On Thu, 2005-03-24 at 11:59, Craig White wrote:
> > Yes, you have it straight. Red Hat, the most popular distribution, or
> > so they would like to claim, does not provide a standard solution so
> > everyone else is forced to make up their own, resulting in versions
> > that aren't likely to interoperate. It makes about as much sense
> > as making every user hand code their own sendmail.cf following their
> > own interpretation of the RFCs.
> ----
> give Red Hat some credit - they finally migrated off the terribly
> ancient openldap 2.0.27 that was in RHEL 3 into the 2.2.13 (still out of
> date) in RHEL 4 and FC-3

That's the odd part. All the pieces are there, but they are still
useless unless someone puts them together in a standard way.

> > Who, other than Red Hat, is in a position to fix this?
> ----
> seems to me that LDAP is a much larger technology and has implications -
> uses in a large variety of OS's and hardware. My experience tells me
> that most of the larger users/consumers of LDAP are not on Linux but on
> various Unix systems.

If it came up running on RH/fedora the situation would reverse
overnight. The people who need weird schemas can hire their armies of
developers to build them. Most people need just what the clients
included in their distribution know how to query, plus perhaps a
replacement for their ancient Windows NT domain controller. All easily
canned stuff.

> > Good defaults are what makes things work. I don't know how to
> > write a device driver and I'm happy that I don't need to. I wish it
> > were the same for LDAP.
> ----
> your view and my view of 'good defaults' for LDAP are likely gonna
> differ. I don't know of any 'good defaults' for LDAP
> ----

Let's leave out the people who already have X.500 and focus on small
networks who have more than one fedora/RH box and want to use NFS with
auto-mounted home directories and perhaps one or more Windows boxes that
need access to those same home directories. That probably describes most
small businesses and a lot of homes these days. The 'good default' for
this is basically the idealx setup but already done instead of having to
correctly follow pages of instructions.

> I know that you don't believe this but the standard base for users and
> groups is in /etc/passwd and /etc/group (and obviously by
> implication /etc/shadow)

That was a good idea back in the days when a company could only afford
one computer and did not use network file systems that depended on
consistent uids. Now I'd guess that most of the people on this list have
more than one personal computer, reinstall the OS on some of them
frequently, and would like to not have to deal with keeping parts of
those files in sync when their OS update may need other parts to be
different on certain machines.

> They've been including various utilities for NIS but no one complains
> that they don't have turnkey solutions for NIS administration.

Does anyone use NIS after reading about its insecurity? That might
explain the lack of complaints.

> There's little difference with LDAP - if you actually created a DSA,
> created a container for 'users', put in the attributes necessary for
> users to authenticate, it still wouldn't work. LDAP doesn't do things
> necessary such as create user home directories, keep track of UIDs and
> GIDs to keep adding them sequentially, make their home directories, set
> their shell, etc. That's another layer of infrastructure. If you start
> to consider all of the layers of infrastructure that you will need to
> get going, you will find that much of the time, you aren't really
> talking about LDAP, you are talking about the integration of other
> technologies.

You keep describing the precise reasons that we need a standard default
solution even though you don't seem to make that conclusion. There
probably was a time when Unix had no wrapper that combined the concepts
of creating user authentication and matching facilities like home
directories and mailboxes. Somebody fixed that - it's time to do it again.

> LDAP is entirely off the table for a distribution unless it chooses to
> make it so - and the only way that they can do it is to detail a finite
> list of services that are to be integrated and build it out. Recognize
> though that should a distribution take this approach, all of the
> services thus built out will have to have customized configurations too.

But there are clients already in the distribution - just no server to
match.

> There may be a point where Red Hat does try to provide an integrated
> setup - more specifically a turnkey setup of LDAP - but it isn't likely
> to be functional beyond a certain point, interchangeable with other OS's
> and other needs/implementations and thus, will be of value only to those
> that want to point and click administrate.

If the most popular distribution ships a working server based on
existing standards or RFCs then it would be up to everyone else to match
up or have a good justification for their differences. If you were
really opposed to shipping something that sort-of works and fixing it up
over subsequent releases you probably wouldn't be on this mailing list.

-- 
Les Mikesell
les@xxxxxxxxxxxxxxxx
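The "layer above LDAP" the two posters argue about (allocating uids and gids, choosing home directory and shell, hashing the password) is small enough to show. The following is an added example written for this page; it is not code from the thread, from Red Hat/Fedora, or from the idealx scripts. The base DN, the People/Group OUs, the id floor, the home path and the list of "existing" directory entries are all assumptions or constructed data standing in for an LDAP search result; no server is contacted, and the output is LDIF that a 2005-era nss_ldap/pam_ldap client (or today's sssd) could consume for the NFS-home-directory case.

```python
"""Added example, not from the thread: the account-management layer above
LDAP.  Given the entries already in the directory, allocate the next
uidNumber/gidNumber, choose home directory and shell, hash the password and
emit posixAccount/posixGroup LDIF.  Base DN, OUs, id floor and the existing
entries are assumptions / constructed data; no LDAP server is contacted."""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "dc=example,dc=com"            # assumed suffix
PEOPLE_OU = "ou=People," + BASE_DN       # assumed container names
GROUP_OU = "ou=Group," + BASE_DN
ID_FLOOR = 1000                          # assumed: stay above system accounts
HOME_BASE = "/home"                      # assumed: same path on every NFS client
DEFAULT_SHELL = "/bin/bash"

# Constructed stand-in for the result of searching the directory for
# (objectClass=posixAccount) and (objectClass=posixGroup).
EXISTING_ENTRIES = [
    {"dn": "uid=alice," + PEOPLE_OU, "uid": "alice", "uidNumber": "1000", "gidNumber": "1000"},
    {"dn": "uid=bob," + PEOPLE_OU, "uid": "bob", "uidNumber": "1002", "gidNumber": "1002"},
    {"dn": "cn=alice," + GROUP_OU, "cn": "alice", "gidNumber": "1000"},
    {"dn": "cn=bob," + GROUP_OU, "cn": "bob", "gidNumber": "1002"},
    {"dn": "cn=staff," + GROUP_OU, "cn": "staff", "gidNumber": "1050"},
]

# Conservative POSIX user name; this also keeps DN/LDIF special characters
# (commas, plus signs, leading spaces, '=') out of the RDN we build below.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(name):
    return USERNAME_RE.match(name) is not None


def user_exists(entries, name):
    """True if a user or group with this name is already in the directory."""
    return any(e.get("uid") == name or e.get("cn") == name for e in entries)


def used_ids(entries, attr):
    return {int(e[attr]) for e in entries if attr in e}


def next_uid(entries):
    """Never reuse a uid: files on the NFS server still carry a deleted
    owner's number, so handing it out again silently transfers ownership."""
    return max(used_ids(entries, "uidNumber") | {ID_FLOOR - 1}) + 1


def next_gid(entries, preferred):
    """User-private group: gid == uid when that gid is free, else next unused."""
    used = used_ids(entries, "gidNumber")
    if preferred not in used:
        return preferred
    return max(used | {ID_FLOOR - 1}) + 1


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (constant-time comparison)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def new_user_ldif(username, password, entries, shell=DEFAULT_SHELL, salt=None):
    """Return (ldif_text, uid, gid) for a new account plus its private group."""
    if not is_valid_username(username):
        raise ValueError("bad user name: %r" % username)
    if user_exists(entries, username):
        raise ValueError("user or group %r already exists" % username)
    uid = next_uid(entries)
    gid = next_gid(entries, uid)
    user = [
        "dn: uid=%s,%s" % (username, PEOPLE_OU),
        "objectClass: top", "objectClass: account",
        "objectClass: posixAccount", "objectClass: shadowAccount",
        "uid: " + username, "cn: " + username,
        "uidNumber: %d" % uid, "gidNumber: %d" % gid,
        "homeDirectory: %s/%s" % (HOME_BASE, username),
        "loginShell: " + shell,
        "userPassword: " + ssha_hash(password, salt),
    ]
    group = [
        "dn: cn=%s,%s" % (username, GROUP_OU),
        "objectClass: top", "objectClass: posixGroup",
        "cn: " + username, "gidNumber: %d" % gid, "memberUid: " + username,
    ]
    return "\n".join(user) + "\n\n" + "\n".join(group) + "\n", uid, gid


if __name__ == "__main__":
    text, uid, gid = new_user_ldif("carol", "correct horse", EXISTING_ENTRIES)
    print(text)   # pipe into: ldapadd -x -D "cn=Manager,dc=example,dc=com" -W
```

Two design points worth noting. Uids are allocated as max+1 rather than by filling gaps, because on an NFS server a deleted user's files keep their numeric owner and a reused uid would inherit them. The password is stored as a salted hash, not cleartext, and never as the `{CLEARTEXT}`-style value some early how-tos used; `{SSHA}` is what the OpenLDAP 2.2 of the thread's era understood, whereas a current slapd should be configured for a stronger scheme such as `{CRYPT}` with SHA-512 or one of the PBKDF2/Argon2 password modules. Creating the home directory on the file server and adding the Samba attributes for the Windows clients are still separate steps, which is exactly the integration the thread is about.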