Slashdot Mirror


Where are the 'Modern' Directory Services?

MarcQuadra asks: "I've been a Linux user since 1998, and I admin Mac OS X machines at work, but I have yet to find a distribution that comes out-of-the-box with modern directory services. Sure, there are guides to kerberize and set up OpenLDAP, but before I can start pushing Linux as an alternative at work I'll need a few things. Are there any distributions out there that can auto-mount SMB shares as home directories without heavy modification? How about a distro that's based on OpenLDAP and can easily be configured with LDAP-enabled SAMBA and Kerberos? Am I missing something, or is this not a priority with the community at-large?"

29 of 504 comments

  1. Gee... by TheCabal · · Score: 5, Insightful

    Sounds like you want Windows and Active Directory.

    1. Re:Gee... by TheCabal · · Score: 5, Insightful

      Dude (since we're apparently on an informal basis)

      I help run what is probably one of the largest AD implementations in the country, if not the world. Your perception of AD is true only under certain lamebrained implementations. It IS possible to totally ignore the AD hierarchy and go for a "flat" NT4-style domain structure, but people who set those up should be severely beaten about the face and ears, and never allowed near a server again. If your ADs are like that, get a new job.

    2. Re:Gee... by TheCabal · · Score: 4, Funny

      Yeah, I remember back in 2002 or so, I saw an ad for a job requiring 5 years experience with Windows2000.

      Some things just boggle the mind.

    3. Re:Gee... by AlphaSys · · Score: 5, Informative

      Sorry, Jon... you are out of touch. It will absolutely do every bit of that either natively or with the rest of the Win2000/2003 tools that come with it out of the box. Just because you don't know how to do it doesn't mean it doesn't. And yes, that feature set is about 1999.

      Like many others here, I have participated in several migrations away from NDS in favor of AD. Each instance has been a big win for the people I worked for.

      That being said, I have recently installed a trial of the last release of SuSE LINUX Enterprise Server (the first since Novell acquisition) and I have to say that this product's successors/siblings are going to balance things in the DS arena again. I never had anything against Novell, but they stagnated while they tried to fend off and interoperate the beast simultaneously and MS gained almost all of their infrastructure ground almost solely at Novell's expense while they were floundering without a plan.

      The recent SuSE and Ximian acquisitions are going to pay great dividends both for Novell and for the community in the long run. I am excited to see what they do, but for goodness sake, don't applaud the last five years of NDS. That's like claiming the last three Rocky films were the best.

      --
      Can I bum a sig? I left mine at the office.
    4. Re:Gee... by flacco · · Score: 4, Interesting

      AD isn't special. It, like so many other "innovations" from MS, is simply a rip-off of LDAP and NDS.

      i'm guessing the difference is that setting up AD server and AD-based single-sign-on doesn't make you want to gouge out your eyes with a shrimp fork (compared to linux at least).

      i say i'm guessing because i'm 100% linux at home and work, and i'll never lay a hand on a windows box if i can avoid it; but the theme of this Ask /. is dead-on.

      Linux needs *easy*, *default*, *out of the box* ldap-based authentication. i should be able to install a distro, select "ldap auth", and then have everything automagically authenticate against it - shell, apache, samba, IMAP, etc etc etc. same on workstations - select "ldap auth", specify the ldap server, and you're done.

      i don't know any distros that offer this ease of use - correct me if i'm wrong. (i run debian sarge and sid).

      --
      pr0n - keeping monitor glass spotless since 1981.
    5. Re:Gee... by TheNetAvenger · · Score: 4, Interesting

      Windows and Active Directory are a proprietary ripoff of LDAP and kerberos with some gui tools

      Well I guess if you never used it, you would probably think this.

      AD goes so far beyond a type of LDAP or authentication system that it would be like saying Linux is nothing more than a rip-off of 1969 *nix and doesn't do any more.

      (And no I don't believe that about Linux.)

      Geesh...

  2. Netware by Anonymous Coward · · Score: 4, Informative

    What about Netware and EDirectory? I hear they use open standards for Linux.

    1. Re:Netware by Total_Wimp · · Score: 5, Informative

      Open Enterprise Server has a public beta right now. It runs on SUSE or Netware. The whole reason Novell bought SUSE was to answer questions just like this post.

      Of course the poster probably meant "open source directory services". Sorry, eDir is a pay-at-the-door shop.

      TW

  3. The community is YOU! by Anonymous Coward · · Score: 5, Funny

    Am I missing something, or is this not a priority with the community at-large?

    The YourOwn (tm) Linux distribution is based on OpenLDAP and all the other out-of-the-box features you're looking for.

    It can be downloaded from YourOwnBox.org.

    1. Re:The community is YOU! by KillerDeathRobot · · Score: 4, Funny

      I can't believe I clicked that link.

      --
      Thinkin' Lincoln - a web comic of presidential proportions
    2. Re:The community is YOU! by bradkittenbrink · · Score: 5, Funny

      Please do not post links to porn sites, we're trying to have a civilized discussion here...

