[Users] Ovirt 3.1 and Samba4 AD

Yair Zaslavsky yzaslavs at redhat.com
Wed Nov 14 03:07:58 UTC 2012



----- Original Message -----
> From: "Alon Bar-Lev" <alonbl at redhat.com>
> To: "Charlie" <medievalist at gmail.com>
> Cc: "users" <users at ovirt.org>
> Sent: Tuesday, November 13, 2012 10:46:37 PM
> Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> 
> 
> 
> ----- Original Message -----
> > From: "Charlie" <medievalist at gmail.com>
> > To: "Itamar Heim" <iheim at redhat.com>
> > Cc: "users" <users at ovirt.org>
> > Sent: Tuesday, November 13, 2012 10:40:34 PM
> > Subject: Re: [Users] Ovirt 3.1 and Samba4 AD
> > 
> > FreeIPA is a Microsoft "clone" solution.  It is an emulator for AD,
> > much like Samba4 is.  Neither of them is based on Open Standards,
> > although both are Open Source.  This is a very important
> > distinction.
> > 
> > In our test RHEVM environment, only closed-source, proprietary
> > Microsoft Active Directory could provide a fully functional user
> > provisioning interface.  We attempted OpenLDAP, FreeIPA, and Samba4
> > but after a couple of weeks the bosses got tired of the slow progress,
> > threw up their hands and told us to just use Microsoft.  This
> > situation led directly to the replacement of half a dozen production
> > Red Hat servers with Microsoft Hyper-V hosted Windows servers.
> > Essentially, this one shortcoming (inability to use OpenLDAP as an AAA
> > source) ended up driving the abandonment of Open Source in our
> > enterprise.  We're currently in the process of replacing all our FOSS
> > infrastructure in DNS, DHCP, NTP, LDAP, etc. with ADS and there's
> > nothing I can do to stop that.
> > 
> > http://en.wikipedia.org/wiki/For_Want_of_a_Nail_%28proverb%29
> > 
> > It's very unfortunate.  Law of unintended consequences I guess.  I
> > would like to help oVirt gain compatibility with standards-based
> > services like OpenLDAP, but the code's in a language I haven't used
> > and a version control system I haven't used and the wiki has no LDAP
> > interaction design documents (other than the sources themselves) and
> > I've got very limited free time, all of which makes it hard to
> > contribute.
> > 
> > I hope that didn't sound too much like whining.  I don't blame anyone
> > outside my organization for my organization's bad decisions, I'm just
> > pointing out that giving your userbase no option other than to
> > implement proprietary Directory models may have unintended
> > consequences in the field.  Why spend a lot of money pretending to be
> > Microsoft when you can be Microsoft for the same or less money?
> 
> Not at all.
> I feel the same, we really need to support openldap without krb and
> with krb.

+10 here (not to say we really need to extract all our query/attribute mapping logic in such a way that we can further ease integration with new LDAP providers).

> 
> Alon.
> 
> > --Charlie
> > 
> > >> I know it, but is very interesting the idea to avoid Microsoft solutions
> > >> and move to OpenSource Environment.
> > >
> > >
> > > we do support a few other directory solutions (like freeIPA and
> > > 389ds).
> > > 389ds needs a kerberos enhancement.
> > >
> > 
> > Kerberos should be optional.  Many organizations don't need the extra
> > complexity, LDAP STARTTLS or LDAPS gives them all the security they
> > need.
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 


