
Re: Directory enabled distribution



> Currently we have the ability to setup systems with LDAP based ns (ie,
> passwd, account, hosts, aliases...NIS in a nutshell) and utilities to
> utilize that. Pam_ldap enables authentication through the LDAP server
> and nss_ldap enables lookups from native libc calls to the LDAP
> server for hosts password info, group info, shadow info and more.
> There is also a php3 module now that allows for direct access to an
> LDAP server from scripts.
> 
> I am also working on migration scripts that make it easy to enable
> things like nsLDAP. Basically it works like ypconfig (NIS) to enable
> master/slave servers and configure clients. There will also be admin
> tools for setting up accounts in the LDAP server and accessing
> information.
> 
Some key things are deciding on directory objectclasses - do we need a
debianPerson ? (n.b.) - as a quick aside it might be good to have an empty
/usr/local/etc/openldap/slapd.oc.conf included after the system slapd.oc.conf

Local system administrators could define their own directory objects there
and we (you) could track the RFCs for standard objects in the system version.
(by the way the /etc/openldap/slapd.conf should default to no world read
access as it contains the rootdn password - and administrators should change
the rootdn password - maybe the postinst should make it something random)



> What I would like to see is other packages that have LDAP compile time
> capability start packaging a separate .deb. For example Exim has compile
> time options to enable lookups through LDAP for alias and host information
> (among other things). Something like an exim-ldap package would be very
> nice to have.
> 
Sendmail builds and works well with the openldap libraries (and the built
executable will work quite happily on systems without ldap).

There is an LDAP authentication module for squid which works very well. It
is a separate program, so does not need any changes to squid.


> One thing I would like to note is that there are 2 ldap packages in the
> dist now. Umich-LDAP is the original LDAP implementation, it works
> well, but the source has not been maintained in some years. The
> OpenLDAP package which I maintain is under current development and is
> going to implement LDAPv3 in the near future. So if you do package a
> package that links to libldap, I suggest using this library.
> 
I agree - though I think it is a good exercise to have two ldap packages
in the system - perhaps Netscape will release their Directory server for
Linux and we would be able to easily switch between that and openldap.


> If we can make this an additional goal for potato, we will be able to
> mark ourselves the FIRST completely directory enabled distribution
> (not just Linux either, all OS's), I don't think there are any other
> systems that enable LDAP to this extent (NT 5 doesn't count, it's still
> beta, plus their LDAP is "embraced and extended").
> 

At work many of our systems are Netware Directory Services based, and it shows
that directory enabled operating systems are the way to go for managing
thousands of users across hundreds of servers. LDAP is still a long way
behind NDS in many areas (e.g. replication) and NDS is already built in to
most of the Netware applications, but LDAP is now developing very quickly
and, as an open standard, has more long term potential.


	John Lines
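The slapd.conf point made above (no world read access on the file, and a
postinst that sets the rootdn password to something random) as an added
example; this is not code from the thread or from either Debian package. It
is a POSIX shell sketch of the check and the hardening step such a postinst
could perform. The sample slapd.conf, the scratch directory it is written
to, and the function names are all constructed for the demo. The rootpw is
written in cleartext, as OpenLDAP 1.x slapd.conf allowed; a modern slapd
would instead take an {SSHA} hash produced by slappasswd.

```shell
#!/bin/sh
# Added example, not from the original thread or the openldap package.
# Demonstrates what a postinst could do with slapd.conf: detect a
# world-readable config and replace a default rootpw with a random one.
# The config below and its location are constructed for this demo.

set -eu

# Return 0 if the file grants read permission to "other" (world).
slapd_conf_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the current rootpw value (empty if the directive is absent).
slapd_conf_rootpw() {
    awk '$1 == "rootpw" { print $2; exit }' "$1"
}

# 24 bytes from /dev/urandom, rendered as 48 hex characters.
random_password() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Harden the config: fresh random rootpw, mode 0600 (root-only read/write).
# Prints the new password so the caller can hand it to the administrator.
slapd_conf_harden() {
    conf=$1
    newpw=$(random_password)
    tmp="$conf.tmp.$$"
    # Replace an existing rootpw line, or append one if there was none.
    awk -v pw="$newpw" '
        $1 == "rootpw" { print "rootpw\t" pw; seen = 1; next }
        { print }
        END { if (!seen) print "rootpw\t" pw }
    ' "$conf" > "$tmp"
    chmod 0600 "$tmp"
    mv "$tmp" "$conf"
    printf '%s\n' "$newpw"
}

# --- demo on a constructed slapd.conf in a scratch directory ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_CONF="$DEMO_DIR/slapd.conf"
cat > "$DEMO_CONF" <<'EOF'
# constructed sample slapd.conf (OpenLDAP 1.x style)
include   /etc/openldap/slapd.at.conf
include   /etc/openldap/slapd.oc.conf
database  ldbm
suffix    "o=Example, c=US"
rootdn    "cn=root, o=Example, c=US"
rootpw    secret
EOF
chmod 0644 "$DEMO_CONF"   # the bad default: world-readable with a known rootpw

if slapd_conf_world_readable "$DEMO_CONF"; then
    echo "before: world-readable, rootpw is '$(slapd_conf_rootpw "$DEMO_CONF")'"
fi
NEWPW=$(slapd_conf_harden "$DEMO_CONF")
echo "after: mode $(ls -ld "$DEMO_CONF" | cut -c1-10), rootpw is ${#NEWPW} hex chars"
```

The new password is returned to the caller rather than logged anywhere; a
real postinst would record it in a root-only file or present it through the
package's configuration dialogue, and the administrator would change it
afterwards as the post suggests.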