  4. Solaris? by ajiva · · Score: 4, Interesting

    Solaris automounts my home directory just fine. Just point the machine to the NIS domain and it works

  5. pfft by Anonymous Coward · · Score: 4, Funny

    What, reading 50 different howtos with half-assed conflicting information not good enough for you? Surely this is blasphemy against the community.

  6. Novell eDirectory by ezs · · Score: 5, Informative

    You didn't ask for open source.

    Novell eDirectory has been available for many years running on Linux (as well as other platforms). Novell now own SUSE so I'd expect closer and tighter integration moving forward.

    Take a look at some of the new integrations coming in Novell Open Enterprise Server built on SLES 9 server.

    Disclaimer - I'm a Novell person :)

    --
    Evil ZEN Scientist
    1. Re:Novell eDirectory by ezs · · Score: 5, Informative

      I forgot to include the links ;)

      Karma whore links below:

      http://www.novell.com/products/openenterpriseserver/
      http://www.novell.com/products/edirectory/

      http://www.novell.com/zenworks

      --
      Evil ZEN Scientist
  7. In fact... by ENOENT · · Score: 5, Funny

    we believe that the idea of data is obsolete, and that, in the future, users will demand less and less of it, and more and more menu animations.

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  8. Hacked Solution by Anonymous Coward · · Score: 4, Informative

    I work for an IT environment at a Canadian University and for a Single Sign On solution we use Linux servers/clients (Debian, but it really doesn't matter which you use) which use the pam_mount module to mount a user's Windows Samba share to /home/$username/$folder_name, and we also use a login script which copies any settings (.dot files) back and forth between the Samba share and the local filesystem, as SMB does not by default work for home directories because it does not support all of the Unix filesystem standards... CIFS was a push in the right direction to change that but wasn't ready for prime time last time I checked. For authentication we use Kerberos against the Windows ADS, but any LDAP or similar PAM module should work for you.

  9. Re:SLES by thule · · Score: 5, Informative

    Yup! SuSE does an excellent job of configuring LDAP for you. This includes:

    Configuring Samba for LDAP and populating the LDAP server with the proper entries.
    Putting the dhcp server configuration in LDAP.
    Custom scripts for Samba to add/remove machines and users in LDAP via Samba.
    Configuring Bind to use LDAP as a backend.

    I'm pretty impressed. I love RedHat/Fedora, but those distros don't have anything like SuSE has for bootstrapping the LDAP configuration. Maybe RedHat will get more serious about it once they release the GPL'd version of iPlanet Directory Server.

    Personally, I can't wait until Samba 4 comes out, which will bring this all together (Kerb, LDAP, AD) with its own LDAP server.

  10. LDAP is critical to Linux's survival now. by Zombie+Ryushu · · Score: 5, Insightful

    LDAP, Kerberos, Samba and all the things that come with that are critical to Linux's survival now. Linux will either live or die on its ability to use LDAP, Kerberos, SSL and Samba.

    LDAP is Linux's ultimate ability that permeates everything Linux can do and makes the many pieces of Linux whole. Only the greatest of Linux users can use LDAP.

    The thing is, it's too damn hard, too damn difficult, and there is not enough documentation and configuration tools for LDAP out there. I've spent three years on LDAP - I know.

    1. Re:LDAP is critical to Linux's survival now. by mrroach · · Score: 4, Interesting

      One of the things that has always annoyed me is how bad the administration tools for LDAP are. My preferred method for quite a while was to keep an LDIF laying around that I would edit and import with slapadd. Not a beautiful solution.

      I have since created an LDAP admin tool that doesn't have a strange obsession with DN's, doesn't make you specify UIDNumbers, and generally tries not to suck.

      It is also (to my knowledge) the only LDAP admin tool that will manage your Kerberos principals alongside your LDAP users (if you're into that sort of thing). Anyhow, enough of my blathering, check it out: (http://edsadmin.sf.net).

      The next step of my Grand Vision is EDSRealmAssistant, which currently auto-configures samba+ldap, and will in the future do the whole LDAP+SAMBA+KRB5+DNS+DHCP shebang that everyone wants but is too lazy to set up :-)

      -Mark

    2. Re:LDAP is critical to Linux's survival now. by lamber45 · · Score: 5, Informative

      LDAP is really just a database-access protocol, with security and distributed-system features built in. I believe RFC 3377 is the most recent relevant standard.

      Most LDAP directories are used to keep track of people; therefore there is an InternetOrgPerson type which (if I remember rightly) has the following attributes by default:

      • CommonName (i.e., userID)
      • Full name
      • Password (can be stored with both Windows and Unix encryption, or in plaintext)
      • Telephone number(s)
      • Mailing address(es)
      • JPEG photo
      • e-mail address
      • user ID #
      • home directory (?), shell (?) (these might be in some other type)
      However, LDAP types are extensible, so you could create a new type to represent employees, inventory, or even projects, or you could extend an existing type. For instance, you might want to add some of the following to InternetOrgPerson (if they're not already there):
      • GPG public key
      • instant-messaging ID
      • ID badge number
      It's even possible to use an SQL or legacy-system database as a backend for OpenLDAP with some custom coding, although I'm sure a lot of people who use it don't bother.

