is an additional risk of failure.

    The pros and cons of Windows sync

    The option with the Windows sync mechanism from FreeIPA assumes a complete synchronization of all credentials via LDAP protocol. At the same time, FreeIPA and Active Directory remain standalone solutions, and if any server is damaged, only the services connected to it will fail, not the whole infrastructure. The user works through a single window with FreeIPA. That means, for example, that it is possible to change the password of an account simultaneously for both Windows-based and Linux-based infrastructure.

    We settled on this option, but we decided to refine it because Windows sync is not designed for group management.

    Unfortunately, the Windows sync mechanism in FreeIPA is not prioritized and is not well developed, especially when it comes to group management. We needed groups in order to organize our staff structure by department, or in any other order. This approach allows rules and policies to be written for each group, rather than per individual user, which greatly simplifies account and data access management, as well as software delivery. Another advantage of groups is that they can be nested.

    For example, our DEVOPS department structure consists of the following subgroups, each of which has defined sets of rights and policies, as well as the services they need to work:

    DEVOPS department structure

    We add the created employee account to a certain subgroup, e.g. junior engineers. As a result, the new user ends up in a whole set of groups: Rocket.Chat users, Jira users, etc. He or she automatically gets access to all the services prescribed for the subgroup. It would not be hard to build this scheme by creating fully analogous groups in FreeIPA and AD, but you would have to administer them manually. The disadvantages are obvious: a lot of time will be wasted on routine tasks, and (and this is the most important thing) there will be potential threats to infrastructure security. For example, a simple change of access rights can lead to disruptions in the production process as a result of manual configuration errors.

    The solution

    We needed automatic synchronization, which we had to implement ourselves based on module manage-freeipa. As a result, we wrote a script which gathers information about the groups in FreeIPA, including nested subgroups, and transfers it to AD. Here is a step-by-step description of the algorithm:

    1. Import the manage-freeipa module.
    2. After importing the module, we connected to the server using the previously added credentials:

    $IPAURL = "freeipa_URL"
    $IPAUSER = "USER"
    $IPAPASS = "PASSWORD"
    $ADOUUSERS = "*OU=users,OU=ipa,DC=win,DC=EXAMPLE,DC=COM"
    $ADOUGROUPS = "*OU=groups,OU=ipa,DC=win,DC=EXAMPLE,DC=COM"
    

    3. Then in AD we request a list of OU groups:

    $OU = Get-ADOrganizationalUnit -SearchBase "OU=groups,OU=ipa,DC=win,DC=EXAMPLE,DC=COM" -Filter *

    4. Filter the trust admins group, which I not included in the data synchronization between FreeIPA and AD:

    $groupsAD = $OU | ForEach-Object {Get-ADGroup -SearchBase $_.DistinguishedName -Filter *} | Where {$_.name -notlike "trust admins"}

    5. We get a list of all groups in FreeIPA, except for trust admins and groups that are used exclusively in the FreeIPA managed infrastructure. The selection is based on the cn field only:

    $groupsIPA = Find-IPAGroup | Where {$_.dn -notlike "cn=invapi*" -and $_.dn -notlike "cn=jira*" -and $_.dn -notlike "cn=trust admins*"} | Select-Object -Property cn

    6. There are a number of groups that are only in AD, we look for them and remove them from the general list:

    $groupsOnlyAD = $groupsAD.name | ?{$groupsIPA.cn -notcontains $_}
    $listGroupsAD = $groupsAD.Name | ?{$groupsOnlyAD -notcontains $_}

    7. Take the list from FreeIPA and remove all the groups that are in AD. This leaves only the list of new groups that are in FreeIPA but not in AD:

    $listAddGroups = $groupsIPA.cn | ?{$groupsAD.Name -notcontains $_}

    8. Next comes the command to add these groups to AD:

    $listAddGroups | ForEach-Object {New-ADGroup $_ -path 'OU=groups,OU=ipa,DC=win,DC=EXAMPLE,DC=COM' -GroupScope Global -PassThru -Verbose}

    9. Then there is a cycle of operations for each AD group that is in the $ListGroupsAD list.
    9.1. We get a user list – group members in AD:

    $listGroupsAD |
    ForEach { $Groupname = $_
    $listGroupMembersUsersAD = Get-ADGroupMember $Groupname | Where {$_.distinguishedName -like $ADOUUSERS} | select SamAccountName

    9.2. We get a list of subgroups of group members in AD:

    $listGroupMembersGroupsAD = Get-ADGroupMember $Groupname | Where {$_.distinguishedName -like $ADOUGROUPS} | select SamAccountName

