Re: [K12OSN] killing Active Directory - direction needed for Samba/LDAP installer
- From: Brian Chivers <brian portsmouth-college ac uk>
- To: "Support list for opensource software in schools." <k12osn redhat com>
- Subject: Re: [K12OSN] killing Active Directory - direction needed for Samba/LDAP installer
- Date: Tue, 01 Nov 2005 09:08:26 +0000
Matt Oquist wrote:
The newest version of the Samba/LDAP Installer theoretically should
work on almost any Linux distribution, and it has been successfully
tested with Ubuntu, K12LTSP 4.4.1, and FC4. (The newest version is
always at http://majen.net/smbldap/. Updated documentation is in
But any multi-site organization wishing to utilize this has a number
of remaining problems to solve, and I'd like to see how the installer
can be improved to deal with those problems. In each area, we need to
consider what Active Directory (the competition), is like.
1. Ease of configuration
Clickity-click, I want AD, clickity-click, I want users,
clickity-click I want trust relationships in my WAN. Pretty GUIs
are available to do everything. To be a viable alternative,
Samba/LDAP must be easily installable and configurable. While
a GUI interface to the Samba/LDAP installer/configurer would be
nice, ATM I consider this to be lower in priority than some other
2. Ease of management
Managing users and groups is easy and clicky in AD. I'm a command
line buff, but most other people are not CLI buffs. Those people
want GUIs, which means that management GUIs are a necessity if
a smallish organization without UNIX gurus is going to seriously
consider switching from AD to Samba/LDAP.
Webmin has some modules, IDEALX has the Samba Management Console,
and I've even heard people mention that they use Windows-based
applications to manage Samba/LDAP.
What recommendations do any of you have? Which GUIs are the best?
Which ones are the easiest to configure? Which ones are the most
stable? Which ones are the most powerful? Which ones are the
safest -- from a security standpoint and a newbie-administrator
If we can arrive upon a particular tool or set of tools that work
the best, I hope the Samba/LDAP installer can begin to address that
installation and configuration as well. (Whatever tool is chosen
must be readily available as an RPM/deb, and very preferably
installable with normal yum/apt repositories.)
3. How to do WAN configurations?
Here's where it will become rather obvious that I haven't done much
of anything with LDAP myself; I'm not even a sysadmin of more than
my home network so I haven't been using Samba/LDAP. But what is
the best way to implement Samba/LDAP in a multi-site WAN?
I have a particular scenario in mind. Suppose a given school
district has 10 schools on a WAN, and each school currently has its
own AD domain. Each AD domain trusts all the others, so each user
can log in at each school with her own regular username and
I realize that AD is just LDAP and Kerberos with some Embrace
& Exteeeeeeend applied, but based on how the Samba/LDAP Installer
works and my rather superficial understanding of LDAP itself, it
seems like giving each school its own base DN (analogous to the
different AD domains) is probably a needlessly complex approach.
Instead, would it be better to give the entire district one
Samba/LDAP domain, e.g. "DISTRICT", and then create a group of
users for each school? Each school would then have a slave
Samba/LDAP server and a file server. The home directories would be
structured like this:
And each school's fileserver would NFS mount each other school's
local userspace so that wherever you are in the district, things
should look exactly the same.
If you log in outside of your normal site, then things will be
slower for you as your home directory is accessed across the WAN.
But everything else should be the same.
This would make user migration (from school to school) a snap, as
users can simply be dropped from one group and added to another,
and home directories can be rsynced from school A to school B. (I
guess the users would need to have their homedir paths modified as
Is this a good approach? Is there any reason it wouldn't work? Is
there a better approach that would be this simple?
If we could develop the Samba/LDAP Installer to make it drop-dead easy
to configure and manage multi-platform, multi-site user authentication,
I think we will have taken a great step forward.
I look forward to all your great advice. :)
Open Source Software Engineering Consultant
K12OSN mailing list
K12OSN redhat com
For more info see <http://www.k12os.org>
The two tools I use to manage our Samba/LDAP are LAM (LDAP Account Manager) and JXplorer
(http://pegacat.com/jxplorer/), which is Java based and makes manipulating LDAP really easy. I still
use the CLI for the initial generation of users, but reading the LAM mailing list, they have a
module for this that will create the homedirs for you as well.
I've played with the IDEALX modules and GOSA (https://gosa.gonicus.de/). IDEALX is quite nice but I
have issues with its speed, but I expect if I spent some time on it that would be solved. GOSA is
really flashy but you need to add a few schemas to OpenLDAP and it seems a little overkill for me.
I've got phpldapadmin installed but it coughs with the number of users I have (approx 1200).
It would be quite nice if the installer could offer the option to set up the machine as a BDC /
slave LDAP server. I've set up several machines as slaves and it's reduced the load on our main LDAP
server hugely. If you'd like to read what I've done have a look at
The views expressed here are my own and not necessarily
the views of Portsmouth College
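An added illustration, not from either poster, of the school-to-school migration step in Matt's section 3 (drop the user from one school group, add to the other, repoint homeDirectory). It assumes a district-wide base DN of dc=district,dc=example, one POSIX group per school under ou=Groups, and homes laid out as /home/<school>/<uid>; the school names are constructed sample values.

```python
import re

# Assumed directory layout (not stated in the thread): one district-wide
# base DN, one POSIX group per school, homes under /home/<school>/<uid>.
BASE_DN = "dc=district,dc=example"
HOME_ROOT = "/home"
SCHOOLS = frozenset({"schoolA", "schoolB", "schoolC"})  # constructed sample

# POSIX username rule. It also rejects newlines, ':' and '/', so a bad uid
# cannot smuggle an extra LDIF record or escape the school's home export.
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def group_dn(school: str) -> str:
    return f"cn={school},ou=Groups,{BASE_DN}"


def user_dn(uid: str) -> str:
    return f"uid={uid},ou=People,{BASE_DN}"


def home_dir(school: str, uid: str) -> str:
    return f"{HOME_ROOT}/{school}/{uid}"


def migration_ldif(uid: str, from_school: str, to_school: str) -> str:
    """Return the LDIF modify records that move uid from one school to another."""
    if not UID_RE.fullmatch(uid):
        raise ValueError(f"invalid uid: {uid!r}")
    for school in (from_school, to_school):
        if school not in SCHOOLS:
            raise ValueError(f"unknown school: {school!r}")
    if from_school == to_school:
        raise ValueError("source and destination school are the same")
    records = [
        # 1. drop the user from the old school's group
        [f"dn: {group_dn(from_school)}", "changetype: modify",
         "delete: memberUid", f"memberUid: {uid}", "-"],
        # 2. add the user to the new school's group
        [f"dn: {group_dn(to_school)}", "changetype: modify",
         "add: memberUid", f"memberUid: {uid}", "-"],
        # 3. repoint the home directory to the new school's NFS export
        [f"dn: {user_dn(uid)}", "changetype: modify",
         "replace: homeDirectory", f"homeDirectory: {home_dir(to_school, uid)}", "-"],
    ]
    # LDIF separates records with a blank line
    return "\n\n".join("\n".join(r) for r in records) + "\n"
```

The home directory itself still has to be rsynced between the two file servers before the replace is applied, as Matt notes.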