Fedora Directory Server 1.0 Released!

LnxAddct writes "NewsForge is reporting that the first official release of the Fedora Directory Server has been announced. This is good news for members of the open source community longing for an easy to use, enterprise class directory server. Fedora Directory Server is based off of Netscape Directory Server which Red Hat purchased a year ago and released as open source. Screenshots are available on their site." NewsForge is a Slashdot sister site.

command line

[Darkon]

A fancy GUI [redhat.com] is all very well, but does this come with some decent command line tools to scriptify adding and removing users and the like? One of the things that's kept my department on NIS for so long is that absolute hideous unfriendliness of the OpenLDAP tools vs useradd, usermod and friends.

Re:command line

[Anonymous Coward]

In short: Yes.

However, I find it interesting that you describe OpenLDAP as "absolute hideous unfriendliness" when it simply isn't that case. Granted that the ldif format isn't obvious or familiar, using the command lines tools is actually rather simple. You only need to understand how an LDAP Directory works, and how your schema of choice is laid out.

I have personall written a front end for managing userspace in OpenLDAP via bash scripts, and I can tell you that once I spen a hour reading up on ldif, it w

Re:command line

[dtfinch]

For some people, "absolute hideous unfriendliness" means you have to read documentation, as opposed to the program having a nice GUI interface that is comprehensive, intuitive, obvious, and familiar to a new user.

Re:command line

[Kent Recal]

Well, LDAP, in all it's shapes and forms is absolutely hideous and unfriendly.
Its age shows, it's software from "way back".

LDAP is one of the architectures that would really be worth reinventing.
Imho the main reason why we still don't have "easy" single-signon in unix-land is because
the only available route nowadays leads through LDAP- and kerberos-land which both do their particular
job well but are such a pain to setup, maintain and integrate with that only the bravest and most fearless
sysadmins dare to wa

Re:command line

[chrome]

For those wishing an easier way to manage their userbase in their LDAP directory:

http://phpldapadmin.sourceforge.net/ [sourceforge.net]

Re:command line

[digitalhermit]

The addition of a user is pretty simple... Just run ldapadd against an ldif file. To create the LDIF file is simple and you can do it with a perl script to specify username, userid and password. To create the password you can use crypt or md5. Something like:

    my @validsalt = ('a' .. 'z', 'A' .. 'Z', 0 .. 9, '.', '/');
    my $salt = $validsalt[rand(64)] . $validsalt[rand(64)];
    my $test = crypt($cleartext, $salt);

Of course, you'd also want to do some basic validation of the inputs. Then just wrap the user inputs in an LDIF template and run. It sounds a lot more difficult than it actually is.

The schema can actually validate that userid is unique, but you should check anyway and also validate the groups and gids.

Re:command line

[pe1chl]

The main gripe is that you have to kludge all this yourself.
Every admin in the world must write his or her own script to add a user to the directory.

Why can't we have ready-made programs that perform such simple tasks?
Like useradd, for example.

Re:command line

[digitalhermit]

LDAP itself is not *just* for authentication, though that's one of its more popular uses. That's probably why there are not so many specific auth related tools. It's a similar thing with the more decoupled Linux LVM versus, for example, AIX's tightly integrated LVM. There are GUI tools such as JXplorer and lots of Java based apps that can add/modify entries. JXplorer, for example, can define template screens so that you can view only auth relevant parts of the schema.

Re:command line

[aaronl]

You could use the IDEALX smbldap-tools for the scripts and all. That would give you UNIX and Samba authentication and user account information, and control over groups, as well as a simple command line tool for passwords.

Re:command line

[pe1chl]

As you may know (being such a wiseguy) writing a small script and releasing it to the community does very little towards making a feature available to Linux.
There are so many distributions around and so many different approaches to the same thing at this level, that there is nothing you can do as an individual.

I have written and released free software. I have written dedicated scripts to use LDAP in the company where I work.
Comparing to the competition, I think the integration of LDAP into Linux is quite f

Re:command line

[punkass]

I'm a typical web admin, so can i really afford to take time to write all the scripts to make this work? Hell no.

If you don't have time to administer your web server, what the hell are you doing all day at your web admin job?

Scripting languages and LDAP

[dmouritsendk]

Most scripting languages will have some kind of LDAP module available, like python has http://python-ldap.sourceforge.net/ [sourceforge.net] and perl has http://ldap.perl.org/ [perl.org].

