Fedora Directory Server 1.0 Released!

Zonk posted more than 8 years ago | from the like-a-kid-with-edubuntu dept.

LnxAddct writes "NewsForge is reporting that the first official release of the Fedora Directory Server has been announced. This is good news for members of the open source community longing for an easy to use, enterprise class directory server. Fedora Directory Server is based off of Netscape Directory Server which Red Hat purchased a year ago and released as open source. Screenshots are available on their site." NewsForge is a Slashdot sister site.

Linux Users: (-1, Troll)

master_meio (834537) | more than 8 years ago | (#14177667)

Isn't it a form of rape- forcing your operating system ideology on others? Why can't you just enjoy your niche OS without worrying about "blah blah viable desktop alternative blah blah" or "blah blah i got my grandparents to play lunix lol" or whatever it is you disgusting faggots occupy yourselves with?

What's it like- to always be as unpopular as you were in high school?

Re:Linux Users: (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14177683)

Excuse us Popular Joe, btw weren't you the busy one who had no time to humiliate yourself?

Re:Linux Users: (1)

WheelDweller (108946) | more than 8 years ago | (#14178003)

Yeah....tell CP/M, MP/M and DOS I said "Hi", and that I miss them a little. ;)

Re:Linux Users: (0)

Anonymous Coward | more than 8 years ago | (#14178431)

Yeah and you tell Windows I don't miss it!

command line (5, Interesting)

Darkon (206829) | more than 8 years ago | (#14177676)


A fancy GUI [redhat.com] is all very well, but does this come with some decent command line tools to scriptify adding and removing users and the like? One of the things that's kept my department on NIS for so long is that absolute hideous unfriendliness of the OpenLDAP tools vs useradd, usermod and friends.

Re:command line (3, Insightful)

Anonymous Coward | more than 8 years ago | (#14177768)

In short: Yes.

However, I find it interesting that you describe OpenLDAP as "absolute hideous unfriendliness" when it simply isn't the case. Granted that the ldif format isn't obvious or familiar, using the command line tools is actually rather simple. You only need to understand how an LDAP Directory works, and how your schema of choice is laid out.

I have personally written a front end for managing userspace in OpenLDAP via bash scripts, and I can tell you that once I spent an hour reading up on ldif, it was really quite simple.

Re:command line (0, Redundant)

ZaMoose (24734) | more than 8 years ago | (#14177787)

Since it's built on top of OpenLDAP, yes, it obviously comes with ldapadd, ldapsearch and ldapmodify, just about all you need to accomplish the tasks you laid out above.

Their syntaxes are a bit confusing, but once you get them down, it's very easy to write cronjobs to populate the LDAP directory. If you're looking to migrate an existing userbase from NIS to LDAP, you should take a look at PADL's MigrationTools [padl.com] . Very useful, once you've hacked their shellscripts to match your environment.

Re:command line (3, Informative)

Anonymous Coward | more than 8 years ago | (#14177829)

It is so totally NOT built on top of OpenLDAP. In fact, it shares no code with OpenLDAP at all. Thanks for playing.

Re:command line (4, Informative)

digitalhermit (113459) | more than 8 years ago | (#14177790)

The addition of a user is pretty simple... Just run ldapadd against an ldif file. To create the LDIF file is simple and you can do it with a perl script to specify username, userid and password. To create the password you can use crypt or md5. Something like:

    my @validsalt = ('a' .. 'z', 'A' .. 'Z', 0 .. 9, '.', '/');
    my $salt = $validsalt[rand(64)] . $validsalt[rand(64)];
    my $test = crypt($cleartext, $salt);

Of course, you'd also want to do some basic validation of the inputs. Then just wrap the user inputs in an LDIF template and run. It sounds a lot more difficult than it actually is.

The schema can actually validate that userid is unique, but you should check anyway and also validate the groups and gids.
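
An added example, not part of the original comment or of Fedora Directory Server: one way to do the input validation and LDIF templating described above, in Python, with a salted {SSHA} hash in place of crypt/md5. The base DN, username policy, UID range, object classes and the `taken_uids` parameter are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed site policy and placeholder suffix (not from the thread).
BASE_DN = "ou=People,dc=example,dc=com"
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID, MAX_UID = 1000, 60000


def ssha_hash(cleartext, salt=None):
    """Salted SHA-1 userPassword value: {SSHA}base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(cleartext, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(cleartext.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when the value is not LDIF-safe.

    Encoding keeps a newline in user input from starting a new attribute line.
    """
    data = value.encode("utf-8")
    if not data:
        raise ValueError("empty value for %s" % attr)
    printable = all(0x20 <= byte <= 0x7E for byte in data)
    bad_edges = data[:1] in (b" ", b":", b"<") or data.endswith(b" ")
    if printable and not bad_edges:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(data).decode("ascii"))


def build_user_ldif(username, uid_number, gid_number, full_name, cleartext,
                    taken_uids=frozenset()):
    """Validate the inputs, then render one posixAccount entry as LDIF."""
    # fullmatch() rejects a trailing newline; the strict pattern also rules
    # out DN metacharacters such as ',', '+' and '='.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if not isinstance(uid_number, int) or not MIN_UID <= uid_number <= MAX_UID:
        raise ValueError("uidNumber outside allowed range")
    # taken_uids stands in for a lookup of uidNumbers already in the directory.
    if uid_number in taken_uids:
        raise ValueError("uidNumber already in use")
    if not isinstance(gid_number, int) or gid_number < 0:
        raise ValueError("invalid gidNumber")
    if not full_name.strip() or any(ord(ch) < 0x20 for ch in full_name):
        raise ValueError("invalid full name")
    if not cleartext:
        raise ValueError("empty password")

    attrs = [
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("uid", username),
        ("cn", full_name),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", "/home/" + username),
        ("loginShell", "/bin/bash"),
        ("userPassword", ssha_hash(cleartext)),
    ]
    lines = ["dn: uid=%s,%s" % (username, BASE_DN)]
    lines += [ldif_line(attr, value) for attr, value in attrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input.
    print(build_user_ldif("alice", 1001, 1001, "Alice Example", "s3cret",
                          taken_uids={1000}))
```

The resulting text is what would be handed to ldapadd; the server must accept {SSHA} values in userPassword for the hash to be usable.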

Re:command line (1)

pe1chl (90186) | more than 8 years ago | (#14177921)

The main gripe is that you have to kludge all this yourself.
Every admin in the world must write his or her own script to add a user to the directory.

Why can't we have ready-made programs that perform such simple tasks?
Like useradd, for example.

Re:command line (1)

digitalhermit (113459) | more than 8 years ago | (#14178276)

LDAP itself is not *just* for authentication, though that's one of its more popular uses. That's probably why there are not so many specific auth related tools. It's a similar thing with the more decoupled Linux LVM versus, for example, AIX's tightly integrated LVM. There are GUI tools such as JXplorer and lots of Java based apps that can add/modify entries. JXplorer, for example, can define template screens so that you can view only auth relevant parts of the schema.

Re:command line (2, Informative)

aaronl (43811) | more than 8 years ago | (#14178516)

You could use the IDEALX smbldap-tools for the scripts and all. That would give you UNIX and Samba authentication and user account information, and control over groups, as well as a simple command line tool for passwords.

Re:command line (0, Troll)

Anonymous Coward | more than 8 years ago | (#14178558)

This is a shining example of someone who downloads something for free then complains about it without wanting to contribute to the community.

Why don't you code the scripts then submit them to the project to see if they can get added in the next release? Don't know how to code? LEARN

Scripting languages and LDAP (1)

dmouritsendk (321667) | more than 8 years ago | (#14177914)

Most scripting languages will have some kind of LDAP module available, like python has http://python-ldap.sourceforge.net/ [sourceforge.net] and perl has http://ldap.perl.org/ [perl.org] .

So even if Fedora's directory server doesn't offer any console tools (I don't know if it does), it won't be any problem making scripts manipulating its data. Take a look at this example on how to remove a record, it's from the python-ldap site, and it isn't exactly overly-complex to use from the looks of it :-)

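    import ldap

    try:
        # ldap.initialize() takes a URI and replaces the older ldap.open()
        l = ldap.initialize("ldap://127.0.0.1")
        l.protocol_version = ldap.VERSION3
        username = "cn=Manager, o=anydomain.com"
        password = "secret"
        # synchronous bind, so a rejected bind raises inside this try block
        l.simple_bind_s(username, password)
    except ldap.LDAPError as e:
        print(e)

    deleteDN = "uid=anyuserid, ou=Customers,ou=Sales,o=anydomain.com"
    try:
        # delete the entry and wait for the server's result
        l.delete_s(deleteDN)
    except ldap.LDAPError as e:
        print(e)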

FANCY gui? (1)

/ASCII (86998) | more than 8 years ago | (#14177945)

You thought that those screenshots look fancy? My first thought on looking at those screenshots was 'How could they make such a butt ugly theme the default for Swing applications?'. It combines the worst aspects of Motif and Windows95.

Re:FANCY gui? Looks like the old Netscape DS GUI (1)

kalmite (89186) | more than 8 years ago | (#14178076)

Actually this is the same exact GUI that was used for Netscape Directory server back in WinNT 4 days... so the question is why didn't RH change the GUI to something using Gnome/KDE. Looks like they just took the old product and released it.

Re:FANCY gui? (1)

AlphaSys (613947) | more than 8 years ago | (#14178084)

I thought the same thing. The answer is they really didn't do anything revolutionary to the UI they bought from Netscape. Netscape's server products were actually pretty OK under the hood, but they never sold because they were even uglier in the UI than the current Redmond offerings of the time. Tsk, tsk.

Re:FANCY gui? (0)

Anonymous Coward | more than 8 years ago | (#14178463)

Oh please. Netscape's server products never sold because the CLIENT (Netscape Communicator) had an ugly UI. Nobody gives a rats ass about pretty GUIs for system administrators, and the stuff that came with Exchange 5 was hardly a thing of beauty.

Re:FANCY gui? (1)

kopykat (934673) | more than 8 years ago | (#14178454)

figures!a GUI perfect application that requires a minimal of 39 patches on a one year comparison between linux and windows and the real rhetoric is in why it would take an average of 139 patches in test conditions to keep a server secure and the joke is "butt ugly!" how about the real number of patches that would be required to keep any server running and secure...! i guess in 2007 the new joke is its a kopykaT!

Re:command line (1)

labratuk (204918) | more than 8 years ago | (#14178140)

Thank you. This is the first thing I noticed too. Obviously something that hasn't changed since its netscape days when they needed to be able to show something to PHBs who made purchasing decisions. A big dumb 'START SERVER' button. Please god let them unix-ise the software in the next few versions.

Re:command line (1)

LnxAddct (679316) | more than 8 years ago | (#14178616)

Don't worry, all the command line tools are there too, a nice GUI never hurt anyone though:)
Regards,
Steve

Re:command line (1)

illumin8 (148082) | more than 8 years ago | (#14178775)

A fancy GUI is all very well, but does this come with some decent command line tools to scriptify adding and removing users and the like? One of the things that's kept my department on NIS for so long is that absolute hideous unfriendliness of the OpenLDAP tools vs useradd, usermod and friends.

Have you heard of ldapadd and ldapmodify? These tools are available from OpenLDAP or from pretty much any OS that is LDAP capable. I know you're probably just trolling but it's quite obvious you've never used LDAP or you'd know that it's trivially simple to add or modify entries using these command line tools.

2nd post (-1, Offtopic)

sqwishy (927732) | more than 8 years ago | (#14177678)

2nd post ^_^

wow (5, Insightful)

know1 (854868) | more than 8 years ago | (#14177681)

redhat bought something useful and made it open source? that's one of the most amazingly good things i've heard this week. i thought open source was all about using software made for free. it's so great to see a company making a living off open source to buy something useful the community needs and give it out for free. i'm a debian man myself, but keep up the good work redhat!

Re: wow (4, Informative)

Dolda2000 (759023) | more than 8 years ago | (#14177777)

This isn't exactly the first time RedHat has done something like this. Last year, they also bought Sistina and released GFS for free. I think they have done other such things as well, but I can't remember any off the top of my head.

Not the first time. (4, Informative)

ebuck (585470) | more than 8 years ago | (#14177920)

As another poster has already stated, it's not the first time that RedHat has bought something and then changed the license to an open-source license.

However, this story is just a bit more complicated.

RedHat open-sourced all of the code they could, which was quite a bit, but originally just the main directory daemon, ns-slapd, a few shared libraries and command-line tools were open source. The real news here is that the last of the "other" bits have finally been re-written under a new (open-source) license.

That's part of the motivation for resetting the release number; note that this is version "1.0" instead of (grumbles about memory) 8 or 9?

So now, it is a 100% open source solution, no more binary-only rpms.

Re:wow (2, Informative)

TheRaven64 (641858) | more than 8 years ago | (#14178029)

As another poster pointed out, Sun have done this with other things as well. One example that I suspect a lot of /.ers are familiar with is Cygwin - bought by RedHat and open sourced. They are also not the only company to do this. Sun bought a German outfit called Star Division and released their flagship product as open source, and continue to supply most of the developer time to it. You might have used that too.

Sun paid $88,000,000 for Star Office. (1)

Futurepower(R) (558542) | more than 8 years ago | (#14178749)

I remember reading that Sun paid $88,000,000 for Star Office, that became Open Office. Sun still charges for support for Star Office, and my guess is that Sun has made a profit on its investment in Star Office, even though an open source version is free.

wow-Cathedral leaks. (0)

Anonymous Coward | more than 8 years ago | (#14178394)

"it's so great to see a company making a living off open source to buy something useful the community needs and give it out for free."

Come on Maya! Come on VST. Come on Macromedia MX. Come on ProE.

Re:wow (5, Informative)

LnxAddct (679316) | more than 8 years ago | (#14178736)

Heh, you severely underestimate Red Hat's contribution to the community:) Read this [fedoraproject.org] for a truncated list of contributions they've made. Some other products they've purchased and released include GFS [redhat.com], Cygwin [cygwin.com], and eCos [sourceware.org]. They also contribute more code to the kernel than any other entity and in large part maintain and extend glib and GCC (they have a few people on the GCC board and contribute huge amounts of code, in fact many of the newest features in GCC 4.0.x you can thank Red Hat for). Here [sourceware.org] is another list, but that list is only for projects hosted from that site, so it's not complete either, but suffice it to say that Red Hat does a staggering amount for the community, it's kind of a shame when people bash them.
Regards,
Steve

when rpm just wont do (0)

ali3nxx (830931) | more than 8 years ago | (#14177692)

anvil ~ # rpm2targz fedora-ds-1.0-2.FC4.i386.opt.rpm
found gzip magic bytes
    trying to decompress with gzip... OK

anvil ~ # uname -a
Linux anvil 2.6.14-hardened #1 SMP Fri Dec 2 03:24:32 CST 2005 x86_64 AMD Opteron(tm) Processor 246 AuthenticAMD GNU/Linux
anvil ~ # cat /etc/gentoo-release
Gentoo Base System version 1.6.13

overall looks very promising. I'm looking forward to picking it apart and integrating it into my test ldap setup!

+ Kerberos ? (5, Informative)

ratatask (905257) | more than 8 years ago | (#14177713)

One of the neat things is if you couple together Kerberos [mit.edu] with LDAP - much like a windows network with Active Directory.
Does the Fedora DS integrate those two neatly, single sign on is neat, but OSS provides no turnkey solutions for this (yet).

Re:+ Kerberos ? (3, Insightful)

Dolda2000 (759023) | more than 8 years ago | (#14177807)

but OSS provides no turnkey solutions for this (yet).

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these. Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).

Really, I'm not trying to troll here, I'm just really not seeing what this need to click a single button for every possible setup comes from. Rather than trying to provide every possible setup from the start, as Microsoft does (and which much of the complexity in Windows derives from), isn't it better to have a generic solution that can be tailored to one's specific need, instead?

Re:+ Kerberos ? (1)

cerberusss (660701) | more than 8 years ago | (#14177923)

I've never understood why people need "turnkey solutions" for things like these.

It's one possible measure for the amount of care that's put in the product. You can say this doesn't go for this particular product, but lots of times adoption of a product starts with someone who has 15 minutes of spare time.

If the product doesn't show a few nice things within those 15 minutes, it just might be possible it's not looked further into.

I'm not saying this is the correct procedure to evaluate an important piece of software like an LDAP server, but I'm certain this scenario really happens.

Re:+ Kerberos ? (2, Insightful)

CRC'99 (96526) | more than 8 years ago | (#14177947)

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

Yeah, because it's not like this is a well used 'feature' in Windows Domains in just about every large company...

Re:+ Kerberos ? (5, Insightful)

moreati (119629) | more than 8 years ago | (#14178009)

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.


Largely, I think it boils down to - 'because they don't understand the technology as we do'. Take a simple, high level requirement: identity management. You or I might see that in terms of the components: such as a directory, an authentication service, creation & removal scripts, some means of replication, monitoring scripts etc.

A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity management solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

Updating your LDAP, Kerberos, NSS and PAM configs manually isn't exactly hard as it is. If you want to make it easy to set up multiple workstations with this setup, just use Kickstart (or a shell script on NFS...).


To you it isn't, but what happens when you leave? It's much easier to recruit someone to maintain a push button solution, than a partly bespoke ecology of components and scripts. Often the solution and the ecology are similar in complexity, but the solution hides that behind a GUI and glossy marketing material.

Purchasers often choose to spend their money on specialised software (solutions), hopefully saving time. We often choose to spend our time customising general purpose software, hopefully saving money.

Alex

Re:+ Kerberos ? (2, Interesting)

Dolda2000 (759023) | more than 8 years ago | (#14178321)

A $notnerd sees the requirement as a black box, they don't care about the internals. They've probably been told by some techie/salesman that it will address some problem they have. For this person turnkey seems perfect, $company sells $product which is billed as an 'identity management solution'. A magic black box solution to a black box problem, their work is done - now it is IT's problem.

I agree completely with that, but my main point is that I think that this "turnkey solution" should be a separate product -- an analogy to metapackages (like GNOME), if you will. This metapackage, which would be the already existing components plus shrink-wrapped config files, could then be sold to corporate purchasers as an "identity management solution". Optimally, it should be tailored to each company. My point is that it should not be part of the directory server, and probably not even part of the Fedora Core distribution.

Maybe it should be part of RHEL, but I'd still see these kinds of turnkey solutions as something that should really be a consultant task. Each company or organization has disparate requirements and therefore, I think each case should be examined individually. I think that in general, open source software should remain the kind of general solution that it is today, and not implement 10+ buttons for each individual scenario. It might be a good idea that Red Hat could produce a number of specialized RHEL distros for the most common scenarios, but RHEL and FC themselves should remain generic.

To you it isn't, but what happens when you leave? It's much easier to recruit someone to maintain a push button solution

Most commonly, the experienced administrator would develop more or less a "push button solution", in the form of a collection of scripts to handle the most common tasks. Thus, when I quit, the next admin could just push the buttons I've prepared for myself. If he doesn't want to dive deeper, he probably shouldn't have to. Of course, it cannot be enough emphasized that the admin who develops a system should document it properly. The thing is, the "push button solution" developed locally will handle any particularities of the organization it was developed by and for, while general turnkey solutions (is that an oxymoron?) will always leave deficiencies since they cannot be tailored to the needs of the organization it will be used by.

Re:+ Kerberos ? (0)

Anonymous Coward | more than 8 years ago | (#14178519)

The thing is, the "push button solution" developed locally will handle any particularities of the organization it was developed by and for, while general turnkey solutions (is that an oxymoron?) will always leave deficiencies since they cannot be tailored to the needs of the organization it will be used by.

More like the 'push button solution' developed locally will support completely pointless customizations that were implemented only due to ignorance or unwillingness to conform to standards. An equally valid and probably more valid solution could have been had with a general turnkey solution.

Re:+ Kerberos ? (1)

ratatask (905257) | more than 8 years ago | (#14178018)

Ok, so "turnkey" was a bit of an overstatement. "be able to do it for the common admin" at least.
To do this today, you need to be a wizard. With Red Hat/Fedora it's been a little easier - they have the system-config-auth tool. Which works. Hand editing the pam config to make this workable on a debian box wasn't ... fun.
Here [bayour.com] is how you set up LDAP+Kerberos.
It is sorcery.

Re:+ Kerberos ? (1)

Tony Hoyle (11698) | more than 8 years ago | (#14178027)

Even for the 'common admin' it has to look like an AD server for the Windows workstations, otherwise it'll get passed over. That means having ldap+kerberos built in from the first install.

Common signon for Linux machines is all very well, but you've been able to do that with NIS for years.

Re:+ Kerberos ? (2, Insightful)

drsmithy (35869) | more than 8 years ago | (#14178165)

Maybe this is just me, but I've never understood why people need "turnkey solutions" for things like these.

Because it makes deploying them easier, quicker, cheaper and less dependent on a particular individual's (or individuals') knowledge.

Re: Who needs turnkey (2)

BenFranske (646563) | more than 8 years ago | (#14178716)

I think it's because the domain of technical knowledge is so great that it's really quite difficult to grasp it all. If you're a small or medium sized company you may not have someone who really understands Kerberos and LDAP. Your sysadmins may know everything in the world about mailservers, webservers, DNS servers, DHCP servers and database servers but very little about AAA servers, Kerberos and LDAP. Look at the security community which is still fairly young. People are already starting to specialize into wireless security, WAN security, LAN security, etc. What you need the turnkey solutions for are the areas you are still learning but don't grasp.

If you have a 250 person company you may have three sysadmins, six developers and two managers in IT. I've worked at companies like that and they're pretty common. The three sysadmins need to keep the phones, network, servers, printers and any other hardware running. Chances are they aren't experts at running every kind of server and might have some difficulty with getting a non-turnkey solution for the areas they're less familiar with up and running. It also needed to be up and running last week. One of the realities of business is that you often need to make do with the staff and their existing knowledge which means a lot of turnkey solutions which usually means Microsoft.

Re:+ Kerberos ? (1)

adrian.henke (852642) | more than 8 years ago | (#14177872)

I set up OpenLDAP as backend for the heimdal kerberos, so I guess you can do the same with FDS even though it's not an official feature.

Why the Hell isn't this on the front page? (0, Redundant)

Zombie Ryushu (803103) | more than 8 years ago | (#14177720)

Why the Hell isn't this on the front page?! Because it damn well should be!

How many people have been agonizing over fixing problems and having good frontends to OpenLDAP? Directory Services are a Front line, in the Trenches issue! Not to be taken lightly!

Re:Why the Hell isn't this on the front page? (-1, Offtopic)

TheRaven64 (641858) | more than 8 years ago | (#14178035)

Maybe you've set your config so that Linux stuff is never on the front page? I have it set to 'best' - the default - and it was on my front page...

Re:Why the Hell isn't this on the front page? (-1, Offtopic)

hritcu (871613) | more than 8 years ago | (#14178096)

Why would anybody care about them?

Re:Why the Hell isn't this on the front page? (0)

Anonymous Coward | more than 8 years ago | (#14178252)

it's on the front page now, and thank goodness for that: i wouldn't have seen it otherwise. my boss & i are having a hell of a time with directory troubles (we are upgrading a nt 4.0 server/w98 workstation network we inherited --the previous IT staff jumped ship) and even though we probably can't use this (already spent fifty gazillion dollars on licences for other software) it's nice to see this out there.

woof im kinda stoned so i dont even really know why im posting this

Get Carter. (1)

Chaffar (670874) | more than 8 years ago | (#14177735)

The example they used in the screenshots [redhat.com] is the same one used here! [66.102.9.104] There must be a deeper meaning to this blatant plagiarism. I mean, even the phone number is the same... Yep, definitely a terrorist plot in the making somewhere here...

Gentoo package? (4, Interesting)

nighty5 (615965) | more than 8 years ago | (#14177748)

Anyone know if there is a gentoo package for this? - Even if it's not the most up to date.

I've searched using such strings as "ldap", "nss", "directory" etc - but nothing comes up too interesting.

Re:Gentoo package? (1)

Pecisk (688001) | more than 8 years ago | (#14177799)

My pick is it is not yet ported - so you can try to contribute an ebuild! It is your chance to shine! :)

More seriously, I will check out dependencies. As I have rather big interest in this product, I will check out If I can't contribute an ebuild.

Re:Gentoo package? (1)

sveinungkv (793083) | more than 8 years ago | (#14177812)

Not yet, [gentoo.org] but since the release of 1.0 hit slashdot, I guess it will come soon... ;)

Re:Gentoo package? (0)

Anonymous Coward | more than 8 years ago | (#14177866)

> Not yet, but since the release of 1.0 has hit slashdot, I guess it will come soon... ;)

Grammar Nazi, as requested :) I find it hard to explain, but you need "has" to show that it's happened. It's only a very very minor mistake.

Re:Gentoo package? (0, Troll)

mikaelhg (47691) | more than 8 years ago | (#14177934)

Anyone know if there is a gentoo package for this?

This isn't a toy, it's an actual useful enterprise software package people use on production servers.

Hence, probably not very high priority to Gentoo packagers.

Re:Gentoo package? (1)

ScytheBlade1 (772156) | more than 8 years ago | (#14178534)

Nice troll. Very very obvious, but nice.

That said, it is an enterprise software package, which makes a good portion of those who use gentoo just pop up and go "Oooooooohhhhhhhhhhhhhhhhhhhh........."

I'd say give it a week and it'll be there.

Re:Gentoo package? (0)

Anonymous Coward | more than 8 years ago | (#14178546)

I'd say give it a week and it'll be there.

And then another week for everybody else to compile it. :o) /me ducks

Re:Gentoo package? (1)

wampus (1932) | more than 8 years ago | (#14178718)

If only there was a "-1: I just set up a directory server on Gentoo, for money" moderation.

Interesting, but is it Good Enough(tm)? (2, Insightful)

jd (1658) | more than 8 years ago | (#14177755)

In and of itself, LDAP started off as a partial implementation of the X.500 directory services - partial being the bits that people generally found useful. The LDAP specification has changed over time, reflecting a better understanding of what people actually needed - together with the fact that as systems became more powerful, people generally needed rather more out of services.


The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.


The second problem is that there needs to be an Open Source system compatible with (and preferably better than) Microsoft's Active Directory. The LDAP side of that is absolutely critical. For this directory server to be of much interest to network administrators, this package absolutely must support two-way communication with Microsoft Active Directory's LDAP. It can support more - and it would be great if, for once, Open Source "embraced and extended" something from The Other Side...


To be of interest to system admins, it needs to work with PAM and preferably one of the standard "unified" admin interfaces, like Webmin or (yes, it is still used) linuxconf, in addition to specialized tools. It needs both. Specialized but simple command-line tools are great for doing batch tasks or quick tasks, which will be the bulk of routine tasks. More complex tasks, changing configuration files, etc, are often easier in a unified interface. For extremely precise operations, user interfaces hide too much detail, so for those you often do have to use some hefty command-line and probably a text editor for control and config files.


In other words, you've three distinct classes of operation and distinct types of interface for each. The "best" tools are ones which provide all three interface types and make it easy to develop others.


The last problem I'm seeing is that computing has moved on since Netscape ruled the world. Unified Parallel C is beginning to look like a serious rival to classical C, and even classical C compilers are gaining parallel support in the form of OpenMP (now included in a development branch of GCC). Fedora can't even keep their parallel patches in sync with the kernel. For that matter, their development repository is rarely synchronized, even though that's just a dependency chain they can follow from the SRPMs.


(Don't get me wrong - I like Fedora's distro, it is simply that if they are neglectful of something they can do in a script and a makefile, and of mere patches they had already made public, then how confident can I be of their ability to maintain a very complex piece of software?)

Re:Interesting, but is it Good Enough(tm)? (5, Interesting)

Anonymous Coward | more than 8 years ago | (#14177796)

I'm sorry, what the hell are you talking about? That was the most mindless post I have ever seen.

The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

For this directory server to be of much interest to network administrators, this package absolutely must support two-way communication with Microsoft Active Directory's LDAP. It can support more - and it would be great if, for once, Open Source "embraced and extended" something from The Other Side...

Uh? What does it need? 3-way communication with AD? 4-way? Active Directory is just a bastardized form of LDAP, and even OpenLDAP includes the bits needed to work with it. What you are saying here doesn't make any sense.

To be of interest to system admins, it needs to work with PAM and preferably one of the standard "unified" admin interfaces, like Webmin or (yes, it is still used) linuxconf, in addition to specialized tools.

What you are saying here demonstrates a complete ignorance of PAM, LDAP, and directory services in general. PAM has long supported LDAP, as have the NSS libraries. Webmin and Linuxconf are two interfaces that people have added as a layer on top of existing services. Nothing NEEDS to work with them, they support whatever they want. FDS has a great GUI and that is the point. Otherwise, an LDAP service is as useful as the schema you load and how you implement it.

I like Fedora's distro, it is simply that if they are neglectful of something they can do in a script and a makefile, and of mere patches they had already made public, then how confident can I be of their ability to maintain a very complex piece of software?

Ok, seriously, get a clue. If you are looking for assurance, pony up some cash and buy the fully supported Red Hat Directory Server. Frankly, I think the entire Fedora effort is great, but I wouldn't run any substantial business on it. For that I pay for Red Hat.

Re:Interesting, but is it Good Enough(tm)? (0)

Anonymous Coward | more than 8 years ago | (#14177905)

One year porting to linux?
I think that the mindless post is your post.

There was a Netscape Directory Server for Linux many years ago. For example, a link:
http://www.openldap.org/lists/openldap-software/200201/msg00054.html [openldap.org]

Please inform yourself before sending these e-mails.

I think that Java Directory Server is a better product, and a more mature product. And this is free. (It is based on Netscape Directory Server). I think the move of RedHat with Netscape products is pointless. I think that they give it away for free because Sun gave it away for free.
(Look at http://www.sun.com/ [sun.com] Java Enterprise System, it includes directory server and provisioning, etc)
They can't charge for a product, if there is a better and free alternative.

Regards.

Re:Interesting, but is it Good Enough(tm)? (1)

TarrySingh (916400) | more than 8 years ago | (#14177926)

Hmm.. so pay = better? contribute, test, fedora = mindless? Then why the fawk do we have all those folks (meaning us all: devs, sysadmins, DBAs, etc.) working on Fedora?

Re:Interesting, but is it Good Enough(tm)? (1)

Tony Hoyle (11698) | more than 8 years ago | (#14178049)

AD is not just a bastardised LDAP. AD is LDAP+Kerberos+Extensions which needs to be *specifically* catered for. I'm assuming this DS supports AD otherwise it's just going to get nowhere in the corporate space.

Re:Interesting, but is it Good Enough(tm)? (3, Interesting)

Temkin (112574) | more than 8 years ago | (#14178087)

Red Hat / Fedora Team spent about a year cleaning it up and porting it to linux, or didn't you bother to read the summary?

"Porting to Linux" is in and of itself a mindless statement, since this is Netscape DS, aka iPlanet DS, which is an antique fork of Sun's current SJES DS, all of which have been running on Linux for the better part of a decade.

It will be interesting to compare Fedora DS to Sun's current offering. Sun even provides an open source tool for this called SLAMD [slamd.com].

Re:Interesting, but is it Good Enough(tm)? (2, Informative)

talksinmaths (199235) | more than 8 years ago | (#14178832)

"Porting to Linux" wasn't the best verbiage the AC could have used, but it doesn't quite descend to the level of 'mindless statement'. The Fedora developers have worked to make DS for Linux a better product. For example the 1.0 release uses apache + mod_nss instead of the ns-httpd server, and the performance improvement is impressive. Of course the non-Linux platforms for which they produce DS presumably also reap these benefits, but it seems to me that the primary motivation is to make a great Linux product.

Re:Interesting, but is it Good Enough(tm)? (0)

Anonymous Coward | more than 8 years ago | (#14178121)

The last problem I'm seeing is that computing has moved on since Netscape ruled the world. Unified Parallel C is beginning to look like a serious rival to classical C, and even classical C compilers are gaining parallel support in the form of OpenMP (now included in a development branch of GCC). Fedora can't even keep their parallel patches in sync with the kernel.

As another poster already did the rest I will take a poke at this. But your whole post smacks that you are a simpleton click kiddie with a low level of experience in Linux/UNIX/POSIX. There is nothing preventing you from using pThreads and parallel process right now and compile it in Linux, BSD, Solaris, AIX or HP-UX. In fact, add RPCs with DCE and you can securely do this between them on a very large scale. Netscape never ruled the world, just a part of it. Go back to C#.

Re:Interesting, but is it Good Enough(tm)? (2, Interesting)

illumin8 (148082) | more than 8 years ago | (#14178802)

The first problem is that Netscape probably didn't add much to their Directory Service towards the end, and it is unclear how much Fedora has had to put resources into code cleanups and bug fixes, as opposed to adding the capabilities it is going to need.

To really understand this move by Redhat, it has to be taken into context with last week's news about Sun open sourcing their enterprise applications, one of which is iPlanet Directory Server. iPlanet Directory Server and Redhat's both forked from the same Netscape code base. The difference is that Sun has invested 3-4 years of heavy development time, improving features involving 4-way multi-master replication across WAN links and many other things. It seems like Redhat just dusted off the 5-year-old code, rewrote some of the encumbered bits, and released something that's probably equivalent to Netscape Directory Server 4.0. Sun is up to iPlanet Directory Server 5.2 and has been innovating.

I think this is a move by Redhat to counter the move Sun made last week in opening up their directory server product.

Java Enterprise System from Sun is better product (0)

Anonymous Coward | more than 8 years ago | (#14177784)

I think that Java Enterprise System is a better product, it includes directory server and provisioning software, and a lot more software that integrates with Directory Server.
And it is free. See http://www.sun.com/ [sun.com]

I think that the Fedora Directory Server is late, and it is based on old versions of Netscape Directory Server.

Re:Java Enterprise System from Sun is better produ (2, Informative)

allenw (33234) | more than 8 years ago | (#14178061)

... and will be opened as well. [slashdot.org] I can't help but think that RH rushed this out the door to counter Sun.

But does anyone really want an older version that's likely been untouched for years?

Re:Java Enterprise System from Sun is better produ (1, Informative)

Anonymous Coward | more than 8 years ago | (#14178683)

Better - how exactly, care to explain? Last I saw both started from the same code base a few years ago and today both have more or less the same feature set (Heck even the screen shots are proof that the admin console is 95% the same). And you have the Fedora Directory sources with you today - so if you find (like me) that the Sun Directory works only with RHEL 3 and 4 (it comes with an installer binary which is built to install RPM packages and doesn't work with anything other than RHEL) then you are much better off with downloading the Fedora DS sources and making a change or two to get it to run on your fav distro.

And it's definitely not an "older version untouched for years" - it's been in active development all these years and that's how the feature set is almost the same as Sun's version and it's ported to compile with fully open source software - they spent a year on that. And these are mature commercial products with more features than anyone might require at a time and so the development rate is slow and limited to bug fixes most times. Years have passed by since Sun has added a significant feature to its DS - remember the last release supported only Redhat 7.2 until recently!

As far as support goes, you can buy it from Redhat or Sun as the case may be but then we aren't comparing products there - I don't know how Redhat support for the DS would be but I have used Sun support for their DS and it wasn't exactly extraordinary - we had to live with the problems.

So, what was your point again?

Re:Java Enterprise System from Sun is better produ (1)

canuck57 (662392) | more than 8 years ago | (#14178141)

I think that the Fedora directory Server is late, and it is based on old versions of Netscape Directory Server.

Yes, it is late. Plus I find it disturbing some parts of it have special licensing concerns. And being version 1.0.... hopefully they will write this code out in time.

But its strengths are that being based on the Netscape server gives it a boost in functionality over OpenLDAP. I often wondered why OpenLDAP seemed to almost stall in its development.

So I will still be using Sun One Directory Server but do plan to watch this development carefully.

Re:Java Enterprise System from Sun is better produ (1)

talksinmaths (199235) | more than 8 years ago | (#14178884)

I find it disturbing some parts of it have special licensing concerns.

From the 1.0 release announcement page [redhat.com]:
All source code is open source, not just the core DS engine
This wasn't the case with the prior version, but AFAIK Redhat has now made good on their promise to open source the entire product.

About the console (2, Interesting)

Sk0yern (783174) | more than 8 years ago | (#14177788)

Has anyone else noticed how slow the console is on a RedHat Enterprise 3 server?
It's like you press a button, then you have to wait for 10 seconds before anything happens. On Enterprise 4, everything is about 50 times faster, maybe even more.
The main difference here should be 2.4 kernel versus 2.6 kernel, but what makes the console that much faster on 2.6?

Re:About the console (1)

croddy (659025) | more than 8 years ago | (#14177879)

No, I haven't noticed this at all on RHEL 3.

Re:About the console (2, Informative)

Anonymous Coward | more than 8 years ago | (#14177903)

User error, hit any person at keyboard to continue.

It is probably trying to do some kind of lookup, IPv6 or your nameservice, you did configure your /etc/nsswitch.conf to look at the nameserver, not the local LDAP server (recursive lookups are bad!)

ldap schmel-dap (3, Interesting)

Anonymous Coward | more than 8 years ago | (#14177821)

My employer recently tried to "enhance" our application to authenticate to an LDAP directory rather than our traditional backend security server. Wow, is LDAP ever NOT the tool for that job.

There are so few standards around LDAP authentication that it is impossible to support "LDAP" - you have to support MS Active Directory, Oracle Info Server, Novell eDir, etc.

For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc)

So we basically had to rewrite support for all these things that we already had in a modular fashion so now administrators are stuck configuring "the AD plugin", or "the OIS plugin"... but anyway, LDAP thinks it's all that and a bag of potato chips, but I'm here to tell you it is NOT.

Re:ldap schmel-dap (2, Insightful)

deep44 (891922) | more than 8 years ago | (#14177891)

For example, there is no standard way to handle password expiration. Every directory does it differently. There is no standard location or hashing algorithm for user passwords, nor is there any sort of standard password policy (password complexity rules, maximum retries until lockout, etc)

RFC 2307 - using LDAP to provide a Network Information Service.

Almost everything you touched on is covered in that RFC. So the standards exist, but Microsoft/Oracle/etc chose not to adhere to them by creating their own one-off schema.

I'm not saying they were wrong to do that, but don't blame the LDAP protocol because you had problems using it to interface with AD.
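An added example, not part of the original thread or of any product discussed in it: the question "when does this password expire?" answered from an RFC 2307 `shadowAccount` entry and from an Active Directory `user` entry, which shows why a client ends up with per-directory code. The sample entries and their values are constructed; the attribute names are the real schema attributes, and ignoring AD fine-grained password policies is a simplifying assumption.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # AD timestamps count from here
UF_DONT_EXPIRE_PASSWD = 0x10000                        # userAccountControl flag

# Constructed sample entries, shaped like an LDAP search result (attr -> list of strings).
RFC2307_ENTRY = {
    "objectClass": ["posixAccount", "shadowAccount"],
    "uid": ["jdoe"],
    "shadowLastChange": ["13100"],   # days since 1970-01-01
    "shadowMax": ["90"],             # maximum password age in days
}
AD_ENTRY = {
    "objectClass": ["top", "person", "user"],
    "sAMAccountName": ["jdoe"],
    "pwdLastSet": ["127763136000000000"],   # 100 ns ticks since 1601-01-01
    "userAccountControl": ["512"],
}
# In AD the maximum age is not on the user: it is maxPwdAge on the domain
# object, stored as a negative tick count (constructed value: 90 days).
AD_DOMAIN_MAX_PWD_AGE = "-77760000000000"


def _first(entry, attr):
    values = entry.get(attr)
    return values[0] if values else None


def rfc2307_expiry(entry):
    last = _first(entry, "shadowLastChange")
    max_days = _first(entry, "shadowMax")
    if last is None:
        return ("never", None)            # aging not configured
    if int(last) == 0:
        return ("must_change", None)      # change required at next login
    if max_days is None or int(max_days) < 0:
        return ("never", None)
    return ("expires", UNIX_EPOCH + timedelta(days=int(last) + int(max_days)))


def ad_expiry(entry, domain_max_pwd_age):
    uac = int(_first(entry, "userAccountControl") or 0)
    if uac & UF_DONT_EXPIRE_PASSWD:
        return ("never", None)
    last = int(_first(entry, "pwdLastSet") or 0)
    if last == 0:
        return ("must_change", None)
    max_age = int(domain_max_pwd_age)
    if max_age == 0 or max_age == -(2 ** 63):
        return ("never", None)            # domain policy disables expiry
    ticks = last + abs(max_age)
    return ("expires", AD_EPOCH + timedelta(microseconds=ticks // 10))


def password_expiry(entry, domain_max_pwd_age=None):
    """Normalize both schemas to (state, utc_datetime_or_None)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    if "shadowaccount" in classes:
        return rfc2307_expiry(entry)
    if "user" in classes and "pwdLastSet" in entry:
        if domain_max_pwd_age is None:
            raise ValueError("AD entry needs maxPwdAge read from the domain object")
        return ad_expiry(entry, domain_max_pwd_age)
    # Fail closed: an entry with no recognised aging attributes is an error,
    # not an account whose password silently never expires.
    raise ValueError("no recognised password-aging attributes on this entry")


if __name__ == "__main__":
    print(password_expiry(RFC2307_ENTRY))
    print(password_expiry(AD_ENTRY, AD_DOMAIN_MAX_PWD_AGE))
```

Both constructed entries normalize to the same expiry instant even though one stores days on the user entry and the other stores ticks split between the user and the domain object.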

Re:ldap schmel-dap (0)

Anonymous Coward | more than 8 years ago | (#14178330)

An RFC can be written by anyone. It is a Request For Comment. Nothing more, nothing less. A small group of people that write an RFC are not policy makers. This is not a standard. By convention, people may adhere to it like it was one, simply as a matter of convenience, but at best that would make it a de facto standard. This RFC is not a standard in any sense of the word. It may as well be a weblog post on Joe Random's site.

Re:ldap schmel-dap (2, Insightful)

deep44 (891922) | more than 8 years ago | (#14178499)

Yes, anybody can submit an RFC, but the IETF decides which ones to accept as official RFCs. Joe Random's weblog would probably not qualify.

Additionally, who cares if it's not an official standard? The original poster said that LDAP is flawed because Microsoft AD, Oracle, and Novell all use different schemas within their directory products. That has nothing to do with LDAP (the protocol), and everything to do with the design choices those companies made.

Re:ldap schmel-dap (1)

Zphbeeblbrox (816582) | more than 8 years ago | (#14178146)

Instead of trying to interface with all those why not create your own schema that the purchasers can import into the various directory types? Surely you could set it up so that you didn't have to use the proprietary protocols. Then your clients could just import that schema into their particular directory service. You could even link it into the current accounts with a little creative scripting I think. (Not sure on that one though, haven't messed with LDAP much yet, though I'm starting to.)

Great (0)

TarrySingh (916400) | more than 8 years ago | (#14177822)

So I can kick the Windows ADS out of the door?

Re:Great (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14177851)

"So I can kick the Windows ADS out of the door?" - by TarrySingh (916400) on Sunday December 04, @07:39AM

You can most likely, I do not see why not!

After all, this is just another example of you Linux people having duplicated/imitated/copied yet another concept from the Windows world so you can do something already doable in Windows!

(This goes on from both sides though - e.g. -> Windows via Terminal Services (ala watered-down licensed technology from Citrix) does what X has been doing for years on UNIX, which is remotely runnable applications & desktops. Directory Services aren't original to Windows either - Novell had them before Windows & Citrix did via NDS (Novell Directory Services))

BUT, other things (like thread-use & especially/specifically @ the kernelmode level) is another one that Linux bit off of Win32 OS, & @ the kernel level so that SMP (more than 1 cpu) was possible for the OS to use in Linux (it already had usermode "threads" that ran off a single kernelmode thread round-robin) & so Linux could 'scale to enterprise class use' as an OS.

Again - this ALL seems to be a game of copy-cat/knockoff from ALL OS families, stealing one another's features!

APK

P.S.=> Personally, I don't really care if one OS family takes another's features (although you hear it here constantly that MS innovates & creates nothing, which partially is true, they DO license technology from others OR buy entire companies out for their technologies), as long as we, as the consumers, get those nice features in whatever OS it is we all use... apk

Re:Great (0)

Anonymous Coward | more than 8 years ago | (#14178069)

Netscape Directory Server predated Windows Active Directory and followed Netware Directory.

Re:Great (0)

Anonymous Coward | more than 8 years ago | (#14178138)

I didn't include Netscape's offerings, but I did mention that "NDS" (novell directory services) & how it predated Windows' AD (active directory) offering.

(See my original post to verify, thanks)

Many others here noted even earlier ones than Novell's NDS &/or Microsoft's AD, e.g.-> like X500 & LDAP offerings as well!

Both predate both your & my examples from both.

My point is/was, that it's ALL really examples of 1 saying:

"There's very little original thought if any"

(This whole field's 'imitate & improve upon' really imo. Don't you all agree? One 'knock-off' job after another! And, I don't really care either, as long as we all get better/easier/faster tools to do our jobs with & to enjoy as end-users)

APK

Re:Great (0)

Anonymous Coward | more than 8 years ago | (#14178315)

You DO realise that Fedora Directory Server IS Netscape Directory Server, right?

Re:Great (1)

jooon (518881) | more than 8 years ago | (#14178067)

I think Samba 4 (even though it is not released yet) is closer to kicking Windows ADS out of the door than this, even though this is good to have for other reasons. The problem is that Windows ADS is more than an LDAP server and even if we have all the parts, LDAP, Kerberos, CIFS, DNS, etc., getting them to work together to be completely compatible with Active Directory Server seems to be very hard.

se$x with a 3oll (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14177827)

fi>rst organization same year, BSD

Great job! (1)

harris s newman (714436) | more than 8 years ago | (#14177884)

This is a banner day for the open source community!

One service at a time....

Sam Carter (2, Funny)

Andrewkov (140579) | more than 8 years ago | (#14178136)

I'm Sam Carter, please stop using my name in screen shots!

Re:Sam Carter (0)

Anonymous Coward | more than 8 years ago | (#14178505)

I'm Andrewkov, please stop using my name as a Slashdot login.

So who is catching up with who ? (0)

Anonymous Coward | more than 8 years ago | (#14178283)

I hear people in the IT community (well, mostly the Linux community) say that Sun is making drastic moves, they lose control and soon it'll be all over because they don't innovate. But who is actually catching up with who? If you look at those screenshots then I merely see the same as my Java Enterprise Directory Server (current version 5.2).

Don't believe me? Well, take a look here [sun.com] for a glimpse at the administration portal and here [sun.com] to see a little more directory server action.

Now I wonder... Sun released lots of their source code and suddenly the first Enterprise directory server is released on the Linux market. And you still say Sun is doing the catching up here? ;-)

Re:So who is catching up with who ? (1)

spike42 (795924) | more than 8 years ago | (#14178845)

The first Enterprise directory server on Linux was Novell eDirectory (then called NDS). That was more than six years ago!

Kerberos? (0)

Anonymous Coward | more than 8 years ago | (#14178313)

So does it also use kerberos or at least offer an easy way to incorporate it or does one need to fiddle with this manually, if desired?

Nice to see (1)

jbellows_20 (913680) | more than 8 years ago | (#14178348)

Looking at the screenshots, this looks like the best way of managing users for the Linux community. What I'm still waiting to see is an implementation of User and Computer policies allowing for mass management of systems. I know there are ways to kinda do this using rsync or scp and cron, but we don't need a hack we need a real solution.

Same thing as sun's directory server (0)

Anonymous Coward | more than 8 years ago | (#14178363)

So what is the difference between this and Sun's Directory server? The screenshots are the same exact thing, only instead of Sun it says Redhat, where before both products said Netscape. Sun already has it ported to Linux so what is the big deal? Also SUN is open sourcing the JES stack, from Slashdot's posting last week, so theirs will be open source too. So where's the beef?

Sun's directory server: http://www.sun.com/software/products/directory_srvr_ee/index.xml [sun.com]

Does Fedora have a version of proxy server to use with it? As without that, load balancing/fail over is a pain as the app is forced to hold the intelligence.

Secondly the huge market is identity management, so does Fedora's product integrate with Identity Manager/SiteMinder, i.e. is it FULL version 3 compliant?

Inquiring minds would like to know!!!

Also if anyone wants I can mark up benchmarks next week off slamd to get it going..

HOPEFULLY REDHAT KNOCKED OUT o=NETSCAPEROOT too; that's embarrassing for Sun I bet, but that graphical GUI is dependent on it...

I a n00b with a question (1)

jim_v2000 (818799) | more than 8 years ago | (#14178488)

Is a directory server something like MS ActiveDirectory?

Re:I a n00b with a question (1)

szo (7842) | more than 8 years ago | (#14178729)

No, the other way around.

Re:I a n00b with a question (1)

duncanmacvicar (701237) | more than 8 years ago | (#14178744)

No. MS ActiveDirectory is something like a directory server.

Re:I a n00b with a question (1)

tweek (18111) | more than 8 years ago | (#14178750)

Actually Active Directory is a combination of LDAP and Kerberos. That's a simple definition but it will suffice.

In general directory servers are based around the OSI X.500 model and DAP.

A good bit of info is here:
http://www.kingsmountain.com/ldapRoadmap.shtml [kingsmountain.com]

FYI you can thank the amazing team at University of Michigan for LDAP. Go Blue!

yeah. cool. but what about the new logo? (0)

Anonymous Coward | more than 8 years ago | (#14178491)

the new fedora logo [capstrat.com] apparently hasn't yet made it into the project's releases. oh well.

Open Bottom? (1)

Doc Ruby (173196) | more than 8 years ago | (#14178695)

I'm running Open-Xchange, an OSS groupware suite that, among other features, can transparently replace (mostly) Microsoft Exchange. OX uses OpenLDAP, though it can (in theory) use any LDAP directory server, including the FDS. OX uses Postgres as its default RDBMS for its data tier, but OpenLDAP stores its data internally. OX has some limits on its integration of directory data, because the rest of the app can't connect to the OpenLDAP storage - that means some sync issues, and some data is de facto read-only by both server apps and clients.

There are posted techniques for pointing OpenLDAP at MySQL instead of itself, which seem to offer a way to point at Postgres. Does FDS let me easily point at Postgres for all persistent storage? Or even at Oracle (as OX could do)? Where's the HOWTO?