[K12OSN] killing Active Directory - direction needed for Samba/LDAP installer
Brian Chivers
brian at portsmouth-college.ac.uk
Tue Nov 1 09:08:26 UTC 2005
Matt Oquist wrote:
> The newest version of the Samba/LDAP Installer theoretically should
> work on almost any Linux distribution, and it has been successfully
> tested with Ubuntu, K12LTSP 4.4.1, and FC4. (The newest version is
> always at http://majen.net/smbldap/. Updated documentation is in
> progress.)
>
> But any multi-site organization wishing to utilize this has a number
> of remaining problems to solve, and I'd like to see how the installer
> can be improved to deal with those problems. In each area, we need to
> consider what Active Directory (the competition), is like.
>
> 1. Ease of configuration
> Clickity-click, I want AD, clickity-click, I want users,
> clickity-click I want trust relationships in my WAN. Pretty GUIs
> are available to do everything. To be a viable alternative,
> Samba/LDAP must be easily installable and configurable. While
> a GUI interface to the Samba/LDAP installer/configurer would be
> nice, ATM I consider this to be lower in priority than some other
> things.
>
> 2. Ease of management
> Managing users and groups is easy and clicky in AD. I'm a command
> line buff, but most other people are not CLI buffs. Those people
> want GUIs, which means that management GUIs are a necessity if
> a smallish organization without UNIX gurus is going to seriously
> consider switching from AD to Samba/LDAP.
>
> Webmin has some modules, IDEALX has the Samba Management Console,
> and I've even heard people mention that they use Windows-based
> applications to manage Samba/LDAP.
>
> What recommendations do any of you have? Which GUIs are the best?
> Which ones are the easiest to configure? Which ones are the most
> stable? Which ones are the most powerful? Which ones are the
> safest -- from a security standpoint and a newbie-administrator
> standpoint?
>
> If we can arrive upon a particular tool or set of tools that work
> the best, I hope the Samba/LDAP installer can begin to address that
> installation and configuration as well. (Whatever tool is chosen
> must be readily available as an RPM/deb, and very preferably
> installable with normal yum/apt repositories.)
>
> 3. How to do WAN configurations?
> Here's where it will become rather obvious that I haven't done much
> of anything with LDAP myself; I'm not even a sysadmin of more than
> my home network so I haven't been using Samba/LDAP. But what is
> the best way to implement Samba/LDAP in a multi-site WAN?
>
> I have a particular scenario in mind. Suppose a given school
> district has 10 schools on a WAN, and each school currently has its
> own AD domain. Each AD domain trusts all the others, so each user
> can log in at each school with her own regular username and
> password.
>
> I realize that AD is just LDAP and Kerberos with some Embrace
> & Exteeeeeeend applied, but based on how the Samba/LDAP Installer
> works and my rather superficial understanding of LDAP itself, it
> seems like giving each school its own base DN (analogous to the
> different AD domains) is probably a needlessly complex approach.
>
> Instead, would it be better to give the entire district one
> Samba/LDAP domain, e.g. "DISTRICT", and then create a group of
> users for each school? Each school would then have a slave
> Samba/LDAP server and a file server. The home directories would be
> structured like this:
> /home/schoola/<users>
> /home/schoolb/<users>
> /home/schoolc/<users>
> /home/schoold/<users>
> And each school's fileserver would NFS mount each other school's
> local userspace so that wherever you are in the district, things
> should look exactly the same.
>
> If you log in outside of your normal site, then things will be
> slower for you as your home directory is accessed across the WAN.
> But everything else should be the same.
>
> This would make user migration (from school to school) a snap, as
> users can simply be dropped from one group and added to another,
> and home directories can be rsynced from school A to school B. (I
> guess the users would need to have their homedir paths modified as
> well.)
>
> Is this a good approach? Is there any reason it wouldn't work? Is
> there a better approach that would be this simple?
>
>
> If we could develop the Samba/LDAP Installer to make it drop-dead easy
> to configure and manage multi-platform, multi-site user authentication,
> I think we will have taken a great step forward.
>
> I look forward to all your great advice. :)
>
> Thanks,
> Matt
>
> --
> Open Source Software Engineering Consultant
> http://majen.net/
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> K12OSN mailing list
> K12OSN at redhat.com
> https://www.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>
The two tools I use to manage our Samba/LDAP are LAM (LDAP Account Manager) and JXplorer
(http://pegacat.com/jxplorer/), which is Java based and makes manipulating LDAP really easy. I still
use the CLI for the initial generation of users, but reading the LAM mailing list, they have a
module for this that will create the homedirs for you as well.
I've played with the IDEALX modules and GOsa (https://gosa.gonicus.de/). IDEALX is quite nice but I
have issues with its speed, though I expect if I spent some time on it that would be solved. GOsa is
really flashy, but you need to add a few schemas to OpenLDAP and it seems a little overkill for me.
I've got phpLDAPadmin installed, but it coughs with the number of users I have (approx. 1200).
It would be quite nice if the installer could offer the option to set up the machine as a BDC /
slave LDAP server. I've set up several machines as slaves and it's reduced the load on our main LDAP
server hugely. If you'd like to read what I've done, have a look at
http://www.chivers.info/Samba3-OpenLDAP-slave-server-config.html
Brian
---------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
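The school-to-school migration Matt sketches in the quoted post (drop the user from one school group, add to another, rsync the home directory, fix the homeDirectory path) can be expressed as a small LDIF generator. The following is an added example, not code from the thread, from the Samba/LDAP Installer or from any of the tools mentioned; the base DN dc=district,dc=example, the ou=People / ou=Groups layout, posixGroup membership via memberUid, the gidNumbers and the host names are all constructed for illustration.

```python
"""Generate the ldapmodify change set for moving one user between schools in a
single-domain Samba/LDAP layout: one base DN, one posixGroup per school, and
home directories laid out as /home/<school>/<uid>.

Added example for illustration; every DN, attribute value and host name below
is assumed, not taken from a real directory."""

BASE_DN = "dc=district,dc=example"   # assumed base DN for the single DISTRICT domain
HOME_ROOT = "/home"                  # layout from the thread: /home/<school>/<uid>


def user_dn(uid):
    return f"uid={uid},ou=People,{BASE_DN}"


def group_dn(school):
    return f"cn={school},ou=Groups,{BASE_DN}"


def home_dir(school, uid):
    return f"{HOME_ROOT}/{school}/{uid}"


def school_of(home_directory):
    """Derive the current school from a homeDirectory such as /home/schoola/jdoe.
    Rejects anything outside the expected two-level layout so a stray entry is
    noticed instead of silently migrated."""
    prefix = HOME_ROOT + "/"
    if not home_directory.startswith(prefix):
        raise ValueError(f"homeDirectory outside {HOME_ROOT}: {home_directory}")
    parts = home_directory[len(prefix):].split("/")
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"unexpected homeDirectory layout: {home_directory}")
    return parts[0]


def migration_ldif(uid, old_school, new_school, group_gid_numbers):
    """Return LDIF text (feed to ldapmodify) that:
       1. adds uid to the new school's posixGroup,
       2. removes uid from the old school's posixGroup,
       3. rewrites homeDirectory and primary gidNumber on the user entry.
    The add comes before the delete so that if ldapmodify aborts part way the
    account is never left without a school group."""
    if old_school == new_school:
        raise ValueError("user already belongs to that school")
    if new_school not in group_gid_numbers:
        raise KeyError(f"unknown school group: {new_school}")
    changes = [
        f"dn: {group_dn(new_school)}\n"
        "changetype: modify\n"
        "add: memberUid\n"
        f"memberUid: {uid}\n",

        f"dn: {group_dn(old_school)}\n"
        "changetype: modify\n"
        "delete: memberUid\n"
        f"memberUid: {uid}\n",

        f"dn: {user_dn(uid)}\n"
        "changetype: modify\n"
        "replace: homeDirectory\n"
        f"homeDirectory: {home_dir(new_school, uid)}\n"
        "-\n"
        "replace: gidNumber\n"
        f"gidNumber: {group_gid_numbers[new_school]}\n",
    ]
    return "\n".join(changes)


def rsync_command(uid, old_school, new_school, old_host):
    """Command to run on the NEW school's file server before applying the LDIF,
    so the new homeDirectory exists by the time the directory entry points at it.
    rsync cannot copy remote-to-remote, hence the pull from the old host."""
    src = f"{old_host}:{home_dir(old_school, uid)}/"
    dst = f"{home_dir(new_school, uid)}/"
    return ["rsync", "-a", "--delete", src, dst]


if __name__ == "__main__":
    # Constructed sample: jdoe moves from schoola to schoolb.
    gids = {"schoola": 10001, "schoolb": 10002}   # assumed gidNumbers
    current_home = "/home/schoola/jdoe"
    old = school_of(current_home)
    print(" ".join(rsync_command("jdoe", old, "schoolb", "fs-schoola.district.example")))
    print(migration_ldif("jdoe", old, "schoolb", gids))
```

Run the rsync on the destination file server first, then pipe the printed LDIF into ldapmodify against the master (writes must not go to a slave). Replication to the per-school slaves then carries the changed entry out to every site.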