So even if Fedora's directory server doesn't offer any console tools (i dont know if it does), it won't be any problem making scripts manipulating its data. Take a look at this example on howto remove a record, its from the python-ldap site, and it isn't exactly overly-complex to use from the looks of it :-)

import ldap
try:
l

FANCY gui?

[/ASCII]

You thought that those screenshots look fancy? My first thought on looking at those screenshots was 'How could they make such a butt ugly theme the default for Swing applications?'. It combines the worst apects of Motif and Windows95.

Re:FANCY gui?

[dtfinch]

The answer is probably that they don't care what it looks like so long as it works and it's easy to use. It's an administration tool, not a video game.

Re:command line

[labratuk]

Thankyou. This is the first thing I noticed too. Obviously something that hasn't changed since its netscape days when they needed to be able to show something to PHBs who made purchasing decisions. A big dumb 'START SERVER' button. Please god let them unix-ise the software in the next few versions.

Re:command line

[illumin8]

A fancy GUI is all very well, but does this come with some decent command line tools to scriptify adding and removing users and the like? One of the things that's kept my department on NIS for so long is that absolute hideous unfriendliness of the OpenLDAP tools vs useradd, usermod and friends.

Have you heard of ldapadd and ldapmodify? These tools are available from OpenLDAP or from pretty much any OS that is LDAP capable. I know you're probably just trolling but it's quite obvious you've never used LDAP o

Re:command line

[Anonymous Coward]

It is so totally NOT built on top of OpenLDAP. In fact, it share not code with OpenLDAP at all. Thanks for playing.

Re:Hey, thanks for the code!

[cloudmaster]

Cool. Knowing that it helped one person makes the effort totally worthwhile. Thank *you*!

Maybe I'll go ahead and write that chage, then. I'm pretty sure it was in there when I wrote what I wrote, but like I said, I haven't really messed with LDAP for a while (and nss_ldap + pam_ldap took care of most of the orignal reason anyway). Either way, "fix LDAP stuff" is now on my to-do list. :)

wow

[know1]

redhat bought something usefull and made it open source? that's one of the most amazingly good things i've heard this week. i thought open source was all about using software made for free. it's so great to see a xcompany making a living off open source to buy something usefull the community needs and give it out for free. i'm a debian man myself, but keep up the good work redhat!

Re: wow

[Dolda2000]

This isn't exactly the first time RedHat has done something like this. Last year, they also bought Sistina and released GFS for free. I think they have done other such things as well, but I can't remember any off the top of my head.

Not the first time.

[ebuck]

As another poster has already stated, it's not the first time that RedHat has bought something and then changed the license to an open-source license.

However, this story is just a bit more complicated.

RedHat open-sourced all of the code they could, which was quite a bit, but originally just the main directory daemon, ns-slapd, a few shared libraries and command-line tools were open source. The real news here is that the last of the "other" bits have finally been re-written under a new (open-source) license.

That's part of the motivation for resetting the release nubmer; note that this is verison "1.0" instead of (grumbles about memory) 8 or 9?

So now, it is a 100% open source solution, no more binary-only rpms.

Re:wow

[TheRaven64]

As another poster pointed out, Sun have done this with other things as well. One example that I suspect a lot of /.ers are familar with is Cygwin - bought be RedHat and open sourced. They are also not the only company to do this. Sun bought a German outfit called Star Division and released their flagship product as open source, and continue to supply most of the developer time to it. You might have used that too.

Sun paid $88,000,000 for Star Office.

[Futurepower(R)]

I remember reading that Sun paid $88,000,000 for Star Office, that became Open Office. Sun still charges for support for Star Office, and my guess is that Sun has made a profit on its investment in Star Office, even though an open source version is free.

Re:wow

[LnxAddct]

Heh, you severly underestimate Red Hat's contribution to the community:) Read this [fedoraproject.org] for a truncated list of contributions they've made. Some other products they've purchased and released include GFS [redhat.com], Cygwin [cygwin.com], and eCos [sourceware.org]. They also contribute more code to the kernel than any other entity and in large part maintain and extend glib and GCC (they have a few people on the GCC board and contribute huge amounts of code, in fact many of the newest features in GCC 4.0.x you can thank Red Hat for). Here [sourceware.org] is another list, but that list is only for projects hosted from that site, so its not complete either, but suffice it to say that Red Hat does a staggering amount for the community, its kind of a shame when people bash them.
Regards,
Steve

Re:wow

[Ben Hutchings]

Some other products they've purchased and released include GFS, Cygwin, and eCos.

