[SATLUG] Whatever happened to the Novell LDAP Application?
brad at shub-internet.org
Thu Jul 31 14:19:18 CDT 2008
Frank Huddleston wrote:
> Back in 1999-2000, I remember a Novell rep came to my place of work
> and demonstrated a Novell LDAP Directory Server application that
> offered single sign-on, etc. for "everything", including Windows (which
> was NT 4.0 at the time). It was kind of like Active Directory before AD,
> and didn't just work with Windows.
Novell GDS -- Global Directory Server. By all accounts, it actually works
well and scales better than most other LDAP servers, or servers with an LDAP
interface, including the Microsoft AD stuff. It's also supposed to be more
compatible with other LDAP clients than Microsoft AD.
But it is commercial software, and pretty expensive at that.
> And, more specifically relevant to this LUG, does anyone use something
> like this (I guess by that I mean some kind of directory) in their
> configuration? Does OpenLDAP do this kind of thing, if properly configured?
OpenLDAP can do just about anything you want it to, if you use the right
schema and you configure it correctly. The latest versions of OpenLDAP will
outperform any other LDAP or LDAP-like product from any other vendor,
including Novell GDS.
> And more broadly: what do you all use to enable interoperability
> between your machines? NIS maybe?
NIS can't fall through to LDAP, and vice-versa. You would use one or the other.
But PAM (Pluggable Authentication Modules) can be configured to use both.
We don't use it directly here at UT for our Unix and Linux servers, because
if the LDAP server goes away then so do all of the accounts on it, and we're
We do have a little Perl script that was developed to dump all the
appropriate information out of LDAP and put that into the local /etc/passwd
files, called "ldap2auth". It's pretty simple, and you should be able to
fairly easily re-create it. Most of the magic that we have in our version
of the script is a result of legacy things that are local to our systems
here and you shouldn't have the same problems.
Of course, another potential alternative is to run a slave LDAP server on
each machine, and have them all use themselves for authentication data, as
well as being able to fall back on the network. Then the only problem is
that you need a few local accounts that work during the process of
bootstrapping the local LDAP server, in case the local LDAP server gets
wedged, or whatever.
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
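The ldap2auth idea described in the post (dump directory accounts into the local /etc/passwd while leaving a few local accounts untouched), sketched here as an added Python example; this is not the Perl script from the post. The sample directory entries, the local passwd contents and the MIN_UID boundary are constructed assumptions.

```python
import re

# Constructed sample entries shaped like posixAccount attributes an LDAP query
# returns (not real data): root collision, smuggled passwd fields, bad username.
ENTRIES = [
    {"uid": "alice", "uidNumber": "2001", "gidNumber": "100", "gecos": "Alice Example",
     "homeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"uid": "root", "uidNumber": "0", "gidNumber": "0",
     "homeDirectory": "/root", "loginShell": "/bin/sh"},
    {"uid": "bob", "uidNumber": "2002", "gidNumber": "100", "gecos": "Bob:x:0:0",
     "homeDirectory": "/home/bob", "loginShell": "/bin/bash"},
    {"uid": "../etc", "uidNumber": "2003", "gidNumber": "100",
     "homeDirectory": "/home/x", "loginShell": "/bin/bash"},
]

# Constructed local /etc/passwd: lines at or above MIN_UID come from a previous run.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsvc:x:999:999::/:/sbin/nologin\nold:x:2999:100::/home/old:/bin/sh\n"

USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_UID = 1000  # assumed boundary between local system accounts and directory users


def passwd_lines(entries):
    """Return (accepted passwd lines, rejected (uid, reason)) for directory entries."""
    accepted, rejected = [], []
    for e in entries:
        name = e.get("uid", "")
        try:
            uid, gid = int(e["uidNumber"]), int(e["gidNumber"])
        except (KeyError, ValueError):
            rejected.append((name, "missing or non-numeric uidNumber/gidNumber"))
            continue
        fields = [name, "x", str(uid), str(gid), e.get("gecos", ""),
                  e.get("homeDirectory", ""), e.get("loginShell", "/sbin/nologin")]
        if not USERNAME_RE.match(name):
            rejected.append((name, "invalid username"))
        elif uid < MIN_UID:
            rejected.append((name, "uid in local system range"))
        elif any(":" in f or "\n" in f for f in fields):
            rejected.append((name, "field contains ':' or newline"))
        else:
            accepted.append(":".join(fields))  # 'x': password hashes stay out of passwd
    return accepted, rejected


def merge_passwd(local_text, entries):
    """Keep local accounts below MIN_UID, replace everything else with the directory dump."""
    kept = [l for l in local_text.splitlines() if l and int(l.split(":")[2]) < MIN_UID]
    accepted, _ = passwd_lines(entries)
    return "\n".join(kept + accepted) + "\n"
```

Writing the result to /etc/passwd is left to the caller, which should do it atomically (temp file plus rename) and refuse to proceed when the directory query itself fails, so a dead LDAP server does not wipe the local accounts.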