If the switch supports it, you log in with local credentials first, navigate to its config page and configure LDAP under there. You’ll tell it the IP address of the LDAP server as well as give it its client side configuration. You give it bind account credentials (a dedicated service account with as minimal permissions as needed) that it uses to look up the users on the server, as well as Organization Unit paths and such.

When a user goes to log in, the switch will query the provided credentials against the LDAP server. If it’s valid, the LDAP server will respond with a success and the switch will log the user in.

Generally there is always a local account fallback in the event that the LDAP server is unavailable for whatever reason
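The login flow described in the comment above, as an added example that is not part of the original comment or any switch vendor's code. It assumes the common search-then-bind pattern and uses a constructed in-memory directory in place of a real LDAP server; all DNs, account names and passwords are hypothetical.

```python
import hmac
import re

# Constructed stand-in for the LDAP server; all DNs, names and passwords are hypothetical.
DIRECTORY = {
    "uid=svc-switch,ou=service,dc=example,dc=lan": "bind-secret",
    "uid=alice,ou=people,dc=example,dc=lan": "correct-horse",
}
BIND_DN, BIND_PW = "uid=svc-switch,ou=service,dc=example,dc=lan", "bind-secret"
USER_BASE = "ou=people,dc=example,dc=lan"
LOCAL_ACCOUNTS = {"admin": "break-glass"}  # the switch's local fallback account

class ServerDown(Exception):
    """Raised by the mock when the LDAP server is unreachable."""

def same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def escape_filter(value):
    # RFC 4515: escape \ * ( ) and NUL so a username cannot change the filter.
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def bind(dn, password, up):
    if not up:
        raise ServerDown
    # An empty password is an unauthenticated bind (RFC 4513); never treat it as a login.
    return bool(password) and dn in DIRECTORY and same(DIRECTORY[dn], password)

def search(base, filt):
    # Mock server: supports only (uid=value), where an unescaped * matches every entry.
    raw = filt[len("(uid="):-1]
    want = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return [dn for dn in DIRECTORY if dn.endswith("," + base)
            and (raw == "*" or dn.split(",")[0] == "uid=" + want)]

def login(username, password, server_up=True):
    try:
        if not bind(BIND_DN, BIND_PW, server_up):      # 1. bind as the service account
            return "denied"
        hits = search(USER_BASE, "(uid=%s)" % escape_filter(username))  # 2. find the user's DN
        if len(hits) != 1:
            return "denied"
        return "ldap" if bind(hits[0], password, server_up) else "denied"  # 3. bind as the user
    except ServerDown:
        # Fallback only when the server is unreachable, not when it rejects the credentials.
        local = LOCAL_ACCOUNTS.get(username)
        return "local" if local is not None and same(local, password) else "denied"
```

The search base limits logins to the people OU, so the bind account itself cannot be used to log in to the switch.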


Your confusion is confusing me lol

I don’t see how this would work as it relies upon every single device on the network supporting a particular authentication mechanism.

Wdym? That’s not a thing, you can have some devices on LDAP, some with local logins and some with OIDC, or any other combination. Authentication is generally an application layer thing, and switches operate at layer 2, maybe 3 if it’s doing some routing. As long as your network has a functioning DHCP server, the web UI of the switch will be able to communicate with the LDAP server that you configure it to.


Do you have time to build something partially from scratch? I could see repurposing an old laptop, disassemble it and make the screen face outwards with the board affixed to the back of the screen lid.

Might take some creative routing with the internal display cable, but I’ve taken apart tons of laptops where this would be doable, especially after you’ve discarded the plastic chassis

Though you’ll still need a frame of some kind, unless you like the “raw-tech” look


I would do option A, but instead of just not using the free internet, I would use it for everything else not needing server services. So like streaming or general browsing.

Just leaving the Google fiber as a dedicated pipe for all my self hosted services

You can do this kind of split with pfSense easily


A simple scan is fine, but to actually image a dying drive for recovery purposes, you should absolutely be doing a direct connection


SSDs were properly destroyed

I hate when companies do this, SSDs do not need to be shredded, there’s no security benefit whatsoever. You don’t even need to do the whole “write 0s/random data X times” like with HDDs. So damn wasteful ugh.


To deploy AD, that depends.

If you like to sail the high seas AND aren’t trying to use it for a business, then no.

If you don’t want to sail the high seas or need to use it for a business, then yes, you’ll need to buy a Windows Server license


I do, for a multitude of reasons

  • Easier management of family computers
  • an authoritative source for Authentik SSO
  • Learning experience, I’m also heavy Linux, but I try to maintain an OS agnostic philosophy with my skill set so I can have options in my career
  • I was bored
  • Again, since I like to maintain an OS agnostic philosophy I have a healthy mix of Windows, Linux and MacOS devices, and you CAN in fact join Linux (w/ SSSD) and MacOS to a domain too

In addition to what others have said with roaming profiles and such:

DO NOT SET YOUR AD DOMAIN AS THE SAME DOMAIN OF A WEB ADDRESS YOU USE

I…er…someone… Found themselves in this situation and have been in a mess since lmao


NVR software recommendations that support SSO/LDAP
Hi everyone, looking for some NVR software to run a bunch of Cisco 6630 cameras I picked up (I know, I know, but at <20$/camera...). I looked at a few like ZoneMinder and Frigate, but they all seem to only support basic HTTP auth, and I spent a lot of time and effort getting Authentik working nice and smooth and dammit I want to use it for everything I can lol. Just "classic" LDAP is fine too, at least it's still using *some* part of my central authentication infra lmao