Where are the 'Modern' Directory Services?
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
What about Netware and eDirectory? I hear they use open standards for Linux.
You didn't ask for open source.
:)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Evil ZEN Scientist
What is within Yast is an OpenLDAP Client component.
If you are setting up an OpenLDAP server, you still need to do everything 'by hand' in order to get it setup and running. I have only started looking into this myself and I have to say that it isn't something you can just fire up and get running in just a few minutes.
If you ignore the other uses of a tool, does that make the tool less useful, or you less useful?
I work for an IT environment at a Canadian University and for a Single Sign On solution we use a linux server/clients (debian but it really doesn't matter which you use) which uses the pam_mount module to mount a user's Windows samba share to /home/$username/$folder_name and we also use a log in script which copies back and forth any settings (.dot files) to and from the samba share to the local filesystem as smb does not by default work for home directories as it does not support all of the unix filesystem standards... CIFS was a push in the right direction to change that but wasn't ready for prime time last time I checked. For authentication we use kerberos against the Windows ADS but any ldap or similar pam module should work for you.
Yup! SuSE does an excellent job of configuring LDAP for you. This includes:
Configuring Samba for LDAP and populating the LDAP server with the proper entries.
Putting the dhcp server configuration in LDAP.
Custom scripts for Samba to add/remove machines and users in LDAP via Samba.
Configuring Bind to use LDAP as a backend.
I'm pretty impressed. I love RedHat/Fedora, but those distros don't have anything like SuSE has for bootstrapping the LDAP configuration. Maybe RedHat will get more serious about it once they release the GPL'd version of iPlanet Directory Server.
Personally, I can't wait until Samba 4 comes out that will bring this all together (Kerb, LDAP, AD) with its own LDAP server.
Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to set up the server, that's the only real catch.
I recently set up a *nix server to act as a Windows PDC for our small workgroup. It wasn't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouldn't undertake this with an RPM distro, unless I had plenty of support.
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to our intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have set up Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
"Joining the Active Directory with OS X.3 Client": http://www.infodiv.unimelb.edu.au/lansg/osx/os-x3-ad.html
I have nothing to add to the article.
All those moments will be lost in time, like tears in rain. Time to die.
Actually if you are a software developer you can work with Novell and bundle up to 250k seats of eDirectory 'free/beer' with your product.
:)
So the directory side of things is not 'pay-at-the-door'
Usual disclaimers.
Evil ZEN Scientist
ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
Only the greatest of Linux Users can use LDAP.
I made the following changes on my linux box:
Step 1: Edit /etc/nsswitch.conf
add "ldap" to the passwd, shadow, and group lines.
add "nisplus" to automount line
Step 2: Edit /etc/ldap.conf
Set host and base DN
Step 3:
There is no step 3!
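As an added example (not the poster's own code), this Python helper applies the two nsswitch.conf edits from Step 1 to a file's contents idempotently, keeping "files" ahead of "ldap" so local accounts such as root still resolve if the LDAP server is unreachable. The sample file content in the test is constructed.

```python
# Apply the "add ldap / add nisplus" edits to an nsswitch.conf text.
# Lines are rewritten in place; comments and unrelated databases are kept.
LDAP_DBS = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Map each database name to its list of source tokens (comments ignored)."""
    dbs = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if ":" in body:
            db, _, sources = body.partition(":")
            dbs[db.strip()] = sources.split()
    return dbs


def add_source(line, source):
    """Append SOURCE to one 'db: src src' line unless already present; keeps a trailing comment."""
    body, sep, comment = line.partition("#")
    db, _, sources = body.partition(":")
    tokens = sources.split()
    if source not in tokens:
        tokens.append(source)
    new = f"{db.strip()}:".ljust(12) + " ".join(tokens)
    return new + (" " + sep + comment if sep else "")


def enable_ldap(text, automount_source="nisplus"):
    """Return nsswitch.conf content with ldap on passwd/shadow/group and AUTOMOUNT_SOURCE on automount."""
    out, seen = [], set()
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        db = body.partition(":")[0].strip() if ":" in body else None
        if db in LDAP_DBS:
            line = add_source(line, "ldap")
        elif db == "automount":
            line = add_source(line, automount_source)
        if db:
            seen.add(db)
        out.append(line)
    # Databases the file never mentioned: list "files" first so local lookups win when LDAP is down.
    for db in LDAP_DBS:
        if db not in seen:
            out.append(f"{db}:".ljust(12) + "files ldap")
    if "automount" not in seen:
        out.append("automount:".ljust(12) + "files " + automount_source)
    return "\n".join(out) + "\n"
```

Note that sources are appended after any existing `[action]` tokens, so check the resulting line order by hand if your file uses them.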
http://www.djack.com.pl/Suse9hlp/ch21s08.html
See 21.8.5. LDAP Server Configuration with YaST
IANALBIPOOGL (I am not a Lawyer, but I play one on GrokLaw.)
XAD brings together OpenLDAP, Kerberos, and other open source software to provide single sign-on across Linux, UNIX and Windows.
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation too.
LDAP is the core of what people usually call middleware. Ever logged into your machine and authenticated against a server, LDAP. Ever done a directory lookup on someone using Outlook at work? LDAP. Use happy fancy Cisco VoIP phones? LDAP...etc etc etc. Basically, if you have to pass directory info between systems for any reason at all, most of the time you're using LDAP (x501).
I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services.
...including Mac OS X by implication in your conclusion that you have "yet to find a distribution that comes out-of-the-box with modern directory services."
To me, this also implied you had server or other hardware capable of running Mac OS X family operating systems. Therefore, the logical answer, and the first thing I thought of when I read your post, was Open Directory on Mac OS X Server. It's based on OpenLDAP and other open technologies, such as SAMBA, and does everything you're asking for.
And to the other poster who asked how Open Directory behaves with mixed Windows/Mac/Linux clients: very well. It's just an LDAP- and Kerberos-based directory and authentication server, and it works very, very well. And it will be even better on Tiger.
The free seats have been on offer for years. They aren't going away anytime soon. Why? Strategy. Novell *wants* people to develop eDirectory applications and not be turned off by licence costs.
You should check out the Hurderos project. The goal of Hurderos is to create a framework for directory and authentication using open tools. In other words, an open-source equivalent of Active Directory and NDS.
Although the project is in its infancy, it has really good ideas for integrating identity management, authn, and authz.
http://www.hurderos.org
Sorry, Jon... you are out of touch. It will absolutely do every bit of that either natively or with the rest of the Win2000/2003 tools that come with it out of the box. Just because you don't know how to do it doesn't mean it doesn't. And yes, that feature set is about 1999.
Like many others here, I have participated in several migrations away from NDS in favor of AD. Each instance has been a big win for the people I worked for.
That being said, I have recently installed a trial of the last release of SuSE LINUX Enterprise Server (the first since Novell acquisition) and I have to say that this product's successors/siblings are going to balance things in the DS arena again. I never had anything against Novell, but they stagnated while they tried to fend off and interoperate the beast simultaneously and MS gained almost all of their infrastructure ground almost solely at Novell's expense while they were floundering without a plan.
The recent SuSE and Ximian acquisitions are going to pay great dividends both for Novell and for the community in the long run. I am excited to see what they do, but for goodness sake, don't applaud the last five years of NDS. That's like claiming the last three Rocky films were the best.
Can I bum a sig? I left mine at the office.
Some of us have been working on that sort of thing for years. We master data from our tool into NIS, DNS, LDAP, SAMBA, and DHCP, and I suspect lots of places have various home grown tools to do likewise. Any large place will need things of this kind, anyway.
EDSAdmin looks very nice, though. Nice job!
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Whoops, link for the lazy here: http://edsadmin.sf.net
-Mark
I'm working on a RHEL4 machine that I set up to use LDAP during the install. It was very easy, all done through a simple GUI. Worked great.
sigs are a waste of space
Most LDAP directories are used to keep track of people; therefore there is an inetOrgPerson type which (if I remember rightly) has the following attributes by default:
- CommonName (i.e., userID)
- Full name
- Password (can be stored with both Windows and Unix encryption, or in plaintext)
- Telephone number(s)
- Mailing address(es)
- JPEG photo
- e-mail address
- user ID #
- home directory (?), shell (?) (these might be in some other type)
However, LDAP types are extensible, so you could create a new type to represent employees, inventory, or even projects, or you could extend an existing type. For instance, you might want to add some of the following to inetOrgPerson (if they're not already there):
- GPG public key
- instant-messaging ID
- ID badge number
It's even possible to use an SQL or legacy-system database as a backend for OpenLDAP with some custom coding, although I'm sure a lot of people who use it don't bother.
So that's what's in the directory. You might still ask, "what is it used for?"
Firstly, Windows, Netware, Solaris and Linux can all be told to get their login information from an LDAP directory. This means that (if it works) someone only needs one account in an organization, that their Windows password is automatically the same as their Unix password, etc. It does not mean that they need to use the same home directory on all systems; but home directories can be automatically created by login scripts. NIS+ was a Unix-only way to distribute just the information found in /etc/passwd; LDAP is cross-platform.
Secondly, some E-mail clients (specifically Netscape, its derivatives, and Outlook; I don't have experience to speak for others) can treat an LDAP directory as an extension of the address-book. That sure beats running down the hall and referring to a printed list every time you want to e-mail someone or call them on the phone and only remember their name.
Of course, if your "organization" is one person working on ten computers in a family-member's basement, LDAP probably isn't worth the effort.
The Word document is about 1 MB in Zip format and available via this link http://www.echohome.org/serverconfiguration.zip
Windows and Active Directory are a proprietary ripoff of LDAP and kerberos with some gui tools.
There is no reason a distro couldn't smoothly tie them together with some simple curses/graphical configuration tools. The question is a good one.
Sounds to me like you're asking for two separate things.
1) A Linux desktop distribution which can automount $HOME directories (from a central server?) on normal workstations with a fair amount of ease (in terms of configuration).
Answer: There's nothing that I know of that can do this "out of the box" so to speak, but it should be fairly trivial to do.
I'll make note that mounting a share on a Windows server to a Linux desktop seems to often result in the share mount dying - it's kind of messy without using automount, and I've not personally used automount much.
I can't speak for Kerberos auth itself, as I'm not too familiar with that element...
Other than that, though, it should be relatively trivial to set automount up to mount a samba share using credentials provided by OpenLDAP or what have you. As you can mount SMB shares via fstab, it's not really an issue to jump up one step and use automount. I am, of course, assuming you'll be making a single "desktop deployment" image and not doing the antiquated thing and manually configuring each machine - that would be just dumb.
2) A Linux server distribution with OpenLDAP + Samba + Kerberos set up, out of the box, so that all you'd have to do would be populate the OpenLDAP server with username/password combinations.
There's nothing that does this which I'm aware of. That's why a company should hire competent people; maybe that's partially why no distro has done it - it's hard, and the distro people don't want to piss off the competent admins by making their skillset "outdated". But that's just a guess.
Another guess is that it's simply not a widely deployed combination. The organization I work for now has (only) several thousand NetPCs deployed in the field, and it's just an NT4 domain login with LDAP on the backend. Groupwise is used on the client side to tie into LDAP directly.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
search freshmeat for mkautosmb, its absolutely top.
It browses your LAN and creates automount config files for them, yee hah!
I had to edit it to do "autofs --version" when checking which version of autofs you have, and to make it write out "cifs" instead of "smbfs" to get around a current smbfs/win2003-server compatibility problem.
Either that or look at smb4k, but it suffers from the same smbfs problem I mentioned.
Sam
blog.sam.liddicott.com
RH/Fedora has been doing that at install time for ages - apparently 6.1 or so. How well it works might be another matter - I've never had cause to use it, but it'd be worth a look for anyone who hasn't seen it and discounted it already.
The appropriate reference to the RHEL manual
No he's right, AD has many other features other than broken standards support :)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then there's the GUI tools for managing it all, last time I looked Linux only had directoryadministrator which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)