From: "Alon Bar-Lev" <alonbl(a)redhat.com>
To: "Charlie" <medievalist(a)gmail.com>
Cc: "users" <users(a)ovirt.org>
Sent: Tuesday, November 13, 2012 10:46:37 PM
Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
----- Original Message -----
> From: "Charlie" <medievalist(a)gmail.com>
> To: "Itamar Heim" <iheim(a)redhat.com>
> Cc: "users" <users(a)ovirt.org>
> Sent: Tuesday, November 13, 2012 10:40:34 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>
> FreeIPA is a Microsoft "clone" solution. It is an emulator for AD,
> much like Samba4 is. Neither of them is based on Open Standards,
> although both are Open Source. This is a very important distinction.
>
> In our test RHEVM environment, only closed-source, proprietary
> Microsoft Active Directory could provide a fully functional user
> provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4,
> but after a couple of weeks the bosses got tired of the slow progress,
> threw up their hands and told us to just use Microsoft. This
> situation led directly to the replacement of half a dozen production
> Red Hat servers with Microsoft Hyper-V hosted Windows servers.
> Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
> source) ended up driving the abandonment of Open Source in our
> enterprise. We're currently in the process of replacing all our FOSS
> infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
> nothing I can do to stop that.
>
> http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
>
> It's very unfortunate. Law of unintended consequences, I guess. I
> would like to help oVirt gain compatibility with standards-based
> services like OpenLDAP, but the code's in a language I haven't used
> and a version control system I haven't used, and the wiki has no LDAP
> interaction design documents (other than the sources themselves), and
> I've got very limited free time, all of which makes it hard to
> contribute.
>
> I hope that didn't sound too much like whining. I don't blame anyone
> outside my organization for my organization's bad decisions; I'm just
> pointing out that giving your userbase no option other than to
> implement proprietary Directory models may have unintended
> consequences in the field. Why spend a lot of money pretending to be
> Microsoft when you can be Microsoft for the same or less money?
Not at all.
I feel the same, we really need to support openldap without krb and with krb.
+10 here (not to say we really need to extract all our query/attribute mapping logic in such a way that we can further ease integration with new ldap providers).
Alon.
> --Charlie
>
> >> I know it, but it is very interesting, the idea to avoid Microsoft
> >> solutions and move to an Open Source Environment.
> >
> > We do support a few other directory solutions (like FreeIPA and
> > 389ds). 389ds needs a kerberos enhancement.
>
> Kerberos should be optional. Many organizations don't need the extra
> complexity; LDAP STARTTLS or LDAPS gives them all the security they
> need.
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users