Re: [Users] Ovirt 3.1 and Samba4 AD

From: "Charlie" <medievalist(a)gmail.com&gt; To: "Itamar Heim" <iheim(a)redhat.com&gt; Cc: "users" <users(a)ovirt.org&gt; Sent: Tuesday, November 13, 2012 10:40:34 PM Subject: Re: [Users] Ovirt 3.1 and Samba4 AD FreeIPA is a microsoft "clone" solution. It is an emulator for AD, much like Samba4 is. Neither of them is based on Open Standards, although both are Open Source. This is a very important distinction. In our test RHEVM environment, only closed-source, proprietary Microsoft Active Directory could provide a fully functional user provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4 but after a couple of weeks the bosses got tired of the slow progress, threw up their hands and told us to just use Microsoft. This situation led directly to the replacement of half a dozen production Red Hat servers with Microsoft Hyper-V hosted Windows servers. Essentially, this one shortcoming (inability to use OpenLDAP as an AAA source) ended up driving the abandonment of Open Source in our enterprise. We're currently in the process of replacing all our FOSS infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's nothing I can do to stop that. http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29 It's very unfortunate. Law of unintended consequences I guess. I would like to help oVirt gain compatibility with standards-based services like OpenLDAP, but the code's in a language I haven't used and a version control system I haven't used and the wiki has no LDAP interaction design documents (other than the sources themselves) and I've got very limited free time, all of which makes it hard to contribute. I hope that didn't sound too much like whining. I don't blame anyone outside my organization for my organization's bad decisions, I'm just pointing out that giving your userbase no option other than to implement proprietary Directory models may have unintended consequences in the field. Why spend a lot of money pretending to be Microsoft when you can be Microsoft for the same or less money?

--Charlie >> I know it, but is very interesting the idea to avoid Microsoft >> solutions >> and move to OpenSource Enviroment. > > > we do support a few other directory solutions (like freeIPA and > 389ds). > 389ds needs a kerberos enhancement. > Kerberos should be optional. Many organizations don't need the extra complexity, LDAP STARTTLS or LDAPS gives them all the security they need. _______________________________________________ Users mailing list Users(a)ovirt.org http://lists.ovirt.org/mailman/listinfo/users