[KLUG Members] NDS for Linux...disappointing

Adam Tauno Williams members@kalamazoolinux.org
Tue, 24 Jul 2001 15:09:15 -0400 (EDT)


>NDS is definitely a directory, similar to LDAP but different (read:
>proprietary). With it, an administrator can grant access to just about
>anything in the tree using the excellent tools provided by Novell. File
>and printer access are the primary resources, but other Novell products
>and user access to them are tightly wrapped around the NDS directory.
>Name any Novell product (GroupWise, Border Manager, Netscape Web Server
>for NetWare, on and on), and all of them are wrapped around NDS. So no
>matter how many servers or where they are at, my permissions to access
>any resource are in the directory. 
> 
>With NDS for Linux, (seemingly) all I can do is authenticate to the tree
>and access the NetWare resources.

Authenticate as in PAM (the login on the Linux box) or for single sign-on to the
Novell network? Or both?
 
>Novell does not use SMB. With version 5, they made IP the primary
>transport. I *think* they rewrote NCP to run natively over IP versus IPX
>for this. 

That's what I assumed, but I know that assuming is dangerous.
 
>As for categories it augments, I had rather hoped NDS would not add to
>all that, but replace most of it.

Well, it actually can't, at least as I understand NSS. NSS is part of glibc
and thus of almost, if not every, Linux/UNIX application. But if it is like LDAP
you can drop it on top of each NSS category and forget about the local
files. This is all controlled via /etc/nsswitch.conf. This way the usernames
seen in "ls -l" etc... all come from LDAP; only if a UID/GID (etc...) is not
found in LDAP does it fall through to the next layer, and you can tell it not
to do that as well.

>Yes, you can do LDAP queries. (I'm doing it for an Intranet app.) I'm
>just not sure if you can write to it. Maybe I need to explore LDAP a
>little further in this regard...
>At least ConsoleOne (the java management gui) ran well. It is now
>feasible for me to run Linux as my desktop OS and manage the Novell part
>of the network. And I just might do that next week. :)
>Can OpenLDAP manage file permissions? Admittedly, I could use more
>knowledge of LDAP. 

Hmmmm. Not any way that I can think of. Unfortunately the Linux kernel people made
the decision (stupid and short-sighted IMHO) to let the filesystem handle
file permissions, and I don't see an obvious way out of that trap. There is a
"trustee" project where you can define ACLs in a file that "hovers above" the
VFS layer. It might be interesting to see if that could be used to apply
Directory permissions to a file. I'll contact the author and ask.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505
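The /etc/nsswitch.conf behaviour described in the message (LDAP consulted first, fall-through to local files on a miss, and the option of switching that fall-through off) can be made concrete with a small simulator of glibc's lookup walk. The following is an added example, not code from the original post or from any Novell or glibc source; the nsswitch.conf text and the `ldap`/`files` backend contents are constructed stand-ins for a real directory and a real /etc/passwd, and the `[STATUS=ACTION]` handling follows glibc's documented defaults (success=return, everything else=continue).

```python
"""Simulate glibc's /etc/nsswitch.conf lookup order (added example).

The 'ldap', 'files' and 'nis' backends below are constructed dicts that
stand in for the directory, the local files and an unreachable NIS server.
"""
import re

# Action glibc applies to each lookup status when no [...] modifier overrides it.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

# Constructed sample of /etc/nsswitch.conf.
# passwd: a miss in LDAP falls through to local files (the default behaviour).
# group:  [NOTFOUND=return] makes an LDAP "no such entry" authoritative.
# shadow: an unavailable source still falls through (unavail=continue).
SAMPLE_NSSWITCH = """
# passwd entries: consult LDAP first, then local files
passwd:   ldap files
group:    ldap [NOTFOUND=return] files
shadow:   nis [NOTFOUND=return] files
hosts:    files dns
"""

# Constructed backend contents; 'nis' is deliberately absent to model an outage.
BACKENDS = {
    "ldap":  {"passwd": {"alice": 10001}, "group": {"staff": 5000}},
    "files": {"passwd": {"root": 0, "alice": 999, "localbob": 1001},
              "group": {"root": 0, "staff": 1002},
              "shadow": {"root": "*"}},
    "dns":   {},
}


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]} for each line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        # A token is either a bracketed action list or a bare source name.
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                if not entries:
                    raise ValueError(f"action before any source: {line!r}")
                for status, action in re.findall(r"(\w+)=(\w+)", tok):
                    entries[-1][1][status.lower()] = action.lower()
            else:
                entries.append((tok, dict(DEFAULT_ACTIONS)))
        conf[db.strip()] = entries
    return conf


def query_backend(source, database, key):
    """Return (status, value) the way an NSS module would report it."""
    if source not in BACKENDS:
        return "unavail", None                       # module/server not reachable
    table = BACKENDS[source].get(database, {})
    if key in table:
        return "success", table[key]
    return "notfound", None


def resolve(conf, database, key):
    """Walk the configured sources; return (answering_source, value) or (None, None)."""
    for source, actions in conf.get(database, []):
        status, value = query_backend(source, database, key)
        if actions[status] == "return":
            # 'return' on success yields the answer; on any other status it
            # ends the chain with no result (this is what [NOTFOUND=return] does).
            return (source, value) if status == "success" else (None, None)
    return None, None


if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_NSSWITCH)
    for db, key in [("passwd", "alice"), ("passwd", "localbob"),
                    ("group", "staff"), ("group", "root"), ("shadow", "root")]:
        print(f"{db}/{key}: {resolve(conf, db, key)}")
```

Two points the walk makes visible: the `passwd` line lets a stale local `alice` entry be shadowed by the directory's UID, while a user that exists only in `/etc/passwd` still resolves; the `group` line's `[NOTFOUND=return]` stops a directory miss from ever reaching local files, which is the "tell it not to do that" knob, and it is worth checking that `root`-style local accounts you still depend on are present in the directory before adding it. Because `unavail` keeps its default `continue`, an unreachable source (the `shadow` line) does not lock you out; that distinction matters when deciding which statuses to make authoritative.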