Cygwin and eCos (and, I think the majority of GCC 2.0) were developed by Cygnus, which Red Hat subsequently bought.

... Red Hat does a staggering amount for the community, its kind of a shame when people bash them.

Indeed. It's just their distributions that suck.

Re:wow

[Trogre]

Being a Debian man too, I'm wondering how long it will be until we can apt-get install this program...

+ Kerberos ?

[ratatask]

One of the net things is if you couple together Kerberos [mit.edu] with LDAP - much like a windows network
with Active Directory.
Does the Fedora DS intergrate those two neatly, single sign on is neat, but OSS provides
no turnkey solutions for this (yet).

Re:+ Kerberos ?

[Dolda2000]

but OSS provides no turnkey solutions for this (yet).

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these. Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).

Really, I'm not trying to troll here, I'm just really not seeing what this need to click a single button for every possible setup comes from. Rather than trying to provide every possible setup from the start, as Microsoft does (and which much of the complexity in Windows derives from), isn't it better to have a generic solution that can be tailored to one's specific need, instead?

Re:+ Kerberos ?

[cerberusss]

I've never understood why people need "turnkey solutions" for things like these.

It's one possible measure for the amount of care that's put in the product. You can say this doesn't go for this particular product, but lots of times adoption of a product starts with someone who has 15 minutes of spare time.

If the product doesn't show a few nice things within those 15 minutes, it just might be possible it's not looked further into.

I'm not saying this is the correct procedure to evaluate an important piec

Re:+ Kerberos ?

[CRC'99]

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

Yeah, because it's not like this is a well used 'feature' in Windows Domains in just about every large company...

Re:+ Kerberos ?

[moreati]

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

Largely, I think it boils down to - 'because they don't understand the technology as we do'. Take a simple, high level requirement: identity management. You or I might see that in terms of the components: such as a directory, an authentication service, creation & removal scripts, some means of replication, monitoring scripts etc.

A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity managment solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).

To you it isn't, but what happens when you leave? It's much easier to recruit someone to maintain a push button solution, than a partly bespoke ecology of components and scripts. Often the solution and the ecology are similar in complexity, but the solution hides that behind a GUI and glossy marketting material.

Purchasers often chose to spend their money on specialised software (solutions), hopefully saving time. We often choose to spend our time customising general purpose software, hopefully saving money.

Alex

Re:+ Kerberos ?

[Dolda2000]

A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity managment solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

I agree completely with that, but my main point is that I think that this "turnkey solution" should be a separate pro

Re:+ Kerberos ?

[moreati]

Ah, looks like we're both arguing the same side of the coin.

As you say, the turnkey solution should be a customisation of general parts, possibly tweaked to integrate with one another. The trick is getting a $notnerd to see this, marketting this solution so they choose it over Active Directory or ZENWorks. Consultants choosing and recommending it one good method.

I believe this identity solution should be delivered like any other opensource project. A source package which distributions can repackage and inte

Re:+ Kerberos ?

[rhinoX]

Actually, it's not always $notnerd vs. $nerd. I am a nerd in every sense of the word. I understand the technology as well, if not better than any other nerd. I also understand that in my company, my technical talents are better used to _produce new products_ for us to sell to our clients and thus make more money. Screwing around with configuration files, etc. is a _waste of my time_. I just want a directory service that allows single sign-on so I can easily add resources and people to the organization without having to freaking script my own mgmt console around some lame-ass command line tools because someone out there thinks that you have to use a CLI to "understand technology".

Re:+ Kerberos ?

[moreati]

Also agreed.

Sorry for my poor choice of phrase. What I meant was "person who at the time is uninterested in the technology, beyond how it can further their ends". I chose $notnerd because, in my experience, it's often the case when a monolithic solution-in-a-box is chosen.

I'm not arguing against turnkey, I'm arguing for technically sound solutions. In my eye that means both a strong GUI (for everyone doing one off tasks) and a strong scriptable interface (for automating repetitive tasks). Having a scriptabl

Re:+ Kerberos ?

[killjoe]

What do you mean "lame-ass command line tools". In what way are they lame? Do they not work? I find the command line tools to be very powerful and easy to work with.

