Using Penrose (or similar software) to solve our LDAP needs

Kenneth Holter kenneho.ndu at gmail.com
Tue Nov 11 10:15:45 UTC 2008


Hello list.


We've been trying to deploy Red Hat Directory Server (RHDS) in our
organization, but are not so sure its integration with Active Directory
(AD) suits our needs. Let me briefly outline our situation:

AD is well deployed within our organization, but we're in need of a
directory server for our Red Hat Linux servers. The directory server should
first and foremost allow for user authentication when connecting through
SSH, but other applications will also be integrated with the directory
server. The AD admins is not very keen on us Linux admins modifying or
installing applications on their AD boxes, so a directory server deployment
should take this into account. Also, we *probably* don't need to sync
passwords. Lastly, our linux directory server will be synced to a dedicated
"linux OU" on the AD side.

We've played around with RHDS for a while, but the integration with AD
(using Windows Sync) doesn't seem to meet our requirements. For example,
since attributes such as POSIX stuff must be entered manually (or scripted)
on a per-user basis, some of the benefits of syncing with AD seem
diminished, and it seems easier just to manage everything on the RHDS side
alone without syncing with AD.

But since we would very much like to sync with AD, we thought we'd maybe go
for another directory server, hoping that syncing with AD will be
more seamless. We got pointed to Penrose
(http://docs.safehaus.org/display/PENROSE/Home), and I thought I'd hear if
anyone has any experience with this software, to see if it might be the
right choice for us.

So does anyone have enough experience with Penrose to advise us on whether
it might be a good solution for us? And is Penrose supported by Red Hat?

I've done some reading on the Penrose home page, and found some other issues
maybe someone can clear up:

   - Is there support for unidirectional sync with AD (that is, syncing users
   from AD to Penrose, but not the other way around)? Maybe using Penrose as a
   proxy or pass-through authentication for AD might solve this.
   - If integrated with AD, and still assuming a one-way sync from AD to
   Penrose, can one create new users directly on Penrose?

Any input on this subject will be greatly appreciated. And please comment
on other software products that may suit our needs.


Regards,
Kenneth Holter



More information about the redhat-list mailing list