Domain: openldap.org
Stories and comments across the archive that link to openldap.org.
Comments · 87
-
The trouble with mixed-language work
If you interface a language with automatic memory management with one with manual memory management, like Java or Perl with C or C++, the low-level stuff has to be very, very carefully written to prevent breaking the memory management system. Most application programmers aren't good enough to write the bulletproof code needed to do that right.
The result, of course, is undebuggable random crashes in the high-level part of the system. Here are some typical bug reports from mixed Perl/C work:
- #1 Okay, it seems to be some kind of conflict between mod_perl/Embperl and PHP and perhaps Apache::DBI. My Embperl stuff works if there's no database access. It also works if I don't load libphp4.so. I guess the best solution is to either build everything statically or run separate servers for PHP and mod_perl.
- #2: Following a large number of updates to our database, slapd is prone to crashing when reading values back. We load a database of about 3800 users with slapadd, then modify a single attribute of every 'person'. Then slapd is likely to crash on reading values back. Restarting slapd seems to make it work again. Just prior to the crash, slapd will give incorrect query results.
... We have a large client site limping along due to this kind of problem ... so any help would be welcome.
I'd like to see safe inter-language calls across a protection boundary. CORBA is about as good as it gets, but it's slow, because it marshals the data into a stream and pumps it through a socket to the other side. There are faster approaches (look at Multics protection rings) but they need some hardware support, which we don't have today.
-
LDAP for bookmarks, addressbooks, etc.
The poster illustrates the problem with examples such as bookmarks and address books (which is a different problem than what Liberty et al. try to solve, I believe). These kinds of information can already be kept in an LDAP server and most applications can store and retrieve these from those servers. Outlook does it, Mozilla does, Ximian does it.
LDAP address book support is relatively mature in most email readers. Check out OpenLDAP for more info.
Single sign-on can also be done via LDAP. Or Kerberos/LDAP if you're so inclined. Netscape's NTSych product, the Psynch® product, etc. can be used to sync NT or Win2k with an external database. Check out projects such as pGina. There's a free general purpose NT password sync DLL available from AcctSync. This DLL is nice: you can catch user passwords and pass them to an arbitrary script with the username. This could be a Perl script that updates LDAP or a VBScript that updates the corresponding Oracle user; it doesn't matter.
Also, it's simple to store public certs in an LDAP server, making it easier to deploy PKI on a budget (you don't want to know how much Netscape and Novell charge for this per user, trust me :)
In short, a lot of your problems can be solved right now by running an LDAP server and configuring your applications to rely on it for their datastore. Good luck.
-
Re:LDAP
>OS X Server is overkill? If you want to run a server, then you need a server OS.
>Linux PPC would do nicely, I'd imagine.
Wow, that is such utter BS. Anything you can run on LinuxPPC you could compile for OS X, maybe something like OpenLDAP, and buying a $500 server OS to get a simple app is exactly the definition of overkill. -
Re:LDAP
www.openldap.org has lots of information about how to set up the openLDAP server on various platforms.
The old Netscape (4.x) clients may do the job for you on Win* and Linux. The Mac's built-in address book is LDAP (at least in 10.2, and possibly in 10.1.x).
iPlanet's (well, now it's SunONE) LDAP server is great if you want to spend the money, in which case spending money on the clients shouldn't be an issue as well.
-
You don't need NetInfo for OS X.... use LDAP.
OK, now while Apple have recently decided to open source their Open Directory system, the current state it is in is a little misleading.
What you want to do is to set up OpenLDAP and do your authentication via that. This is what Apple are moving towards with Open Directory; NetInfo will be relegated to just another plugin, mainly for local configuration info, and as an interface to the LDAP store.
Anyway, I think this is somewhat off track anyway, as all the poster of this question wanted was a file server, not a cross-platform authentication mechanism. If they're only dealing with one or two user accounts, then they may as well just do it all via file sharing, and not bother having centralised user accounts. -
LDAP
Set up an LDAP server. I'm just learning about it myself, but it seems to be designed for just this sort of thing. (Well actually no, it looks like it might be designed for phonebook / addressbook type applications, but this sounds like a close corollary to that model.) There are lots of tools available for running LDAP in conjunction with web servers, database servers, command line interaction, GUI interfaces, programming APIs, etc.
Poking around a little, it looks like there's a good (but old?) FAQ from Netscape, though there are some other sources of information out there.
-
Novell eDirectory
Novell hasn't gotten much right except their directory services. By far, Novell NDS/E-Directory is the best you can get in the industry. If you just want password management, openldap is good enough. However, if you want better user/group/server/services/application management, give eDirectory a shot. There's nothing else better to manage mid-enterprise corporations. It really does kick ass.
-
LDAP is very cross-platform
LDAP is definitely something you should investigate.
It is extremely cross-platform compatible
Sig: What Happened To The Censorware Project (censorware.org)
-
Re:FAQs and Searchable Mailing Lists
If there's one thing I hate, it's Faq-o-Matic. I have never been able to get decent information out of such a mega-hyperlinked irritatingly-coloured monstrosity as Faq-o-Matic. That includes OpenLDAP's FAQ-o-Matic, Amanda's FAQ-o-Matic, Lynx's FAQ-o-Matic and FAQ-o-Matic's own FAQ-o-matic. Clicking a hundred links to get to a single paragraph that almost, but not entirely completely fails to answer the question is more annoying than not having an entry at all. And why does every FAQ-o-Matic seem to be hell-bent on experimenting in shades of puke for the colour scheme? Lynx's FOM doesn't follow this trend but damn near every single FOM on the planet is butt-ugly in addition to being terrible to navigate.
Provide FAQs in plain, easy to read HTML or text. Screw FAQ-o-Matic.
-
Re:Corrections, pointers, and cautions
Quick pointers to NFS U/GID space solutions:
* rpc.ugidd - easy, but insecure. can leak u/gid info to untrusted parties. only works with userspace nfs server in linux - don't know about other opsystems.
* use the same u/gids on every server - almost certainly not an option.
* use a shared PAM back-end, such as LDAP (what I use), MySQL, or PostgreSQL -
Using OpenLDAP
a nice Linux book which covers administering OpenLDAP would be great. and please, dead tree, dead tree. when the server is down, you need a dead tree to read. when the server is up, you don't need a book.
-rp -
Re:OT Question
OpenLDAP is Open Source, but no graphical admin tools out of the box. It's really good for getting your feet wet. There's little difficulty starting your project in OpenLDAP and then migrating the data to another Directory server if you grow out of OpenLDAP's capabilities. God bless real standards.
See this earlier Ask Slashdot article for information on suitable GUI clients for Linux / OpenLDAP.
Also, I like iPlanet's directory server. It's free for some quantity of users and has a nice Java GUI admin tool. This is my choice for a grown-up, enterprise directory server.
-
Fun with LDAP
Softerra's LDAP Administrator is pretty good, and they have a freeware version called LDAP Browser. The LDAP Browser/Editor is nice also.
If you are using LDAP as your addressbook, ldap-abook is a nice interface to add/delete/modify entries. Most email clients are LDAP-aware these days and it's convenient to be able to share an address book between my personal and work email accounts.
I've had to roll my own to do system accounts, however. Make ldapmodify your new best friend, or write an interface of your own - there is a lot of support for Perl or PHP LDAP functions out there. Server-side, I've used OpenLDAP and iPlanet's Directory Server, and I prefer iPlanet. iPlanet has a free non-commercial license option, is significantly faster than OpenLDAP, and has hooks to synchronize with an NT or Active Directory domain so you could do all the user administration in Windows and they would propagate over to your LDAP server.
Other fun things you can do with LDAP are:
- Handle Unix authentication through pam_ldap
- Hook into NIS with the NIS/LDAP gateway
- Authenticate through Apache with mod_auth_ldap or auth_ldap or Netegrity
- Centralize your SMTP routing data in LDAP for sendmail
Good luck. -
LDAP stands for...
...Lightweight Directory Access Protocol, for those unenlightened who read /. and are frustrated by never getting acronyms expanded for them. It is an open-standard protocol for accessing information services.
more can be found here.
-
Re:Uhh.... what's LDAP?
from the first result off of google:
http://www.openldap.org/faq/data/cache/3.html -
Re:BDC?
You can sort of get this kind of functionality by using replicated OpenLDAP. Tell Samba to use the LDAP PAM modules for authentication.
It's kind of a kludge, but it works.
I hear that Samba 3 is supposed to have full blown ldap support built in. -
LDAP? GFS?
If I had my choice on what to implement for the ultimate network distributed filesystem, I would concentrate on LDAP, GFS, and Kerberos. LDAP, by its very nature, was designed to be a distributed, redundant resource locator and data repository. It can be back-ended by any number of engines, including your more popular RDBMSs. It may seem a bit overwhelming, but well worth the investment in time and energy. Check out the OpenLDAP site for more information.
The second issue you're trying to address is data redundancy and failover. You want a high-availability solution. Look into using the Linux Global Filesystem (GFS). In a nutshell, it's a clustered journaling filesystem whose participants are equally responsible for the data on disc. If one of the servers in the cluster goes down, the first server to see it plays back the unfinished journal of the downed server, and the whole cluster continues on its merry old way.
So, it would be one GFS+LDAP cluster with multiple 1U, fiberchannel servers attached to a fiberchannel disc array. Tack on a gigabit ethernet backbone, and you've got a winner.
-
On a lesser scale, I am also investigating this.
Below I have posted a copy of this comment. It concerns a subject in which I am interested, namely an OSS authentication scheme that is an alternative to MS Active Directory or Novell NDS. The original author is a known crapflooder with a bitchslapped account, so I doubt many people will see it (which is why I am reposting it).
"One of my relatives is responsible for IT spending for a rural county in California. I am looking at Linux as an alternative to Windows on the desktop, and I have suggested StarOffice as an alternative to MS-Office. SO6 should be available by the time the county makes its decision."
"One thing I am interested in is a directory services solution for Linux. Novell has Linux binaries for their excellent NDS/eDirectory product, but I'm worried about Novell's viability as a company. Also, I would prefer to use an open source solution, but the only OSS directory services software that I am aware of is OpenLDAP, and it just doesn't seem mature enough yet for production use. The county has about 1500 client systems."
-
On a lesser scale, I am also investigating this.
One of my relatives is responsible for IT spending for a rural county in California. I am looking at Linux as an alternative to Windows on the desktop, and I have suggested StarOffice as an alternative to MS-Office. SO6 should be available by the time the county makes its decision.
One thing I am interested in is a directory services solution for Linux. Novell has Linux binaries for their excellent NDS/eDirectory product, but I'm worried about Novell's viability as a company. Also, I would prefer to use an open source solution, but the only OSS directory services software that I am aware of is OpenLDAP, and it just doesn't seem mature enough yet for production use. The county has about 1500 client systems.
-
Re:What about MS Exchange?
Many companies have deployed MS Exchange server partly because of the integrated global address list and the fact that you can store the email in a central database instead of downloading it to the PC like a POP3 server.
IMAP can store emails on the server side and by using LDAP you can have a centralized server for address book. (LDAP can do much more though...) -
OpenLDAP slave servers completely broken
I submitted this as a story, but I guess it never got accepted. Ah well..
OpenLDAP has massive breakage both in the 1.2 and 2.x series with the S2G Unix time rollover.
The slurpd server completely fails to push updates from the master server to the slaves, due to string compares of timestamps in 1.2 and a related problem in 2.x. There are patches for both in OpenLDAP CVS.
The problem is detailed in the openldap-bugs mailing list -- it was extremely scary to come to work this morning and find out that all the LDAP servers had stopped pushing updates, causing account creations to fail and mail to bounce!
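The comparison failure described in this post, as an added worked example (not slurpd's code; the replication log below is a constructed, simplified stand-in and not slurpd's real replog format): a replica is given the timestamp of the last change it already holds, and a lexicographic string comparison stops admitting anything written after the 1,000,000,000-second boundary, while a numeric or fixed-width zero-padded comparison keeps working.

```python
"""Why comparing Unix timestamps as strings fails at the 1,000,000,000-second
mark (9 September 2001). Added example with a constructed, simplified
replication log; this is not slurpd's code or its real replog format."""
from typing import Callable, List, Tuple

# Constructed replication log: (timestamp text as a log would carry it, change).
# The third entry is the first one written after the ten-digit rollover.
REPLOG: List[Tuple[str, str]] = [
    ("999999990", "add uid=alice"),
    ("999999995", "modify uid=alice"),
    ("1000000003", "add uid=bob"),
    ("1000000010", "modify uid=bob"),
]


def newer_by_string(candidate: str, last_applied: str) -> bool:
    """Buggy policy: lexicographic compare of the decimal text, so every
    ten-digit timestamp (leading '1') sorts below the nine-digit ones that
    start with '9', and post-rollover changes are judged 'already applied'."""
    return candidate > last_applied


def newer_by_number(candidate: str, last_applied: str) -> bool:
    """Correct policy: compare the integer values."""
    return int(candidate) > int(last_applied)


def newer_by_padded_string(candidate: str, last_applied: str) -> bool:
    """Also correct: if a string compare must be kept (for example because the
    value is an index key), zero-pad both sides to a fixed width first."""
    return f"{int(candidate):012d}" > f"{int(last_applied):012d}"


def updates_to_push(log: List[Tuple[str, str]], last_applied: str,
                    newer: Callable[[str, str], bool]) -> List[str]:
    """Changes a replica should receive, given the timestamp of the last
    change it already holds and the comparison policy in use."""
    return [change for ts, change in log if newer(ts, last_applied)]


if __name__ == "__main__":
    last = "999999995"  # replica is current up to just before the rollover
    print("string compare :", updates_to_push(REPLOG, last, newer_by_string))
    print("numeric compare:", updates_to_push(REPLOG, last, newer_by_number))
    print("padded compare :", updates_to_push(REPLOG, last, newer_by_padded_string))
```

The string policy returns an empty list for the post-rollover changes, which matches the symptom in the post: nothing errors, the replicas simply stop receiving updates. The practical check is therefore not a log grep but a canary: make a harmless modification on the master and confirm it shows up on every replica within the expected delay.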
-
LDAP is a very good thing
While Active Directory and NDS are widely used in the Microsoft and Novell worlds, LDAP has never been very popular in the Unix world. Most people have never even heard of it.
LDAP is a standard protocol to access very modular hierarchical databases (called "directories", but anything can be stored in an LDAP directory, not only addresses). It's way more flexible than SQL. You can redefine your own types and constraints (schema), all objects are extensible, all instances can belong to several classes, and anything that can fit in a tree can fit in an LDAP directory.
The first steps into LDAP aren't trivial. The syntax of LDIF files is a bit difficult to learn, but it's worth learning it.
There's an excellent open source LDAP server called OpenLDAP. It has support for LDAP version 3, SSL, IPv6, and everything you need to use LDAP. I've successfully installed it on large production servers. It's stable, and fast (if you add your own indexes).
Just like IPv6, LDAP for Unix has been here for a long time (thanks, iPlanet), but it needs better integration with common software. If LDAP were implemented in all daemons and client software, it would ease network administration a lot. You could then configure all servers from a single workstation, in a coherent, unified database.
And for programmers, adding LDAP support is not hell. Have a look at some OpenLDAP samples. I implemented LDAP support in Pure-FTPd in less than one hour with no previous knowledge of the OpenLDAP API. The src/log_ldap.c is a simple getpwnam() wrapper and it can be reused by any program that uses this library call to read /etc/passwd. It's a GPL package, so feel free to merge it into any piece of free software.
Also, Unix lacks good visual XML and LDAP editors. The recently announced Ganimede looks promising, though. But if you are starting to learn LDAP, also give a try to GQ (sorry, I can't remember the URL, check it on Freshmeat). It's a simple GTK tool to browse and edit LDAP directories and schemas. -
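Two points in the post above, the LDIF syntax and the idea of a getpwnam() wrapper over directory data, are easier to see in code. The block below is an added example, not OpenLDAP's or Pure-FTPd's code, and the LDIF it parses is constructed for the example: the parser handles comments, folded continuation lines and `::` base64 values, and ldap_getpwnam() then resolves a posixAccount entry to the seven-field tuple a passwd lookup returns.

```python
"""Parse LDIF text into entries and resolve a posixAccount entry the way a
getpwnam() replacement would. Added example, not OpenLDAP or Pure-FTPd code;
the sample LDIF below is constructed."""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed sample directory content (not from the page). The gecos value
# is folded over two lines and userPassword is base64-encoded, as LDIF allows.
SAMPLE_LDIF = """\
# two posixAccount entries under ou=People
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/sh
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtc2FtcGxl
gecos: Alice Example,
 Room 101

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
cn: Bob
uidNumber: 10002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/false
"""

Entry = Dict[str, List[str]]
PasswdEntry = Tuple[str, str, int, int, str, str, str]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into a list of entries; each entry maps the lower-cased
    attribute name to its list of values. Handles '#' comments, folded lines
    (a continuation line starts with one space) and 'attr:: base64' values."""
    # Unfold first: glue each continuation line onto the previous logical line.
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def ldap_getpwnam(entries: List[Entry], name: str) -> Optional[PasswdEntry]:
    """Return (name, passwd, uid, gid, gecos, dir, shell) for the posixAccount
    whose uid attribute equals `name`, or None if there is no such account.
    The passwd field is "x", as in a shadowed /etc/passwd: the directory's
    hash is not handed back to callers that only need identity data."""
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes or e.get("uid", [None])[0] != name:
            continue
        return (
            e["uid"][0],
            "x",
            int(e["uidnumber"][0]),
            int(e["gidnumber"][0]),
            e.get("gecos", e.get("cn", [""]))[0],
            e["homedirectory"][0],
            e.get("loginshell", ["/bin/sh"])[0],
        )
    return None


DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(user, "->", ldap_getpwnam(DIRECTORY, user))
```

Against a live server the same ldap_getpwnam() would be fed the result of a search such as `(&(objectClass=posixAccount)(uid=<name>))` rather than parsed LDIF, but the mapping from attributes to passwd fields is the same, and it is that mapping that a program reading /etc/passwd through getpwnam() depends on.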
LDAP
If your data:
- Can be organized into a hierarchy
- Is small in size
- Is read much more than it is written
consider using an LDAP data store. There are excellent open source and commercial options available for Linux.
Get started by reading this nice series of tutorials from LinuxWorld.
After that, help yourself to some of the free schemas here. -
see openldap faq
Check out this openldap faq entry which should give you a lot of detail on what attributes outlook recognizes and netscape recognizes. As normal.. outlook tends to do its own thing instead of following standards closely.
Malice95 -
PHP + Horde + IMP + Kronolith + MCAL
I think a really good scheduling system should have most of these characteristics:
Integrated with the main communication system (email), standards compliant, secure, webbased, maintainable, scalable, licensed DFSG compliant, speedy, flexible, robust and have good documentation and support.
I think a webmail setup with the following components come a long way:
- qmail My favorite MTA. Although the license can't officially be called 'free', you are free to modify the sources.
- Apache-SSL The most extensible webserver with good security features.
- PHP A very popular domain language for the web, with lots of extra modules.
- Horde I recently 'discovered' this ASP platform for PHP code, and began to like PHP because of it.
- IMP I've just hooked up an Apache-SSL/IMP webmail setup to my qmail/IMAP system (residing on another host), and it was very easy to do (thanks to the great Debian maintainers!). The functionality of the webmail client is pretty good compared to some others, although the calendar system is not integrated yet (help out if you can ;). And it even has a multi-language spelling checker.
- IMAP Used with qmail's Maildir format makes a very scalable, robust and maintainable email system.
- PostgreSQL My favorite RDBMS, and getting better all the time.
- LDAP IMP has a nice lookup interface for multiple LDAP servers, it allows for easy point-and-click "to" and "bcc" selections.
- Kronolith The calendar component used in Horde. It uses MCAL and supports multiple users accessing the same calendar.
- MCAL This is a flexible C library for accessing calendars. Although I've not used it (yet).
-
Use pam_ldap along with POP/IMAP server
Two years ago, when I was looking into LDAP stuff, there was talk of a pam_ldap module, which you could use to authenticate all sorts of services against your LDAP directory. If it's available it'll probably be available in the OpenLDAP distribution.
Then hack /etc/pam.d/pop and/or /etc/pam.d/imap to use pam_ldap.so for 'auth' rather than use pam_pwdb.so -
What we do for 50,000 Users..
Recently I was heavily involved in changing over from a Sendmail based system to a new mail system that had to be designed to cope with 50,000 users in an ISP setting.
To keep things short, I'll tell you where we ended up :
- Postfix replacing sendmail for SMTP stuff. We decided to go this way for reasons of fairly straightforward compatibility with sendmail in terms of alias and virtual user tables, but with an overall simpler configuration scheme. Postfix also appeared to be much more efficient in terms of CPU and memory usage. One big plus was the off-the-shelf support for LDAP for users, maildrops and aliases. We are moving a lot of our systems across to LDAP and one less application for me to add LDAP support to made things easier. At the office we run this on FreeBSD 3.4, and at home I have run it on BSD, Linux and Solaris with no problems.
- Cyrus IMAP/POP server from Carnegie Mellon. Previously we were running Cubic Circle's cucipop program which proved to be a great package, but the code is so nutty that any attempts to hack it resulted in great frustration. Cyrus also offered LDAP support, but some hacking was required to get things to fit in with our schema, and to get the authentication just right. It took about 10 minutes to insert the code for DRAC (POP before SMTP authentication). Running on FreeBSD.
- Smunge - a server-side package I wrote to let users check 2 POP boxes as if they were one. This also has LDAP and DRAC support out-of-the-box (tm) :) - Builds on Linux, Solaris and FreeBSD.
- Horde IMP we used as a web email client (talking via IMAP, whereas dial-up customers could only use POP) - Running on Solaris.
- For Radius we currently use FreeSide, but we are moving towards Merit. I have written an LDAP authentication module for Merit, and I'm waiting for the OK from my bosses to GPL it. BSD and Solaris.
- LDAP - we like LDAP :) We currently run OpenLDAP on a production server. We have tinkered with Netscape's Directory Server, but you can only configure that through some crappy slow Java interface, and that kinda sucks.
As for the question of IMAP vs. POP, I think you really need to look at the practicalities of offering one over the other. I won't go over it all again (I know someone else has posted along the same lines) but IMAP is not really the way to go for an ISP/dial-in/remote-user environment. I think perhaps it was even on www.imap.org that I found a quote stating that IMAP was best utilised in a University environment.
I know I'm not really answering your question, but I thought you might be interested to see a path someone has taken. -
Look at openldap
Unless I misunderstood the question, I think the poster may want to look at the OpenLDAP project. It's been around quite a while and offers some of the services requested. Check out www.openldap.org.
-
Re:Open mouth, insert foot
Somewhat better than SMB and NFS, huh?
But not better than NDS.
And, having programmed ADSI, I can confidently say it's not much better than LDAP. There might be more "built-ins" with the Microsoft product, but the API was one of the most painful, annoying, subtly non-standard interfaces I've ever dealt with. I had a heck of a lot more fun connecting to OpenLDAP on a Linux box. Understatement: it was cheaper, too. -
Re:Clarification
We currently have the following on our Intranet.
Web based email - IMP
Global address book - Openldap
Search engine - htdig
Discussion groups - Hypernews
PHP and Apache will need to be installed to get things going.
You can view M$ Word documents with mswordview, which is installed with IMP.
A lot of what you may need is on SuSE 6.2, which may make it easier to be sure that the right libraries etc. exist -
LDAP is an answer.
Note: this is not for the faint of heart, and probably involves overhauling your mail setup.
I've also looked into setting up something like that. It came down to using something like LDAP which is scaleable, standard, and OS-nonspecific for mail users. Then I had Qmail and Cyrus on the backend. I applied the Qmail LDAP patch, allowing Qmail to use LDAP for its user list. For Cyrus, there is another pwcheck file here. It adds the ability for it to authenticate against an LDAP server. Finally (yay!) we need the Qmail/Cyrus glue (as Qmail uses a slow mail format compared to Cyrus, and has no IMAP support [yick!]).
Incoming mail goes to Qmail, which uses scripts to deliver to Cyrus (users LDAP listed). User logins go through Cyrus server programs (which use LDAP auth), and can get their messages that way. This should also support virtual domains.
All in all, it sounds good ;-) I have yet to implement it (I'm going slowly and testing every step. Right now I'm converting my user base to LDAP, then I'll update Cyrus, etc).
Have fun. -
No Palm is an Island
By synchronizing my Palm III with my Linux machine I've been able to passively extend my LDAP contact database in several directions. I had already set up a small app that let my friends use my website to keep their own information up to date, or for long lost friends who find me out there to send me their info. Now this all gets synchronised with the Palm (thanks to pilot-ldif) where I can access, edit, delete to my heart's content. All using open source tools that extend my overall information management to embrace the Palm. (no pun intended)
My next goal is to get the Palm calendar to synch cleanly with KOrganizer and then either find or build some CGI's to take the vcal file that KOrganizer uses and present it as HTML.
Why should you care? Well my point is this: The real value of a tool is not measured in any one device (Palm, my.personal.machine, mywebsite.at-my-isp.com) but in how that tool can be used in conjunction to form larger more useful constructs.
bnf
-
Re:Novel: NDS; MS Active Directory; Linux ___?
There's always OpenLDAP at http://www.openldap.org. I don't know what kind of performance it has though.
-
Support the open alternative
This may be good for those who want to get Linux into NDS networks, but the community should concentrate on creating an open and free directory service for itself, built on open and nonproprietary standards. Support the Linux Directory Project and OpenLDAP:
- A System Administrator's View of LDAP
- Linux Directory Services
- The OpenLDAP Project
-
LDAP resources
In theory this can (and may have been) done using NSS and LDAP.
The NSS modules have been 'rpm'ed and the system designed around PAM - although I'm not sure of the necessity of this for basic authentication - I think it's to do with password modification.
There has been a little discussion on the openldap and rage.net lists.
I hope to have a go testing some of this soon... (albeit on a v. small scale!). There is an RFC specifically on dealing with passwords (among many other things) in LDAP, and utils to convert passwd files to LDAP.
- And this is what I do for fun??