Where are the 'Modern' Directory Services?
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
Sounds like you want Windows and Active Directory.
Any word on when Redhat will make the Netscape Directory server available? That would be your solution or look at: http://imc.sourceforge.net/index.html
What about Netware and EDirectory? I hear they use open standards for Linux.
Google.com -- let your fingers do the walking
I believe SUSE Enterprise Server (and SUSE Open Exchange server too) has a yast module to setup LDAP easily.
I might be wrong though - I'm still waiting for my copy...
sigaar
The YourOwn (tm) Linux distribution is based on OpenLDAP and all the other out-of-the-box features you're looking for.
It can be downloaded from YourOwnBox.org.
Solaris automounts my home directory just fine. Just point the machine to the NIS domain and it works
What, reading 50 different howtos with half-assed conflicting information isn't good enough for you? Surely this is blasphemy against the community.
It has to be mentioned. There will be a 100+ open source solutions proposed but none will come close to either of the two.
I know this is a different issue, but why push for Linux if you're already using OS X at work?
You didn't ask for open source.
:)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Evil ZEN Scientist
"Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification?"
It takes 3 shell commands and inserting your favorite validation server to hook up an OS X client to an AD server, SMB shares included (not DFS though, as far as I know)
All those moments will be lost in time, like tears in rain. Time to die.
we believe that the idea of data is obsolete, and that, in the future, users will demand less and less of it, and more and more menu animations.
That's "Mr. Soulless Automaton" to you, Bub.
I work in an IT environment at a Canadian university, and for a single sign-on solution we use Linux servers/clients (Debian, but it really doesn't matter which you use) which use the pam_mount module to mount a user's Windows Samba share to /home/$username/$folder_name, and we also use a login script which copies any settings (.dot files) back and forth between the Samba share and the local filesystem, as SMB does not by default work for home directories since it does not support all of the Unix filesystem standards... CIFS was a push in the right direction to change that but wasn't ready for prime time last time I checked. For authentication we use Kerberos against the Windows ADS, but any LDAP or similar PAM module should work for you.
There's this company called Novell that has this product called, variously, "NetWare Directory Services", "Novell Directory Services", "eDirectory", and "Nsure/exteNd/Nterprise/Ngage".
Okay, so maybe their marketing department has sucked big donkey dongs for like the last ten years and that's why you've never heard of them.
But rumor has it they purchased this outfit called SuSE, and that all their stuff has been ported to the Linux kernel, and they also purchased this other outfit, called Ximian, so that all their stuff would play nice with .NET, and...
Well, you get the picture.
LDAP, Kerberos, Samba and all the things that come with that are critical to Linux's survival now. Linux will either live or die on its ability to use LDAP, Kerberos, SSL and Samba.
LDAP is Linux's ultimate ability that permeates everything Linux can do and makes the many pieces of Linux whole. Only the greatest of Linux users can use LDAP.
The thing is, it's too damn hard, too damn difficult, and there are not enough documentation and configuration tools for LDAP out there. I've spent three years on LDAP - I know.
LDAP/Samba/Kerberos on Suse works really well out of the box in the latest Suse Server offerings. I don't play with many distros so I can't recommend it against others.
But for professional use on networks of any real size, I really try to push my customers to NDS. Say what you want about Novell, but I have yet to find a better DS than Novell's.
Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to setup the server, that's the only real catch.
So why not use it? It's a full featured directory service based on OpenLDAP with Kerberized AFP and SMB built in, so why use a Linux server and "roll your own" with everything, and do all the extra work?
I have to be missing something here.
Yes, having a setup for LDAP with Samba tied in would be a plus, but you have to consider why it hasn't happened yet.
Only fairly large shops NEED that, and they only need to set it up once. The existing howtos appear to be addressing that need well enough that it has not become a big enough itch for anyone to scratch. Again, because once you know enough about it to write the wizards to make setting it all up easy, you have your site done and will probably never need to do it again. So until a distro vendor sees it as a big enough selling feature to undertake the work, I doubt it will happen.
Democrat delenda est
I recently set up a *nix server to act as a Windows PDC for our small workgroup. It wasn't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouldn't undertake this with an RPM distro, unless I had plenty of support.
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to our intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
"Joining the Active Directory with OS X.3 Client"- ad.html
http://www.infodiv.unimelb.edu.au/lansg/osx/os-x3
I have nothing to add to the article.
I mount NFS home directories with automount on Red Hat 9.
/etc/auto.master, or NIS to get the auto.master. No biggy -- isn't updating /etc/auto.master easy enough (assuming you don't push it with NIS)?
So, I push an auto.master using NIS. Works peachy. I've never tried it -- but I think that using an SMB share as a home directory would be as simple as changing the automount specification? This doesn't work?
As to NIS: its what I use, and RH9 is happy with it.
However, RH9 does offer "NIS", "LDAP", "Kerberos 5", "SMB" authentication schemes on installation.
Note that autofs uses
What are you trying to do?
Ratboy
Just another "Cubible(sic) Joe"
Actually, if you are a software developer you can work with Novell and bundle up to 250k seats of eDirectory 'free/beer' with your product.
:)
So the directory side of things is not 'pay-at-the-door'
Usual disclaimers.
Evil ZEN Scientist
ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
I've a similar question myself: Is there a Linux distro which, upon installation, aids in the setup of a Directory Services server, a network filesystem for storing user data (possibly including $HOME directories) and installation of client workstations which use those services?
...
I'm talking of the same installation disks, but at the very onset, instead of just asking (or perhaps more than just asking) if I want a Desktop, Server or Workstation install, it includes sub-options like:
Server:
[] Directory Services Server
[] Network File Server
[] User $HOME directory (or some other friendly name)
[] Print Services Server
Workstation:
In other words, the very things one would need and in the order one would install for a small- to medium-sized enterprise.
http://www.djack.com.pl/Suse9hlp/ch21s08.html
See 21.8.5. LDAP Server Configuration with YaST
IANALBIPOOGL (I am not a Lawyer, but I play one on GrokLaw.)
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation too.
I'm still waiting for the hover-cars we were promised in the 60's, let alone reliable directory services that have just started to be used!
OpenLDAP, as an implementation of LDAP v3 right now, is light-years beyond Active Directory in functional sophistication. It's not OpenLDAP that sucks.
It's the fact that configuration is too hard because the necessary interfaces aren't there. The only thing that comes close is "Directory Administrator".
OpenLDAP is a superb LDAP implementation from a technical standpoint, far outpacing ADS. ADS just has ease of use, which OpenLDAP needs.
Linux needs OpenLDAP replacements for things like useradd, usermod, and passwd, or some way of modularizing them.
The free seats have been on offer for years. They aren't going away anytime soon. Why? Strategy. Novell *wants* people to develop eDirectory applications and not be turned off by licence costs.
You should check out the Hurderos project. The goal of Hurderos is to create a framework for directory and authentication using open tools. In other words, an open-source equivalent of Active Directory and NDS.
Although the project is in its infancy, it has really good ideas for integrating identity management, authn, and authz.
http://www.hurderos.org
this sounds like windows users whining about mountpoints. yeah, docs are lacking, but all the components are there, some twice over. just glue it all together with a little bash. done -- probably even with lower TCO.
Don't thank God, thank a doctor!
I'm working on a RHEL4 machine that I setup to use LDAP during the install. It was very easy, all done through a simple GUI. Worked great.
sigs are a waste of space
Sounds to me like you're asking for two separate things.
1) A Linux desktop distribution which can automount $HOME directories (from a central server?) on normal workstations with a fair amount of ease (in terms of configuration).
Answer: There's nothing that I know of that can do this "out of the box" so to speak, but it should be fairly trivial to do.
I'll make note that mounting a share on a Windows server to a Linux desktop seems to often result in the share mount dying - it's kind of messy without using automount, and I've not personally used automount much.
I can't speak for Kerberos auth itself, as I'm not too familiar with that element...
Other than that, though, it should be relatively trivial to set automount up to mount a samba share using credentials provided by OpenLDAP or what have you. As you can mount SMB shares via fstab, it's not really an issue to jump up one step and use automount. I am, of course, assuming you'll be making a single "desktop deployment" image and not doing the antiquated thing and manually configuring each machine - that would be just dumb.
2) A Linux server distribution with OpenLDAP + Samba + Kerberos set up, out of the box, so that all you'd have to do would be populate the OpenLDAP server with username/password combinations.
There's nothing that does this which I'm aware of. That's why a company should hire competent people; maybe that's partially why no distro has done it - it's hard, and the distro people don't want to piss off the competent admins by making their skillset "outdated". But that's just a guess.
Another guess is that it's simply not a widely deployed combination. The organization I work for now has (only) several thousand NetPCs deployed in the field, and it's just an NT4 domain login with LDAP on the backend. Groupwise is used on the client side to tie into LDAP directly.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
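The per-user SMB home mount that this post (point 1) and the earlier NIS/automount post sketch, written out as an added example that is not from any poster: an autofs program map in POSIX sh. autofs passes the requested home-directory name as $1 and reads one "&lt;options&gt; &lt;location&gt;" line from stdout, so the script validates that untrusted key before splicing it into mount options or a UNC path. The server name, the credentials directory and the auto.master wiring are assumptions.

```shell
#!/bin/sh
# Added example: autofs "program map" that mounts each user's SMB share as
# their home directory. Assumed wiring (not from the thread):
#   /etc/auto.master:   /home  /etc/auto.home.sh  --timeout=300
#   /etc/auto.home.sh:  this script, mode 0755
# autofs runs it with the lookup key (the name under /home a process tried to
# open) as $1. That key is attacker-influenced input: any local process can
# trigger a lookup for an arbitrary name, so it must be validated before it is
# used as a share name, a uid= value or part of a credentials path.

SERVER="fileserver.example.internal"   # constructed: the Samba/Windows host
CRED_DIR="/etc/autofs/creds"           # constructed: per-user credential files, mode 0600

# valid_user NAME -> 0 if NAME is a plausible lowercase POSIX login name.
# Rejects path components (leading dot, /), the mount option separator (,),
# whitespace, and over-long names, so "alice,uid=0" or "../x" never reach mount.
valid_user() {
    case "$1" in
        ''|.*|*/*|*,*|*[[:space:]]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# map_entry NAME -> prints the autofs map line for NAME; returns 1 (and prints
# nothing, which autofs treats as "no such key") when the name is invalid or
# no credentials file exists for it, so a typo never becomes a mount attempt.
map_entry() {
    user="$1"
    valid_user "$user" || return 1
    cred="$CRED_DIR/$user"
    [ -f "$cred" ] || return 1
    # uid=/gid= accept a name or number with mount.cifs; file_mode/dir_mode keep
    # the home private; nodev,nosuid because the share's contents are remote.
    opts="-fstype=cifs,credentials=$cred,uid=$user,gid=$user"
    opts="$opts,file_mode=0700,dir_mode=0700,nodev,nosuid"
    printf '%s %s\n' "$opts" "://$SERVER/$user"
}

# When invoked by autofs there is exactly one argument: the lookup key.
if [ "$#" -gt 0 ]; then
    map_entry "$1"
fi
```

A missing or unreadable credentials file is reported to autofs as an unknown key rather than being passed to mount.cifs, which keeps password prompts and error spam out of the automount path.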
err. And how is this different to SMB? You might like to hear what Andrew Tridgell (the original Samba author) has to say about this. I quote from an article he wrote for Groklaw (http://www.groklaw.net/article.php?story=20050205010415933&query=Samba)
"The protocol that Samba implements was first invented by Barry Feigenbaum at IBM in early 1983. He initially called it the "BAF" protocol after his initials, but changed the name to "SMB" before the first official release. You may note that the name "Samba" contains the letters "SMB", and that is not a coincidence.
The term "CIFS" or "Common Internet File System" was coined by Microsoft in 1996 as a marketing exercise in an attempt to combat a perceived threat from Sun Microsystems after their WebNFS announcement. The term caught on, and now the SMB protocol is often called CIFS. The two names refer to the same protocol, as is easily demonstrated by connecting a current Microsoft "CIFS" client to a Samba "SMB" server from 1992."
However, for those who know little or nothing of X.500 and are just looking for simple directory services, this makes the LDAP documentation pretty much worthless or extremely annoying, depending on just how tenacious you are.
I don't mean to pick on the various LDAP projects. This kind of thing happens all over the place with free enterprise software.
Red Hat acquired the Netscape/iPlanet directory server (LDAP) code from AOL, along with the original team working on it (i.e. it's not open source and dump software). It's about 1.8 million lines of code, and RH is releasing it as free / open source software ASAP. Chris Blizzard of Mozilla fame had a great presentation at the Fedora Conference (FUDcon ;-) today about their progress. Very cool stuff.
Blizzard wants to learn from Mozilla and not release the code until a standard build system (such as autoconf) is in place... You can imagine with that much code it's going to take a little time to work through in a new build system, but his current estimate is they'll release the first functional useful code "on the order of weeks". There are some smaller chunks that are going to have to be rewritten owing to dependencies on external proprietary code we did not acquire, but it looks like nothing really bad, and the core should be coming along quickly.
This codebase is one of the major commercial directory servers in use, is supposed to scale to giant enterprise loads, and is (according to some RH hackers who just got their hands on it internally) much easier to setup than OpenLDAP. It comes with a nice GUI config interface, etc. Naturally, it'll be integrated into Fedora pretty quickly, and hopefully Debian, Gentoo, SuSE and other distributions too.
-Seth
The problem is that each flavor/vendor uses its own brand of automount schema. OS X uses that awful 'mounts' mapping with its equally awful automounter. Solaris has its own brand. Then there is amd. Etc. Until someone RFCs a decent LDAP schema for automounting and everyone follows along, I suspect this is going to remain a dream.
In the meantime, if you work in a heterogeneous environment, expect to do some work (and in some cases, quite a bit) to build shims between flavors.... and that's before you get to things like Kerberized NFS and/or NFSv4.
In most other respects, everything else is fairly standard. RFC2307b gets you almost all the way via LDAP and Kerberos lets you do it all in an SSO'd environment.
Actually, there was plenty of free software available in 1992.
At about that time I was writing X.500 based applications using ISODE.
In my estimation, X.500 failed to take off for five reasons. The first was that it was overly complex. The protocol was certainly complex. While ISODE made things easier, building applications was still too complicated.
The second is that X.500 was a resource pig, both on the client and the server.
The third is that there were too many optional features in the protocol. No vendor could practically support all of the options and no two vendors could agree on a reasonably common subset of features. Interoperability was a nightmare.
The fourth is that due to its complex data model and binary data encoding, debugging X.500 sessions was extremely difficult using a packet sniffer or other protocol capturing tool. It also meant that writing scripts to do reasonably interesting X.500 things was not going to happen.
The fifth was that once LDAP was fielded, the practical need for X.500 disappeared. The first 3 reasons above created LDAP and once it existed, X.500 was an answer in search of a question.
One might say that there was no mission critical need for directory services. We had DNS for host to address mapping. Directory services was a "would be nice to have" not a "must have".
In addition, because it was originally conceived to be operated by the PTTs of the world, there was an organizational element with regard to who ran what servers and served what branches of the X.500 name space. That never really came together.
Many thought that company employee directories would be on-line for the world to browse. Except nobody checked with the companies to see if they thought that that was a good idea. It wasn't.
Reasons 1 through 4 above apply to many if not most if not all ISO (or OSI) protocols. We used to say that ISO protocols were designed to solve all problems for all people for all time. It turns out that because the protocols were too complex and too resource hungry, and the implementations didn't interoperate, that in the end they solved few problems, for few people, for a very short time. And that was on a particularly good day.
Designing protocols to solve every problem and provide every feature that we will ever need lost out to designing protocols that were the simplest things that would serve the desired purpose and solve the current problem. And these simple protocols (FTP, HTTP, NNTP, SMTP, POP3, TFTP, ...) have been augmented as new requirements have been encountered and are still relatively simple (to understand, to implement, to debug, to use, ...) today.
LDAP, however, is not one of these simple protocols. LDAP was a compromise, like SNMP, and like SNMP, LDAP has paid for not being what it could have been: small, simple, and elegant. Both protocols use the ISO data model (ASN.1) and the ISO encoding model (BER,DER,...). In fact, both protocols were designed to be transitional protocols to get things going until their ISO replacements (X.500 and CMOT (CMIP over TCP)) were ready to be deployed.
The funny thing is that once LDAP and SNMP were fielded, X.500 and CMOT were no longer needed. And funnier yet, the authors of the LDAP and SNMP protocols secretly knew that LDAP and SNMP would not be replaced by X.500 and CMOT, but they had to make the design compromise to ease the transition that they knew would never occur in order to keep the peace while they pulled the rug from beneath the X.500 and CMOT proponents. Of course this was back in the day when most people believed that X.400 would be replacing SMTP in no time at all. But some knew better.
search freshmeat for mkautosmb, its absolutely top.
It browses your LAN and creates automount config files for them, yee hah!
I had to edit it to do "autofs --version" when checking which version of autofs you have, and to make it write out "cifs" instead of "smbfs" to get around a current smbfs/Win2003 server compatibility problem.
Either that or look at smb4k, but it suffers from the same smbfs problem I mentioned.
Sam
blog.sam.liddicott.com
The thing in contention here is "demand". Now, OK, frex; IE has 90% of the market, Firefox less than 10%. A conventional view says that IE is in considerably more demand than Firefox (or Opera). Now, all right, I can accept that, but I don't agree with it. The bottom line is that no one (or very few) actually want IE but they have it and don't want another browser enough to learn how to download and install (or are not permitted to... or...). Given that you had to choose and download a browser would the ratio of 90/8/2 (IE/Firefox/Opera) be the same? I sincerely and very strongly doubt that that is the case. IE is crap in comparison to either of the others mentioned. So when people talk about "demand" or "market demand" they are not talking about demand in the English use of the word at all. They are talking about usage figures not how much one product is valued/wanted/desired over another. If the "market" was on equal standing the situation would be very different.
So, what I mean when I say there is no "demand" for MS products is that no one really likes them. No one really wants them. And if there was something that was not harder for them to deal with and they had a real choice they would abandon MS gleefully and rapidly.
I'm actually quite sick of the pro-anti-Microsoft war and don't particularly care much about it, but that isn't going to make me abandon the truth of things. MS is a bag of worms, Linux was developed from a terminal emulator and shows it, UNIX (although my favourite) is thirty year old concepts overlaid with patches and extensions usually badly implemented. It is _all_ crap. Live with it.
Anyway, it will all pass. MS has most likely had its day in the Sun. Its optimal strategy for long term survival now would be to fund say, twenty guys to work on Hurd (and maybe another 20 for EROS too). To stay ahead and set directions, to truly open just about everything except the UI. In the end it is only the UI - the user experience - that is important. So, right now, MS has sufficient resources to fund as much of the OSS movement as it wants. If it (MS) funded say 1/3 of the current OSS developers, how could it not stay in front? Wouldn't worldviews suddenly change?
Zero Sum (don't amount to much). [root@localhost]
Flat is seldom the answer unless your domain will be very small.
Domains form security boundaries. Unless you want to give everybody who is in domain admins, or who may need domain admins, the ability to completely screw up your schema and enterprise configuration, then you should have as a minimum a place-holder root.
A placeholder root also allows different security policies for different users. This is the most annoying weakness of AD: user accounts get the security policy of the domain controllers, and not of the user container. So separate domains for separate requirements.
Mergers/de-mergers/acquisitions all benefit substantially from being able to spin domains in and out of a forest. You don't need a forest for this, but it helps.
Internal politics also may mandate separate domains - many companies are loosely allied fiefdoms, and there is no way they will agree to monolithic centralised IT. So give them a bone - here, your very own domain. They will not realise that there is no effective difference if you control the root.
Other reasons are said to include control of replication, but I've never really bought this. AD replication is pretty minor compared to other traffic. I know that in 2000 there is a problem with groups (membership is replicated, not membership deltas - changed in 2003) that might suggest it's a good idea, but if you are doing a 2003 roll out - nah.
Oh yeah - as seems de rigueur in this thread, I was also once involved in one of the largest AD roll outs in the entire world - headquarters (one of them) opposite Waterloo station in London.
No he's right, AD has many other features other than broken standards support :)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then there's the GUI tools for managing it all; last time I looked Linux only had directoryadministrator, which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)
I just have to make some advertisement:
During the last two years, I've been hacking on a generalized system for managing an LDAPized system, including all sysadmin tasks like home-dir-creation etc, for my employer. The system is GPL:ed and available from http://grimoire.takeit.se (the webdemo doesn't work ATM, sorry).
The aim of the system is to carry out any sysadmin task on any host in the system, and combine those tasks into more complex ones, even if executed on different machines, and then control access to tasks in a very fine-grained way (a bit similar to Novell's trustees, in that you have inheritance down the tree).
ATM, the system can handle users, groups (it can let users create their own groups in a controllable fashion), machine accounts and printer queues interacting with Samba, OpenLDAP, Courier, Postfix, CUPS, pam/nss-ldap and some other tools. It is however in beta-stage...
--The knowledge that you are an idiot, is what distinguishes you from one.
First response:
Scott Gordon [sgordon@vaco.com]
RE: Inquiry about Dice Job Number ADMEM
Thanks very much for your inquiry. We've filled this position today with someone of 12+ total years of experience.
Good luck in your job search!
------------
My response to that:
Alas, how is this possible? Active directory was first included with Windows 2000. The "2000" means the year, 2000. Being 2005 now, that means it's only been available for five years.
While I'm not trying to argue with you here, I thought I might let you know so you could fix the job description as it's inaccurate.
I consider myself very good at my trade, and I wouldn't apply for a job when the company can't get the job requirements correct - you know you're in for trouble when the boss apparently knows nothing about the technology; not even enough to realize 2000 means the year 2000. If you're a recruiting firm, you may attract more skilled people if you have an accurate description.
Fortunately I'm not looking for a job as I am already employed. Sometimes I look to see how the market is looking.
Good luck!
-------------
His response:
Joseph,
If you are not searching for a job, then it should not matter.
I appreciate your concern for my job description but it is unnecessary.
Perhaps you should apply your editing skills to your own employment and further yourself in your current company. What task are you not completing while surfing the internet looking for jobs? Does your employer - Future Foundations - know that you are spending company time, money and bandwidth looking for another job? Perhaps they should know, Mr. Jamieson?
Again, we've filled this opening and the position is no longer available.
Regards,
------------------
Now, "Future Foundations" is just my own e-mail domain name. Like many other people around here, I host my own e-mail so I keep my address no matter what ISP I use. How does this guy think he's going to scare an IT person by calling out their e-mail domain name?
I think he's a small recruiting shop, maybe even just him, as he claims to be CEO or something but also writes these job descriptions. Figures.
But these are the unprofessional people that us professionals have to deal with to get a job these days. It sucks.
- It's not the Macs I hate. It's Digg users. -