Win2K and LDAP

Story: It's the Directory, Stupid
Total Replies: 17
gus3

Nov 28, 2007
9:33 AM EDT
This whole comment prefixed with "If I Remember Correctly":

Win2K on the network requires the use of Windows Active Directory for just about all resource management. Users, passwords, shares, databases, registries, all involve LDAP somewhere. If you try to code around it, and your system conks out, don't expect help from Microsoft.

Given Microsoft's propensity to cram their half-cocked implementation of just about anything down their customers' throats, why would Linux and Open Source want to play catch-up with them on anything?

(And as an aside, what can LDAP or Windows Dir Svcs do that NIS, NFS, and normal Unix administration can't?)
cabreh

Nov 28, 2007
10:09 AM EDT
Now, I'm a Linux user personally who is trying to convince the organization I work with to move to Linux. Just so you understand my true position and don't call me a troll because of what I'm about to say.

What does Active Directory give you? How about a single place to do everything. In a GUI to boot. Without having to figure out how to set up LDAP, NIS, Kerberos and so on. I have been tasked with trying to prove that switching to Linux for most things (other than our legacy must-have items like the finance department's software) is viable.

Considering that most of the admins in our organization are Windows only admins this gets tricky. Of course if someone can point me to a HOWTO that those admins could use to provide the following I'd love to see it.

Single sign-on, roaming profiles that work when you move from the office in one part of Europe to the head office in the US for a visit. That gives you all your shared drives/folders/directories without admin intervention.

I also have to convince them to replace Exchange. This isn't a real problem. But Exchange does tie in rather closely with AD and you get the shared folders and everything rather easily.

Please say it's as easy as you are implying. And that there are instructions that even a Windows admin could follow. In a gui maybe? Or at least in one place.

Rick.
techiem2

Nov 28, 2007
10:30 AM EDT
I don't know about a super easy to use setup (I'm actually not totally sure how ours works), but here we are using Samba as a domain controller and OpenLDAP for all our accounts. I don't think we're using roaming profiles, but not sure. We do have the user's directory on the fileserver map to a drive in Windows and have all the loads configured to use that as the My Documents dir. Fortunately, we weren't using Exchange, so the switch over to Horde from the previous proprietary mail system wasn't too hard.

I would love to see a howto also, as I'd like to do a similar setup from scratch myself to learn on/play with (I can't exactly go hacking around in the college's ldap database....).
jdixon

Nov 28, 2007
10:32 AM EDT
Rick:

Authenticating a Linux box to Active Directory looks fairly simple. A quick Google search for Linux Active Directory integration should give you a number of hits.

As far as I could tell, single sign on and roaming profiles don't seem to be supported though, which isn't all that surprising.

You can probably achieve an equivalent to roaming profiles by having the user's home directory be a network directory rather than stored on the local machine. You can also get the same effect by using thin clients and having the accounts run from a server. Searching for LTSP howto will give you more information than you probably want, as will perusing the ltsp website at http://www.ltsp.org.

Tuxchick probably knows more about this than most of us. She may be able to offer some advice, though she'll probably take a shower afterwards. I don't think she likes Active Directory. :)

From what I've read, Novell's SLED and Xandros seem to have the best Active Directory integration out of the box. Either of them may be able to provide you with information about what they offer if you ask.
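The setup techiem2 describes (Samba as domain controller, accounts in OpenLDAP, the user's server-side directory mapped to a drive letter) and jdixon's suggestion of a network home directory in place of roaming profiles both come down to a handful of Samba 3.x settings. The smb.conf below is an added example, not configuration from anyone in this thread; the domain name, host names, DNs and paths are assumed placeholders.

```ini
; Added example: Samba 3.x PDC with an OpenLDAP account backend and
; network-mapped home directories. All names below are placeholders.
[global]
   workgroup = EXAMPLE
   netbios name = PDC1
   security = user
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   ; Accounts come from OpenLDAP rather than a local smbpasswd/tdbsam file.
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ; Bind DN for Samba's writes; its password is stored with "smbpasswd -w",
   ; never in this file.
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal
   ; Require STARTTLS so bind credentials and password hashes are not sent in clear.
   ldap ssl = start tls

   ; At logon, map the user's server-side home to H:. Leaving "logon path"
   ; empty disables roaming profiles; the mapped home is what follows the user.
   logon drive = H:
   logon home = \\%L\%U
   logon path =
   ; Pointing My Documents at H: is done by this script or a policy (assumed).
   logon script = logon.bat

[netlogon]
   path = /srv/samba/netlogon
   read only = yes
   browseable = no

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0600
   directory mask = 0700
```

Check the result with `testparm` before restarting Samba; it reports unknown or mistyped parameters, which are the usual reason a domain logon silently falls back to a local profile.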
hkwint

Nov 28, 2007
1:16 PM EDT
Maybe try sadms:

"sadms is GUI based and automatically configures Samba, Kerberos and LDAP from a single screen."

Look here http://sadms.sourceforge.net/ and here for an article: http://pcquest.ciol.com/content/linux/2005/105010303.asp
cabreh

Nov 28, 2007
10:18 PM EDT
I guess my problem is that I'm looking to replace AD totally, otherwise we are stuck with the license costs. We would like to reduce that as much as possible. But at the same time I'm being told that we have to provide all the bells and whistles that the users (but mostly the admins) are used to having.

I have done my googling and know that I could set up Samba as a domain controller and such. But I haven't found a way to get this to work in an international organization that demands their profiles/login setups be available wherever they travel.

If I can't save them money by dumping almost all the Windows boxes, they will see no incentive to move to Linux.

Too bad Novell's directory service isn't open source.

Guess I'll have to wait a few more years to get this organization changed over. I've been preaching Linux since 1994, but they just don't want to hear it.
Sander_Marechal

Nov 28, 2007
11:20 PM EDT
Quoting: I also have to convince them to replace Exchange.

I suggest you take a look at Zarafa. It's a Linux-based Exchange replacement. It's not FOSS but a *lot* cheaper than Exchange. And it works with standard protocols to boot (IMAP, POP, CalDav, etcetera) so you're no longer tied to Outlook for the client. You can still use Outlook if you want of course. We're currently testing it at my company (close to 100 people) and so far we're really happy with it.

See http://zarafa.com/
jdixon

Nov 29, 2007
3:06 AM EDT
> I guess my problem is that I'm looking to replace AD totally, otherwise we are stuck with the license costs.

What it sounds like they're asking for is a complete rip and replace without changing any of their current procedures or having to retrain their people.

Which is, of course, impossible. They wouldn't ask that for any other new system they plan on installing. Even if it easily integrated into their existing systems or replaced a current one, there would still be changes and training required. Just ask them how complicated it's going to be to move to Vista and Office 2007.

It's also a bad idea as far as business operations go. The disruption from a rip and replace is massive. The business may find itself completely unable to operate for several days or weeks at a time. It's far better to simply start using Linux in the places you can and keep using Windows where you can't. That keeps disruption and retraining to a minimum.

That said, one of the best examples of a company completely switching to Linux from Windows, insofar as that's possible, is Novell. They have a white paper on their migration at:

http://www.novell.com/collateral/4621400/4621400.html

A quick glance at it indicates that it documents what they did, the problems they encountered, and the solutions they came up with. You should probably take a look at it, and (if you like it) you can give copies to the people you're trying to convince.
cabreh

Nov 29, 2007
6:07 AM EDT
jdixon:

Thanks for that link. I'll read it and pass it on to the IT director.

And yes, they are asking to retain their current functions. Maybe with the Novell document I can get them at least thinking about what they don't need.

Right now we are in a real budget crunch and it's the best time for me to push Linux as an inexpensive alternative. Being a non-profit depending on donations can make us hard up for spending cash at times. This is one of those periods. Also the really low US dollar has hit us badly since most of our support is from North America.

Rick.
Abe

Nov 29, 2007
6:52 AM EDT
@Cabreh

Quoting: I guess my problem is that I'm looking to replace AD totally,

Here is a link to the first part of a good article by, who else, Carla Schroder about LDAP. I thought it would give you a pretty good idea about LDAP.

http://www.enterprisenetworkingplanet.com/netsysm/article.ph...

I think LDAP could replace AD without all its hassles and complications.

cabreh

Nov 29, 2007
9:02 AM EDT
Abe:

I was already setting up a server for LDAP. And I had seen that article. Figured I'd wait at least for part two since another HOWTO I was trying to follow didn't really work out for me. I'm thinking LDAP and Kerberos may be a way to go. If I can get it documented well enough for the other admins.

bigg

Nov 29, 2007
9:03 AM EDT
Edit: I thought I was linking to a similar article from Linux-Watch, but it was just linking to the same story as LXer.
tuxchick

Nov 29, 2007
9:27 AM EDT
That's a good article, bigg. Active Directory is a steaming pile with a deceptively-pretty interface. Just like all of MS' crudware. Novell has long had superior directory services; I still wonder why Novell has made a career out of being a chronic loser and victim to Microsoft. That takes real talent and dedication. Fedora Directory Server is a mature powerhouse. But, as the article says, it's a well-kept secret, and raw OpenLDAP is frightening to behold. Can anyone think of any FOSS projects that pay proper attention to polish and usability?
Abe

Nov 29, 2007
9:35 AM EDT
Quoting: I think this new article is relevant, and not good news

The guy brings up a good point, OTOH, he either totally ignored or forgot about Samba.

Samba 3.x can join and access AD, but doesn't share in the administration process of AD.

Samba 4.x, which is in Alpha1, is being developed to join and participate in AD as if it were a Windows AD Controller. I believe they will succeed in this effort simply because they already can join into an MS Domain as PDC. When they accomplish AD compatibility, any enterprise could use pure Samba for Linux or mixed with MS AD transparently.

If a single group can do this, it is the Samba team. They have a long history and experience in doing that. Novell, due to their deal with MS, lost their key Samba developer.

Sander_Marechal

Nov 29, 2007
2:36 PM EDT
Quoting: at the same time I'm being told that we have to provide all the bells and whistles that the users (but mostly the admins) are used to having.

You could just show them Exchange/SharePoint 2007/2008/Vista (whichever it is). It's all command-line based through Windows PowerShell. So whatever your company picks, it's going to lose the flashy GUI stuff anyway and will need to retrain the IT staff to use the CLI instead.
rijelkentaurus

Dec 01, 2007
6:12 AM EDT
What about OpenDS? Anyone try that out yet?

http://opends.org/
wjl

Dec 01, 2007
9:31 AM EDT
Guys/ladies,

have you ever heard of Univention? LDAP and single sign-on are their business. And the CEO Peter Ganten wrote one of the first Debian books AFAIR. They also offer an integrated replacement for Exchange, based on Kolab I think.

Their site is at http://univention.de/english.html

regards, wjl
cabreh

Dec 03, 2007
6:01 AM EDT
Just to keep you informed:

We are going to have Novell give us an appraisal for a complete solution. We have used Groupwise in the past when it was owned by WordPerfect (back in our AIX days). So, it's sort of a known commodity for some users. And looking at their Small Business offering it sounds like they could supply us on a larger scale with what we want.

We'll see. And how much as well.

Rick.