[KLUG Members] Speak of the devil

Adam Tauno Williams members@kalamazoolinux.org
Tue, 15 Jul 2003 16:41:49 -0400


> On LDAP/Kerberos:
> http://linux.oreillynet.com/pub/a/linux/2003/07/07/enterprise.html

Sigh.

My LDAP document, and several others, exist specifically to answer the problem
posed by the above author.  Yet he (as most journalists) apparently never
bothered to go see if any solutions to his theoretical problem exist.

MIT Kerberos V and OpenLDAP integrate seamlessly.  Setup and forget, really.

Users, Hosts (DNS), Groups, IP (DHCP), mail routing, etc... all in one
directory (just like AD), really.  It is how I got to the screen to write this
message, how the MTA determined where/how/if to send the message, how the client
I'm typing this on got its IP address, ...

There is a problem with tools.  But the Samba team has a guy working with the
Directory Administrator project (which produces a really nice GUI, even with
drag-n-drop group membership) to be sure that when Samba 3.0 is released that DA
supports it from Day #1.

And "NIS encapsulated in LDAP", because the file is named nis.schema?  NIS and
posix-LDAP authentication for UNIX/LINUX clients both use a similar schema -
like the layout of /etc/passwd - color me shocked.  posix-LDAP authentication
has no more to do with 'encapsulating NIS' than rhinos have to do with whales.

"Access control lists are not yet generally/widely implemented"

That is true, and rather shocking given Linux people's supposed emphasis on
security and infinite configurability.

"parameters simple and activate available schemas without forcing the
administrator to become either an expert in LDAP or Kerberos."

Wrong.  The admin needs to get off his/her $&^@* and learn how these things work.
That is what he/she is *PAID* for.  Otherwise we'll just have a bunch of Linux
based networks that are as crappy as the current-standard Windows network that
is admin'd by some useless MCSE.

The current set of Migration Scripts that have shipped with every OpenLDAP
package since RedHat 7.2 will happily convert your flat files into LDIF for
loading into a DSA, with very little fuss.  And it is documented on, oh, say,
100+ web sites.

"Next, from the perspective of making a Linux enterprise directory AD
compatible, is frankly to dissect Active Directory's schema and implement the
proprietary bits under Linux."

Hasn't looked in the Samba 3.0 changelog or devel threads, has he?  There is
already a lot of Active Directory server stuff there.  This is coming along
faster than most anyone expected.

"non-portable and lock in their customers, as they did with their extensions to
Kerberos."

Samba 3.0 betas can already decode the PAC, it isn't a problem.

"Linux vendors need to ship fully configured LDAP and Kerberos servers with
their distributions with full-fledged database back ends, not just a DBM-style
library,"

He should go over to the OpenLDAP list and say this.  They'll be happy to rip
him a new one.  An RDBMS' data model is fundamentally different from LDAP's.
There isn't any good reason to struggle with some mapping of schemas.  Lots of
people who disagree have brought this up on those lists and gone away convinced
it was a bad idea.  [And I'd hardly call Sleepycat "just a DBM-style library"].
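What the migration scripts mentioned in the post do, as an added example that is not part of the post or of the OpenLDAP migration tools: a small Python converter from /etc/passwd layout into posixAccount LDIF, run on constructed sample lines, including the RFC 2849 rule that values which are not safe ASCII strings must be base64-encoded. The base DN, the UID cut-off and the sample accounts are assumptions.

```python
import base64

# Constructed sample in /etc/passwd layout (not real accounts; hashes live in /etc/shadow).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,Room 12:/home/alice:/bin/bash
bob:x:1002:1002: Bob Trailing:/home/bob:/bin/zsh
"""
BASE_DN = "ou=People,dc=example,dc=com"  # assumed directory suffix
MIN_UID = 1000  # assumed cut-off so system accounts (root etc.) are not exported

def parse_passwd(text, min_uid=MIN_UID):
    """Split each passwd line into its seven fields; skip comments and system accounts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        entries.append({  # cn is mandatory in posixAccount: use the GECOS full name
            "uid": name, "cn": gecos.split(",")[0].strip() or name, "uidNumber": uid,
            "gidNumber": gid, "homeDirectory": home, "loginShell": shell, "gecos": gecos})
    return entries

def ldif_line(attr, value):
    """RFC 2849: a value that is not a SAFE-STRING (non-ASCII, NUL/CR/LF, leading
    space/':'/'<', trailing space) is base64-encoded and written after '::'."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))

def to_ldif(entries, base_dn=BASE_DN):
    """Emit one posixAccount entry per user; LDIF separates entries with a blank line."""
    blocks = []
    for e in entries:
        lines = ["dn: uid=%s,%s" % (e["uid"], base_dn), "objectClass: top",
                 "objectClass: account", "objectClass: posixAccount"]
        for attr in ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory",
                     "loginShell", "gecos"):
            if e[attr]:  # optional attributes such as gecos may be empty
                lines.append(ldif_line(attr, e[attr]))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

A login name containing DN-special characters (comma, plus, quotes) would additionally need RFC 4514 escaping in the dn line, which this converter does not attempt.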