Ubuntu Directory Service: Canonical Calls for Help
Canonical is developing a Directory Services strategy that could help Ubuntu Server Edition compete (and integrate) more effectively with Microsoft, Windows Server and Active Directory. In addition to a relationship with Likewise Software, Canonical is seeking external experts to help accelerate some Directory Services efforts.
First, some background: WorksWithU reached out to Canonical after multiple readers expressed the need for the company to formulate an Ubuntu Server Edition directory services strategy.
Canonical’s Response
Canonical replied to my inquiry last night. According to Nick Barcet, Canonical’s Ubuntu Server product manager:
“OpenLDAP is our LDAP implementation of choice in Ubuntu Server Edition. Around it we are putting together the base configuration and tools that we need to offer a better “out of the box” experience. In 8.10 we implemented a method for schema update to be automatically replicated to multiple OpenLDAP instances in the network. 9.04 should implement the basis of certificate management as well as a saner default DIT.”
Ubuntu 9.04, code-named Jaunty Jackalope, is scheduled to debut April 23. Here’s a first look at the operating system.
Help Wanted
Still, Barcet concedes Canonical is juggling multiple priorities at the moment — which means a full-blown directory service isn’t a top priority at the company. He wrote:
“So, while this is not our top priority, it is something we are very conscious about and progress is only limited by the resources we have. If some of your readers would have some spare time to help us in that direction, they would be more than welcome.”
Barcet offered the following blueprints for readers to check out:
Key Partner: Likewise
In addition to Canonical’s own directory service efforts, Barcet pointed to Likewise Software as a key partner that makes Ubuntu easier to integrate with Active Directory.
I must concede: It’s been more than a decade since I covered directory services (Active Directory, Novell Directory Services) for InformationWeek, so my knowledge on the topic is rusty at best.
But I have to wonder: Why didn’t Novell make eDirectory (the successor to NDS) a free or low-cost de facto standard in the Linux market — so that everyone (Novell, Red Hat and Canonical) could compete more effectively against Windows Server?
I’ve sent a note to Novell seeking their perspective.
Perhaps you should look at the FreeIPA project. Red Hat bought the directory server that was developed by Netscape and Sun and is building a comprehensive identity management platform around it in the Fedora community.
Gordon: I will check it out. Thanks for the recommendation. I remember the earlier work from Netscape/Sun.
@Joe
Thanks for pushing this with Ubuntu.
I still don’t understand why Ubuntu hasn’t got this higher on their priority list for their server product. I understand that cloud computing is ‘in’, but there is such a huge userbase of disgruntled or impartial Windows SBS users that the Ubuntu Server team should be tapping in to!
Hi I’m Anuradha from Sri Lanka, I also posted a couple of mails to the Ubuntu-Server team (I’m reading the mails from the ubuntu-server mailing list) proposing to start a Ubuntu Directory Server so that we can use it directly in our production servers. Currently we are interconnecting several tools and implementing the centralized directory authentication systems using a couple of GNU/Linux distros. So I’ll be a happy tester if they start this project any time soon. Hope we all can work together to make this project a success one day. Cheers!
Some great comments above. Please forward this to Canonical.
Instead of calling for help, Canonical should be joining the other team that already has a working implementation of this stuff (already mentioned by Gordon Messmer). The freeipa guys have a single sign-on (SSO) multimaster replicated ldap kerberos solution. It works right now (version 1.2.1) for just authentication (or in freeipa parlance, identity). In version 2 (which is expected in april/may this year) there will be a first implementation of policy and auditing.
So Canonical, do not request help, go help yourselves and your clients by implementing the next enterprise ready authentication platform for unix.
Hey Joe, eDirectory IS free (as in no cost) – you can get a 250,000 object license from Novell here : http://www.novell.com/products/edirectory/customer_license.htm
I don’t know why Novell doesn’t publicise this because it’s been available for years – If I recollect we took up this offer in 2002! Typical Novell marketing – they’ve got what is far and away the best directory service and nobody knows about it.
Zac @5: Yes, I will make sure Canonical sees all of the comments above.
Matt @7: Thanks for the eDirectory tip. At the least, you’d think Novell would do some viral marketing on this? I’m checking in with Novell, mainly for an eDirectory briefing for our readers on http://www.TheVARguy.com. But I will ask if/how eDirectory can discover/manage Ubuntu systems.
Maybe it’s time to consider switching to Fedora DS, and support that development instead?
Leif: I plan to do a follow-up article on Fedora DS, and Novell has confirmed that they’ll give me an update on eDirectory. So stay tuned for an updated directory services article with more perspectives in the next few days.
In the meantime, thank you (and other readers who posted comments) for some great ideas on how to push this story forward.
I think it is very important to include policy in any Linux Directory Server. This is the major feature in my opinion in Active Directory because LDAP, Kerberos and DNS are not new in Linux.
If there’s anything in FreeIPA that requires a particular LDAP server in order to function, then it’s doing something non-standard and needs to be fixed. Just because you like the features in FreeIPA, it doesn’t follow that you have to switch your base directory server in order to use it.
This is what I have been saying 100 times on Ubuntu forums etc. Ubuntu really needs to make a client server system like Windows XP and 2003 server with AD.
I wish someone could track down Banyan and see if they would open source Banyan Vines. It ran on Unix, was full LDAP. Using a client like Novell does you could do file, print and email no problem with Windows and Unix clients! That is what someone like Ubuntu needs.
They could really break into the office server market if they could support Linux and Windows machines. Who cares about AD. If they could make their own that could do the functions of AD and their Directory Services could scale like AD then who would need AD (It would have to be as easy as AD though)
As far as edirectory, it is a free download and can install on more than Suse linux but it’s a PAIN to install and a PAIN to admin. If they had an easy interface like AD does and it was easy to install on Red Hat or Ubuntu that would be great. Problem is that it’s one of the only things that Novell still makes money on. Take that away and Novell goes away.
@ Joe Panettieri:
The problem even using edirectory in Novell’s small business server is that it’s a pain to use. To try to get it and Samba working right out of the box is a mess. In Novell’s setup you get functions to do edirectory management of LDAP and also Samba, but you also have the default functions of those same tasks to do the same functions using Yast. In the end to get it to work you wind up with a mix and match of the two. Not good for administration.
Also edirectory is powerful, but not as easy to understand as AD. AD is weaker but strong enough to power a large company (We use it here in the Federal Government) and it’s easy to figure out AD.
Someone here also mentioned GPO’s. GPO’s are a key leg up with Windows and AD. To be able to push out security, lock down or unlock down machines etc from a central location with the use of fine grain policies is a powerful tool.
Web SSO functionality with SAML providers could be a killer addition…specially out-of-the-box integration with Google Apps using SAML could be a first step for effective directory service relevant in the SaaS and PaaS model for Application Consumption…
My team can help in doing this…
Why isn’t Canonical, and other Linux distributors, working hard on supporting SAMBA4? SAMBA4 will give native support for Microsoft’s protocol. AD is so much more than LDAP. Something one must adjust to when attacking the Microsoft desktop.
Anyhow, to embrace, extend and extinguish the Microsoft stronghold on the desktop, one must be able to just drop in a Linux workstation/desktop. And it must JUST WORK.
Hi,
Interesting article, I have been looking around to have a single integrated system for identity management and authentication.
Noticed that nobody mentioned node directory.
http://nodedirector.bigsister.ch/
It is a slightly heavy interface, but has quite a few features and provides a nice web interface to access LDAP objects.
I shall leave it up to you to make the final judgement.
Thank you
Regards
Sushil Suresh.