Re:+ Kerberos ?

[hkb]

Largely, I think it boils down to - 'because they don't understand the technology as we do'.

Oh that's just egotistical rubbish! People like turnkey solutions mainly for two reasons:

1.) They're novices and they just want something that works
2.) They're not novices, but they're overloaded with work and they don't want to learn the complete ins and outs of yet another massive, complex software package (note I said package, not the protocols it uses, etc).

Re:+ Kerberos ?

[moreati]

Sorry, I've chosen my words poorly. Again.

I should have said 'because they don't understand or care about the technology as we do, only the results'.

Turnkey is sometimes a good choice, such as in the cases you give. Customised packages & bespoke are sometimes a good choice sometimes.

My argument (and I believe Dolda2000's argument), is that turnkey solutions should not be monolithic. They should be built on independant components, rather than being a take it or leave it lump.

Any solution (eg Active Direc

Re:+ Kerberos ?

[killjoe]

Why is a $notnerd maintaining something as important as your directory and authentication? Any CIO who hires a button pusher to maintain something as crucial as identity servers should be fired on the spot.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:+ Kerberos ?

[moreati]

The $notnerd isn't maintaining the system. Precise meaning has really come back, to bite me on the arse in this thread.

A non-techie most often gets the final decision about which solution to choose. They base their decision on advice from their in house techies, sales pitches and bids received etc.

One pitfall they wish to avoid, is a system that is more expensive to maintain and customise in the long term. A solution-in-a-box is commonly held to have lower staffing overhead, because less experienced (aka ch

Re:+ Kerberos ?

[drsmithy]

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

Because it makes deploying them easier, quicker, cheaper and less dependant on a particular individual's (or individuals') knowledge.

Re: Who needs turnkey

[BenFranske]

I think it's because the domain of technical knowledge is so great that it's really quite difficult to grasp it all. If you're a small or medium sized company you may not have someone who really understands Kerberos and LDAP. Your sysadmins may know everything in the world about mailservers, webservers, DNS servers, DHCP servers and database servers but very little about AAA servers, Kerberos and LDAP. Look at the security community which is still farily young. People are already starting to specialize into

Re:+ Kerberos ?

[nathanh]

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these. Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is.

Yes, yes it is. Now you can obviously do it. So can I - that's one of the many jobs I do, installing LDAP and Kerberos services for corporate and government clients - but it's not easy. If it was easy then these companies and agencies wouldn't need to hire me. They could do it themselves.

Let's face it. The t

Re:+ Kerberos ?

[Tony Hoyle]

Even for the 'common admin' it has to look like an AD server for the Windows workstations, otherwise it'll get passed over. That means having ldap+kerberos built in from the first install.

Common signon for Linux machines is all very well, but you've been able to do that with NIS for years.

Re:+ Kerberos ?

[hendersj]

The "Common Admin" these days tends to not understand how systems work. Sad, but true.

I would think that the important thing would be to raise the level of knowledge of the common admin, rather than to dumb down the technology to the point that it looks like Windows. Why is it that we expect our sysadmins to be unable to cope with decent technology?

That doesn't mean intentionally making the technology difficult to use. It means expecting that the masses sysadmins out there actually understand how to impl

Re:+ Kerberos ?

[adrian.henke]

I set up OpenLDAP as backend for the heimdal kerberos, so i guess you can do the same with FDS even though its not an official feature.

Re:+ Kerberos ?

[tenchiken]

I agree. Hopefully the next Fedora, RedHat ES will support this directory server out of the box for authentication and serving. LDAP is finally begining to mature to the point that it is realistic to use it to control heirarchal information for large and medium (and even small) enterprises. About 8 years ago I did a project to tied sendmail to a LDAP server for email authentication. Tha was painful in the extreme. Now Zimbra has a LDAP and Hula (which I think the two most promising future email platforms) b

Re:+ Kerberos ?

[the_olo]

Andrew Bartlett [samba.org] from the Samba team is a proponent of such integration, taking place in Samba 4 [samba.org]. See his paper [samba.org] on this.

Re:+ Kerberos ?

[the_olo]

This is sort of backwards.

The HOWTO discusses allowing authentication to Fedora Directory Server using Kerberos credentials from a Kerberos database. So this works like this: you want to use the LDAP service (Fedora Directory Server) to e.g. search for some users. You connect to it, and supply your Kerberos ticket, that's obtained from a Kerberos KDC (Key Distribution Server), based on authentication based on your Kerberos Server's database (probably some ordinary files). You get authenticated based on Ke

Get Carter.

[Chaffar]

The example they used in the screenshots [redhat.com] is the same one used here! [66.102.9.104] There must be a deeper meaning to this blatant plagiarism. I mean, even the phone number is the same... Yep, definitely a terrorist plot in the making somewhere here...

Gentoo package?

[nighty5]

Anyone know if there is a gentoo package for this? - Even if it's not the most up to date.

I've searched used such strings as "ldap", "nss", "directory" etc - but nothing comes up too interesting.

Re:Gentoo package?

[Pecisk]

My pick is is not yet ported - so you can try to contribute a ebuild! It is your chance to shine! :)

More seriously, I will check out depencies. As I have rather big interest in this product, I will check out If I can't contribute an ebuild.

Re:Gentoo package?

[sveinungkv]

Not yet, [gentoo.org] but since the release of 1.0 hit slashdot, I guess it will come soon... ;)

Re:Gentoo package?

[GreyWolf3000]

Well, he could have been going another direction with the sentense, by using a different meaning for "since." I think the natural way the sentence flows suggests he's using "since" as a synonym for "because." This is a likely case; however, I also find it likely that he actually means "since" as in "after," e.g.:

"Not yet, but after the release hit slashdot, ...

Of course, the second clause doesn't exactly parse correctly in that case, but...well..just a thought :P

Re:Gentoo package?

[mikaelhg]

Anyone know if there is a gentoo package for this?

This isn't a toy, it's an actual useful enterprise software package people use on production servers.

Hence, probably not very high priority to Gentoo packagers.

Interesting, but is it Good Enough(tm)?

[jd]

In and of itself, LDAP started off as a partial implementation of the X.500 directory services - partial being the bits that people generally found useful. The LDAP specification has changed over time, reflecting a better understanding of what people actually needed - together with the fact that as systems became more powerful, people generally needed rather more out of services.

The first problem is that Netscape probably didn'tadd much to their Directory Service towards the end, and it is unclear how much

Re:Interesting, but is it Good Enough(tm)?

[Anonymous Coward]

I'm sorry, what the hell are you talking about? That was the most mindless post I have ever seen.

The first problem is that Netscape probably didn'tadd much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

For this directory server to be of much interest to network administrators, this package absolutely must support two-way communication with Microsoft Active Directory's LDAP. It can support more - and it would be great if, for once, Open Source "embraced and extended" something from The Other Side...

Uh? What does it need? 3-way communication with AD? 4-way? Active Directory is just a bastardized for of LDAP, and even OpenLdap includes the bits needed to work with it. What you are saying here doesn't make any sense.

To be of interest to system admins, it needs to work with PAM and preferably one of the standard "unified" admin interfaces, like Webmin or (yes, it is still used) linuxconf, in addition to specialized tools.

What you are saying here demostrates a complete ignorance of PAM, LDAP, and directory services in general. PAM has long supported LDAP, as has the NSS libraries. Webmin and Linuxconf are two interfaces the people have added as a layer on top of existing services. Nothing NEEDS to work with them, they support whatever they want. FDS has a great GUI and that is the point. Otherwise, an LDAP service is a usefull as the schema you load and how you implement it.

I like Fedora's distro, it is simply that if they are neglectful of something they can do in a script and a makefile, and of mere patches they had already made public, then how confident can I be of their ability to maintain a very complex piece of software?

Ok, seriously, get a clue. If you are looking for assurance, pony up some cash and buy the fully supported Red Hat Directory Server. Frankly, I think the entire Fedora effort is great, but I wouldn't run any substatinal business on it. For that I pay for Red Hat.

Re:Interesting, but is it Good Enough(tm)?

[TarrySingh]

Hmm.. so pay = better? contribute, test, fedora = mindless? Then why the fawk do we have all those folks(meaning us all, dev, sysadmins,dba's etc) working on Fedora?

Re:Interesting, but is it Good Enough(tm)?

[Tony Hoyle]

AD is not just a bastardised LDAP. AD is LDAP+Kerberos+Extensions which needs to be *specifically* catered for. I'm assuming this DS supports AD otherwise it's just going to get nowhere in the corporate space.

Re:Interesting, but is it Good Enough(tm)?

