[Users] Ovirt 3.1 and Samba4 AD
Charlie
medievalist at gmail.com
Tue Nov 13 20:40:34 UTC 2012
FreeIPA is a microsoft "clone" solution. It is an emulator for AD,
much like Samba4 is. Neither of them is based on Open Standards,
although both are Open Source. This is a very important distinction.
In our test RHEVM environment, only closed-source, proprietary
Microsoft Active Directory could provide a fully functional user
provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4
but after a couple of weeks the bosses got tired of the slow progress,
threw up their hands and told us to just use Microsoft. This
situation led directly to the replacement of half a dozen production
Red Hat servers with Microsoft Hyper-V hosted Windows servers.
Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
source) ended up driving the abandonment of Open Source in our
enterprise. We're currently in the process of replacing all our FOSS
infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
nothing I can do to stop that.
http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
It's very unfortunate. Law of unintended consequences I guess. I
would like to help oVirt gain compatibility with standards-based
services like OpenLDAP, but the code's in a language I haven't used
and a version control system I haven't used and the wiki has no LDAP
interaction design documents (other than the sources themselves) and
I've got very limited free time, all of which makes it hard to
contribute.
I hope that didn't sound too much like whining. I don't blame anyone
outside my organization for my organization's bad decisions, I'm just
pointing out that giving your userbase no option other than to
implement proprietary Directory models may have unintended
consequences in the field. Why spend a lot of money pretending to be
Microsoft when you can be Microsoft for the same or less money?
--Charlie
>> I know it, but is very interesting the idea to avoid Microsoft solutions
>> and move to OpenSource Enviroment.
>
>
> we do support a few other directory solutions (like freeIPA and 389ds).
> 389ds needs a kerberos enhancement.
>
Kerberos should be optional. Many organizations don't need the extra
complexity, LDAP STARTTLS or LDAPS gives them all the security they
need.
More information about the Users
mailing list