
Unfinished Business: The One Missing Piece (O'ReillyNet)

In this O'ReillyNet article David HM Spector explores the history and current state of directory services, and explains why it's important to interoperate with Active Directory. "Linux has really reinvigorated the UNIX family of operating systems, as well as competition in the server market place. The hard work and talents of thousands of developers have made Linux an unstoppable force in the data center. They have also set the foundation for Linux (and other UNIXes) to provide credible and well-implemented alternatives to Microsoft Office on the desktop, but Microsoft still has absolutely no competition in the directory space. The directory space is the key to the desktop marketplace and the possibility of Linux's total integration in mainstream environments, because that's where all the really important metadata--the stuff that businesses run on--lives."

Unfinished Business: The One Missing Piece (O'ReillyNet)

Posted Apr 29, 2003 18:45 UTC (Tue) by einstein (subscriber, #2052)

um...

nds?

Is OpenLDAP really not a goer?

Posted Apr 29, 2003 18:54 UTC (Tue) by nicku (subscriber, #777)

Hmm, I didn't need psychotherapy, deep or shallow, but we authenticate all our students (5,000 accounts) on our laboratory computers using OpenLDAP on a dual P-III.

Are you telling me that I did the impossible? I didn't know I was in that league till today.

Unfinished Business: The One Missing Piece (O'ReillyNet)

Posted Apr 29, 2003 19:24 UTC (Wed) by penguinista (guest, #308)

Guys,
The solutions you mentioned (NDS, OpenLDAP) are separate solutions that may or may not play well with Active Directory. I think the commentary in the article is describing the problem of interoperating with Active Directory. For large organizations with a mixed environment that are trying to do things like single sign-on, password management, etc., this is important to solve.

Unfinished Business: The One Missing Piece (O'ReillyNet)

Posted Apr 29, 2003 19:59 UTC (Tue) by Peter (guest, #1127)

> The solutions you mentioned (nds, openldap) are separate solutions that may or may not play well with Active Directory. I think the commentary in the article is describing the problem of interoperating with Active Directory.

Well, it's all LDAP (even AD), so if you use LDAP client tools you should be able to browse and edit the data regardless.

Now, if you have an existing AD installation, then yeah, Unix tools will not easily interoperate - although, AD does support both NIS and the NT4 domain model, either of which can be used by a Linux client workstation (using NIS and Samba Winbind, respectively).

Likewise, Windows client OSes can all use the NT4 domain model, which is well supported by both Samba and Samba-TNG - both of which include LDAP backends.

So I guess the argument here is "my directory server doesn't talk to your directory server" which is, of course, a symmetric problem, not a Linux problem. (:
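As an added example of the Winbind path Peter mentions (this is the editor's illustration, not configuration from the post, from LWN, or from the Samba project), here is a minimal smb.conf for a Linux workstation that joins an NT4-style domain and resolves domain users and groups through winbindd. The domain name EXAMPLE, the domain controller PDC01, the workstation name LINUXWS1 and the uid/gid range are all assumptions; substitute your own. The option names are those of Samba 2.2 and 3.0 (winbind uid/gid became idmap uid/gid in 3.0, which still accepts the old spelling), and smb.conf only allows comments on their own line, so none are placed after a value.

```ini
; /etc/samba/smb.conf (added example, not from the original page)
; A Linux workstation as a member of an NT4-style domain. Active Directory
; answers on this path too, as long as NT4-compatible (NTLM) authentication
; is still enabled on the domain, which is the default.
[global]
   ; assumed NetBIOS domain name and workstation name
   workgroup = EXAMPLE
   netbios name = LINUXWS1

   ; authenticate users against the domain controllers rather than a local
   ; passdb; "password server = *" would let Samba locate a DC by itself
   security = domain
   password server = PDC01

   ; NTLM challenge/response; never send cleartext passwords on the wire
   encrypt passwords = yes

   ; winbind maps each domain user/group onto a local uid/gid from this
   ; reserved range; keep it clear of local accounts and do not change it
   ; later, because file ownership on disk depends on the mapping
   winbind uid = 10000-20000
   winbind gid = 10000-20000

   ; log in as EXAMPLE+alice instead of the default EXAMPLE\alice
   winbind separator = +

   ; allow "getent passwd" / "getent group" to list domain accounts
   winbind enum users = yes
   winbind enum groups = yes

   ; shell and home directory for accounts that have no POSIX attributes
   ; in the domain; %D expands to the domain and %U to the user name
   template shell = /bin/bash
   template homedir = /home/%D/%U
```

With this in place, add `winbind` after `files` on the `passwd:` and `group:` lines of /etc/nsswitch.conf, join the domain once as root (`net rpc join -U Administrator` on Samba 3, `smbpasswd -j EXAMPLE -r PDC01 -U Administrator` on Samba 2.2), start winbindd, and check the result with `wbinfo -t` (verifies the machine trust account secret), `wbinfo -u` and `getent passwd`. The machine account password is stored in secrets.tdb under /var/lib/samba or /etc/samba, so that file must stay readable by root only. Note the caveat the thread glosses over: on this path an AD domain is being driven through its NT4 compatibility interface, so authentication is NTLM, not Kerberos; Samba 3.0's `security = ads` mode (with Kerberos and LDAP) is the option that talks to AD natively.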

Unfinished Business: The One Missing Piece (O'ReillyNet)

Posted Apr 30, 2003 9:36 UTC (Wed) by libra (guest, #2515)

It is true that we lack something in the field of authentication, single sign-on administration and sharing of information. But it is completely false to say that we need AD. AD may be a solution in the Windows environment, but it is such only because Microsoft do nothing to promote really open standards and widely compatible solutions (to give an example, I'm amazed to see in IIS 6 that authentication with "Passport" is an option, but there is no option for authentication through LDAP; that alone would deserve an anti-trust action).

The truth is that I know no good solution today to federate authentication parameters. The only two nearly good solutions I know are:
- LDAP (without association with Kerberos in any way)
- "Liberty Alliance", maybe, once I've seen it implemented somewhere and working

The troubles today with LDAP are:
- The standard does not seem to support authentication through the use of certificates (the public/private key principle)
- There is no standard on the client side to store, protect, manage, or use certificates anyway
- Not every application supports authentication through LDAP, and Microsoft products are first on the list of such products

For all these reasons we are using AD instead of LDAP, but as AD is not a standard, is not open, is based on an obscure and badly designed architecture and does not allow us to do what we really need, we just use it to store user accounts without even trying to customize or further administer it. It is outside our purpose, and wouldn't add any value to the business we are running. When a true standard arises, we will invest in it (at least I think so), but right now we use AD as we were using NTLM, just waiting for something good to use instead.

So my point is to say again that what we lack is a standard (certainly based on LDAP extensions and clients supporting this standard) and not AD. While waiting for this standard we may use AD, but we know it is not a solution; it is simply all we have today, and this is more than half due to Microsoft's attitude of not promoting LDAP instead.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds