LDAP Series Part V - Getting a Grip on Directory Service Modeling

I have an observation I'd like to disclose about the Open Source community: We tend to leap into all kinds of things before we have all the facts and/or information necessary to make intelligent decisions. We criticize other communities, laugh at things like directory services from the two major NOS players, talk about all our great applications, etc. We hang on to old notions about what makes Linux tick. Sorry, but that model ESR defined doesn't fit any more. The community natter appears to come mostly from people who lack deep technical skills and knowledge of enterprises.

While Linux has garnered a major part of the UNIX market, it has not made much progress in the enterprise management field. Without directory services to create a serious model of an enterprise, Linux will continue to remain a great application server. Under Novell, Linux will become a nice kernel for the Netware proprietary stack.

I'm also concerned about the technology leader, Red Hat. Their inability to utilize the assets purchased from AOL demonstrates a lack of vision. With Directory and Certificate servers, Red Hat has the ability to provide Identify Management, user management and a more secure network environment. It needs to move quickly because its competitor, Novell, has Open Enterprise Server and that puppy provides outstanding enterprise tools.

Where to Start

An LDAP directory service provides the framework for enterprise management. Open Source LDAP servers need numerous features to compete and evolve into an identity management system. Running OpenLDAP or Fedora Directory Server from the command line may work for some but without a visual model and the ability to replicate across an enterprise transparently OSS LDAP stagnates. Also, the lack of a visual tool keeps OSS advocates from learning how to use OpenLDAP as an enterprise directory. FDS has a visual interface that's outdated and doesn't provide features useful across the enterprise.

Learning OpenLDAP and/or FDS starts with what seems like unnecessary root level orientation. The model focuses on setting up the top of the tree. That may appear like a place to start if you’re a complete geek who loves to fool around the hacking hardware code. It doesn't do much for an administrator.

Admins need the ability to focus on Organization Units (the ou) and model their organizations in the directory sever. We need to manage departments, people and resources across an enterprise. I want to see a set of organizational units under the auspices of a root server and I want to manage my mail, dns, dhcp, web services, shares, users and security. But unless you have lots o' bucks for Novell, the typical admin cannot do that.

An emerging OSS Organizational Model?

Unfortunately and maybe fortunately, Novell needs a low cost competitor. I suspect that such a development group will emerge as a startup. I'd like to see such an effort come from the Debian community. It's even OK with me if the Ubuntu team puts it together. I believe the effort will require a large team of dedicated developers who can finish a project.

I don't expect Red Hat to do this. Red Hat is already stretched thin meeting its low cost business model. Additionally, for perhaps the first time, Red Hat may have problems competing with Novell. As a side note, I can see the latter going after the best people at Red Hat as long as Novell does a Chris Stone with their monkey managers. I wouldn't work for either of those chimps.

Also expect Redmond's Open Source Software Lab to work with Novell to allow it into the forest. Redmond lacks some serious management tools. For example, have you ever attempted to run any command to see who is logged on to a server in a MS enterprise? Run any command you wish and you won't see what we can do with a simple command like “who

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

gpinventory

Alan's picture

The application to see whos logged on to a machine(s) is called gpinventory. also does alot of other useful functions

Any decent sys admin would know about this tool if they did there homework. yes, it would of been better if this was bundled by default, but it's only a download away and can be run from and xp machine.

I do think there is a need for a competing directory services that is free and global for linux and windows, but isn't that a very similar function samba 4 will bring, and ldap backend that is supported?
It will be interesting what policy funtions it will bring, as the nt4 policy editor and registry editing is not an ideal way of doing things, as the funtions AD has where polices can be removed is pretty useful. unfortunatly, samba4 is a wait and see aplication, so only time will tell with the true functionality it will bring.
might be worth request group policy functionality to the samba team.

Fooled again

Tom Adelstein's picture

From MS Download center:

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network.

alan wrote:

Any decent sys admin ...

ok big guy,

We're still attempting to find a MS command equivalent to "who"

who [options] [file] who am i

Show who is logged into the system. With no options, list the names of users currently logged in, their terminal, the time they have been logged in, and the name of the host from which they have logged in. An optional system file (default is /etc/utmp) can be supplied to give additional information.

We need to belittle people all the time

Tom Adelstein's picture

Alan writes:

Any decent sys admin would know about this tool if they did there homework.

actually, one of the best admins I know gave me this bit of information - a gold partner. So, I should tell him he didn't do his home work. Should I call him a jerk? Maybe, just maybe, he should stop teaching and throw away all his certifications.

Merry Christmas

the joy of writing

Alan's picture

sorry, i didn't mean for it to come across that way... thats one of the most unfortunate things about non-verbal communication...it can get interprated in so many ways. i wasn't meaning this in a negative way and i did take the way you said it as "command" not "command line", to me command is anything run in the run box. again im sorry.

With xp and a 2000 AD infratructure.. MS were never really geared for the command line. more tools appeared for 2003, but there still not great at it.

the powershell, the new scripting thing from MS can do similar functionality with "Get-WmiObject -Class Win32_ComputerSystem -Property UserName -ComputerName COMPUTER"
but thats nothing near as nice as a single command, unless you encase it in a batch file of .vbs script. and this may not look at terminal client sessions.

MS current OS's as a whole are really just geared for GUI operation, so in a sense it is a semi futile quest to find such an utility. bit pants in comparison to *nix, but isn't that why more and more are adopting open source?

asked samba

Alan's picture

I asked tridge in #samba-technical about group policy functionality and he said he is looking to implement it although its not been a priority.

He also said he is working on a "when it's ready" POV for samba4, so if anyone wants to speed things up, they can always get involved with samba development.

From this, it feels like this will meet the requirements of your article, might be worth interviwing the samba team on this.

LDAP

Trent Murray's picture

I am constantly disappointed at the quality of comments made by some of our readers.

It would be nice to see discussion without a condescending comment or chest beating.

I hope that future readers who choose to comment to Linux Journal article s also take the time to choose their words a bit more selectively so that readers can benefit from the information shared without having to wade through paragraphs of flaming and unnecessary chest beating.

Engaging in squabbling in a public forums make linux professions look like amateurs and in my opinion only serve to undermined the spirit of the information shared.

LDAP

Anonymous's picture

Well articulated. My sentiments exactly.

-Tom

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix