Where are the 'Modern' Directory Services?
MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"
Sounds like you want Windows and Active Directory.
Any word on when Red Hat will make the Netscape Directory Server available? That would be your solution, or look at: http://imc.sourceforge.net/index.html
What about NetWare and eDirectory? I hear they use open standards for Linux.
I believe SUSE Enterprise Server (and SUSE Open Exchange Server too) has a YaST module to set up LDAP easily.
I might be wrong though - I'm still waiting for my copy...
sigaar
The YourOwn (tm) Linux distribution is based on OpenLDAP and all the other out-of-the-box features you're looking for.
It can be downloaded from YourOwnBox.org.
Solaris automounts my home directory just fine. Just point the machine to the NIS domain and it works.
What, reading 50 different howtos with half-assed conflicting information isn't good enough for you? Surely this is blasphemy against the community.
You didn't ask for open source.
:)
Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.
Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.
Disclaimer - I'm a Novell person
Evil ZEN Scientist
"Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification?"
It takes three shell commands and inserting your favorite validation server to hook up an OS X client to an AD server, SMB shares included (not DFS though, as far as I know).
All those moments will be lost in time, like tears in rain. Time to die.
we believe that the idea of data is obsolete, and that, in the future, users will demand less and less of it, and more and more menu animations.
That's "Mr. Soulless Automaton" to you, Bub.
I work in an IT environment at a Canadian university, and for a single sign-on solution we use Linux servers/clients (Debian, but it really doesn't matter which you use) with the pam_mount module to mount a user's Windows Samba share to /home/$username/$folder_name. We also use a login script which copies any settings (.dot files) back and forth between the Samba share and the local filesystem, as SMB does not by default work for home directories since it does not support all of the Unix filesystem standards... CIFS was a push in the right direction to change that, but wasn't ready for prime time last time I checked. For authentication we use Kerberos against the Windows ADS, but any LDAP or similar PAM module should work for you.
There's this company called Novell that has this product called, variously, "NetWare Directory Services", "Novell Directory Services", "eDirectory", and "Nsure/exteNd/Nterprise/Ngage".
Okay, so maybe their marketing department has sucked big donkey dongs for like the last ten years and that's why you've never heard of them.
But rumor has it they purchased this outfit called SuSE, and that all their stuff has been ported to the Linux kernel, and they also purchased this other outfit, called Ximian, so that all their stuff would play nice with .NET, and...
Well, you get the picture.
LDAP, Kerberos, Samba and all the things that come with that are critical to Linux's survival now. Linux will either live or die on its ability to use LDAP, Kerberos, SSL and Samba.
LDAP is Linux's ultimate ability that permeates everything Linux can do and makes the many pieces of Linux whole. Only the greatest of Linux users can use LDAP.
The thing is, it's too damn hard, too damn difficult, and there are not enough documentation and configuration tools for LDAP out there. I've spent three years on LDAP - I know.
LDAP/Samba/Kerberos on Suse works real well out of the box in the latest Suse Server offerings. I don't play with many distros so I can't recommend it against others.
But for professional use on networks of any real size, I really try to push my customers to NDS. Say what you want about Novell, but I have yet to find a better DS than Novell's.
Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to set up the server; that's the only real catch.
So why not use it? It's a full featured directory service based on OpenLDAP with Kerberized AFP and SMB built in, so why use a Linux server and "roll your own" with everything, and do all the extra work?
I have to be missing something here.
Yes, having a setup for LDAP with Samba tied in would be a plus, but you have to consider why it hasn't happened yet.
Only fairly large shops NEED that, and they only need to set it up once. The existing howtos appear to be addressing that need well enough that it has not become a big enough itch for anyone to scratch. Again, once you know enough about it to write the wizards to make setting it all up easy, you have your site done and will probably never need to do it again. So until a distro vendor sees it as a big enough selling feature to undertake the work, I doubt it will happen.
Democrat delenda est
I recently set up a *nix server to act as a Windows PDC for our small workgroup. It wasn't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouldn't undertake this with an RPM distro, unless I had plenty of support.
I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps, and MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to our intranet (basically one room) and we are a small shop, so Kerberos isn't a priority. We will add it later.
Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.
I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.
Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.
The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.
"Joining the Active Directory with OS X.3 Client" - http://www.infodiv.unimelb.edu.au/lansg/osx/os-x3-ad.html
I have nothing to add to the article.
All those moments will be lost in time, like tears in rain. Time to die.
I mount NFS home directories with automount on Red Hat 9.
/etc/auto.master, or NIS to get the auto.master. No biggie -- isn't updating /etc/auto.master easy enough (assuming you don't push it with NIS)?
So, I push an auto.master using NIS. Works peachy. I've never tried it -- but I think that using an SMB share as a home directory would be as simple as changing the automount specification? This doesn't work?
As to NIS: its what I use, and RH9 is happy with it.
However, RH9 does offer "NIS", "LDAP", "Kerberos 5", "SMB" authentication schemes on installation.
Note that autofs uses
What are you trying to do?
Ratboy
Just another "Cubible(sic) Joe"
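The NIS-pushed auto.master and wildcard home map the post above asks about can be checked offline before anything is deployed. The following Python is an added example, not from the original post or from the autofs project: it parses a constructed auto.master and auto.home (made-up server and user names) in the format autofs(5) reads, emulates the lookup autofs performs for a path under /home (an exact key wins over the `*` wildcard, and `&` is replaced by the key), and flags the two things a defender looks for in a CIFS home map: a password embedded in the map file through the `pass=` mount option, and an entry without `sec=krb5`, which falls back to password-based authentication instead of the Kerberos ticket the pam_mount setup described earlier in the thread relies on.

```python
# Added example: parse, resolve and audit autofs home-directory maps.
# The two files below are constructed samples in autofs(5) format, not a real site.

AUTO_MASTER = """\
# mount-point   map                 options
/home           /etc/auto.home      --timeout=300
"""

AUTO_HOME = """\
# key   options                              location
alice   -fstype=cifs,sec=krb5,pass=hunter2   ://files.example.com/homes/alice
bob     -fstype=cifs                         ://files.example.com/homes/bob
*       -fstype=cifs,sec=krb5                ://files.example.com/homes/&
"""

# Stand-in for map files on disk (or maps served by NIS).
MAPS = {"/etc/auto.home": AUTO_HOME}


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_master(text):
    """Return {mount_point: (map_name, options)} from an auto.master."""
    master = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"bad auto.master line: {raw!r}")
        master[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return master


def parse_map(text):
    """Return [(key, options, location)] from a sun-format indirect map."""
    entries = []
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        parts = line.split()
        if len(parts) == 2:                                   # key location
            key, opts, loc = parts[0], "", parts[1]
        elif len(parts) == 3 and parts[1].startswith("-"):    # key -opts location
            key, opts, loc = parts[0], parts[1][1:], parts[2]
        else:
            raise ValueError(f"bad map line: {raw!r}")
        entries.append((key, opts, loc))
    return entries


def mount_options(opts):
    """Turn 'fstype=cifs,sec=krb5' into {'fstype': 'cifs', 'sec': 'krb5'}."""
    result = {}
    for item in filter(None, opts.split(",")):
        name, _, value = item.partition("=")
        result[name] = value
    return result


def resolve(master, maps, path):
    """Emulate an autofs lookup of `path`: returns (options, location) or None."""
    for mount_point, (map_name, _) in master.items():
        prefix = mount_point.rstrip("/") + "/"
        if not path.startswith(prefix):
            continue
        key = path[len(prefix):].split("/", 1)[0]
        entries = parse_map(maps[map_name])
        chosen = (next((e for e in entries if e[0] == key), None)   # exact key first
                  or next((e for e in entries if e[0] == "*"), None))  # then wildcard
        if chosen is None:
            return None
        _, opts, loc = chosen
        return opts.replace("&", key), loc.replace("&", key)     # & -> the key
    return None


def audit(entries):
    """Flag CIFS map entries with embedded passwords or without Kerberos."""
    findings = []
    for key, opts, _ in entries:
        o = mount_options(opts)
        if o.get("fstype") != "cifs":
            continue
        if "pass" in o or "password" in o:
            findings.append((key, "cleartext password embedded in the map file"))
        if o.get("sec") != "krb5":
            findings.append((key, "no sec=krb5, so the mount falls back to password-based authentication"))
    return findings


if __name__ == "__main__":
    master = parse_master(AUTO_MASTER)
    print(resolve(master, MAPS, "/home/carol"))
    for key, problem in audit(parse_map(AUTO_HOME)):
        print(f"{key}: {problem}")
```

Run against the constructed maps, the lookup for /home/carol lands on the wildcard entry and the audit reports alice (password in the map) and bob (no Kerberos); the wildcard entry, which is what a site would actually ship, passes. A map file has to be readable by the automounter, and with NIS it is readable by every client, which is why a `pass=` option there is worth catching before it is pushed.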
Actually, if you are a software developer you can work with Novell and bundle up to 250k seats of eDirectory 'free/beer' with your product.
:)
So the directory side of things is not 'pay-at-the-door'
Usual disclaimers.
Evil ZEN Scientist
ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.
(available at http://opendce.hands.com)
except of course nobody _noticed_ because in 1992, things like free software didn't really exist.
and, of course, X.500 was "far too complicated".
now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.
repeat for any value of X...
I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!
Excellent documentation too.
I'm still waiting for the hover-cars we were promised in the 60's, let alone reliable directory services that have just started to be used!
You should check out the Hurderos project. The goal of Hurderos is to create a framework for directory and authentication using open tools. In other words, an open-source equivalent of Active Directory and NDS.
Although the project is in its infancy, it has really good ideas for integrating identity management, authn, and authz.
http://www.hurderos.org
Actually, there was plenty of free software available in 1992.
At about that time I was writing X.500 based applications using ISODE.
In my estimation, X.500 failed to take off for five reasons. The first was that it was overly complex. The protocol was certainly complex. While ISODE made things easier, building applications was still too complicated.
The second is that X.500 was a resource pig, both on the client and the server.
The third is that there were too many optional features in the protocol. No vendor could practically support all of the options and no two vendors could agree on a reasonably common subset of features. Interoperability was a nightmare.
The fourth is that due to its complex data model and binary data encoding, debugging X.500 sessions was extremely difficult using a packet sniffer or other protocol capturing tool. It also meant that writing scripts to do reasonably interesting X.500 things was not going to happen.
The fifth was that once LDAP was fielded, the practical need for X.500 disappeared. The first 3 reasons above created LDAP and once it existed, X.500 was an answer in search of a question.
One might say that there was no mission critical need for directory services. We had DNS for host to address mapping. Directory services was a "would be nice to have" not a "must have".
In addition, because it was originally conceived to be operated by the PTTs of the world, there was an organizational element with regard to who ran what servers and served what branches of the X.500 name space. That never really came together.
Many thought that company employee directories would be on-line for the world to browse. Except nobody checked with the companies to see if they thought that that was a good idea. It wasn't.
Reasons 1 through 4 above apply to many if not most if not all ISO (or OSI) protocols. We used to say that ISO protocols were designed to solve all problems for all people for all time. It turns out that because the protocols were too complex and too resource hungry, and the implementations didn't interoperate, that in the end they solved few problems, for few people, for a very short time. And that was on a particularly good day.
Designing protocols to solve every problem and provide every feature that we will ever need lost out to designing protocols that were the simplest things that would serve the desired purpose and solve the current problem. And these simple protocols (FTP, HTTP, NNTP, SMTP, POP3, TFTP, ...) have been augmented as new requirements have been encountered and are still relatively simple (to understand, to implement, to debug, to use, ...) today.
LDAP, however, is not one of these simple protocols. LDAP was a compromise, like SNMP, and like SNMP, LDAP has paid for not being what it could have been: small, simple, and elegant. Both protocols use the ISO data model (ASN.1) and the ISO encoding model (BER,DER,...). In fact, both protocols were designed to be transitional protocols to get things going until their ISO replacements (X.500 and CMOT (CMIP over TCP)) were ready to be deployed.
The funny thing is that once LDAP and SNMP were fielded, X.500 and CMOT were no longer needed. And funnier yet, the authors of the LDAP and SNMP protocols secretly knew that LDAP and SNMP would not be replaced by X.500 and CMOT, but they had to make the design compromise to ease the transition that they knew would never occur in order to keep the peace while they pulled the rug from beneath the X.500 and CMOT proponents. Of course this was back in the day when most people believed that X.400 would be replacing SMTP in no time at all. But some knew better.
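The ASN.1/BER wire format the post above refers to is small enough to decode by hand, and doing so shows why binary encodings hide things from a casual look at a capture. The following Python is an added example, not from the original post or from any LDAP implementation: it hand-builds an LDAPv3 simple BindRequest following the RFC 4511 structure (the message ID, bind DN and password are made-up values, not captured traffic), decodes it with a minimal BER TLV parser that supports single-byte tags and definite lengths only, and reports the fields. The point for a defender sits in the result: a simple bind carries the password as a plain OCTET STRING, which is why binds belong on a TLS connection, as one poster above does, or on Kerberos/SASL rather than simple authentication.

```python
# Added example: minimal BER decoder applied to a constructed LDAPv3 simple
# BindRequest (RFC 4511 structure). DN and password below are made-up values.

def tlv(tag, content):
    """Encode one BER TLV with the short length form (content shorter than 128 bytes)."""
    if len(content) >= 0x80:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def build_simple_bind(message_id, bind_dn, password):
    """Construct LDAPMessage { messageID, bindRequest { version 3, name, simple } }."""
    if not 0 <= message_id < 0x80:
        raise ValueError("sample encoder keeps messageID to one byte")
    bind_request = (
        tlv(0x02, bytes([3]))            # version        INTEGER (3)
        + tlv(0x04, bind_dn.encode())    # name           LDAPDN, an OCTET STRING
        + tlv(0x80, password.encode())   # authentication [0] simple, context tag 0
    )
    # 0x30 = universal SEQUENCE; 0x60 = [APPLICATION 0] constructed = BindRequest
    return tlv(0x30, tlv(0x02, bytes([message_id])) + tlv(0x60, bind_request))


def ber_length(buf, pos):
    """Read a definite-form length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                     # short form: the byte is the length
        return first, pos
    count = first & 0x7F                 # long form: low bits count the length bytes
    if count == 0 or count > 4:
        raise ValueError("indefinite or oversized length not supported")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def ber_decode(buf, pos=0, end=None):
    """Decode TLVs in buf[pos:end] into [(tag, value)], recursing into constructed values."""
    if end is None:
        end = len(buf)
    items = []
    while pos < end:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags not supported")
        length, pos = ber_length(buf, pos)
        if pos + length > end:
            raise ValueError("TLV length runs past the enclosing element")
        if tag & 0x20:                   # constructed: value is itself a TLV sequence
            value = ber_decode(buf, pos, pos + length)
        else:                            # primitive: raw content octets
            value = buf[pos:pos + length]
        items.append((tag, value))
        pos += length
    return items


def describe_ldap_message(buf):
    """Summarise an LDAPMessage; for a simple bind, report the DN and credential size."""
    top = ber_decode(buf)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not a single LDAPMessage SEQUENCE")
    fields = top[0][1]
    info = {"messageID": int.from_bytes(fields[0][1], "big")}
    op_tag, op = fields[1]
    if op_tag != 0x60:                   # only the bind request is interpreted here
        info["op"] = f"tag 0x{op_tag:02x}"
        return info
    auth_tag, auth = op[2]
    info.update(
        op="bindRequest",
        version=int.from_bytes(op[0][1], "big"),
        name=op[1][1].decode(),
        simple=auth_tag == 0x80,
        # For a simple bind the credential octets are the cleartext password.
        credential_length=len(auth) if auth_tag == 0x80 else None,
    )
    return info


if __name__ == "__main__":
    sample = build_simple_bind(1, "cn=admin,dc=example,dc=com", "secret")
    print(sample.hex())
    print(describe_ldap_message(sample))
```

The hex dump printed first is what a sniffer shows for the bind: nothing in it is readable without knowing the tag and length rules, yet the decoded summary recovers the DN and the six credential octets directly, and `b"secret"` is present verbatim in the bytes. That is the gap between "hard to read by eye" and "protected", and it is the reason simple binds over port 389 without TLS are treated as credential exposure.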
Search freshmeat for mkautosmb, it's absolutely top.
It browses your LAN and creates automount config files for them, yee hah!
I had to edit it to do "autofs --version" when checking which version of autofs you have, and to make it write out "cifs" instead of "smbfs" to get around a current smbfs/win2003-server compatibility problem.
Either that or look at smb4k, but it suffers from the same smbfs problem I mentioned.
Sam
blog.sam.liddicott.com
No he's right, AD has many other features other than broken standards support :)
Kerberos + LDAP alone can't manage group policies. Being able to manage workstation configurations (including new software installs) in this way is the killer feature of AD imo.
Then there's the GUI tools for managing it all; last time I looked, Linux only had directoryadministrator, which was a basic GUI for adding/removing groups and users.
This stuff could probably be done with a *nix solution but none do it out of the box. Afaik samba acting as domain controller can't apply group policies, although theoretically it should be possible to hack up some login scripts to emulate this functionality. To get it all running and have GUI control of the entire lot would involve a lot of programming and certainly cost more than a few win2k3 licenses.
(I'd love to be proven wrong if software does exist to do all these please point it out)
I just have to make some advertisement:
During the last two years, I've been hacking on a generalized system for managing an LDAPized system, including all sysadmin tasks like home-dir creation etc., for my employer. The system is GPL'd and available from http://grimoire.takeit.se (the web demo doesn't work ATM, sorry).
The aim of the system is to carry out any sysadmin task on any host in the system, and combine those tasks into more complex ones, even if executed on different machines, and then control access to tasks in a very fine-grained way (a bit similar to Novell's trustees, in that you have inheritance down the tree).
ATM, the system can handle users, groups (it can let users create their own groups in a controllable fashion), machine accounts and printer queues interacting with Samba, OpenLDAP, Courier, Postfix, CUPS, pam/nss-ldap and some other tools. It is however in beta stage...
--The knowledge that you are an idiot, is what distinguishes you from one.
First response:
Scott Gordon [sgordon@vaco.com]
RE: Inquiry about Dice Job Number ADMEM
Thanks very much for your inquiry. We've filled this position today with someone of 12+ total years of experience.
Good luck in your job search!
------------
My response to that:
Alas, how is this possible? Active directory was first included with Windows 2000. The "2000" means the year, 2000. Being 2005 now, that means it's only been available for five years.
While I'm not trying to argue with you here, I thought I might let you know so you could fix the job description as it's inaccurate.
I consider myself very good at my trade, and I wouldn't apply for a job when the company can't get the job requirements correct - you know you're in for trouble when the boss apparently knows nothing about the technology; not even enough to realize 2000 means the year 2000. If you're a recruiting firm, you may attract more skilled people if you have an accurate description.
Fortunately I'm not looking for a job as I am already employed. Sometimes I look to see how the market is looking.
Good luck!
-------------
His response:
Joseph,
If you are not searching for a job, then it should not matter.
I appreciate your concern for my job description but it is unnecessary.
Perhaps you should apply your editing skills to your own employment and further yourself in your current company. What task are you not completing while surfing the internet looking for jobs? Does your employer - Future Foundations - know that you are spending company time, money and bandwidth looking for another job? Perhaps they should know, Mr. Jamieson?
Again, we've filled this opening and the position is no longer available.
Regards,
------------------
Now, "Future Foundations" is just my own e-mail domain name. Like many other people around here, I host my own e-mail so I keep my address no matter what ISP I use. How does this guy think he's going to scare an IT person by calling out their e-mail domain name?
I think he's a small recruiting shop, maybe even just him, as he claims to be CEO or something but also writes these job descriptions. Figures.
But these are the unprofessional people that us professionals have to deal with to get a job these days. It sucks.
- It's not the Macs I hate. It's Digg users. -