Slashdot Mirror
Where are the 'Modern' Directory Services?
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
What about Netware and EDirectory? I hear they use open standards for Linux.
You didn't ask for open source.
:)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Evil ZEN Scientist
I work for an IT environment at a Canadian University and for Single Sign On solution we use a linux server/clients (debian but it really doesn't matter which you use) which uses the pam_mount module to mount a user's Windows samba share to /home/$username/$folder_name and we also use a log in script which copies back and forth any settings (.dot files) to and from the samba share to the local filesyste as smb does not be default work for home directories as it does not support all of the unix filesystem standards... CIFS was a push in the right Direction to change that but wasn't ready for prime time last time I checked. For authentication we use kerberos against the Windows ADS but any ldap or similar pam module should work for you.
Yup! SuSE does an excellent job of configuring LDAP for you. This includes:
Configuring Samba for LDAP and populating the LDAP server with the proper entries.
Putting the dhcp server configuration in LDAP.
Custom scripts for Samba to add/remove machines and users in LDAP via Samba.
Configuring Bind to use LDAP as a backend.
I'm pretty impressed. I love RedHat/Fedora, but those distros don't have anything like SuSE has for bootstrapping the LDAP configuration. Maybe RedHat will get more serious about it once they release the GPL'd version of iPlanet Directory Server.
Personally, I can't wait until Samba 4 comes out that will bring this all together (Kerb, LDAP, AD) with it's own LDAP server.
Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to setup the server, that's the only real catch.
I recently setup a *nix server to act as a Windows PDC for our small workgroup. It wan't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouln't undertake this with an RPM distro, unless I had plenty of support.
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to out intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation too.
Sorry, Jon... you are out of touch. It will absolutely do every bit of that either natively or with the rest of the Win2000/2003 tools that come with it out of the box. Just because you don't know how to do it doesn't mean it doesn't. And yes, that feature set is about 1999.
Like many others here, I have participated in several migrations away from NDS in favor of AD. Each instance has been a big win for the people I worked for.
That being said, I have recently installed a trial of the last release of SuSE LINUX Enterprise Server (the first since Novell acquisition) and I have to say that this product's successors/siblings are going to balance things in the DS arena again. I never had anything against Novell, but they stagnated while they tried to fend off and interoperate the beast simultaneously and MS gained almost all of their infrastructure ground almost solely at Novell's expense while they were floundering without a plan.
The recent SuSE and Ximian acquisitions are going to pay great dividends both for Novell and for the community in the long run. I am excited to see what they do, but for goodness sake, don't applaud the last five years of NDS. That's like claiming the last three Rocky films were the best.
Can I bum a sig? I left mine at the office.
Most LDAP directories are used to keep track of people; therefore there is an InternetOrgPerson type which (if I remember rightly) has the following attributes by default:
- CommonName (i.e., userID)
- Full name
- Password (can be stored with both Windows and Unix encryption,
or in plaintext)
- Telephone number(s)
- Mailing address(es)
- JPEG photo
- e-mail address
- user ID #
- home directory (?), shell (?) (these might be in some other type)
However, LDAP types are extensible, so you could create a new type to represent employees, inventory, or even projects, or you could extend an existing type. For instance, you might want to add some of the following to InternetOrgPerson (if they're not already there):- GPG public key
- instant-messaging ID
- ID badge number
It's even possible to use an SQL or legacy-system database as a backend for OpenLDAP with some custom coding, although I'm sure a lot of people who use it don't bother.So that's what's in the directory. You might still ask, "what is it used for?"
Firstly, Windows, Netware, Solaris and Linux can all be told to get their login information from an LDAP directory. This means that (if it works) someone only needs one account in an organization, that their Windows password is automatically the same as their Unix password, etc. It does not mean that they need to use the same home directory on all systems; but home directories can be automatically created by login scripts. NIS+ was a Unix-only way to distribute just the information found in /etc/passwd; LDAP
is cross-platform.
Secondly, some E-mail clients (specifically Netscape, its derivatives, and Outlook; I don't have experience to speak for others) can treat an LDAP directory as an extension of the address-book. That sure beats running down the hall and referring to a printed list every time you want to e-mail someone or call them on the phone and only remember their name.
Of course, if your "organization" is one person working on ten computers in a family-member's basement, LDAP probably isn't worth the effort.
The Word document is about 1 MB in Zip format and available via this link http://www.echohome.org/serverconfiguration.zip