[swillden]

AD is not just a bastardised LDAP. AD is LDAP+Kerberos+Extensions

Right. It's Bastardized LDAP + Bastardized KERBEROS + thoroughly proprietary extensions.

I'm assuming this DS supports AD otherwise it's just going to get nowhere in the corporate space.

Sad as it is, you may just be right.

Re:Interesting, but is it Good Enough(tm)?

[jd]

That was exactly my point, although you did a much better job of expressing it.

Re:Interesting, but is it Good Enough(tm)?

[Temkin]

Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

"Porting to Linux" is and of itself a mindless statement, since this is Netscape DS, aka iPlanet DS, which is an antique fork of Sun's current SJES DS, all of which have been running on Linux for better part of a decade.

It will be interesting to compare Fedora DS to Sun's current offering. Sun even provides an open source tool for this called SLAMD [slamd.com].

Re:Interesting, but is it Good Enough(tm)?

[talksinmaths]

"Porting to Linux" wasn't the best verbage the AC could have used, but it doesn't quite descend to the level of 'mindless statement'. The fedora developers have worked to make DS for Linux a better product. For example the 1.0 release uses apache + mod_nss instead of the ns-httpd server, and the performance improvement is impressive. Of course the non-Linux platforms for which they produce DS presumably also reap these benefits, but it seems to me that the primary motivation is to make a great Linux prod

Re:Interesting, but is it Good Enough(tm)?

[jd]

I'm impressed. Most troll postings have no information content. This is the first time I think I've seen a posting with less than that.

Re:Interesting, but is it Good Enough(tm)?

[illumin8]

The first problem is that Netscape probably didn'tadd much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

To really understand this move by Redhat, it has to be taken into context with last weeks news about Sun open sourcing their enterprise applications, one of which is iPlanet Directory Server. iPlanet Directory Server and Redhat's both forked from the same N

Re:Interesting, but is it Good Enough(tm)?

[jd]

If that is the case, it's rather worse than I expected. I've been assuming that they've kept reasonable pace with comparable products, though given all the cruft in Netscape Navigator on its release, I was partly concerned Red Hat might have been forced to lag behind, just to get the code into acceptable shape.

My main fears were largely concerning how well they tracked highly non-standard variants that are built into key products that the corporate market simply won't do without. Because things like AD are

Re:Interesting, but is it Good Enough(tm)?

[jd]

I've been using Linux from the days it came on two floppies and couldn't even support X. I used 386BSD before then. I was building my own LANs in the early 1980s, probably before many Slashdot posters had even used a computer. No, I think I know what I'm talking about.

RPC? DCE? You are -way- behind the times, there, and no sane person alive is going to use protocols with such horrible latency. Have you seen how many layers RPC needs to go through? It was great when it was about the only thing out there, but

Re:Interesting, but is it Good Enough(tm)?

[chrome]

jd++ !!

About the console

[Sk0yern]

Have anyone else noticed how slow the console is on a RedHat Enterprise 3 server?
Its like you press a button, then you have to wait for 10 seconds before anything is happening. On Enterprise 4, everything is about 50 times faster, maybe even more.
The main difference here should be 2.4 kernel versus 2.6 kernel, but what makes the console that much faster on 2.6?

Re:About the console

[croddy]

No, I haven't noticed this at all on RHEL 3.

Re:About the console

[Anonymous Coward]

User error, hit any person at keyboard to continue.

It is probably trying to do some kind of lookup, ipv6 or your nameservice, you did configure your /etc/nsswitch.conf to look at the nameserver, not the local ldap server (recursive lookups are bad ! )

Re:About the console

[flosofl]

Have anyone else noticed how slow the console is on a RedHat Enterprise 3 server?

Hmm... my airmchair diagnosis is that you may be suffering from a PEBKAC issue.

I keed! I keed!

ldap schmel-dap

[Anonymous Coward]

My employer recently tried to "enchance" our application to authenticate to an LDAP directory rather than our traditional backend security server. Wow, is LDAP ever NOT the tool for that job.

There are so few standards around LDAP authentication that it is impossible to support "LDAP" - you have to support MS Active Directory, Oracle Info Server, Novell eDir, etc..

For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc)

So we basically had to rewrite support for all these things that we already had in a modular fashion so now administrators are stuck configuring "the AD plugin", or "the OIS plugin".. ... but anyway, LDAP thinks it's all that and a bag of potato chips, but I'm here to tell you it is NOT.

