[K12OSN] killing Active Directory - direction needed for Samba/LDAP installer

Matt Oquist moquist at majen.net
Tue Nov 1 01:54:33 UTC 2005


The newest version of the Samba/LDAP Installer theoretically should
work on almost any Linux distribution, and it has been successfully
tested with Ubuntu, K12LTSP 4.4.1, and FC4.  (The newest version is
always at http://majen.net/smbldap/.  Updated documentation is in
progress.)

But any multi-site organization wishing to utilize this has a number
of remaining problems to solve, and I'd like to see how the installer
can be improved to deal with those problems.  In each area, we need to
consider what Active Directory (the competition) is like.

1. Ease of configuration
   Clickity-click, I want AD, clickity-click, I want users,
   clickity-click I want trust relationships in my WAN.  Pretty GUIs
   are available to do everything.  To be a viable alternative,
   Samba/LDAP must be easily installable and configurable.  While
   a GUI interface to the Samba/LDAP installer/configurer would be
   nice, ATM I consider this to be lower in priority than some other
   things.

2. Ease of management
   Managing users and groups is easy and clicky in AD.  I'm a command
   line buff, but most other people are not CLI buffs.  Those people
   want GUIs, which means that management GUIs are a necessity if
   a smallish organization without UNIX gurus is going to seriously
   consider switching from AD to Samba/LDAP.

   Webmin has some modules, IDEALX has the Samba Management Console,
   and I've even heard people mention that they use Windows-based
   applications to manage Samba/LDAP.

   What recommendations do any of you have?  Which GUIs are the best?
   Which ones are the easiest to configure?  Which ones are the most
   stable?  Which ones are the most powerful?  Which ones are the
   safest -- from a security standpoint and a newbie-administrator
   standpoint?

   If we can arrive upon a particular tool or set of tools that work
   the best, I hope the Samba/LDAP installer can begin to address that
   installation and configuration as well.  (Whatever tool is chosen
   must be readily available as an RPM/deb, and very preferably
   installable with normal yum/apt repositories.)

3. How to do WAN configurations?
   Here's where it will become rather obvious that I haven't done much
   of anything with LDAP myself; I'm not even a sysadmin of more than
   my home network so I haven't been using Samba/LDAP.  But what is
   the best way to implement Samba/LDAP in a multi-site WAN?

   I have a particular scenario in mind.  Suppose a given school
   district has 10 schools on a WAN, and each school currently has its
   own AD domain.  Each AD domain trusts all the others, so each user
   can log in at each school with her own regular username and
   password.

   I realize that AD is just LDAP and Kerberos with some Embrace
   & Exteeeeeeend applied, but based on how the Samba/LDAP Installer
   works and my rather superficial understanding of LDAP itself, it
   seems like giving each school its own base DN (analogous to the
   different AD domains) is probably a needlessly complex approach.
   
   Instead, would it be better to give the entire district one
   Samba/LDAP domain, e.g. "DISTRICT", and then create a group of
   users for each school?  Each school would then have a slave
   Samba/LDAP server and a file server.  The home directories would be
   structured like this:
   /home/schoola/<users>
   /home/schoolb/<users>
   /home/schoolc/<users>
   /home/schoold/<users>
   And each school's fileserver would NFS mount each other school's
   local userspace so that wherever you are in the district, things
   should look exactly the same.

   If you log in outside of your normal site, then things will be
   slower for you as your home directory is accessed across the WAN.
   But everything else should be the same.

   This would make user migration (from school to school) a snap, as
   users can simply be dropped from one group and added to another,
   and home directories can be rsynced from school A to school B.  (I
   guess the users would need to have their homedir paths modified as
   well.)

   Is this a good approach?  Is there any reason it wouldn't work?  Is
   there a better approach that would be this simple?


If we could develop the Samba/LDAP Installer to make it drop-dead easy
to configure and manage multi-platform, multi-site user authentication,
I think we will have taken a great step forward.

I look forward to all your great advice.  :)

Thanks,
Matt

--
Open Source Software Engineering Consultant
http://majen.net/
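As an added example (not part of Matt's post or the Samba/LDAP Installer), the school-to-school migration described in section 3, expressed as the LDIF that ldapmodify would apply plus the rsync call. It assumes RFC 2307 posixGroup/memberUid groups named after the schools under ou=Groups, users under ou=Users, and a placeholder base DN; the uid check guards against a username smuggling extra LDIF lines into the change set.

```python
"""Build the directory changes for moving a user between schools in the
single "DISTRICT" domain layout: drop from the old school's group, add to
the new one, repoint homeDirectory, then copy the home directory.

Assumptions (not from the original post): RFC 2307 schema, one posixGroup
per school named after it, and a placeholder base DN."""
import re

BASE_DN = "dc=district,dc=example"                      # placeholder
SCHOOLS = {"schoola", "schoolb", "schoolc", "schoold"}  # from the /home layout
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_uid(uid):
    """Only plain POSIX-style usernames; rejects newlines, colons and
    anything else that could start a new LDIF attribute or record."""
    return bool(UID_RE.match(uid))


def migration_ldif(uid, old_school, new_school):
    """Return LDIF for ldapmodify: three 'changetype: modify' records."""
    if not valid_uid(uid):
        raise ValueError("refusing to build LDIF for unsafe uid")
    if old_school not in SCHOOLS or new_school not in SCHOOLS:
        raise ValueError("unknown school")
    if old_school == new_school:
        raise ValueError("source and destination school are identical")
    return (
        f"dn: cn={old_school},ou=Groups,{BASE_DN}\n"
        "changetype: modify\n"
        "delete: memberUid\n"
        f"memberUid: {uid}\n\n"
        f"dn: cn={new_school},ou=Groups,{BASE_DN}\n"
        "changetype: modify\n"
        "add: memberUid\n"
        f"memberUid: {uid}\n\n"
        f"dn: uid={uid},ou=Users,{BASE_DN}\n"
        "changetype: modify\n"
        "replace: homeDirectory\n"
        f"homeDirectory: /home/{new_school}/{uid}\n"
    )


def rsync_command(uid, old_school, new_school, old_host):
    """rsync argv to run on the new school's file server; -a keeps modes
    and ownership, --numeric-ids is safe because uidNumbers are
    district-wide in a single domain."""
    src = f"{old_host}:/home/{old_school}/{uid}/"
    return ["rsync", "-a", "--numeric-ids", src, f"/home/{new_school}/{uid}/"]
```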


