To All,

I am going to try my hand at setting up an ldap server. I have looked at what is available and would like to ask your opinions as to what is a good one to have.

openldap, centos-ds, and freeipa seem to be high on everyone's list. Which one do you like, and does it have a good setup tutorial I could use. So far the tutorials I have looked at seem out of sync with the current versions of ldap servers.

Greg Ennis

Gregory P. Ennis wrote:
> openldap, centos-ds, and freeipa seem to be high on everyone's list.
> Which one do you like, and does it have a good setup tutorial I could
> use. So far the tutorials I have looked at seem out of sync with the
> current versions of ldap servers.

I've just deployed OpenLDAP and finally shut down NIS here at work (the damn thing was running for literally more than a decade).

FreeIPA was not an option at all, it would be a pain to us to try to integrate our current environment on it. If you are going to start from scratch, take a serious look at it. Although I think it is too RH/Fedora driven to my taste.

I've set up a test environment with CentOS-DS (RH DS) and it worked fine, we did not require all the fancy stuff it provides. We decided to not go ahead with it because

a) The CentOS DS packaging is not "official" yet (we are lazy and just want the "official" stuff)
b) To enable simple bind having the password on Kerberos you need to recompile the package enabling a plugin called 'PAM passthrough' to authenticate against PAM. This plugin is considered experimental and RH disables it. I requested on the CentOS bug tracker[1] to enable it but I don't believe it is going to happen.

RH DS has very good documentation and by looking at the wiki it supports some MS Active Directory stuff (not relevant to us either).

So we decided to go with OpenLDAP. Easy setup of simple bind with Kerberos (using saslauthd), no need to recompile the package shipped by CentOS/RHEL and a big user base. The official documentation is usable but to solve some problems searching on Google and the project's mailing lists archives you can easily find answers.

Regards,
Miguel

[1] http://bugs.centos.org/view.php?id=3719

On 11.09.09 18:46, Gregory P. Ennis wrote:
> openldap, centos-ds, and freeipa seem to be high on everyone's list.
> Which one do you like, and does it have a good setup tutorial I could
> use.

FreeIPA is not an LDAP server (and has an unclear future). CentOS-DS has all the documentation Red Hat has thrown at the Red Hat DS.

As a general LDAP tutorial, I liked the LDAP guide for Rocket Scientists:
http://www.zytrax.com/books/ldap/

Ralph

On 09/11/2009 11:46 AM, Gregory P. Ennis wrote:
> To All,
>
> I am going to try my hand at setting up an ldap server. I have looked
> at what is available and would like to ask your opinions as to what is a
> good one to have.
>
> openldap, centos-ds, and freeipa seem to be high on everyone's list.
> Which one do you like, and does it have a good setup tutorial I could
> use. So far the tutorials I have looked at seem out of sync with the
> current versions of ldap servers.

We currently use openldap/samba for our directory services.

It uses the older NT type (or mixed mode) authentication, but so far almost anything that requires windows authentication works fine.

The CentOS DS is likely better, and certainly supports more Active Directory things ... and we might well use it as a replacement for openldap/samba.

I am also using smbldap-tools from here:

https://gna.org/projects/smbldap-tools/

On 12.09.2009 at 00:43, Johnny Hughes wrote:
> On 09/11/2009 11:46 AM, Gregory P. Ennis wrote:
>> To All,
>>
>> I am going to try my hand at setting up an ldap server. I have looked
>> at what is available and would like to ask your opinions as to what is a
>> good one to have.
>>
>> openldap, centos-ds, and freeipa seem to be high on everyone's list.
>> Which one do you like, and does it have a good setup tutorial I could
>> use. So far the tutorials I have looked at seem out of sync with the
>> current versions of ldap servers.
>
> We currently use openldap/samba for our directory services.
>
> It uses the older NT type (or mixed mode) authentication, but so far
> almost anything that requires windows authentication works fine.
>
> The CentOS DS is likely better, and certainly supports more Active
> Directory things ... and we might well use it as a replacement for
> openldap/samba.
>
> I am also using smbldap-tools from here:
>
> https://gna.org/projects/smbldap-tools/

This may really be the fault of the underlying SMB-protocol, but for me, every implementation of LDAP+Samba that I have seen has "HACK!" written in big bold letters all over it.

FreeIPA is really cool. It solves the problem that most LDAP-implementations have: the password is in the directory. FreeIPA integrates LDAP and Kerberos the way Windows AD does it for Windows - but this time for Unix.

Unfortunately, its development wasn't that active over the last year. From the mailinglist-archives, it seems they want to release something towards the end of the year (and finally update the web-page...)

Rainer
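
Added example, not part of any poster's message: Miguel's saslauthd setup and Rainer's remark that "the password is in the directory" both come down to what each entry's `userPassword` value holds. The sketch below audits an LDIF export for that, assuming OpenLDAP's `{SASL}user@REALM` pass-through convention; the sample entries and the function names are constructed for illustration.

```python
import base64
# Constructed sample export (not from the thread); all names and values are made up.
_SSHA = base64.b64encode(b"{SSHA}constructed-not-a-real-hash").decode()
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: %s

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {CRYPT}$1$constructed$
 notarealhash

dn: uid=dave,ou=People,dc=example,dc=com
userPassword: changeme
""" % _SSHA

def unfold(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # LDIF continuation line: drop the leading space
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # 'name:: value' means the value is base64-encoded
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name.lower(), rest.strip()

def classify(value):
    # {SASL} hands the bind to saslauthd; any other scheme is a hash stored in LDAP.
    if value.startswith("{") and "}" in value:
        scheme = value[1:value.index("}")].upper()
        return "delegated-to-sasl" if scheme == "SASL" else "hash-in-directory:" + scheme
    return "cleartext-in-directory"

def audit(ldif_text):
    report, dn = {}, None
    for line in unfold(ldif_text):
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
            report[dn] = []  # entries with no userPassword keep an empty list
        elif name == "userpassword" and dn is not None:
            report[dn].append(classify(value))
    return report
```

Entries reported as `hash-in-directory` or `cleartext-in-directory` are the ones whose secret is readable by anyone with read access to `userPassword`, so they are the accounts to migrate or to cover with a stricter ACL.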