Re:ldap schmel-dap

[deep44]

For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc)

RFC 2307 - using LDAP to provide a Network Information Service.

Almost everything you touched on is covered in that RFC. So the standards exist, but Microsoft/Oracle/etc chose not to adhere to them by creating their ow

Re:ldap schmel-dap

[deep44]

Yes, anybody can submit an RFC, but the IETF decides which ones to accept as official RFCs. Joe Random's weblog would probably not qualify.

Additionally, who cares if it's not an official standard? The original poster said that LDAP is flawed because Microsoft AD, Oracle, and Novell all use different schemas within their directory products. That has nothing to do with LDAP (the protocol), and everything to do with the design choices those companies made.

Re:ldap schmel-dap

[Zphbeeblbrox]

Instead of trying to interface with all those why not create your own schema that the purchasers can import into the variouse directory types. Surely you could set it up so that you didn't have to use the proprietary protocols. Then your clients could just import that schema into their particular directory service. You could even link it into the current accounts with a little creative scripting I think. (not sure on that one though haven't messed with LDAP much yet Though I'm starting to)

Re:ldap schmel-dap

[batkiwi]

Authentication in LDAP should be handled by a double-bind.

First you bind as a read-only user to grab the user's DN from whatever they pass in (if they type an email address, you query that field to return their DN). Failure of this query means they entered an incorrect username/alias.

Second, you take that DN and the password the user provided and attempt a second bind against LDAP. Failure to bind means they entered the wrong password.

Was there a particular reason you couldn't use this method?

Re:ldap schmel-dap

[batkiwi]

Ahh, got it. Shouldn't your ldap system handle password expiration/etc, and not your app, though?

Maybe you had quite specific requirements, and I WILL agree that password stuff is NOT handled uniformly in LDAP, which is why I use the bind method.

Sam Carter

[Andrewkov]

I'm Sam Carter, please stop using my name in screen shots!

Re:Sam Carter

[fons]

I feel your pain.

Kind regards
John Doe

I a n00b with a question

[jim_v2000]

Is a directory server something like MS ActiveDirectory?

Re:I a n00b with a question

[szo]

No, the other way around.

Re:I a n00b with a question

[tweek]

Actually Active Directory is a combination of LDAP and Kerberos. That's a simply definition but it will suffice.

In general directory servers are based around the OSI X.500 model and DAP.

A good bit of info is here:
http://www.kingsmountain.com/ldapRoadmap.shtml [kingsmountain.com]

FYI you can thank the amazing team at University of Michigan for LDAP. Go Blue!

Open Bottom?

[Doc Ruby]

I'm running Open-Xchange, an OSS groupware suite that, among other features, can transparently replace (mostly) Microsoft Exchange. OX uses OpenLDAP, though it can (in theory) use any LDAP directory server, including the FDS. OX uses Postgres as its default RDBMS for its data tier, but OpenLDAP stores its data internally. OX has some limits on its integration of directory data, because the rest of the app can't connect to the OpenLDAP storage - that means some sync issues, and some data is defacto read-only

Older Java Enterprise System Directory Server

[orpheus2000]

This is pretty funny, since this Fedora DS looks like pre-5.2 Netscape/iPlanet/SunONE/Java Enterprise System (thank you Sun for all the naming) Directory Server... which was just announced to be released for free and open-sourced by Sun this week.

Remember that Java Enterprise System is concurrently developed for Solaris SPARC, Solaris x86, and generic Linux ( and sometimes gets RPMS for the latest stable RH Enterprise). DS 5.1 and before had horrible problems with replication and the Java console was dog sl

Re:Older Java Enterprise System Directory Server

[mikefe]

Another post in reply to yours said much of what I was going to, but let me add another little tidd-bit.

A few months ago, I went to a UUASC-OC meeting about directory services (which happens to be at the Sun office in Irvine, CA) and the main feature that DS 5.2 adds over 5.1 is "push" based updating when there is a change, instead of updating on a fixed schedule.

BSD ?

[nurb432]

Any chance this thing will run on Fbsd?

MacOS Port?

[tji]

Anyone kow of any efforts to get this working on MacOS?

I am currently using OpenLDAP, which is fine if you're willing to make the effort to learn the details and differences of OpenLDAP. Fedora DS would be much easier to manage, extend the schema, etc.

Hey, its iPlanet 5.1 rebranded!

