[K12OSN] killing Active Directory - direction needed for Samba/LDAP installer
Matt Oquist
moquist at majen.net
Tue Nov 1 01:54:33 UTC 2005
The newest version of the Samba/LDAP Installer theoretically should
work on almost any Linux distribution, and it has been successfully
tested with Ubuntu, K12LTSP 4.4.1, and FC4. (The newest version is
always at http://majen.net/smbldap/. Updated documentation is in
progress.)
But any multi-site organization wishing to utilize this has a number
of remaining problems to solve, and I'd like to see how the installer
can be improved to deal with those problems. In each area, we need to
consider what Active Directory (the competition) is like.
1. Ease of configuration
Clickity-click, I want AD, clickity-click, I want users,
clickity-click I want trust relationships in my WAN. Pretty GUIs
are available to do everything. To be a viable alternative,
Samba/LDAP must be easily installable and configurable. While
a GUI interface to the Samba/LDAP installer/configurer would be
nice, ATM I consider this to be lower in priority than some other
things.
2. Ease of management
Managing users and groups is easy and clicky in AD. I'm a command
line buff, but most other people are not CLI buffs. Those people
want GUIs, which means that management GUIs are a necessity if
a smallish organization without UNIX gurus is going to seriously
consider switching from AD to Samba/LDAP.
Webmin has some modules, IDEALX has the Samba Management Console,
and I've even heard people mention that they use Windows-based
applications to manage Samba/LDAP.
What recommendations do any of you have? Which GUIs are the best?
Which ones are the easiest to configure? Which ones are the most
stable? Which ones are the most powerful? Which ones are the
safest -- from a security standpoint and a newbie-administrator
standpoint?
If we can arrive upon a particular tool or set of tools that work
the best, I hope the Samba/LDAP installer can begin to address that
installation and configuration as well. (Whatever tool is chosen
must be readily available as an RPM/deb, and very preferably
installable with normal yum/apt repositories.)
3. How to do WAN configurations?
Here's where it will become rather obvious that I haven't done much
of anything with LDAP myself; I'm not even a sysadmin of more than
my home network so I haven't been using Samba/LDAP. But what is
the best way to implement Samba/LDAP in a multi-site WAN?
I have a particular scenario in mind. Suppose a given school
district has 10 schools on a WAN, and each school currently has its
own AD domain. Each AD domain trusts all the others, so each user
can log in at each school with her own regular username and
password.
I realize that AD is just LDAP and Kerberos with some Embrace
& Exteeeeeeend applied, but based on how the Samba/LDAP Installer
works and my rather superficial understanding of LDAP itself, it
seems like giving each school its own base DN (analogous to the
different AD domains) is probably a needlessly complex approach.
Instead, would it be better to give the entire district one
Samba/LDAP domain, e.g. "DISTRICT", and then create a group of
users for each school? Each school would then have a slave
Samba/LDAP server and a file server. The home directories would be
structured like this:
/home/schoola/<users>
/home/schoolb/<users>
/home/schoolc/<users>
/home/schoold/<users>
And each school's fileserver would NFS mount each other school's
local userspace so that wherever you are in the district, things
should look exactly the same.
If you log in outside of your normal site, then things will be
slower for you as your home directory is accessed across the WAN.
But everything else should be the same.
This would make user migration (from school to school) a snap, as
users can simply be dropped from one group and added to another,
and home directories can be rsynced from school A to school B. (I
guess the users would need to have their homedir paths modified as
well.)
Is this a good approach? Is there any reason it wouldn't work? Is
there a better approach that would be this simple?
If we could develop the Samba/LDAP Installer to make it drop-dead easy
to configure and manage multi-platform, multi-site user authentication,
I think we will have taken a great step forward.
I look forward to all your great advice. :)
Thanks,
Matt
--
Open Source Software Engineering Consultant
http://majen.net/
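The school-to-school migration sketched in point 3 (drop the user from one school's group, add to the other, repoint the home directory after the rsync) expressed as an LDIF change set. This is an added illustration, not part of the original post or of the Samba/LDAP Installer; the base DN `dc=district,dc=example`, the `ou=Groups`/`ou=Users` layout, the group names `schoola`/`schoolb` and the user `jdoe` are all assumed placeholders, and the groups are assumed to be `posixGroup` entries using `memberUid`.

```ldif
# Constructed example: move user "jdoe" from School A to School B.
# Base DN, OU names, group names and uid are assumptions, not the
# installer's real layout. Run the rsync of /home/schoola/jdoe to
# /home/schoolb/jdoe BEFORE applying this, so the new path is populated.

# 1. Remove the user from School A's group.
dn: cn=schoola,ou=Groups,dc=district,dc=example
changetype: modify
delete: memberUid
memberUid: jdoe

# 2. Add the user to School B's group.
dn: cn=schoolb,ou=Groups,dc=district,dc=example
changetype: modify
add: memberUid
memberUid: jdoe

# 3. Repoint the home directory to the new school's userspace.
dn: uid=jdoe,ou=Users,dc=district,dc=example
changetype: modify
replace: homeDirectory
homeDirectory: /home/schoolb/jdoe
```

Apply with `ldapmodify -x -D <admin DN> -W -f migrate.ldif` against the master; each `dn:` block is a separate modify, so if a later one fails the earlier ones stay applied and must be checked rather than assumed rolled back.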