SURF is the cooperative association of Dutch educational and research institutions. One of the goals of our organization is to facilitate research with HPC (High Performance Computing). We run national supercomputer clusters and provide computing power, data transport, data management and analysis for the Dutch academic community, i.e. for universities, universities of applied science, senior secondary vocational institutions (MBO), UMCs and research institutions.
At SURFsara, an operating company of SURF based in Amsterdam, we have 135 employees at the moment, and they use Windows, macOS and Linux on the desktop. In this heterogeneous environment, we run a central LDAP server. Also, we use Samba to share files, folders, volumes, and printers throughout the network. When I got employed in 2015, one of my first assignments was to upgrade from Samba 3 to version 4. I didn’t want to use Samba’s own LDAP server, but stick to our OpenLDAP schemas. It turned out that syncing between OpenLDAP and Samba 4 was a real challenge. During my research I discovered Univention Corporate Server and thought: “Problem solved!”
In this article I’m describing our setup and how we use UCS as an Identity Management solution internally at SURFsara.
When I started my job at SURFsara, OpenLDAP and Samba 3 were doing great, but eventually we needed Samba version 4. It offers, for example, Group Policy Objects (GPOs), which we really needed in our work environment. Thanks to these group policies you can define a target security and installation configuration for the entire system. During the upgrade to Samba 4 I ran into some problems when trying to synchronize the group memberships and passwords between OpenLDAP and Samba 4.
I searched for an existing solution that would help me out and finally discovered Univention Corporate Server – a Linux-based, Open Source Software which does exactly what we need and offers professional support as well. We definitely didn’t want a proprietary solution, so about three years ago we set up UCS for internal use here at SURFsara.
Switching to UCS
The most important feature for us is the S4 Connector, which connects the OpenLDAP and the Samba LDAP service. It synchronizes users, passwords and group memberships between Samba 4 and OpenLDAP, which means that each group on the UCS side is associated with a group in the Active Directory domain.
First, we moved to Samba 4 Legacy Mode within UCS, and one month later we made the switch to AD. I’m really impressed with the S4 Connector – it doesn’t require a complex configuration and works like a charm. It was no problem to load our existing OpenLDAP schemas. We’ve also replaced the file servers with UCS file servers and are going to store our backups for the macOS clients there as well.
Univention Corporate Servers are running on physical machines in our own data center.
Conclusion: Good Documentation, Great Support
Sticking to OpenLDAP and our schemas was really important to us, and finding an Open Source solution to connect Samba 4 to OpenLDAP was our top priority. Thanks to Univention Corporate Server that is possible.
The UCS online manual is well-written and comprehensive. Also, the Univention support is great. Basically, everybody here at SURF is happy.