On 10/27/2010 11:12 AM, Orion Poplawski wrote:
I'd be very interested to know what tools people are using to
accounts in the directory server. Currently we are using a modified version
of fdstools because we have a Posix + Samba environment, but would be
interested in other solutions that may be out there.
I use GIR (Generalized Identity Replicator)--originally developed with
Sun DS about 8 years ago. It was designed initially as a meta-directory
server integrating Oracle users, flat passwd updates for non-LDAP hosts,
Netscape/Sun/Redhat DS, AD and more. It has very simple and easy to use
user management. I just updated it and deployed it at a large
government site. I believe there are some features newer to Fedora DS
that it could use (like triggered updates), but right now it also
handles things like groups and whatnot, so AD-sensitive applications also
have the values they are looking for.
It is OSS, and I need to release a new version. It is written in Perl,
uses an Abstract API for easy extensibility of unique data stores (if
you are into perl programming), has an encrypted message bus, so if
something is down it'll keep retrying to make an update, etc. It uses a
Currently, one GIR system manages three discrete directory structures,
and synchronizes accounts with AD (limited to just locked/disabled
status for now). When you change a user's information/groups/etc in GIR
it replicates to all directories (because we don't use passwords in AD
it does not replicate there, but it could, if we did).
If you are interested in rolling up your sleeves, I could get you the
3.0 version. It should run without much effort on Red Hat/CentOS, just
contact me offline.
Oh, and because I'm still not happy with where FreeIPA is at yet, I
actually have a simple, simple mechanism of creating a "host" computer
account, and joining linux hosts using one account per host, instead of
a general proxy account. There is a script "join-domain" that does all
the LDAP config stuff, plus creates the host password (randomly
generated) and inserts it into the tree. This largely came about because
the built-in Red Hat auth scripts are broken when using only SSL with
private CA certs, and I had to keep rewriting the ldap.conf file anyway,
so why bother with the core OS stuff when it is broken. It is really
just an interim solution until FreeIPA matures, but it is better than
one generic proxy account for all hosts, and it is way better than
anonymous binding (we also run our entire environment encrypted).
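The one-account-per-host join described above, as an added illustration that is not the poster's join-domain script or any GIR code: it generates a random bind password for the host, hashes it as {SSHA} for the directory, renders the LDIF for the host's own entry, and renders an nss_ldap-style ldap.conf that speaks only LDAPS, verifies the server against a private CA, and binds with the host DN rather than a shared proxy account or an anonymous bind. The suffix dc=example,dc=com, the ou=Hosts container, the server name, the CA path and the directive layout are all assumptions; the ldapadd step is left to the operator so the script runs offline.

```python
#!/usr/bin/env python3
"""Hypothetical per-host LDAP join helper (added example, not the post's
join-domain script).  Everything here is local: generate a host password,
hash it for the directory, build the LDIF to add, build the client config.
DNs, URIs, paths and config directive names are assumptions."""
import base64
import hashlib
import hmac
import os
import re
import secrets
import string

BASE_DN = "dc=example,dc=com"                     # assumed directory suffix
HOSTS_OU = "ou=Hosts," + BASE_DN                  # assumed container for host accounts
LDAP_URI = "ldaps://ldap.example.com"             # assumed LDAPS-only server
CA_CERT = "/etc/openldap/cacerts/private-ca.pem"  # assumed private CA bundle

# Strict lower-case hostname with at least one dot; the value is spliced into
# a DN and into LDIF, so anything else (',', '+', newlines) is rejected, not escaped.
_FQDN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")


def validate_fqdn(fqdn):
    if not _FQDN_RE.match(fqdn):
        raise ValueError("refusing to use %r as a host name" % (fqdn,))
    return fqdn


def generate_host_password(length=32):
    """Per-host bind password from the CSPRNG; letters and digits only so it
    never needs quoting in ldap.conf."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha_hash(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password || salt) || salt), 8-byte salt."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """What the directory does on a simple bind against a {SSHA} userPassword."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def host_dn(fqdn):
    return "cn=%s,%s" % (validate_fqdn(fqdn), HOSTS_OU)


def host_ldif(fqdn, password_hash):
    """One entry per host: a device with simpleSecurityObject so it can bind and
    nothing more.  Read rights on people/groups come from ACLs granted to
    ou=Hosts, not from anything stored on this entry."""
    return "\n".join([
        "dn: " + host_dn(fqdn),
        "objectClass: top",
        "objectClass: device",
        "objectClass: simpleSecurityObject",
        "cn: " + fqdn,
        "userPassword: " + password_hash,
        "",
    ])


def ldap_conf(fqdn, password):
    """nss_ldap/pam_ldap style /etc/ldap.conf (directive names assumed): LDAPS
    only, peer certificate checked against the private CA, and the host binds
    with its own DN instead of a shared proxy account or anonymously."""
    return "\n".join([
        "uri " + LDAP_URI,
        "base " + BASE_DN,
        "ssl on",
        "tls_checkpeer yes",
        "tls_cacertfile " + CA_CERT,
        "binddn " + host_dn(fqdn),
        "bindpw " + password,
        "nss_base_passwd ou=People,%s?one" % BASE_DN,
        "nss_base_group ou=Group,%s?one" % BASE_DN,
        "",
    ])


def write_private_file(path, content):
    """bindpw is a secret: create the file 0600 up front rather than chmod afterwards."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)


def join_domain(fqdn):
    """Return (LDIF to ldapadd on the server, ldap.conf for the host)."""
    password = generate_host_password()
    return host_ldif(fqdn, ssha_hash(password)), ldap_conf(fqdn, password)


if __name__ == "__main__":
    import sys
    ldif, conf = join_domain(sys.argv[1] if len(sys.argv) > 1 else "host1.example.com")
    print(ldif)   # pipe into ldapadd as a directory admin on the server
    print(conf)   # on the host: write_private_file("/etc/ldap.conf", conf)
```

The hostname validation is the part worth keeping even if the rest is replaced: the join script runs as root on the client but the entry it emits is loaded with admin rights on the server, so a hostname containing a comma or a newline would otherwise let a mis-configured host rewrite its own DN or smuggle extra attributes into the LDIF.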