LinuxQuestions.org

Rike255 04-12-2011 03:00 PM

Is RHDS a good alternative to AD in Linux world?
 
A couple years ago I tried to enable LDAP/Kerberos sign-on from Active Directory 2003. Ran into a whole bunch of issues (mostly related to our Red Hat ES3 servers).

I'm going to start looking into this again. We still have our old Red Hat ES3 servers (along with AS4 and 5.5).

So my options are basically this:
- Try again to integrate with Active Directory
- Setup an RHDS server (completely separate from AD)
- Setup an RHDS server and sync with AD

I'm looking for a simple method that is reliable. Integrating with AD left a bad taste because of all the weird issues we ran into, but I was trying to integrate using LDAP and Kerberos (and as I understand it we can authenticate using LDAP only). I need to be able to restrict access to groups of users and groups of servers, which I know is possible in RHDS.

I've read a few documents from Red Hat about RHDS and it sounds like a good product, but there aren't many impressions from actual users on the internet.

Thanks!

acid_kewpie 04-12-2011 03:08 PM

rhds is pretty ropey, it's a very old product that's been sold onwards to various different companies over the years and each one has patched it up and moved it on. I mean it works OK, and is enterprise grade, but it breaks and is very tricky to fix again. Or at least, our extensive multi-layered deployments of it are. You can use replication plugins - passsync I think it's called - which run as a service on your AD servers (or actually any windows domain member) which will replicate data into DS to allow full integration of relevant data between the two directories, and separate data for unrelated parts, e.g. uids. UID generation was not possible on the 8.0 systems we were using, so that required an additional external script for uid generation, which kinda undermines the product in various conceptual ways.

IF you already have AD working, then you will probably get better results using samba to join the domain rather than a separate / partially integrated DS system, but if it's a blank canvas, I'd say DS is fine, although note that 389DS is the "open" fork of the project and worth looking at too. openldap is also generally "fine" and a lot easier to deal with and more forgiving.

Rike255 04-12-2011 03:20 PM

Very interesting information, thanks.
AD is currently running (used to authenticate to the windows environment), but I don't really know what Samba is. I'll take a look at 389 DS too.

acid_kewpie 04-12-2011 03:35 PM

You're a unix admin and don't know what samba is?? blimey.

so join domains with samba and (I think) use a simple ldap install like openldap to store uid maps for samba. job done.
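The samba-plus-OpenLDAP uid map this post recommends, as an added smb.conf example that is not from the thread or from the Samba project. EXAMPLE, EXAMPLE.COM, ldap.example.com and the DNs are placeholders, and the file assumes a Samba release with the per-domain `idmap config` syntax (3.6 or newer), not the Samba 3.0 that shipped with RHEL 3/4.

```ini
# /etc/samba/smb.conf (constructed example; domain, realm, host and DN values are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    # Let winbind find the host keytab created by "net ads join" for Kerberos auth
    kerberos method = secrets and keytab

    # Default range for SIDs from any domain that has no explicit mapping below.
    # Kept local (tdb) and deliberately small so stray domains cannot consume
    # the range reserved for the real domain.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Uid/gid allocation for the EXAMPLE domain lives in OpenLDAP, so every
    # joined server maps the same SID to the same uid (the shared "uid map").
    # The bind password is not kept here: Samba reads it from secrets.tdb,
    # where it is stored with the "net idmap" tool (see idmap_ldap(8) for the
    # exact subcommand on your release).
    idmap config EXAMPLE : backend = ldap
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE : ldap_url = ldap://ldap.example.com
    idmap config EXAMPLE : ldap_base_dn = ou=idmap,dc=example,dc=com
    idmap config EXAMPLE : ldap_user_dn = cn=idmap,dc=example,dc=com

    # Log in as "alice" rather than "EXAMPLE\alice"; no cached logons on servers
    winbind use default domain = yes
    winbind offline logon = no
    template shell = /bin/bash
    template homedir = /home/%D/%U
```

Restricting which AD groups may log in to a given server (the requirement in the opening post) is done on top of this in each server's PAM configuration, for example with pam_winbind's `require_membership_of` option, so the directory holds the groups and the server decides which of them are allowed in.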

Rike255 04-12-2011 04:29 PM

I'm what you'd call a "new" unix admin. ;)

