LinuxDevCenter.com


Linux in the Enterprise
Unfinished Business: The One Missing Piece

by David HM Spector
04/28/2003

It was missing a piece.
And it was not happy.
So it set off in search
of its missing piece.
And as it rolled
it sang this song-

Oh I'm lookin' for my missin' piece
I'm lookin' for my missin' piece
Hi-dee-ho, here I go,
Lookin' for my missin' piece

From The Missing Piece by Shel Silverstein

Linux is a lot like that semi-circle from Shel Silverstein's famous and endearing children's book: almost a complete circle, but not quite. With all of the incredible strides that Linux has made, from the smallest embedded devices to some of the largest supercomputers ever made, there is one piece of its complete adoption in the enterprise that's still missing--a not-so-little piece still to be done: integration and interoperability with Active Directory (AD).

As I type this opening paragraph I can almost hear the screams of indignation in the distance: Work with AD?! Why would anyone need to work with AD? Active Directory is not a standard! It's been embraced and extended! Who needs that? We've got LDAP and NIS and Kerberos and... Well, let's look at where we are in the grand scheme of things and see if we can clear things up a bit:

Linux has really reinvigorated the UNIX family of operating systems, as well as competition in the server marketplace. The hard work and talents of thousands of developers have made Linux an unstoppable force in the data center. They have also set the foundation for Linux (and other UNIXes) to provide credible and well-implemented alternatives to Microsoft Office on the desktop, but Microsoft still has absolutely no competition in the directory space. The directory space is the key to the desktop marketplace and to the possibility of Linux's total integration in mainstream environments, because that's where all the really important metadata--the stuff that businesses run on--lives.

Enterprise Directory Services in 250 Words or Less

You're probably wondering what's the big deal about a directory. It's just LDAP, right? Sort of. It's hard to do justice in a couple of paragraphs to a topic about which no fewer than 200 books have been written, but here's a quick primer.


An enterprise directory is a repository of concrete and metadata objects which describe the relationships between all of the objects in a computational ecosystem. Examples of concrete data objects include usernames, passwords, computer names, printer names, IP addresses, home directories, and so on. In general, these are objects you can see, touch, or manipulate directly.

The other set of objects managed by a directory are almost all "metadata"--literally "data about data." Metadata objects don't have any meaning unto themselves. Some aggregate concrete objects. Others describe relationships: to a concrete object, to a concrete object's attributes, or to other metadata objects. Examples of directory metadata objects include groups of users or groups of computers, organizational units such as the marketing department, access control lists, password expiration times, computer configurations, software configurations, application license keys and end-user rights identifiers, print queue descriptions, campus locations, office/cubicle numbers, phone number data, and even relationships between enterprise applications that need to talk to each other.

A fully developed directory service contains enough information to allow an IT staff to manage an infrastructure completely, from the infrastructure's configuration to the day-to-day operational data needed for simple tasks (allowing users to print to the right printers) and complex tasks (holding credentials and data transformation rules used by applications). It must also allow for the delegation of roles and responsibilities, so that interns can't destroy enterprise databases or modify accounts, but senior sysadmins aren't clearing paper jams from print queues either.

Directory Services under Linux/UNIX

I've drawn a pretty distinct line in the sand, and now I have to cross it. How does the scenario I've laid out relate to Linux/UNIX, and what has Microsoft's Active Directory got to do with all of this?

Directory services as we use them today are an outgrowth of an unlikely victory in a standards battle that took place in the mid-1980s. The academically generated IETF standards for networking (TCP/IP) and email (RFC822) battled the corporately funded International Standards Organization's (ISO) ISO networking stack and the X.400/X.500 email and email directory system. The details are fascinating, if a bit tedious and out of place here. The IETF network standards were better designed in terms of implementations, but the ISO standards--especially those for email directories--were richer in terms of the data that could be stored and used effectively for email. The result was a middle-of-the-road compromise that took the best of the ISO email directory and made it useful as a general-purpose attribute-based token storage system. The resulting protocol was the Lightweight Directory Access Protocol (LDAP).

LDAP allows the storage and retrieval of rooted trees of data, where each tree represents some related and hierarchical relationship of information. How that data is stored is implementation dependent, but the mechanisms for describing, storing, and accessing data are the same regardless of the kinds of data stored. This is accomplished by schema definitions that describe the data to be stored in an implementation-independent way. It was XML for organizational data before XML was invented.

In the UNIX world, LDAP has typically been used to store phonebook-type information. In fact, a quick look at Freshmeat.net and SourceForge shows that the majority of Open Source LDAP projects are about keeping phone directory info. Another common use for LDAP is the storage of credentials for email systems (such as POP3 or IMAP) or for remote access solutions such as RADIUS.

A less common UNIX [1] use for LDAP, even though it's supported by every major Linux and UNIX vendor, is for storing user login information. Unfortunately, few people use LDAP to store esoteric information such as Kerberos keys or access control lists or to knit together all of this information into one cohesive data pool. That would decouple user, application, and rights information from the physicality of the hardware where it is stored.
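The rooted-tree data model and schema-driven storage described above, applied to the "storing user login information" case, as an added worked example (not code from the article): a small Python parser for LDIF, the text export format LDAP servers use, that rebuilds the tree from the distinguished names, checks each entry against a hand-written subset of the RFC 2307 posixAccount object class, and renders a complete entry as an /etc/passwd-style line. The sample LDIF, the dc=example,dc=com suffix and the user names are constructed for this example; the parser deliberately skips LDIF's base64 ("::") and continuation-line features.

```python
"""Added example: LDIF -> rooted tree -> schema check -> passwd-style record.

The directory data below is constructed for this example (the suffix
dc=example,dc=com and the users are assumptions, not from the article).
"""
from collections import defaultdict

# Constructed sample export. One entry is deliberately incomplete.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: broken
cn: Broken Account
uidNumber: 10002
"""

# Hand-written subset of the schema: the attributes an entry MUST carry for
# each object class. posixAccount's MUST list follows RFC 2307.
SCHEMA = {
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "organizationalUnit": {"ou"},
    "dcObject": {"dc"},
}


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Entries are blank-line separated.
    Base64 values ('::') and leading-space continuation lines are not handled."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries


def parent_dn(dn):
    """Drop the leftmost RDN: 'uid=alice,ou=People,dc=example,dc=com' ->
    'ou=People,dc=example,dc=com'. Naive split: escaped commas are not handled."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def build_tree(entries):
    """Rebuild the rooted tree: return (root DNs, {dn: [child DNs]})."""
    children = {dn: [] for dn in entries}
    roots = []
    for dn in entries:
        parent = parent_dn(dn)
        if parent in children:
            children[parent].append(dn)
        else:                          # parent not in this export: a root
            roots.append(dn)
    return roots, children


def missing_attributes(entry):
    """MUST attributes the entry lacks, over every object class it claims."""
    missing = set()
    for oc in entry.get("objectClass", []):
        missing |= SCHEMA.get(oc, set()) - set(entry)
    return sorted(missing)


def passwd_line(entry):
    """Render a schema-complete posixAccount as an /etc/passwd-style line,
    or None when the entry is not (or not yet) a usable login record."""
    if "posixAccount" not in entry.get("objectClass", []) or missing_attributes(entry):
        return None
    first = lambda attr: entry[attr][0]
    shell = first("loginShell") if "loginShell" in entry else "/bin/sh"
    return ":".join([first("uid"), "x", first("uidNumber"), first("gidNumber"),
                     first("cn"), first("homeDirectory"), shell])


def directory_report(text=SAMPLE_LDIF):
    """Parse an LDIF text and summarise tree shape, schema gaps and login records."""
    entries = parse_ldif(text)
    roots, children = build_tree(entries)
    return {
        "roots": roots,
        "children": children,
        "missing": {dn: missing_attributes(e) for dn, e in entries.items()},
        "passwd": {dn: passwd_line(e) for dn, e in entries.items()},
    }


if __name__ == "__main__":
    report = directory_report()
    for dn, line in report["passwd"].items():
        print(dn, "->", line if line else "not a login record, missing %s" % report["missing"][dn])
```

The schema check is the part worth noticing: the second account claims posixAccount but lacks gidNumber and homeDirectory, so it is never turned into a login record. That is the "described in an implementation-independent way" property in practice: the consumer of the directory can refuse incomplete data without knowing anything about how the server stores it.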

Microsoft, for all of its embrace-and-extend philosophy, does know a good thing when it sees it. In LDAP it discovered a solution to a long-standing problem dating from the release of Windows NT: How do you describe everything that can go on in an enterprise and manage that information without the resulting system being so fragile that it's broken by change?

With few exceptions, Active Directory is basically an LDAP engine in which Microsoft has defined every possible relationship between data and the actions one can perform on a Microsoft-based platform. To make the whole thing secure from an authentication management perspective, they use Kerberos (albeit with a couple of very controversial and proprietary extensions) and Globally Unique Identifiers (GUIDs). From user logins and groups to the storage and management of authentication tokens (Kerberos tickets and GUIDs); from the management of application information to the management of print queues, Active Directory manages it all. Administrators can replicate this information across large organizations and delegate bits of functionality and authority. This avoids the root privilege problem one typically sees under UNIX when someone needs to reconfigure a printer.

Where's the Disconnect and What Does it Mean?

Since LDAP, Kerberos, and most of the other tools that Microsoft has aggregated into Windows Active Directory were developed in the Unix world, it should be a no-brainer to integrate them under Linux/UNIX. What happened?

First, Microsoft is in a unique position. For good or ill, it controls all aspects of what goes into the operating system and how those pieces interoperate. It can lock out third parties from adding to or changing how those pieces work. The result is a very well-constrained set of administrative APIs and pools of data, even in a mixed 95/98, NT, Win2000 and WinXP environment.

In the Linux/UNIX world, as Perl programmers like to say, there's more than one way to do it. Because UNIX-like systems are not a monoculture in terms of base operating systems, services, and facilities, there has never been a single set of unifying drivers that can be applied universally to every network of UNIX machines. The X Window developers once described the lack of a user interface standard as the difference between believers in policies and believers in religions. In UNIX environments, there are at least six commonly used methods for dealing with user accounts alone (vanilla /etc/passwd, passwd+shadow, NIS, NIS+, RDB, and LDAP)--all policies to choose from, no hard and fast religion that says "here's how it should be done." Once you get into the management of peripherals like printers, address books, and remote access, your options get exponentially more complicated. Then there's interoperability with a common administrative/management framework that works and plays well with non-UNIX environments like Active Directory.

The end result? This is a problem; it's keeping Linux off of the corporate desktop because IT managers can't easily integrate Linux systems into their existing environments [2].

Why Hasn't Anyone Solved this Under UNIX?

It's a very hard problem. LDAP may be useful and powerful, but deploying it piecemeal by hand is neither for the faint of heart nor the weak of stomach. LDAP schemas (the files that tell LDAP how to parse data for a given tree of information) are not easy to develop, let alone read or write. Since there are so many different mechanisms for everything from user-login to ACLs, there is no standard set of LDAP schemas for implementers to draw from [3]. Add to this that LDAP's base configuration files are so user-unfriendly as to provoke need of deep, deep psychotherapy. In short, it's a bear to set up.

Despite being really powerful and really challenging to deploy at the same time, there are a couple of partial solutions that can enable Linux/UNIX shops to take advantage of the power of an enterprise-like directory:

Sun's ONE Directory Server, formerly iPlanet, is an impressive offering. It's a full-featured LDAP solution that does a lot of what Active Directory does. It has one huge failing: it is completely incompatible with AD. To be fair, Sun is trying to position this as an alternative. They provide all sorts of tools and libraries to allow Windows clients to be equal players in a Sun ONE directory environment, which is more than Microsoft does. (Then again, Sun doesn't control over 95% of the world's desktop computing market. Microsoft has few obvious economic incentives to be nice to competitors.)

Directory Administrator is a nice GUI front end to an OpenLDAP server that can be used to make a limited single-sign-on solution for a UNIX network. This makes using and administering LDAP quite a bit easier, but it works best if you already have a running LDAP implementation.

In the next part of this series we'll explore exactly what needs to be brought together to make Linux/UNIX equal players as both clients and servers in the enterprise directory-enabled space.

David HM Spector is President & CEO of Really Fast Systems, LLC, an infrastructure consulting and product development company based in New York.


1. The one exception to this is Apple's implementation of Netinfo on top of LDAP, which we'll talk about in depth in Part II.

2. Purists will say Hey! PAM can talk to LDAP and therefore AD. Yeah, but try and change your password or use almost anything else served up by the directory.

3. There are several LDAP standards for UNIX login data and phone books. These too will be covered in Part II.



How do you manage entities in a heterogenous network? Is there a killer app we've missed?

  • Integrating *NIX into AD
    2005-12-19 08:46:30  DarrenC [Reply | View]

    Sometimes it's great to come back to an old conversation with new information. The missing piece of the puzzle has been integration into AD, and that piece is now fixed with the work that Vintela have done (a bunch of Unix guys partly funded by Microsoft) to integrate *NIX into AD in a secure and kerberized way.

    Why go with Sun's non kerberized directory when you have one in place already?

  • Microsoft Must be hurting for cash badly.
    2003-07-31 06:46:20  anonymous2 [Reply | View]

    Who is this rube? Dude it's ok to be a company man, but don't try to produce an article that is clearly designed to promote your only skill set and limited knowledge.
  • THANK YOU!!!
    2003-07-22 07:18:49  anonymous2 [Reply | View]

    I thought I was going mad!! How can you do an article on directory services and not even mention Novell!!! That's just messed up.
  • OMG!
    2003-07-17 22:27:23  anonymous2 [Reply | View]

    There are so many things wrong with this article I do not know where to start......
  • Excuse me?
    2003-07-12 10:27:06  anonymous2 [Reply | View]

    "but Microsoft still has absolutely no competition in the directory space."

    sure, only if you exclude LDAP, IBM, Sun and of course Novell, does Microsoft have no competition.

    It's more accurate to state that *Novell* has no competition in the directory space.

    Why? Because unlike the other directory providers above (including Microsoft), Novell's eDirectory is cross-platform on more systems. THIS is the true crucial element in picking a directory system.

    Microsoft's AD requires a complete rip-and-replace of existing network infrastructures in order to get AD working.

    That and the fact AD can only scale to a 100 or so million objects.

    Big deal.

    Compaq got Novell eDirectory to scale to over 1.6 BILLION objects in a single tree over a year and a half ago. Novell claims the 1.6 billion object limitation (in eDirectory 8.5) was removed in 8.6 and 8.7.

    The U.S. Army needed a directory system to run the authentication system to allow tankers to start up their M1 Abrams tanks. Guess which directory system they selected? Hint: Not Microsoft's.
  • Real-World Business Case
    2003-07-01 07:15:41  anonymous2 [Reply | View]

    I am the directory services specialist of a 25,000 user environment (university).

    Our main directory service (meta directory) is based on RedHat linux servers running Novell eDirectory.
    Novell's DirXML provides connectivity and data synchronization between our meta directory and other (directory) services that are in use such as WindowsNT4, Windows2000 ADS, Oracle, SAP, and other eDirectories.

    ALL of our user identity information flows through eDirectory on linux servers and has been doing so for the past couple of years.

    Even though management wanted to enforce use of ADS, benchmarks and objective functionality reports convinced them to use eDirectory.

    How will the follow-up on this article react to real-world business cases like this?
    If the author wants more information for his research, contact me and I will provide it.

    Mark van Reijn
    m.i.van_reijn (at) i-groep leidenuniv nl
  • D.U.H.
    2003-06-16 11:45:31  anonymous2 [Reply | View]

    This guy is filled with buzz-words, but how long has he been in the business?? Five years? Obviously long enough only to see the Microsoft view of the world.

    There are lots of companies trying to implement AD, but the experience is that it is very painful and does not really scale very well, and by the way- AD is NOT fully LDAPv3 compliant. And keep in mind that even if AD was any good - which it is not - it is anathema for Microsoft to integrate well with anything open source - so the whole point of Linux is missed by them.

    One other comment - Read Gartner, there are certainly strong competitors to AD and Sun i.e. Novell eDirectory - Look at CNN, Lufthansa, Star Alliance, Daimler-Chrysler etc. etc. They all use eDirectory. They must know something this turkey does not!
  • One Missing Piece...
    2003-06-13 13:58:25  anonymous2 [Reply | View]

    Did the author do any research? Novell's eDirectory has run on Linux for years. Our company's web site is directly tied into eDirectory running on a RedHat Apache server.

    eDirectory is becoming the de facto standard directory service on many platforms including flavors of UNIX and Windows.
  • Author didn't do his homework.
    2003-06-13 07:16:28  anonymous2 [Reply | View]

    Active Directory is not a true directory service - a more appropriate name might be 'Active Domains' - it's more of a marketing tool to convince customers that Microsoft has a true directory service.
    Novell's directory service is the most robust on the market. It's run on Linux since 2000. It is the only major cross platform directory service - it supports Windows, Netware, Linux, Sun Solaris and Unix environments, integrating all these heterogeneous systems. Redhat's directory service for their worldwide network is Novell's - I'm sure that even Mr Vaughn-Nichols knows that Redhat has a Linux server or 2. A very poorly researched article, Mr. V.N.
  • Novell is setting the standard !
    2003-06-13 01:26:28  anonymous2 [Reply | View]

    Whoever looks for anything else than Novell e-Directory clearly has no idea !
    Novell is lightyears ahead of any other directory,
    and development runs at an incredible pace.

    I do not see any other directory picking up with Novell in the coming years in terms of functionality and stability.
  • How did you miss eDirectory!
    2003-06-12 21:35:41  anonymous2 [Reply | View]

    How can someone put so much thought and suggestions into an article without even mentioning the one product that stands above all of them. One would think you are working for Microsoft plugging their product. Do more research before saying there is no product that can do the job.

    Here are two good places to look:

    http://www.novell.com/products/edirectory/

    http://www.computerworld.com/softwaretopics/os/story/0,10801,66409,00.html

    (read the forum attached to the ComputerWorld Article. It's excellent)

    Hopefully your next article will include some talk on eDirectory!
  • pam_ldap and Active Directory
    2003-05-25 18:58:10  anonymous2 [Reply | View]

    I note that pam_ldap does support changing of Active Directory passwords. However, I agree that the integration could be more complete.
  • ***Gasp*** Sigh!!!
    2003-05-16 01:31:56  anonymous2 [Reply | View]

    This is truly one of the most ill researched articles I have ever read. I thought it started badly and gradually got worse. I read all the way through to find the bit where you mention Directory Services that already achieve what you want Linux to be able to do with AD.

    This time LAST year there were 420 million licensed seats of Novell's e-Directory worldwide. This is a product that sits on many platforms including Linux, and many flavours of UNIX; it can perform all the functionality that was mentioned in this article (including password synchronisation) and much more. A developer can bundle a 250,000 e-directory license with his linux application that integrates into e-directory for free, which must make e-directory a very viable product with the Open-Source world of Linux.

    I could go on, but I think you get the gist of my opinions. If an enterprise needs a directory service on Linux then Novell's e-Directory is one of the options, and reading others' comments below there are others. So may I request that thorough research is conducted before an article such as this is published.
    • ***Gasp*** Sigh!!!
      2003-07-15 05:10:53  anonymous2 [Reply | View]

      the truth is it was written somewhere in redmond
  • Local Exploit in 2.4.20 is Unfinished Business
    2003-05-13 14:51:20  anonymous2 [Reply | View]

    Sorry to be off topic but I cannot believe that there has not been a 2.4.21 release to patch the existing hole.

    If one downloads, compiles and installs the current kernel they are insecure out-of-the-box. It takes weeding through a mailing-list archive to find the patch for it. That is sad.

    It's hard to claim our OS is more secure than Windows with this vulnerability hanging around.
  • Novell's eDirectory is the ONLY directory worth looking at
    2003-05-07 10:12:36  anonymous2 [Reply | View]

    Dear author,

    Why don't you try doing a little bit of research before writing a document that is full of crap? Microsoft is only getting into the directory market and Novell has a near decade head start. You can install eDirectory on Linux, UNIX, Netware, Windows, etc., please tell me on what platforms AD will install? Windows only you say? That is a great solution for a mixed environment that is looking for an enterprise solution. NOT!

    Do your research you putz.
  • IBM Directory Services
    2003-05-06 19:06:07  anonymous2 [Reply | View]

    You seem to have left out a lot of options.
    Others have already pointed out Novell's solution, which is and has always been a better product than AD. Also IBM now has introduced their Directory Services for Linux. See http://www-3.ibm.com/software/network/directory/

    Given the need for AD compatible directory services, I am sure that both IBM and Novell's recent announcements will see a LOT of active work from those companies. And they both know how to make solid software. I'm willing to bet that before year's end, we'll see two very solid, very AD compatible products for Linux.

    In fact I think they'll turn around Microsoft's embrace & extend strategy by making a better AD than AD. Though admittedly, that won't be difficult since AD is basically crap.
  • Active Directory
    2003-05-06 18:48:38  anonymous2 [Reply | View]

    Active Directory is a piece of crap and to have a linux box on it would make linux look bad. Since my company went to it we have had constant problems and some of them really weird.
  • ?
    2003-05-06 12:29:20  anonymous2 [Reply | View]

    "Microsoft still has absolutely no competition in the directory space"

    Yeah right. Tell that to the 250 some odd million users who log into Sun ONE Directory Servers via multitudinous Web based systems everyday.
  • The Samba team is working on ADS functionality
    2003-05-06 10:46:11  anonymous2 [Reply | View]

    The Samba team is working on this functionality - see this link for the roadmap and status right now:
    http://de.samba.org/samba/devel/roadmap-3.html

    And see a description of the goal of this development:

    http://de.samba.org/samba/devel/

    And this excerpt from the text:

    "...
    What does the Samba Team plan to do to integrate Samba servers into native Windows 2000 domains?
    The Samba Team hope to gain more volunteers to help with this effort. There are basically three areas of functionality in regards to this. The ball has already started rolling with some research done by IBM's Linux Technology Center.

    A Kerberos 5 client implementation in Samba that understands the proprietary MS PAC
    A UNIX based Kerberos 5 KDC that can issue Windows 2000 PACs
    The ability to read data from an Active (i.e. LDAP) Directory Server via the authorization credentials (TGT) received from the Windows 2000 Domain KDC
    Of course, Samba is currently able to continue to operate in a Windows 2000 domain assuming that the domain supports Windows NT 4.0 File and Print servers. The new ADS (Active Directory) work has gained us much in the ability to act as a server in an ADS domain, but nothing in becoming a PDC."
  • The solution is eDirectory from Novell
    2003-05-06 01:25:31  anonymous2 [Reply | View]

    Novell has supported this for years
  • Why leave out eDirectory?
    2003-05-05 17:53:10  anonymous2 [Reply | View]

    eDirectory is the current leader in enterprise directories for Linux . . . either this guy has something against Novell or he just didn't do his homework.

    Further, Novell's DirXML product will synchronize eDirectory data stored on a Linux server with Active Directory data stored on a Windows server, so Novell provides the infrastructure for integrating Linux into a Windows network.

    There you go.
    • Why leave out eDirectory?
      2003-06-03 07:27:53  anonymous2 [Reply | View]

      There's a problem with this:

      "Novell's DirXML product will synchronize eDirectory data stored on a Linux server with [AD] data *stored on a Windows server...*"

      We want Linux/UNIX and legacy Windows desktops to connect to UNIX/Linux servers, so what's the point in giving companies an incentive to buy another Micro$oft server? Any Linux/UNIX directory service, if it is to be compatible with AD, needs to be able to run AD *itself*.
      • Why leave out eDirectory?
        2003-06-13 06:41:21  anonymous2 [Reply | View]

        AD is a service that runs on WINDOWS ONLY. Why would you want to build a crappy implementation of a directory for LINUX. Yes I know...those legacy windows desktops just like to talk to other windows boxes

        The game plan is install eDirectory, but the problem is the only real CIFS piece at the moment is SAMBA and it does not integrate with eDirectory....solution NetWare 7.0 + ZENworks for Linux all coming very soon!

  • Integrated system install and home directories.
    2003-04-30 01:56:28  anonymous2 [Reply | View]

    Perhaps it would be possible to take some of the enhancements embodied in NDS/AD and therefore make Linux even more useful in Education/Corporate set-ups. What I'm thinking of is integrating, as well as logon authentication, package management, home directory allocation etc., network based client install as well.

    Even for small business networks this may be useful, as a blank machine can be commissioned by selecting its role and therefore the appropriate operating system configuration and applications be automatically installed. Backup could also be set-up as part of the standard install and controlled by the directory.

    This may already have been solved for Linux as a complete solution detailed above, does anyone have details or links to open source projects trying to do the same?
  • samba 3.0 and winbind
    2003-04-29 14:50:20  anonymous2 [Reply | View]

    actually samba 3.0 can do this with winbind.... but it is still in alpha... so i guess everyone will have to wait
  • Can't I do it now?
    2003-04-29 13:03:41  anonymous2 [Reply | View]

    I think I'm confused. If I really want to integrate with AD, can't I do it now? Isn't AD really just LDAPv3 (-ish) and Kerberos v5 (-ish)? Can't I just Kerberize my Linux workstations and servers, and use something like NSS_LDAP to use the group/userfield information, and call myself integrated with AD? What pieces can I still not get from AD with this implementation?
  • Most replies are picking nits
    2003-04-29 12:20:05  nygard [Reply | View]

    Whether we quibble about the meaning of "competition" or viable alternative products, the fact remains that AD is a huge powerhouse in the enterprise. Ignoring it doesn't help. Criticizing it (valid or otherwise) doesn't help. It is there because IT managers are buying it, and they're going to keep on buying it.

    Right now, the one single thing that keeps me from using Linux on my desktop is authentication against the corporate directory. If we can bridge that gap, it only opens doors.

    I'm very much looking forward to the next part of this article.
    • Most replies are picking nits
      2003-07-12 10:20:55  anonymous2 [Reply | View]

      Just because someone purchases Windows 200x Server does not automatically mean they are purchasing AD for use as well.

      On the other hand, Novell has sold hundreds of millions of nodes of eDirectory separately from NetWare for use on Windows, Linux and Solaris.

    • Most replies are picking nits
      2003-06-13 16:33:11  anonymous2 [Reply | View]

      "the fact remains that AD is a huge powerhouse in the enterprise"

      Huge powerhouse in the enterprise? You're in fantasyland.

      The author does not know what he's talking about when it comes to Directory Services and should do some research (unless he's an MS shill) to re-write the article. Novell has over 1 billion licenses in the enterprise, is the fastest growing DS in the market and is multi-platform with 10 years of evolution behind it.

      I know personally of 3 multi-billion dollar companies who looked at AD and decided against it due to either immaturity, cost, or lack of functionality....they're sticking with eDirectory and DirXML. Most "enterprises" are multi-platform and cannot migrate completely to Windows (2000 or 2003 server, 2000 or XP desktop). AD is not a "powerhouse" and is more often avoided than not...people would even rather stay on NT 4 domains (even when unsupported) than try to move to the immature bloatware that is AD. Just look at the extremes MS is going through to get people to migrate off NT4 (they extend support, they make upgrade offers, they're re-writing Licensing 6, etc.).

      Get serious.
    • Most replies are picking nits
      2003-06-12 21:50:58  anonymous2 [Reply | View]

      If you want to authenticate Linux to a corporate network look at eDirectory as a corporate directory. It has many advantages over AD including partitioning, replication and synchronization. Check it out. With nSure Resource you can even sync your AD, MS Domains, LDAP, Exchange, Notes, SAP, Peoplesoft, SQL, LDAP and ... Password and accounts. Imagine enabling and disabling accounts at one location.

      Remember eDirectory works with and on:

      IBM AIX
      Linux 8.0
      Microsoft Windows NT 4.0
      Microsoft Windows 2000 Server and Advanced Server
      Novell NetWare 5.x and 6
      Sun Solaris

      I would say it is complete Corporate Network and not just limited to Windows.

      Hope this isn't too nit picky:-)
      • Most replies are picking nits
        2003-11-12 14:37:48  anonymous2 [Reply | View]

        AD is the 800 Lbs gorilla from what I've seen. I've been looking for a job for over a year and have seen a 10 to 1 ratio of AD to *nix jobs and at least a 50 to 1 ratio of AD to Novell jobs. You can say Novell has so many licenses and all that but the real world just doesn't support your argument.

        The point of the article was that the Linux community has not made a good enough effort to comingle with AD based on ADs popularity. Novell eDirectory is not really from the Linux community and it isn't free either. It may be a viable alternative but it isn't from the Linux community.

        Put on your IT Director or CIO hat (if YOU can imagine ever attaining such a position) and think about how many vendors you want to manage. Obviously, you want interoperability between the various OSes you run and it would be great if you can reduce costs by reducing the amount of admin overhead. Now someone suggests adding in Novell or IBM products to make MS, Linux, and Unix all play nice. Great, now you have to hire another skillset to make it all work and cross train your existing admins... Doesn't jump out as a huge money saver does it.



  • OpenLDAP directory not a goer?
    2003-04-29 11:50:42  anonymous2 [Reply | View]

    Hmm, I didn't need psychotherapy, deep or shallow, but we authenticate all our students (5,000 accounts) on our laboratory computers using OpenLDAP on a dual P-III.

    Are you telling me that I did the impossible? I didn't know I was in that league till today.

    nicku(at)vtc edu hk
  • Are you INSANE? Where's NDS/eDirectory?
    2003-04-29 11:01:05  anonymous2 [Reply | View]

    What rock have YOU been living under? How in the world can you say "but Microsoft still has absolutely no competition in the directory space" with a straight face? THE enterprise directory service is Novell's eDirectory - and it ALREADY runs on Linux, and it ALREADY supports PAM & LDAP.

    I'd like to add some more sane comments here, but this article has me furious over its revisionist view of directory and metadirectory history.
  • the mac seems to do this well
    2003-04-29 07:41:12  jannino [Reply | View]

    I guess it's going to get talked about in the next installment of this, but as I understand it, MacOS X can use its own NetInfo, LDAP, AD, and a few other things to get directory information to manage all sorts of things.

    I recently set up Postfix and Courier-IMAP with virtual accounts stored in LDAP. After seeing so many different poorly documented ways to do it, I finally went with a tool called Jamm because they documented the setup well and provided the needed management user interface so I can delegate account management to others who aren't sysadmins.

    For better and often worse, Microsoft did clear up the tower of babel of different LDAP schemas and tools to make one cohesive system called AD. But Apple has also done something similar for its platform in a more open flexible way.

    The beauty of UNIX is you can do things very à la carte, picking what is best for you and integrating it together yourself. But there are also lots of people who want it to just work and want someone else to have already figured that bit out. There's room for both.

    I think AD support for Linux is a good answer for helping it integrate into existing enterprises, but Linux (or the distributions) should come up with an alternative, open, cohesive standard for doing the same things.
  • Novell and Open Source
    2003-04-28 22:19:47  GerardM [Reply | View]

    The NDS product from Novell is the one to aim for, not that bastard of standards called M\AD. NDS has better functionality and it conforms better to standards.

    When you produce an innovative use of NDS, you can get a license from Novell to use NDS for many users in your product. This does not exclude OS products!

    Novell has a tradition of helping Open Source projects like OpenLDAP and it is currently hosting projects. They contributed crucial technology to kick-start things and they provide software and open standards to the community.

    IBM's Directory Server 4.1 is available at no cost.
    OpenLDAP has been available in the stable 2.1.17 version since 2003-04-10.

    Conclusion: the functionality the article refers to is needed and to some extent available, but AD is not the role model here, NDS is.

    Thanks,
    Gerard
    • Novell and Open Source
      2003-05-05 16:43:22  anonymous2 [Reply | View]

      Make that IBM Directory Server 5.1 :)
      Downloading right now. Thanks for the tip. Hope Novell has an eval, but if this IDS or Novell's are any good, strong chance that we'll initiate the move to Linux and exit one convicted M$ and their tax :)
  • Novell eDirectory has had this functionality for a few years
    2003-04-28 20:59:00  arberya [Reply | View]

    I have been working with eDirectory (Novell) on Solaris, Tru64, Linux, Windows 2000 & Netware for a few years. The eDirectory install on Solaris & Linux installs the PAM providers and allows for full single sign-on between hosts, amongst other benefits. All user metadata is stored in eDirectory. I also work with Active Directory for a global company. Let me just say that ADS has a long way to go to get to the current standard of eDirectory.


©2009, O'Reilly Media, Inc.