[K12OSN] killing Active Directory - direction needed for Samba/LDAP installer

Brian Chivers brian at portsmouth-college.ac.uk
Tue Nov 1 09:08:26 UTC 2005

Matt Oquist wrote:
> The newest version of the Samba/LDAP Installer theoretically should
> work on almost any Linux distribution, and it has been successfully
> tested with Ubuntu, K12LTSP 4.4.1, and FC4.  (The newest version is
> always at http://majen.net/smbldap/.  Updated documentation is in
> progress.)
> But any multi-site organization wishing to utilize this has a number
> of remaining problems to solve, and I'd like to see how the installer
> can be improved to deal with those problems.  In each area, we need to
> consider what Active Directory (the competition), is like.
> 1. Ease of configuration
>    Clickity-click, I want AD, clickity-click, I want users,
>    clickity-click I want trust relationships in my WAN.  Pretty GUIs
>    are available to do everything.  To be a viable alternative,
>    Samba/LDAP must be easily installable and configurable.  While
>    a GUI interface to the Samba/LDAP installer/configurer would be
>    nice, ATM I consider this to be lower in priority than some other
>    things.
> 2. Ease of management
>    Managing users and groups is easy and clicky in AD.  I'm a command
>    line buff, but most other people are not CLI buffs.  Those people
>    want GUIs, which means that management GUIs are a necessity if
>    a smallish organization without UNIX gurus is going to seriously
>    consider switching from AD to Samba/LDAP.
>    Webmin has some modules, IDEALX has the Samba Management Console,
>    and I've even heard people mention that they use Windows-based
>    applications to manage Samba/LDAP.
>    What recommendations do any of you have?  Which GUIs are the best?
>    Which ones are the easiest to configure?  Which ones are the most
>    stable?  Which ones are the most powerful?  Which ones are the
>    safest -- from a security standpoint and a newbie-administrator
>    standpoint?
>    If we can arrive upon a particular tool or set of tools that work
>    the best, I hope the Samba/LDAP installer can begin to address that
>    installation and configuration as well.  (Whatever tool is chosen
>    must be readily available as an RPM/deb, and very preferably
>    installable with normal yum/apt repositories.)
> 3. How to do WAN configurations?
>    Here's where it will become rather obvious that I haven't done much
>    of anything with LDAP myself; I'm not even a sysadmin of more than
>    my home network so I haven't been using Samba/LDAP.  But what is
>    the best way to implement Samba/LDAP in a multi-site WAN?
>    I have a particular scenario in mind.  Suppose a given school
>    district has 10 schools on a WAN, and each school currently has its
>    own AD domain.  Each AD domain trusts all the others, so each user
>    can log in at each school with her own regular username and
>    password.
>    I realize that AD is just LDAP and Kerberos with some Embrace
>    & Exteeeeeeend applied, but based on how the Samba/LDAP Installer
>    works and my rather superficial understanding of LDAP itself, it
>    seems like giving each school its own base DN (analogous to the
>    different AD domains) is probably a needlessly complex approach.
>    Instead, would it be better to give the entire district one
>    Samba/LDAP domain, e.g. "DISTRICT", and then create a group of
>    users for each school?  Each school would then have a slave
>    Samba/LDAP server and a file server.  The home directories would be
>    structured like this:
>    /home/schoola/<users>
>    /home/schoolb/<users>
>    /home/schoolc/<users>
>    /home/schoold/<users>
>    And each school's fileserver would NFS mount each other school's
>    local userspace so that wherever you are in the district, things
>    should look exactly the same.
>    If you log in outside of your normal site, then things will be
>    slower for you as your home directory is accessed across the WAN.
>    But everything else should be the same.
>    This would make user migration (from school to school) a snap, as
>    users can simply be dropped from one group and added to another,
>    and home directories can be rsynced from school A to school B.  (I
>    guess the users would need to have their homedir paths modified as
>    well.)
>    Is this a good approach?  Is there any reason it wouldn't work?  Is
>    there a better approach that would be this simple?
> If we could develop the Samba/LDAP Installer to make it drop-dead easy
> to configure and manage multi-platform, multi-site user authentication,
> I think we will have taken a great step forward.
> I look forward to all your great advice.  :)
> Thanks,
> Matt
> --
> Open Source Software Engineering Consultant
> http://majen.net/

The two tools I use to manage our Samba/LDAP are LAM (LDAP Account Manager) and JXplorer
(http://pegacat.com/jxplorer/) which is Java based and makes manipulating LDAP really easy. I still
use the CLI for the initial generation of users, but reading the LAM mailing list, they have a
module for this that will create the homedirs for you as well.

I've played with the idealx modules and GOSA (https://gosa.gonicus.de/). Idealx is quite nice but I
have issues with its speed, but I expect if I spent some time on it that would be solved. GOSA is
really flashy but you need to add a few schemas to OpenLDAP and it seems a little overkill for me.

I've got phpldapadmin installed but it coughs with the number of users I have (approx 1200).

It would be quite nice if the installer could offer the option to set up the machine as a BDC /
SlaveLDAP server. I've set up several machines as slaves and it's reduced the load on our main LDAP
server hugely. If you'd like to read what I've done have a look at


    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             
