[Users] Ovirt 3.1 and Samba4 AD
Alon Bar-Lev
alonbl at redhat.com
Tue Nov 13 20:46:37 UTC 2012
----- Original Message -----
> From: "Charlie" <medievalist at gmail.com>
> To: "Itamar Heim" <iheim at redhat.com>
> Cc: "users" <users at ovirt.org>
> Sent: Tuesday, November 13, 2012 10:40:34 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
>
> FreeIPA is a Microsoft "clone" solution. It is an emulator for AD,
> much like Samba4 is. Neither of them is based on Open Standards,
> although both are Open Source. This is a very important distinction.
>
> In our test RHEVM environment, only closed-source, proprietary
> Microsoft Active Directory could provide a fully functional user
> provisioning interface. We attempted OpenLDAP, FreeIPA, and Samba4
> but after a couple of weeks the bosses got tired of the slow progress,
> threw up their hands and told us to just use Microsoft. This
> situation led directly to the replacement of half a dozen production
> Red Hat servers with Microsoft Hyper-V hosted Windows servers.
> Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
> source) ended up driving the abandonment of Open Source in our
> enterprise. We're currently in the process of replacing all our FOSS
> infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
> nothing I can do to stop that.
>
> http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
>
> It's very unfortunate. Law of unintended consequences I guess. I
> would like to help oVirt gain compatibility with standards-based
> services like OpenLDAP, but the code's in a language I haven't used
> and a version control system I haven't used and the wiki has no LDAP
> interaction design documents (other than the sources themselves) and
> I've got very limited free time, all of which makes it hard to
> contribute.
>
> I hope that didn't sound too much like whining. I don't blame anyone
> outside my organization for my organization's bad decisions, I'm just
> pointing out that giving your userbase no option other than to
> implement proprietary Directory models may have unintended
> consequences in the field. Why spend a lot of money pretending to be
> Microsoft when you can be Microsoft for the same or less money?
Not at all.
I feel the same, we really need to support openldap without krb and with krb.
Alon.
> --Charlie
>
> >> I know it, but is very interesting the idea to avoid Microsoft solutions
> >> and move to OpenSource Environment.
> >
> >
> > we do support a few other directory solutions (like freeIPA and
> > 389ds).
> > 389ds needs a kerberos enhancement.
> >
>
> Kerberos should be optional. Many organizations don't need the extra
> complexity, LDAP STARTTLS or LDAPS gives them all the security they
> need.