Nice. I run a very similar setup, but opted for a stack of OpenLDAP / MIT Kerberos / PowerDNS on my "domain controllers."

OpenLDAP does multimaster replication and is the backend for DNS records and the Kerberos database.

The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations for things like nested group memberOf= queries, schemas, and ACLs. It's somewhat inscrutable... Nowadays an LLM could do it for you at least.

At $job we use Linux / sssd, and I always found it super bloated and rather unreliable. It's nice coming home to FreeBSD and old boring stuff like pam_krb5 and nslcd. It just works.

The "ipa" command provided by FreeIPA for managing users/groups/etc is super convenient though.

> The hardest part was figuring out OpenLDAP's configuration syntax, especially the correct ldif incantations ..

As a long time Linux user on personal machines, I found myself for the first time a couple of years ago needing to support a small team and give them all login access to our small cluster. I figured, hey it's annoying to coordinate user ids over these machines, I should just set up OpenLDAP.. little did I know.. honestly I'm pretty handy at dealing with Linux but I was shocked to discover how complicated and annoying it was to set up and use OpenLDAP with NFS automounting home directories.

For the first time in my life I was like, "oh this is why people spend years studying system administration.."

I did get it working eventually but it was hard to trust it and the configuration GUI was not very good and I never fully got passwd working properly so I had to intervene to help people change their passwords.. in the end we ended up just using manually coordinated local accounts.

The whole time I'm just thinking, I must be missing something, it can't be this bad.. I'm still a bit flabbergasted by the experience.

I don't think it's exactly the same thing as sssd is primarily a cache. You can use pam_krb5 on Linux too. But can you disconnect your FreeBSD laptop and work as normal from cache? I agree that sssd is quite finicky however, and I'd love a simpler alternative.

You are correct, sssd has a ton of features (like basically replicating the entire domain locally and caching passwords so you can roam away from your corp network). If you need those things, you need sssd.

Would be highly interested in learning more about this setup, particularly the PowerDNS integration.

PowerDNS is an open-source DNS server that lets you store your DNS configuration in a variety of different backends, one of which is LDAP.

For each of my "domain controllers," I run: OpenLDAP, an MIT Kerberos KDC, and a PowerDNS server. The KDC and PowerDNS both get their data from LDAP on 127.0.0.1, and LDAP changes are synchronized between all the nodes.

This is convenient because you don't have to synchronize zone files on multiple hosts.

I use a custom /bin/sh-based config management system, but you can probably get the gist of it here:

https://github.com/cullumsmith/infrastructure/blob/master/sc...

https://github.com/cullumsmith/infrastructure/blob/master/fi...
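As an added illustration of the wiring described above (example code written for this thread, not taken from the linked repository), the /bin/sh functions below render the two fragments that tie PowerDNS to the LDAP replica on the same node: a pdns.conf snippet that only ever talks to 127.0.0.1 with a dedicated read-only bind account, and the matching slapd ACL that lets that account, and nothing else, read the DNS subtree. The suffix dc=example,dc=com, the ou=dns subtree, the cn=pdns service DN and the secret file path are all assumptions.

```shell
#!/bin/sh
# Added example, not the author's config management. All DNs and paths below
# are assumptions; adjust to your own directory layout.
set -eu

BASE_DN='dc=example,dc=com'                          # assumed directory suffix
DNS_OU="ou=dns,${BASE_DN}"                           # assumed subtree holding DNS records
PDNS_DN="cn=pdns,ou=services,${BASE_DN}"             # assumed read-only service account
PDNS_SECRET_FILE='/usr/local/etc/pdns/ldap.secret'   # assumed; keep the secret out of the script

# pdns.conf fragment: the resolver only talks to the LDAP server on this node
# (loopback, no network hop) and binds as a dedicated account rather than the
# rootdn or anonymously. "strict" method expects dnsdomain2-style entries.
render_pdns_conf() {
    secret="$1"
    cat <<EOF
launch=ldap
ldap-host=ldap://127.0.0.1/
ldap-basedn=${DNS_OU}
ldap-binddn=${PDNS_DN}
ldap-secret=${secret}
ldap-method=strict
EOF
}

# cn=config modification adding an ACL at position {0}, so it is evaluated
# before the database's catch-all rules: the PowerDNS account may read the DNS
# subtree, everyone else is denied. olcDatabase={1}mdb is an assumption.
render_dns_acl() {
    cat <<EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="${DNS_OU}"
  by dn.exact="${PDNS_DN}" read
  by * none
EOF
}

# Typical use from a config run (not executed here):
#   render_pdns_conf "$(cat "$PDNS_SECRET_FILE")" > /usr/local/etc/pdns/pdns.conf
#   render_dns_acl | ldapmodify -Y EXTERNAL -H ldapi:///
```

The generated pdns.conf must be readable only by the pdns user, since it carries the bind secret in clear text.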

In addition to this, for those of you running Proxmox, it has PowerDNS integration.