Slashdot Mirror


Fedora Directory Server 1.0 Released!

LnxAddct writes "NewsForge is reporting that the first official release of the Fedora Directory Server has been announced. This is good news for members of the open source community longing for an easy to use, enterprise class directory server. Fedora Directory Server is based off of Netscape Directory Server which Red Hat purchased a year ago and released as open source. Screenshots are available on their site." NewsForge is a Slashdot sister site.

37 of 200 comments

  1. command line by Darkon · · Score: 5, Interesting


    A fancy GUI is all very well, but does this come with some decent command line tools to scriptify adding and removing users and the like? One of the things that's kept my department on NIS for so long is the absolute hideous unfriendliness of the OpenLDAP tools vs useradd, usermod and friends.

    1. Re:command line by Anonymous Coward · · Score: 3, Insightful

      In short: Yes.

      However, I find it interesting that you describe OpenLDAP as "absolute hideous unfriendliness" when it simply isn't the case. Granted that the ldif format isn't obvious or familiar, using the command line tools is actually rather simple. You only need to understand how an LDAP Directory works, and how your schema of choice is laid out.

      I have personally written a front end for managing userspace in OpenLDAP via bash scripts, and I can tell you that once I spent an hour reading up on ldif, it was really quite simple.

    2. Re:command line by digitalhermit · · Score: 4, Informative

      The addition of a user is pretty simple... Just run ldapadd against an ldif file. To create the LDIF file is simple and you can do it with a perl script to specify username, userid and password. To create the password you can use crypt or md5. Something like:

          use strict; use warnings;
          my $cleartext = shift @ARGV;   # plaintext password passed on the command line
          my @validsalt = ('a' .. 'z', 'A' .. 'Z', 0 .. 9, '.', '/');   # the 64 characters crypt(3) accepts in a salt
          my $salt = $validsalt[rand(64)] . $validsalt[rand(64)];       # two random salt characters
          my $test = crypt($cleartext, $salt);                          # traditional crypt(3) hash for the entry
          print "$test\n";

      Of course, you'd also want to do some basic validation of the inputs. Then just wrap the user inputs in an LDIF template and run. It sounds a lot more difficult than it actually is.

      The schema can actually validate that userid is unique, but you should check anyway and also validate the groups and gids.
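As a worked version of the approach in the post above (validate the inputs, then wrap them in an LDIF template for ldapadd), here is an added example; it is not code from the post or from the Fedora Directory Server project. It stores the password as salted SHA-1 in the {SSHA} scheme, which OpenLDAP and the Netscape-derived servers understand, rather than the crypt() call the post shows, and the base DN, UID range and login-name pattern are assumptions for illustration. The entry uses the RFC 2307 posixAccount and shadowAccount classes.

```python
"""Generate a validated RFC 2307 posixAccount/shadowAccount entry as LDIF.

Added example, not code from the original post or from the Fedora Directory
Server project. The base DN, allowed UID range, minimum password length and
login-name pattern are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "ou=People,dc=example,dc=com"                # assumed directory suffix
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # assumed login-name policy
UID_MIN, UID_MAX = 1000, 60000                          # assumed range for ordinary users
MIN_PASSWORD_LEN = 8                                    # assumed minimum length


def ssha_hash(password, salt=None):
    """Return a userPassword value: {SSHA} + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value; the salt is the trailing bytes."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]               # SHA-1 digests are always 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)    # constant-time comparison


def validate_user(username, uid, gid, password, existing_uids, known_gids):
    """Return a list of problems with the requested account; an empty list means acceptable.

    existing_uids and known_gids stand in for the result of an ldapsearch run
    beforehand, so the script does not rely on the schema's uniqueness checks alone.
    """
    problems = []
    if not USERNAME_RE.match(username):
        problems.append(f"invalid login name {username!r}")
    if not UID_MIN <= uid <= UID_MAX:
        problems.append(f"uidNumber {uid} outside {UID_MIN}-{UID_MAX}")
    if uid in existing_uids:
        problems.append(f"uidNumber {uid} already in use")
    if gid not in known_gids:
        problems.append(f"gidNumber {gid} does not exist")
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
    return problems


def build_user_ldif(username, uid, gid, password, existing_uids, known_gids):
    """Validate the inputs, then fill an LDIF template suitable for ldapadd."""
    problems = validate_user(username, uid, gid, password, existing_uids, known_gids)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        f"dn: uid={username},{BASE_DN}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {username}",
        f"cn: {username}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: /home/{username}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: one uid already taken, one known group.
    print(build_user_ldif("jdoe", 1001, 100, "correct-horse-battery", {1000}, {100}))
```

The output is piped to ldapadd as the post describes; keeping validation in a separate function means a wrapper can report every problem at once instead of failing on the first one.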

    3. Re:command line by Anonymous Coward · · Score: 3, Informative

      It is so totally NOT built on top of OpenLDAP. In fact, it shares no code with OpenLDAP at all. Thanks for playing.

    4. Re:command line by aaronl · · Score: 2, Informative

      You could use the IDEALX smbldap-tools for the scripts and all. That would give you UNIX and Samba authentication and user account information, and control over groups, as well as a simple command line tool for passwords.

    5. Re:command line by dtfinch · · Score: 2, Insightful

      For some people, "absolute hideous unfriendliness" means you have to read documentation, as opposed to the program having a nice GUI interface that is comprehensive, intuitive, obvious, and familiar to a new user.

  2. wow by know1 · · Score: 5, Insightful

    redhat bought something useful and made it open source? that's one of the most amazingly good things i've heard this week. i thought open source was all about using software made for free. it's so great to see a company making a living off open source to buy something useful the community needs and give it out for free. i'm a debian man myself, but keep up the good work redhat!

    1. Re: wow by Dolda2000 · · Score: 4, Informative

      This isn't exactly the first time RedHat has done something like this. Last year, they also bought Sistina and released GFS for free. I think they have done other such things as well, but I can't remember any off the top of my head.

    2. Re:wow by TheRaven64 · · Score: 2, Informative

      As another poster pointed out, Sun have done this with other things as well. One example that I suspect a lot of /.ers are familiar with is Cygwin - bought by RedHat and open sourced. They are also not the only company to do this. Sun bought a German outfit called Star Division and released their flagship product as open source, and continue to supply most of the developer time to it. You might have used that too.

      --
      I am TheRaven on Soylent News

    3. Re:wow by LnxAddct · · Score: 5, Informative

      Heh, you severely underestimate Red Hat's contribution to the community :) Read this for a truncated list of contributions they've made. Some other products they've purchased and released include GFS, Cygwin, and eCos. They also contribute more code to the kernel than any other entity and in large part maintain and extend glib and GCC (they have a few people on the GCC board and contribute huge amounts of code; in fact many of the newest features in GCC 4.0.x you can thank Red Hat for). Here is another list, but that list is only for projects hosted from that site, so it's not complete either, but suffice it to say that Red Hat does a staggering amount for the community; it's kind of a shame when people bash them.
      Regards,
      Steve

  3. + Kerberos ? by ratatask · · Score: 5, Informative

    One of the neat things is if you couple together Kerberos with LDAP - much like a Windows network with Active Directory. Does the Fedora DS integrate those two neatly? Single sign on is neat, but OSS provides no turnkey solutions for this (yet).

    1. Re:+ Kerberos ? by Dolda2000 · · Score: 3, Insightful

      but OSS provides no turnkey solutions for this (yet).

      Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these. Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).

      Really, I'm not trying to troll here, I'm just really not seeing what this need to click a single button for every possible setup comes from. Rather than trying to provide every possible setup from the start, as Microsoft does (and which much of the complexity in Windows derives from), isn't it better to have a generic solution that can be tailored to one's specific need, instead?

    2. Re:+ Kerberos ? by CRC'99 · · Score: 2, Insightful

      Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

      Yeah, because it's not like this is a well used 'feature' in Windows Domains in just about every large company...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.

    3. Re:+ Kerberos ? by moreati · · Score: 5, Insightful

      Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

      Largely, I think it boils down to - 'because they don't understand the technology as we do'. Take a simple, high level requirement: identity management. You or I might see that in terms of the components: such as a directory, an authentication service, creation & removal scripts, some means of replication, monitoring scripts etc.

      A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity management solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

      Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).

      To you it isn't, but what happens when you leave? It's much easier to recruit someone to maintain a push button solution, than a partly bespoke ecology of components and scripts. Often the solution and the ecology are similar in complexity, but the solution hides that behind a GUI and glossy marketing material.

      Purchasers often choose to spend their money on specialised software (solutions), hopefully saving time. We often choose to spend our time customising general purpose software, hopefully saving money.

      Alex

    4. Re:+ Kerberos ? by drsmithy · · Score: 2, Insightful

      Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

      Because it makes deploying them easier, quicker, cheaper and less dependent on a particular individual's (or individuals') knowledge.

    5. Re:+ Kerberos ? by Dolda2000 · · Score: 2, Interesting

      A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity management solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

      I agree completely with that, but my main point is that I think that this "turnkey solution" should be a separate product -- an analogy to metapackages (like GNOME), if you will. This metapackage, which would be the already existing components plus shrink-wrapped config files, could then be sold to corporate purchasers as an "identity management solution". Optimally, it should be tailored to each company. My point is that it should not be part of the directory server, and probably not even part of the Fedora Core distribution.

      Maybe it should be part of RHEL, but I'd still see these kinds of turnkey solutions as something that should really be a consultant task. Each company or organization has disparate requirements and therefore, I think each case should be examined individually. I think that in general, open source software should remain the kind of general solution that it is today, and not implement 10+ buttons for each individual scenario. It might be a good idea that Red Hat could produce a number of specialized RHEL distros for the most common scenarios, but RHEL and FC themselves should remain generic.

      To you it isn't, but what happens when you leave? It's much easier to recruit someone to maintain a push button solution

      Most commonly, the experienced administrator would develop more or less a "push button solution", in the form of a collection of scripts to handle the most common tasks. Thus, when I quit, the next admin could just push the buttons I've prepared for myself. If he doesn't want to dive deeper, he probably shouldn't have to. Of course, it cannot be emphasized enough that the admin who develops a system should document it properly. The thing is, the "push button solution" developed locally will handle any particularities of the organization it was developed by and for, while general turnkey solutions (is that an oxymoron?) will always leave deficiencies since they cannot be tailored to the needs of the organization it will be used by.

    6. Re:+ Kerberos ? by rhinoX · · Score: 3, Interesting

      Actually, it's not always $notnerd vs. $nerd. I am a nerd in every sense of the word. I understand the technology as well, if not better than any other nerd. I also understand that in my company, my technical talents are better used to _produce new products_ for us to sell to our clients and thus make more money. Screwing around with configuration files, etc. is a _waste of my time_. I just want a directory service that allows single sign-on so I can easily add resources and people to the organization without having to freaking script my own mgmt console around some lame-ass command line tools because someone out there thinks that you have to use a CLI to "understand technology".

      --
      The copper bosses killed you, Joe. 'I never died', said he.

    7. Re:+ Kerberos ? by hkb · · Score: 2, Insightful

      Largely, I think it boils down to - 'because they don't understand the technology as we do'.

      Oh that's just egotistical rubbish! People like turnkey solutions mainly for two reasons:

      1.) They're novices and they just want something that works
      2.) They're not novices, but they're overloaded with work and they don't want to learn the complete ins and outs of yet another massive, complex software package (note I said package, not the protocols it uses, etc).

      --
      /* Moderating all non-anonymous trolls up since 2004 */

  4. Gentoo package? by nighty5 · · Score: 4, Interesting

    Anyone know if there is a gentoo package for this? - Even if it's not the most up to date.

    I've searched using such strings as "ldap", "nss", "directory" etc. - but nothing too interesting comes up.

  5. Interesting, but is it Good Enough(tm)? by jd · · Score: 2, Insightful

    In and of itself, LDAP started off as a partial implementation of the X.500 directory services - partial being the bits that people generally found useful. The LDAP specification has changed over time, reflecting a better understanding of what people actually needed - together with the fact that as systems became more powerful, people generally needed rather more out of services.

    The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

    The second problem is that there needs to be an Open Source system compatible with (and preferably better than) Microsoft's Active Directory. The LDAP side of that is absolutely critical. For this directory server to be of much interest to network administrators, this package absolutely must support two-way communication with Microsoft Active Directory's LDAP. It can support more - and it would be great if, for once, Open Source "embraced and extended" something from The Other Side...

    To be of interest to system admins, it needs to work with PAM and preferably one of the standard "unified" admin interfaces, like Webmin or (yes, it is still used) linuxconf, in addition to specialized tools. It needs both. Specialized but simple command-line tools are great for doing batch tasks or quick tasks, which will be the bulk of routine tasks. More complex tasks, changing configuration files, etc, are often easier in a unified interface. For extremely precise operations, user interfaces hide too much detail, so for those you often do have to use some hefty command-line and probably a text editor for control and config files.

    In other words, you've three distinct classes of operation and distinct types of interface for each. The "best" tools are ones which provide all three interface types and make it easy to develop others.

    The last problem I'm seeing is that computing has moved on since Netscape ruled the world. Unified Parallel C is beginning to look like a serious rival to classical C, and even classical C compilers are gaining parallel support in the form of OpenMP (now included in a development branch of GCC). Fedora can't even keep their parallel patches in sync with the kernel. For that matter, their development repository is rarely synchronized, even though that's just a dependency chain they can follow from the SRPMs.

    (Don't get me wrong - I like Fedora's distro, it is simply that if they are neglectful of something they can do in a script and a makefile, and of mere patches they had already made public, then how confident can I be of their ability to maintain a very complex piece of software?)

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

    1. Re:Interesting, but is it Good Enough(tm)? by Anonymous Coward · · Score: 5, Interesting

      I'm sorry, what the hell are you talking about? That was the most mindless post I have ever seen.

      The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

      Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

      For this directory server to be of much interest to network administrators, this package absolutely must support two-way communication with Microsoft Active Directory's LDAP. It can support more - and it would be great if, for once, Open Source "embraced and extended" something from The Other Side...

      Uh? What does it need? 3-way communication with AD? 4-way? Active Directory is just a bastardized form of LDAP, and even OpenLdap includes the bits needed to work with it. What you are saying here doesn't make any sense.

      To be of interest to system admins, it needs to work with PAM and preferably one of the standard "unified" admin interfaces, like Webmin or (yes, it is still used) linuxconf, in addition to specialized tools.

      What you are saying here demonstrates a complete ignorance of PAM, LDAP, and directory services in general. PAM has long supported LDAP, as has the NSS libraries. Webmin and Linuxconf are two interfaces the people have added as a layer on top of existing services. Nothing NEEDS to work with them, they support whatever they want. FDS has a great GUI and that is the point. Otherwise, an LDAP service is as useful as the schema you load and how you implement it.

      I like Fedora's distro, it is simply that if they are neglectful of something they can do in a script and a makefile, and of mere patches they had already made public, then how confident can I be of their ability to maintain a very complex piece of software?

      Ok, seriously, get a clue. If you are looking for assurance, pony up some cash and buy the fully supported Red Hat Directory Server. Frankly, I think the entire Fedora effort is great, but I wouldn't run any substantial business on it. For that I pay for Red Hat.

    2. Re:Interesting, but is it Good Enough(tm)? by Temkin · · Score: 3, Interesting

      Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

      "Porting to Linux" is in and of itself a mindless statement, since this is Netscape DS, aka iPlanet DS, which is an antique fork of Sun's current SJES DS, all of which have been running on Linux for the better part of a decade.

      It will be interesting to compare Fedora DS to Sun's current offering. Sun even provides an open source tool for this called SLAMD.

    3. Re:Interesting, but is it Good Enough(tm)? by illumin8 · · Score: 2, Interesting

      The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

      To really understand this move by Redhat, it has to be taken into context with last week's news about Sun open sourcing their enterprise applications, one of which is iPlanet Directory Server. iPlanet Directory Server and Redhat's both forked from the same Netscape code base. The difference is that Sun has invested 3-4 years of heavy development time, improving features involving 4-way multi-master replication across WAN links and many other things. It seems like Redhat just dusted off the 5-year-old code, rewrote some of the encumbered bits, and released something that's probably equivalent to Netscape Directory Server 4.0. Sun is up to iPlanet Directory Server 5.2 and has been innovating.

      I think this is a move by Redhat to counter the move Sun made last week in opening up their directory server product.

      --
      "When the president does it, that means it's not illegal." - Richard M. Nixon

    4. Re:Interesting, but is it Good Enough(tm)? by talksinmaths · · Score: 2, Informative

      "Porting to Linux" wasn't the best verbiage the AC could have used, but it doesn't quite descend to the level of 'mindless statement'. The fedora developers have worked to make DS for Linux a better product. For example the 1.0 release uses apache + mod_nss instead of the ns-httpd server, and the performance improvement is impressive. Of course the non-Linux platforms for which they produce DS presumably also reap these benefits, but it seems to me that the primary motivation is to make a great Linux product.

      --
      Don't you have someone you'd die for?

  6. About the console by Sk0yern · · Score: 2, Interesting

    Has anyone else noticed how slow the console is on a RedHat Enterprise 3 server?
    It's like you press a button, then you have to wait for 10 seconds before anything is happening. On Enterprise 4, everything is about 50 times faster, maybe even more.
    The main difference here should be 2.4 kernel versus 2.6 kernel, but what makes the console that much faster on 2.6?

    1. Re:About the console by Anonymous Coward · · Score: 2, Informative

      User error, hit any person at keyboard to continue.

      It is probably trying to do some kind of lookup, IPv6 or your name service; you did configure your /etc/nsswitch.conf to look at the nameserver, not the local LDAP server (recursive lookups are bad!)?

  7. ldap schmel-dap by Anonymous Coward · · Score: 3, Interesting

    My employer recently tried to "enhance" our application to authenticate to an LDAP directory rather than our traditional backend security server. Wow, is LDAP ever NOT the tool for that job.

    There are so few standards around LDAP authentication that it is impossible to support "LDAP" - you have to support MS Active Directory, Oracle Info Server, Novell eDir, etc..

    For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc).

    So we basically had to rewrite support for all these things that we already had in a modular fashion, so now administrators are stuck configuring "the AD plugin" or "the OIS plugin"... but anyway, LDAP thinks it's all that and a bag of potato chips, but I'm here to tell you it is NOT.

    1. Re:ldap schmel-dap by deep44 · · Score: 2, Insightful

      For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc).

      RFC 2307 - using LDAP to provide a Network Information Service.

      Almost everything you touched on is covered in that RFC. So the standards exist, but Microsoft/Oracle/etc chose not to adhere to them by creating their own one-off schema.

      I'm not saying they were wrong to do that, but don't blame the LDAP protocol because you had problems using it to interface with AD.
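To make the reply above concrete, here is an added example (not code from the post) of the part of RFC 2307 that addresses password expiration: the shadowAccount attributes, which the RFC maps onto the fields of shadow(5). The function classifies an entry's ageing state the way a login stack or an expiry-warning report would; the entries and the "today" day count are constructed for this example, and the handling of a missing or -1 value follows the shadow(5) convention.

```python
"""Classify password-ageing state from RFC 2307 shadowAccount attributes.

Added example, not code from the post. RFC 2307 maps shadowAccount onto the
fields of shadow(5), so day counts are days since 1970-01-01 and an absent or
-1 value means "not set". SAMPLE_ENTRIES and TODAY are constructed values.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadow(5) and RFC 2307 express dates as whole days since the Unix epoch."""
    return (d - EPOCH).days


def _int_attr(entry, name):
    """Return the attribute as an int, or None when absent, empty or -1 ("unset")."""
    value = entry.get(name)
    if value in (None, "", "-1"):
        return None
    return int(value)


def shadow_status(entry, today):
    """Return one of: account-expired, no-ageing, must-change, valid, warning, expired, inactive."""
    expire = _int_attr(entry, "shadowExpire")
    if expire is not None and today >= expire:
        return "account-expired"          # shadowExpire disables the whole account
    last = _int_attr(entry, "shadowLastChange")
    max_days = _int_attr(entry, "shadowMax")
    if last is None or max_days is None:
        return "no-ageing"                # no expiry policy recorded on this entry
    if last == 0:
        return "must-change"              # shadow(5): a change is forced at next login
    warn = _int_attr(entry, "shadowWarning") or 0
    inactive = _int_attr(entry, "shadowInactive")
    if today < last + max_days - warn:
        return "valid"
    if today < last + max_days:
        return "warning"                  # inside the warning window before expiry
    if inactive is not None and today >= last + max_days + inactive:
        return "inactive"                 # grace period after expiry has also run out
    return "expired"


# Constructed entries, shaped like the attribute dictionaries an LDAP search returns.
SAMPLE_ENTRIES = {
    "alice": {"shadowLastChange": "12900", "shadowMax": "90", "shadowWarning": "7"},
    "bob":   {"shadowLastChange": "12950", "shadowMax": "90", "shadowWarning": "7"},
    "carol": {"shadowLastChange": "12920", "shadowMax": "90", "shadowWarning": "14"},
    "dave":  {"shadowLastChange": "12850", "shadowMax": "90", "shadowInactive": "30"},
    "erin":  {"shadowLastChange": "12990", "shadowMax": "90", "shadowExpire": "12990"},
    "frank": {"uidNumber": "1006"},
    "grace": {"shadowLastChange": "0", "shadowMax": "90"},
}
TODAY = 13000  # constructed: a day count falling in 2005


def classify_all(entries=SAMPLE_ENTRIES, today=TODAY):
    """Map each uid to its ageing state; input for a warning mailer or compliance report."""
    return {uid: shadow_status(attrs, today) for uid, attrs in entries.items()}


if __name__ == "__main__":
    for uid, state in classify_all().items():
        print(f"{uid:8} {state}")
```

Complexity rules and lockout counters are not among these attributes, so a directory that enforces them does so with its own schema or server-side policy; what the RFC does standardise is where the ageing data lives and what each field means.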
    2. Re:ldap schmel-dap by deep44 · · Score: 2, Insightful

      Yes, anybody can submit an RFC, but the IETF decides which ones to accept as official RFCs. Joe Random's weblog would probably not qualify.

      Additionally, who cares if it's not an official standard? The original poster said that LDAP is flawed because Microsoft AD, Oracle, and Novell all use different schemas within their directory products. That has nothing to do with LDAP (the protocol), and everything to do with the design choices those companies made.

  8. Not the first time. by ebuck · · Score: 4, Informative

    As another poster has already stated, it's not the first time that RedHat has bought something and then changed the license to an open-source license.

    However, this story is just a bit more complicated.

    RedHat open-sourced all of the code they could, which was quite a bit, but originally just the main directory daemon, ns-slapd, a few shared libraries and command-line tools were open source. The real news here is that the last of the "other" bits have finally been re-written under a new (open-source) license.

    That's part of the motivation for resetting the release number; note that this is version "1.0" instead of (grumbles about memory) 8 or 9?

    So now, it is a 100% open source solution, no more binary-only rpms.

  9. Re:Java Enterprise System from Sun is better produ by allenw · · Score: 2, Informative

    ... and will be opened as well. I can't help but think that RH rushed this out the door to counter Sun.

    But does anyone really want an older version that's likely been untouched for years?

  10. Sam Carter by Andrewkov · · Score: 2, Funny

    I'm Sam Carter, please stop using my name in screen shots!

  11. Re: Who needs turnkey by BenFranske · · Score: 2

    I think it's because the domain of technical knowledge is so great that it's really quite difficult to grasp it all. If you're a small or medium sized company you may not have someone who really understands Kerberos and LDAP. Your sysadmins may know everything in the world about mailservers, webservers, DNS servers, DHCP servers and database servers but very little about AAA servers, Kerberos and LDAP. Look at the security community which is still fairly young. People are already starting to specialize into wireless security, WAN security, LAN security, etc. What you need the turnkey solutions for are the areas you are still learning but don't grasp.

    If you have a 250 person company you may have three sysadmins, six developers and two managers in IT. I've worked at companies like that and they're pretty common. The three sysadmins need to keep the phones, network, servers, printers and any other hardware running. Chances are they aren't experts at running every kind of server and might have some difficulty with getting a non-turnkey solution for the areas they're less familiar with up and running. It also needed to be up and running last week. One of the realities of business is that you often need to make do with the staff and their existing knowledge which means a lot of turnkey solutions which usually means Microsoft.

  12. I'd like to see this in SuSE by kimvette · · Score: 2, Interesting

    I'd like to see this in SuSE (Retail as well as Open). SuSE does have some LDAP management tools but it's not really an alternative to Microsoft's Active Directory yet (blasphemy, I know, but it's hard to argue against point-and-click management of a hierarchical directory service). This is something Linux sorely needs - a strong directory and centralized authentication service that is easy to deploy AND manage, and if a Windows client will work with it, it will be very, very hard to justify paying for Windows server and the gazillion CALs for each server when the same could be had for free on *nix. As long as they keep the CLI for maintenance tasks and mass import/migration of users, they'll have a winner. I hope every major distribution backs one of the tools and works to make it really, really solid.

    I don't think this would kill off RHEL or SLES or Novell Linux, because larger organizations will want bundled support and value-added items like subscribed centralized deployment tools, consulting time, and so forth.

    --
    The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50

  13. Re:Nice to see by jbellows_20 · · Score: 3, Interesting

    A real solution would be a policy engine, an actual application that reads policies from an enterprise server, then takes those policies and applies them to the workstation. Take that and give it an interface (whether gui or tui) to allow the management of the different policies. I've looked around and there isn't much. Zenworks from Novell is supposed to be able to do this but I haven't had time to set up a test system to see what it can do. As much as one might hate Microsoft, he/she has to admit that their Enterprise management tools are one of the best out of very few options.

  14. Re:Why would anyone want to suffer like this? by trolleywobbles · · Score: 2, Interesting

    You know, I resent that. I've had a lot of experience with both Fedora and Gentoo, and I don't think you have any idea what you're talking about. Both (especially Gentoo) are very malleable distros, and it's just sad you have to rely on your precious package manager to apt-get anything done. The reason you have to compile everything for Gentoo is that it enables much more cross-platform software and programming. But I wouldn't expect you to understand any of this. Just let your Ubuntu lull you into a false sense of security...

    --
    Back in my day I had to write games in BASIC, on a 4.7MHz computer with no hard disk and 128K of RAM. And I was grateful.

  15. good! 1 step closer to an Active Directory killer by totro2 · · Score: 2, Insightful

    This project is nothing less than a breakthrough. Why? There is no "one good LDAP schema". Yet that's what virtually everybody wants.

    This project is to LDAP what the Dublin Core is to Zope. It's a common standard that a larger system can be built on (for example, providing complex functionality like Active Directory). Yes, OpenLDAP conforms to the LDAP standard, but a common, standardized LDAP schema that provides a basis for an Active Directory Killer is an even more important standard that everybody doesn't quite seem to realize they are really in lack of.

    We shouldn't have 1000 different sites who all want an OSS Active Directory alternative using 1000 different LDAP schemas, all slightly different. That's just stupid.

    For those who moan and groan to "just learn LDAP, making a schema is easy", it is your attitude that stifles a real Active Directory killer from emerging.

    Nobody wants to learn how to create an LDAP schema. The LDAP notation is ugly. Making a good schema that will stand the test of time and work with various LDAP-aware programs that are already out there is not trivial. Think LDAP-aware address books in email clients, that expect certain fields in the schema.

    This project promises to insulate the end user from needing to learn the internals of writing LDAP schemas. And it provides one LDAP schema to code to in all OSS that has any form of authentication, providing the possibility of the holy grail of "single sign on" (AKA "SSO") in the OSS world. Think databases, web tools, CMS, email, workstation login, VPN login, etc.

    So this is a big deal, IMHO.