Slashdot Mirror


Where are the 'Modern' Directory Services?

MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
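The glue the submitter describes as missing is small but security-sensitive: whatever turns directory entries into per-user SMB home mounts is feeding attacker-influenceable LDAP attributes into mount options. The following is an added example, not code from the original post or from any distribution's tooling. It parses LDIF posixAccount entries (a constructed sample is embedded) and emits an autofs map that mounts each user's CIFS home share with Kerberos (`sec=krb5`), rejecting entries whose uid would inject map syntax or whose uidNumber is privileged. The server name `fileserver.example.com`, the `homes/<uid>` share layout and the `MIN_UID` cut-off are assumptions invented for the example.

```python
"""
Added example: turn LDAP posixAccount entries into an autofs (CIFS) map for
Kerberos-authenticated SMB home directories, with input validation.
Assumptions (not from the original text): DEFAULT_SERVER, the homes/<uid>
layout and MIN_UID are invented site policy.
"""
import base64
import re

DEFAULT_SERVER = "fileserver.example.com"  # assumption
MIN_UID = 1000                             # assumption: system accounts live below this
SAFE_KEY = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")              # usable as an autofs map key
SAFE_UNC = re.compile(r"^[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)+$")  # server/share[/path], no option separators

# Constructed sample LDIF: two legitimate users (one with a base64-encoded
# attribute) and one entry whose uid would inject mount options and whose
# uidNumber is root.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
sambaHomePath: \\\\fileserver\\homes\\alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory:: L2hvbWUvYm9i

dn: uid=mallory,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: mallory,rw
uidNumber: 0
gidNumber: 10003
homeDirectory: /home/mallory
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attr_lowercase: [values]} dicts.
    Handles folded continuation lines (leading space) and base64 '::' values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if line == "":
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def autofs_map(ldif_text):
    """Return ({map_key: autofs_line}, [rejection reasons]) for posixAccount entries.
    Every value that lands in the map is validated first: the map key and the
    UNC path must not contain spaces, commas or other autofs/mount separators,
    and privileged uid/gid numbers are never mounted."""
    entries, rejected = {}, []
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", ["?"])[0]
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        try:
            key = e["uid"][0]
            uid, gid = int(e["uidnumber"][0]), int(e["gidnumber"][0])
        except (KeyError, IndexError, ValueError):
            rejected.append(f"{dn}: missing or malformed posixAccount attributes")
            continue
        if not SAFE_KEY.match(key):
            rejected.append(f"{dn}: uid {key!r} is not a safe map key")
            continue
        if uid < MIN_UID or gid < MIN_UID:
            rejected.append(f"{dn}: uid/gid {uid}/{gid} below MIN_UID {MIN_UID}")
            continue
        share = e.get("sambahomepath", [None])[0]
        # \\server\share\path (Samba style) -> server/share/path; default to the assumed layout
        unc = f"{DEFAULT_SERVER}/homes/{key}" if share is None else share.lstrip("\\").replace("\\", "/")
        if not SAFE_UNC.match(unc):
            rejected.append(f"{dn}: sambaHomePath {share!r} is not a plain server/share path")
            continue
        # sec=krb5: authenticate with the user's own ticket; uid/gid only set client-side ownership
        entries[key] = f"{key} -fstype=cifs,sec=krb5,uid={uid},gid={gid} ://{unc}"
    return entries, rejected


if __name__ == "__main__":
    mounts, problems = autofs_map(SAMPLE_LDIF)
    print("\n".join(mounts.values()))        # contents of e.g. /etc/auto.home
    for p in problems:
        print("# rejected:", p)
```

The generated lines go into the map referenced from `auto.master`; with `sec=krb5` the kernel CIFS client obtains the user's ticket through the `cifs.upcall` helper from cifs-utils, so access control is enforced by the server against the Kerberos identity, not by the `uid=`/`gid=` options, which only fix client-side ownership when the server does not report it. The rejected entry shows why validation matters: a uid of `mallory,rw` would otherwise be written straight into the map, and a uidNumber of 0 would mount a share as root.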

21 of 504 comments

  1. Gee... by TheCabal · · Score: 5, Insightful

    Sounds like you want Windows and Active Directory.

    1. Re:Gee... by TheCabal · · Score: 5, Insightful

      Dude (since we're apparently on an informal basis)

      I help run what is probably one of the largest AD implementations in the country, if not the world. Your perception of AD is true only under certain lamebrained implementations. It IS possible to totally ignore the AD hierarchy and go for a "flat" NT4-style domain structure, but people who set those up should be severely beaten about the face and ears, and never allowed near a server again. If your ADs are like that, get a new job.

    2. Re:Gee... by Maxwell · · Score: 2, Insightful

      People that have never used NDS think AD is really great.

      People that have used NDS are stunned at the HUGE loss of functionality they suffer by moving from NDS to AD and hate it, and its stupid limitations, every day.

      AD 2003 is not even at NDS with Netware 4.11 level yet. It is truly astonishing how petty AD is, but you and many people like you think it is just great.

      Just wait until they integrate application publishing with it! Desktop settings! File services! The ability to replicate parts of the tree independently! Email! Wow, won't that be great?? All that would put you at ~1999.

      MS blatantly rips off the rest of the industry. I wish they would hurry up and copy NDS COMPLETELY now. Instead you get 'good enough' AD.

      JON

    3. Re:Gee... by TheCabal · · Score: 1, Insightful

      Ripoff or implementation?

      You can't exactly ripoff an open standard.

    4. Re:Gee... by shaitand · · Score: 1, Insightful

      Flacco I agree completely. I think most of the services need these kind of smooth and easy tools. Some people rail against them, they are afraid of becoming a windows clone or something. They need a wake up call.

      The benefit of linux is NOT that only elite users who know their shit can configure linux implementations of technology (hopefully most who thought so have gone to BSD by now); the benefit of linux is that after the wizard finishes running I can tweak/adjust every parameter it set for me.

      Right now the up front cost of linux is higher than windows, not just because existing infrastructure has to be changed, but because right now you HAVE to set almost every parameter manually. Wizards (that can run in curses or X mode) and sane defaults could save a great deal of time WITHOUT sacrificing flexibility (binary configuration utils do NOT mean the settings have to be stored in binary files).

      Once we manage that dream I'll fight for simple curses/graphical configuration tools that actually read in your existing configuration and let you modify it AFTER initial install.

      The programmers from a unix background need to concentrate on keeping a solid and flexible system and accept that it is Novell/Windows who should put forth the ideas for high level interaction between the system/applications and the user. *nix is king in terms of stability, scalability, security, automatability, and programmability; but ALL *nix systems have had a setup and basic day to day administration experience on par with rubbing your testicles against salty razorblades.

      Apple systems go to the other extreme: a one click install rather than asking the fundamental questions needed for setup (for instance a web based admin package might ask where your cgi-bin and webroot are located) means you ALWAYS have to reconfigure after install. Basically they handhold too much to be of any use to someone who actually knows what they are doing.

    5. Re:Gee... by Anonymous Coward · · Score: 1, Insightful

      What he is saying is that if you look at the MS documentation on the AD structure and the fact that all of the Domains include fully transitive trusts, the end result nets you a nicely organized NT 4.0 domain with the exception of the root domain.

      Pray tell, you run the world's largest AD domain and you did not understand that under the AD structure the domain trusts were fully transitive by default? Changing the domains of the fully transitive model provides for interesting situations as crap replicates from domain to domain. For this very reason we decided to go into a 2 domain structure and use AD to organize the dang thing. The original poster is right.

      BTW I also work on one of the largest AD deployments, although I do not think it is the same one as you.

    6. Re:Gee... by AlphaSys · · Score: 3, Insightful

      FOO: YHBT, I think. You don't use a workgroup either. A domain is a domain, a security group is a security group and an organizational unit is an organizational unit (I can see how that can be confusing). You do not have to have anything other than a parent domain to support an OU, and OUs can nest any imaginable way and have a single parent domain. You really don't know what you're talking about, so sit back and listen a little. OUs are not to be used for the same reasons as the old "resource domains" of NT yore. I explain it really simply for folks who ask about it... "OUs are for what can be done TO the objects contained, Group Membership is for what can be done BY the objects contained"

      When I said the migrations were big wins for the customers, I AM generally speaking in terms of managing tens of thousands of users at a time. But I am also talking about more than that -- I am talking about their ability to write custom directory-aware applications. This is the big void (I'm not going to say failing because it is not impossible, it's just that no one is quite there yet) in the *N*X world.

      When MS designed AD, they designed it with the same thing in mind they design everything -- end-user extensibility. Group policy is a very workable swiss-army-knife of tools for the admin to make administration much easier. Developers are easily able to build on it in a very good OO manner. They also built a fair amount of standards-based interoperability into it so that anyone with familiarity with LDAP, Kerberos, etc. was going to be able to get into programming for it quickly. They made the integration super tight between it and other core OS services -- Kerberos, DFS, RADIUS, RRAS, Message Queueing, etc., etc. -- as well as their flagship products that sell separately including Exchange, SQL2K, ISA and everything they've come out with beyond that. I've never been an MS fanboy as far as their business practices go, and I have cursed Win9x and NT4 installations more than a vast majority of posters here. But MS is starting to get some things right as far as their products go. Before, they were an easy target for the RH and the SuSE of the world (hell, the Debs and Slackwares too, even BSDs for crying out loud) to target by saying "they're too unreliable and difficult to configure to do enterprise computing with". Those days are coming to an end. While millions of FOSS contributors have trained their eyes on the desktop, MS has transcended it and is poised to gain back the market that made FOSS a threat to begin with: enterprise computing. And all they had to concede was 10% web browser share. It's time for the major vendors to put their thinking hats on. And maybe it is time for them to think about working together again too. They've all been thinking, "hey, it's FOSS, but I can still put some widgets onto the pieces I glue together and call it proprietary and sell it for the same prices as MS or even more". RH is all about it. SuSE is too. But what you end up with are separate incompatible implementations of enterprise-grade features. What's worse, the RH and the SuSE of the world are still at the whim of whoever maintains the components they have glued onto. Sure, they can fork and maintain their own if they have to, but they specifically do not want to.

      I think the top ten vendors need to form a consortium to delineate about five goals that they want to see in enterprise features, agree on thorough, complete specifications, and then engage the community with cash and other incentives to get it done. And when the goals are realized, the results need to be free enough that all distros can interoperate. When you encumber others' rights to do one thing with the software, you encumber all abilities to do anything in a truly interoperable manner. The major vendors need to figure out how they're going to benefit from the features being available without encumbering them, or they will remain behind MS just because MS got ahead of them and the FOSS community is too fragmented. When there are c

      --
      Can I bum a sig? I left mine at the office.
    7. Re:Gee... by hostyle · · Score: 2, Insightful

      The one pushed by the convicted monopolist? I'm just guessing here.

      --
      Caesar si viveret, ad remum dareris.
    8. Re:Gee... by schon · · Score: 2, Insightful

      All I got when I complained there weren't any tools to help set up some fairly basic networking options

      So, you *complained* that someone wasn't doing something for you for free, and people were dismissive - and you were surprised?

      Here's a tip for you: don't complain. When you complain you come off as a whiny brat. If something you need doesn't exist, either ask someone *nicely* if it could be included (or when they're planning to implement it.)

      Most networking setup doesn't require knowledge of C or C++; shell/perl would probably do.

      four or five years later we're still sitting around waiting for that sorta thing

      To quote Tonto, what do you mean by "we", kemosabe?

      I find it really funny

      It's funny because you alienate people, and then they *don't* do what you want them to? Yes, you're right it is funny - but it's probably not funny in the way that you think.

  2. LDAP is critical to Linux's survival now. by Zombie+Ryushu · · Score: 5, Insightful

    LDAP, Kerberos, Samba and all the things that come with that are critical to Linux's survival now. Linux will either live or die on its ability to use LDAP, Kerberos, SSL and Samba.

    LDAP is Linux's ultimate ability that permeates everything Linux can do and makes the many pieces of Linux whole. Only the greatest of Linux users can use LDAP.

    The thing is, it's too damn hard, too damn difficult, and there is not enough documentation and configuration tools for LDAP out there. I've spent three years on LDAP - I know.

  3. Re:Sure, WinXp by Anonymous Coward · · Score: 1, Insightful

    Expensive, insecure, closed. Choose 3.

  4. Small demand by jmorris42 · · Score: 3, Insightful

    Yes, having a setup for LDAP with SAMBA tied in would be a plus, but you have to consider why it hasn't happened yet.

    Only fairly large shops NEED that, and they only need to set it up once. The existing howtos appear to be addressing that need well enough that it has not become a big enough itch for anyone to scratch. Again, because once you know enough about it to write the wizards to make setting it all up easy, you have your site done and will probably never need to do it again. So until a distro vendor sees it as a big enough selling feature to undertake the work, I doubt it will happen.

    --
    Democrat delenda est
  5. Well, there's... by Anonymous Coward · · Score: 1, Insightful

    The venerable 4.4BSD automounter (am-utils) is nice for auto-mounting nfs. nis isn't ideal but works, and can do much more than just throw passwd around. In fact, I'd not use it for the passwd stuff, but just announce amd maps with it.

    samba is quite useful, even if I still have to look at its new 3.* features. LDAP is somehow the obvious directory choice, even if it is clearly not ideal. Maybe that is because all others are even less-than-ideal, or just not open and/or sane enough. RADIUS is often only used by (I)SPs and the like, but could be used in the local network, too. And of course there's kerberos.

    The only real problem is lack of vision (because there's so many ways to do it, and every company needs something different, maybe?) and, as already remarked, the combination of all the HOWTOs into something more closely knit together.

    But the parts are all there, no doubt about that. So far it's only been the commercial sector that's been doing the integration and/or building their own solution.

  6. Re:Linux instead of OS X? by Leo+McGarry · · Score: 2, Insightful

    The money you spend on new hardware will be far less than what you'll spend in time and trouble getting a half-assed Linux solution together.

    You want Mac OS X Server. Trust me on this.

  7. Re:OS X Server has it built in... Open Directory by Leo+McGarry · · Score: 3, Insightful

    Because 'the people upstairs' who make purchasing decisions are dead-set on x86 hardware in the server room.

    They are wrong. Explain this to them. That's part of your job.

    Also, there's perfectly good x86 hardware in there now, I'd rather use it than pay Apple for new metal.

    Given that this "perfectly good x86 hardware" is absolutely incapable of doing what you want it to do without a massive investment of time and effort, it seems obvious to me that it's not "perfectly good" at all, is it?

    Run the numbers. You will find that buying an Xserve will cost you much less than trying to make your jury-rigged solution work.

  8. Re:Netware by Anonymous Coward · · Score: 2, Insightful

    Grab a copy of Open Enterprise Server from Novell. It's in open beta and is basically what you are asking for. It may be more than you're asking for actually, as they offer lots more services than you need.

    I have had a chance to play with it. It's Suse with Netware services on it, basically. NDS is probably the nicest directory out there, and it has LDAP built into it so you can connect other Linux distros into it if you don't want to just run OES.

    They have made Samba talk to NDS, so you create user objects in NDS and it works throughout the system. They plan on replacing Netware with OES, so it's well polished.

  9. LDAP/SAMBA/KERBEROS half the battle by Anonymous Coward · · Score: 1, Insightful

    OK, a turnkey alternative to AD is highly desirable, but doesn't solve the whole puzzle.

    What is needed is for OSS applications to be tightly integrated into this environment.

    Microsoft's biggest selling point is integration of its applications with each other and AD. That's what enterprise customers want (and need) to hear, and are willing to spend $$$ on.

  10. Re:Novell eDirectory by swdunlop · · Score: 2, Insightful

    Dunno, they've been in business quite a bit longer than any other major Linux supporter, excepting IBM. I don't think Novell will be disappearing any time soon.

  11. Re:Linux instead of OS X? by archen · · Score: 2, Insightful

    Well I'm not sure about how much you've got invested in PC's already, but I think OSX is more of an investment. Microsoft and Linux require faster and faster hardware every year, while OSX gets faster and faster on the same hardware. Assuming this trend continues, this could reduce your upgrade cycle quite a bit.

  12. Re:Flatness by Anonymous Coward · · Score: 1, Insightful

    Yes, a forest should never be necessary in theory, but that's not reality. You end up merging with other companies that have their systems set up differently, and the only easy solution is to join your trees into a forest.

    Or you have different divisions that insist on their own autonomy, and each sets up their own domain. You can imagine that this would be common in university environments.

  13. Re:Sure, WinXp by Zero+Sum · · Score: 2, Insightful

    OK, fair comment. I'm multi-tasking right now and I'm old and not that good at it, so perhaps I did not make myself clear.

    The thing in contention here is "demand". Now, OK, frex; IE has 90% of the market, Firefox less than 10%. A conventional view says that IE is in considerably more demand than Firefox (or Opera). Now, all right, I can accept that, but I don't agree with it. The bottom line is that no one (or very few) actually want IE, but they have it and don't want another browser enough to learn how to download and install (or are not permitted to... or...). Given that you had to choose and download a browser, would the ratio of 90/8/2 (IE/Firefox/Opera) be the same? I sincerely and very strongly doubt that that is the case. IE is crap in comparison to either of the others mentioned. So when people talk about "demand" or "market demand" they are not talking about demand in the English use of the word at all. They are talking about usage figures, not how much one product is valued/wanted/desired over another. If the "market" was on equal standing the situation would be very different.

    So, what I mean when I say there is no "demand" for MS products is that no one really likes them. No one really wants them. And if there was something that was not harder for them to deal with and they had a real choice, they would abandon MS gleefully and rapidly.

    I'm actually quite sick of the pro-anti-Microsoft war and don't particularly care much about it, but that isn't going to make me abandon the truth of things. MS is a bag of worms, Linux was developed from a terminal emulator and shows it, UNIX (although my favourite) is thirty year old concepts overlaid with patches and extensions usually badly implemented. It is _all_ crap. Live with it.

    Anyway, it will all pass. MS has most likely had its day in the Sun. Its optimal strategy for long term survival now would be to fund, say, twenty guys to work on Hurd (and maybe another 20 for EROS too). To stay ahead and set directions, to truly open just about everything except the UI. In the end it is only the UI - the user experience - that is important. So, right now, MS has sufficient resources to fund as much of the OSS movement as it wants. If it (MS) funded, say, 1/3 of the current OSS developers, how could it not stay in front? Wouldn't worldviews suddenly change?

    --

    Zero Sum (don't amount to much). [root@localhost]