      So that's what's in the directory. You might still ask, "what is it used for?"

      Firstly, Windows, Netware, Solaris and Linux can all be told to get their login information from an LDAP directory. This means that (if it works) someone only needs one account in an organization, that their Windows password is automatically the same as their Unix password, etc. It does not mean that they need to use the same home directory on all systems; but home directories can be automatically created by login scripts. NIS+ was a Unix-only way to distribute just the information found in /etc/passwd; LDAP is cross-platform.

      Secondly, some E-mail clients (specifically Netscape, its derivatives, and Outlook; I don't have experience to speak for others) can treat an LDAP directory as an extension of the address-book. That sure beats running down the hall and referring to a printed list every time you want to e-mail someone or call them on the phone and only remember their name.

      Of course, if your "organization" is one person working on ten computers in a family-member's basement, LDAP probably isn't worth the effort.

  11. NDS is Best by duncan · · Score: 5, Interesting

    LDAP/Samba/Kerbros on Suse works real well out of the box in the latest Suse Server offerings. I don't play with many distros so I can't recommend it against others.

    But for professional use on networks of any real size, I really try to push my customers to NDS. Say what you want about Novell, but I have yet to find a beter DS that Novell's.

  12. Try Suse by kanotspell · · Score: 4, Informative

    Suse will hold your hand through the whole process of setting up and authenticating to OpenLDAP and integrating with Samba. You still need to know what you're doing, and you'll probably want to tweak a thing or two, but Suse makes it nice and friendly. You need the enterprise version (which you pretty much need to pay for) to setup the server, that's the only real catch.

  13. OS X Server has it built in... Open Directory by CatOne · · Score: 5, Interesting

    So why not use it? It's a full featured directory service based on OpenLDAP with Kerberized AFP and SMB built in, so why use a Linux server and "roll your own" with everything, and do all the extra work?

    I have to be missing something here.

  14. Using *nix as a Primary Domain Controller by Noksagt · · Score: 5, Informative

    I recently setup a *nix server to act as a Windows PDC for our small workgroup. It wan't that difficult, particularly with the scripts and how-to from IDEALX. Any distro with sane, centrally-managed package management will be equally easy. By this, I mean apt or portage or even the *BSDs. I wouln't undertake this with an RPM distro, unless I had plenty of support.

    I don't yet run Kerberos, as I wouldn't gain much from it. There aren't enough Kerberized apps & MS's approach to "embracing and extinguishing" Kerberos has left *nix implementations largely incompatible with MS's implementation. I run OpenLDAP solely over SSL. SMB traffic is limited to out intranet (basically one room) & we are a small shop, so Kerberos isn't a priority. We will later add it.

    Home directories are all on the server. Samba is configured to allow windows to mount them & windows is configured to use them as the "My Documents" directories.

    I have setup Kerberised SAMBA, OpenLDAP, and SSH at my previous employer. It isn't difficult.

    Novell's eDirectory is nice if your ethics & wallet can afford it. OS X also has a decent implementation.

    The "modern" approach is to do something OTHER than SMB, but that requires a MS-free zone.

  15. ISODE - X.500 server - been available since 1992 by lkcl · · Score: 4, Informative

    ISODE-8.0, a complete and BSD-licensed X.500 server, has been available since 1992.

    (available at http://opendce.hands.com)

    except of course nobody _noticed_ because in 1992, things like free software didn't really exist.

    and, of course, X.500 was "far too complicated".

    now, of course, everyone is whining that "oo, wouldn't it be nice if only LDAP could do X" and if you look at X.500 you find it _can_ do X.

    repeat for any value of X...

  16. Re:I'm a bit confused? by INetUser · · Score: 5, Interesting

    As part of a school project, our team configured a drop in Linux based replacement for ADS and email on the then current SuSE 9.0. Once set up, you can even use the Windows NT Domain tools to administer it. The Linux machine even played the role of domain controller.

    Worked really slick. Single sign-on for all machines, Linux and Windows.

    I have the Word doc write up of how we did it around here someplace. I'd be willing to share if you are interested.

    As others have mentioned, and I'll confirm, that there is an automounter that comes with the distro that can mount smb file shares on windows machines in the network. I've got this working at home right now.

  17. Re:eDirectory and charging by rsax · · Score: 4, Informative
    Here is the link to the 250,000 free eDirectory user licenses. I don't think it's just limited to software developers but I don't know how long this offer will last. Grab em while they're hot.

    I've been testing it on RHEL ES 3 for a couple of weeks now and so far no complaints. Never thought I would say this but....... thanks Novell!

    Excellent documentation too.

  18. Re:I'm a bit confused? by INetUser · · Score: 5, Informative

    The Word document is about 1 MB in Zip format and available via this link http://www.echohome.org/serverconfiguration.zip