    9.3. We get the list of the users in this group in FreeIPA:

    $listGroupMemberUserIPA = Invoke-FreeIPAAPIgroup_show -group_name $Groupname | Select-Object -Property member_user

    9.4. We get the list of subgroups in this group in FreeIPA:

    $listGroupMemberGroupIPA = Invoke-FreeIPAAPIgroup_show -group_name $Groupname | Select-Object -Property member_group

    9.5 The lists of subgroups and users in FreeIPA and AD are compared (the list of FreeIPA users is subtracted from the list of AD users and vice versa). Lists of users and subgroups to be added or removed are created:

    $delListMembers = $listGroupMembersUsersAD.SamAccountName | ?{$listGroupMemberUserIPA.member_user -notcontains $_}
    $delListGroups = $listGroupMembersGroupsAD.SamAccountName | ?{$listGroupMemberGroupIPA.member_group -notcontains $_}
    $addListMembers = $listGroupMemberUserIPA.member_user| ?{$listGroupMembersUsersAD.SamAccountName -notcontains $_}
    $addListGroups = $listGroupMemberGroupIPA.member_group | ?{$listGroupMembersGroupsAD.SamAccountName -notcontains $_}

    9.6 The next step is to check if there is someone on the list of users and subgroups to remove: if there is no one, the next step is skipped:

    if (! ([string]::isnullorempty($delListMembers)))
    {
    $delListMembers | ForEach-Object {Remove-ADGroupMember $Groupname $_ -Confirm:$false}
    }
    if (! ([string]::isnullorempty($delListGroups)))
    {
    $delListGroups | ForEach-Object {Remove-ADGroupMember $Groupname $_ -Confirm:$false}
    }

    9.7 The same check is done for adding users and subgroups:

    if (! ([string]::isnullorempty($addListGroups))){
    $addListGroups | ForEach-Object { Add-AdGroupMember -Identity $Groupname -members $_ }
    }
    if (! ([string]::isnullorempty($addListMembers)))
    {

    9.8 Before adding a user to a group in AD, you must verify that the user is in AD. The entire cycle of step 9 is performed for each group in the $listGroupsAD list obtained in step 6. When the session is complete, it disconnects from the FreeIPA server:

    $addListMembers |
    ForEach-Object { try
    {
    Get-ADUser -Identity $_
    Add-AdGroupMember -Identity $Groupname -members $_
    }
    catch {}
    }
    }
    }
    Disconnect-IPA

    The script is run by the job scheduler every 15 minutes.

    Conclusions

    The script has greatly simplified user account management and new employee onboarding, as well as improved the overall security of HOSTKEY's internal IT infrastructure. Next, we plan to configure FreeIPA integration with Active Directory directly through our API without module manage-freeipa. This will have to be done for security reasons anyway because the last time the module was updated was two years ago and there is a risk that support will be discontinued by the developers.

    Rent dedicated and virtual servers with instant deployment in reliable TIER III class data centers in the Netherlands and the USA. Free protection against DDoS attacks included, and your server will be ready for work in as little as 15 minutes. 24/7 Customer Support.

    Other articles

    16.09.2024

    10 Tips for Open WebUI to Enhance Your Work with AI

    Unleash the true power of Open WebUI and transform your AI workflow with these 10 indispensable tips.

    27.08.2024

    Comparison of SaaS solutions for online store on Wix and WordPress.com versus an on-premise solution on a VPS with WordPress and WooCommerce

    This article compares the simplicity and cost of SaaS platforms like Wix and WordPress.com versus the flexibility and control of a VPS with WordPress and WooCommerce for e-commerce businesses.

    08.07.2024

    Let's build a customer support chatbot using RAG and your company's documentation in OpenWebUI

    We'll share our journey creating a technical support chatbot designed to assist our front-line team by answering user questions (and eventually becoming a part of our team itself).

    01.07.2024

    VPS or Dedicated Server: Optimal Hosting Solutions

    Discover whether VPS or Dedicated Servers are the perfect fit for your project. Our article breaks down the pros and cons of each, helping you make an informed decision tailored to your specific needs.

    26.06.2024

    Seeking a self-hosted alternative to Slack? We recommend investigating Rocket.Chat

    If you're looking for a way to maintain complete control over your team's communication, while also ensuring the security of sensitive information and avoiding costly subscription fees, then exploring open-source alternatives to Slack is definitely worth considering.

    HOSTKEY Dedicated servers and cloud solutions Pre-configured and custom dedicated servers. AMD, Intel, GPU cards, Free DDoS protection amd 1Gbps unmetered port 30
    4.3 67 67
    Upload