On Wed, 2008-01-09 at 17:31 -0600, Les Mikesell wrote:
> Craig White wrote:
> >
> > LDAP is simply a set of protocols.
>
> So is X. It makes as much sense to make an LDAP server default to doing
> nothing as it would to present a grey X frame when you log in.
----
I'm not certain where you're going with this.
----
> > There is no set usage for doing
> > anything at all. In fact, what it was designed to do represents an
> > insignificant percentage of its current actual usage.
>
> But there are clients in the distribution that expect certain configuration.
----
but there is no 'certain configuration' unless you are running Windows
clients and Windows LDAP server. Perhaps that is what you want.
----
> > You seem to think that there should be some pre-configuration performed.
> > Describe it then. If you could describe it, you could bugzilla an RFE.
> > We might have something to actually discuss.
>
> What did you do to make it so fedora clients could authenticate to the
> server? I'd want that, plus samba authentication for the same set of
> users with the same passwords - and if Macs work with the same config,
> so much the better. Would it break anything to ship with the schema you
> are using as the default?
----
First off, there is no Red Hat tool capable of providing a single password
for both Posix and Windows users (userPassword and sambaNTPassword)...at
least not that I am aware of. Out of the box, you cannot get what you want
from Fedora/Red Hat.

Secondly, just from the point of picking the basedn, there is no prescribed
way. The first configuration detail, you got a big problem.

Thirdly, there is absolutely no schema for Macs that I am aware of that is
available from anywhere but Apple. The way schemas work is that the LDAP
server comes with their basic schema files and then you can add the samba
schema (from samba packages), any address book client schema that you
choose and any other schema that suits your purpose. For example, Horde/IMP
has the option for you to store user prefs in LDAP...that of course
requires a schema. They also have a schema for each user's free/busy
calendars.

Fourthly, you'd have to figure out your Certificate Authority and
distribute that to all the clients (unless you want clients doing
authentication across the LAN unencrypted). I'm sure you're not suggesting
that each computer with Fedora installed merely accept the default
certificate.

Fifthly, are you using SASL, kerberos, TLS, SSL? How can you standardize
when there isn't a standard methodology?

Sixthly, are you using programs that are only capable of communicating
with LDAPv2? Must we enable? Are you allowing anonymous binds?

Seventhly, which users are allowed to see which attributes? Are you going
to use rootbinddn for everything? Doesn't it make sense to have a less than
all powerful 'root' user to attach to samba/postfix/cyrus/etc?

Lastly, you are assuming that the point of LDAP is authentication which
was not what it was designed to do. They recently added things like
password policy to openldap and fedora but neither is fully mature. LDAP
authentication is hardly a mature product. There is absolutely no
standardization whatsoever and if Red Hat actually declared that there was
a Red Hat way, I'd hate to see the shitstorm over that.

I think your energies would be better spent railing because Fedora / Red
Hat scripts don't provide automatic backup, checkpoints, etc. because the
LDAP data is much more fragile than /etc/passwd (actually, I'm speaking of
OpenLDAP because I believe that Fedora-DS actually does).
----
> >>> Again, if you think something is wrong with the way they are distributing
> >>> the software, bugzilla an RFE
> >> Having made it work, you are the expert... Do you think it could be
> >> done better? Or is there some reason that the configuration used in one
> >> place can't work in another?
> > ----
> > I'm happy with the way it is, otherwise I would have filed an RFE
>
> How long did it take to get it to where you were happy with it, and why
> is it necessary for everyone to repeat that process?
----
It isn't necessary at all. You can buy Windows and have it their way. If
you want to make an omelet, you have to break some eggs. Took me several
weeks before I could trust myself and thus a network that relied upon me
to troubleshoot/maintain it.

LDAP really requires flexibility, not the rigidity that you think it needs.
If you jump into a package like OGO (OpenGroupware), you are going to have
to conform to their way or be prepared to severely adapt. Who knows what
each installation is trying to accomplish? Your statements presuppose that
there is a correct way to do these things...there isn't.

Again, it's an erector set and it's just one of many pieces for
authentication which probably also include installation/configuration of
padl stuff, kerberos, SASL, SSL, and so much else. Each setup is unique.

Craig
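The configuration decisions Craig lists (which schemas to include, a CA-signed server certificate, no anonymous binds, LDAPv2 off unless a legacy client forces it, a service bind DN that is weaker than rootdn, and ACLs deciding who sees userPassword and sambaNTPassword) can be written down as one OpenLDAP slapd.conf. The fragment below is an added illustration for this thread, not a file posted by either participant or shipped by Fedora; the suffix dc=example,dc=com, the service DNs, and the file paths are assumptions, and the rootpw value is a placeholder to be replaced with the output of slappasswd.

```conf
# Added example: slapd.conf for a Posix + Samba directory (assumptions:
# suffix dc=example,dc=com, schema paths under /etc/openldap/schema).
# Schema is additive: the server ships core/cosine/inetorgperson/nis,
# samba.schema comes from the samba packages.
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/samba.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Server certificate signed by the site CA; the same ca.crt is what every
# client must trust, so the CA, not a default self-signed cert, is distributed.
TLSCACertificateFile    /etc/openldap/cacerts/ca.crt
TLSCertificateFile      /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile   /etc/openldap/certs/ldap.example.com.key

# No anonymous binds, every operation must be authenticated, and both the
# session and simple binds need at least 128-bit protection (TLS).
disallow    bind_anon
require     authc
security    ssf=128 simple_bind=128

# LDAPv2 stays off; uncomment only for a client that cannot speak LDAPv3.
# allow     bind_v2

database    bdb
suffix      "dc=example,dc=com"
directory   /var/lib/ldap
# rootdn is for emergencies and schema/ACL changes, never for daily services.
rootdn      "cn=Manager,dc=example,dc=com"
rootpw      {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd

index       objectClass,uid,uidNumber,gidNumber,sambaSID eq

# Password attributes: the Samba service account may write the NT/LM hashes,
# users may change their own, simple binds may compare (the bind runs as
# anonymous before the identity is established), and nobody else sees them.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Shadow aging data: owner may update it, authenticated clients may read it.
access to attrs=shadowLastChange
    by self write
    by users read
    by * none

# Everything else (uid, uidNumber, gidNumber, sambaSID, ...) is readable by
# any authenticated identity, including the less-than-root service DNs used
# by postfix, cyrus and nss_ldap/pam_ldap clients.
access to *
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" write
    by users read
    by * none
```

Two things this makes concrete from the thread: userPassword and sambaNTPassword are separate attributes governed by the same ACL, so keeping them in sync is a tooling problem outside slapd; and the service accounts under ou=services get exactly the access their daemon needs, which is what a separate, less powerful bind identity buys over putting rootbinddn everywhere. Check the result with `slaptest -u -f /etc/openldap/slapd.conf` before restarting the server.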