[FLoWCTRL]

Thank you Sun Microsystems!

Re:Hey, its iPlanet 5.1 rebranded!

[cant_get_a_good_nick]

Technically, it's not the sun stuff, it's Netscape, via AOL. Sun still distributes iPlanet 5.2, and it's pretty old and clunky. Sun's source cut hasn't been updated much sun took it over, and it currently only runs on RH 7.3 (with the evil 2.96 compiler).

RedHat bought the source from AOL, and actually made some changes. It runs on AS3.0, and multiple master is up to 4 nodes. We're switching from iPlanet to FS 1.0, we have it in Dev now.

I'd like to see this in SuSE

[kimvette]

I'd like to see this in SuSE (Retail as well as Open). SuSE does have some LDAP management tools but it's not really an alternative to Microsoft's Active Directory yet (blasphemy, I know, but it's hard to argue against point-and-click management of a hierarchical directory service). This is something Linux sorely needs - a strong directory and centralized authentication service that is easy to deploy AND manage, and if a Windows client will work with it, it will be very, very hard to justify paying for Win

good! 1 step closer to an Active Directory killer

[totro2]

This project is nothing less than a breakthrough. Why? There is no "one good LDAP schema". Yet that's what virtually everybody wants.

This project is to LDAP what the Dublin Core is to Zope. It's a common standard that a larger system can be built on (for example, providing complex functionality like Active Directory). Yes, OpenLDAP conforms to the LDAP standard, but a common, standardized LDAP schema that provides a basis for an Active Directory Killer is an even more important standard that everyb

Re:Great

[Anonymous Coward]

"So I can kick the Windows ADS out of the door?" - by TarrySingh (916400) on Sunday December 04, @07:39AM

You can most likely, I do not see why not!

After all, this is just another example of you Linux people have duplicated/imitated/copied yet another concept from the Windows world so you can do something already doable in Windows!

(This goes on from both sides though - e.g. -> Windows via Terminal Services (ala watered-down licensed technology from Citrix) does what X has been doing for year on UNIX, whi

Re:Great

[spauldo]

After all, this is just another example of you Linux people have duplicated/imitated/copied yet another concept from the Windows world so you can do something already doable in Windows!

Not quite. We haven't actually duplicated, as far as I can tell, Active Directory service yet. Samba 4 is trying to do that, I think. I may be wrong about AD not being duplicated yet though.

Either way, Microsoft took LDAP (an established standard which Sun was already gearing up to use for authentication due to the

Re:Java Enterprise System from Sun is better produ

[allenw]

... and will be opened as well. [slashdot.org] I can't help but think that RH rushed this out the door to counter Sun.

But does anyone really want an older version that's likely been untouched for years?

Re:Java Enterprise System from Sun is better produ

[canuck57]

I think that the Fedora directory Server is late, and it is based on old versions of Netscape Directory Server.

Yes, it is late. Plus I find it disturbing some parts of it have special licensing concerns. And being version 1.0.... hopefully they will write this code out in time.

But it's strengths are that being based on the Netscape server gives it a boost in functionality over Open LDAP. I often wondered why Open LDAP seemed to almost stall in it's development.

So I will still be using Sun One Directo

Re:Java Enterprise System from Sun is better produ

[hyc]

OpenLDAP didn't stall, RedHat just continued to ship the same antiquated release years after it was decommissioned by everyone else. OpenLDAP has gotten a ton of undeserved bad press over the past 5 years largely thanks to RedHat never updating the version they bundled.

Re:Nice to see

[jbellows_20]

A real solution would be a policy engine, an actual application that read policies from an enterprise server then took those policies and applied them to the workstation. Take that and give it an interface (whether gui or tui) to allow the management of the different policies. I've looked around and there isn't much. Zenworks from Novell is supposed to be able to do this but haven't had time to setup a test system to see what it can do. As much as one might hate Microsoft, he/she has to admit that their Ent

Re:Why would anyone want to suffer like this?

[trolleywobbles]

You know, I resent that. I've had a lot of experience with both Fedora and Gentoo, and I don't think you have any idea what you're talking about. Both (especially Gentoo) are very maleable distros, and it's just sad you have to rely on your precious package manager to apt-get anything done. The reason you have to compile everything for Gentoo is that it enables much more cross-platform software and programming. But I wouldn't expect you to understand any of this. Just let your Ubuntu lull you into a fa