[ Purposely changing this response to 303 ]

On Wed, Sep 21, 2016 at 7:09 AM, Mark Clarke <m...@jumpingbean.co.za> wrote:
> I wouldn't say NSS/389/Dogtag has been widely adopted outside RedHat yet
> - it very well might be an emerging technology but its not something
> every sys admin needs to know. If its included  at an "awareness level"
> then ok - but until it gets wide spread adoption, and mind share, I
> can't agree that it should be covered in any more details.

Putting even "mixed environments" aside, and all that SSSD enables
(for any LDAP, although most only use it with IPA), given the key
Samba people involved with SSSD/IPA developments ...

This final comment I cannot believe ...

> To be frank I think there the coverage in 303 is overboard.

The 303 Exam expends quite a lot of time on OpenLDAP replication, and
other things.

You say 389/IPA coverage in 303 is overboard.  If I wanted to actually
introduce "my opinion" (instead of just experience), I'd say OpenLDAP
replication coverage is overboard.  Anyone needing multi-master
replication is using the iPlanet lineage ... and has been for 15+
years.  ;)

I.e., I cannot help "Linux enthusiasts" if they've never touched the
iPlanet stack, and aren't familiar with its inherent multi-master
replication.  It's always been 2-way from day 1, then 4-way in version
6, and now 20-way in version 9 (aka 389 1.3).

To be frank ...

I honestly just wish "Linux enthusiasts" were aware that Netscape
hired Howe, Good and Smith themselves from Michigan in 1996, and why.
This also explains why there's been no release since 1996.  ;)  [1]

For those of us who have managed not just the Certificate System, but
even Gecko browser (Navigator, Mozilla, Firefox, et al.) attributes,
even some GNOME, in iPlanet and other LDAP servers, it's obvious.
Netscape wanted to manage both security, especially key, distribution
as well as client attributes, in LDAP.

Mind you this not only _pre-dates_ AD by 3 years (and OpenLDAP 2
years), but it is part of the reason _why_ Microsoft _also_ took the
Michigan LDAP code too.  It wasn't all just about Novell Directory
Server / eDirectory, although that was a major reason.  Microsoft was
pushing MS IE hard, and even made it part of the core Windows library
set in 1997.  The reason?

Microsoft too wanted to manage the clients in their future directory server too.

Red Hat acquired all iPlanet assets in 2004.  Red Hat releases as much
source code as they could from iPlanet version 7.1 at the time, for
anyone to use.  Other distros didn't show any interest, despite
multi-master replication and other things that OpenLDAP didn't have at
the time.

Red Hat also rewrote what they could not, and the resulting codebase
became the "clean" and "100% open source" 389 codebase by 2005.
Again, anyone could have adopted it, including Network Security
Services (NSS), but no one did.

I hinted why prior, a couple of other distros were pushing proprietary
solutions at the time.

One of the first things Red Hat first focused on was unifying Netscape
libraries with OpenLDAP libraries, as the iPlanet lineage had a lot of
Netscape libraries that had been developed _before_ OpenLDAP.  The NSS
(libnss) portion stayed separate from OpenSSL (libssl), especially
since -- at the time -- the former had all sorts of US Government
(e.g., FIPS) and Common Criteria certification, while the latter did
not (Red Hat assisted with the latter).

Next, would be a "canned" solution, which I've already talked about
endlessly.  It involves several key and core Samba maintainers to this
day, who constantly contribute a lot of the SSSD code into Samba, such
as for multi-domains, as SSSD has blown past the capabilities of
Winbindd, let alone provides so much more.  SSSD is really the "key
component" to everything.

As I often tell Windows AD architects, the SSSD is Linux's counterpart
to the LSA in NT/Windows.  It enables all sorts of capabilities, and
is modular.

This is where we are at in the 2010s.  I haven't seen a corporate
installation of _any_ distro without SSSD since 2013.  I teach a lot
of Debian and Ubuntu guys how to configure it, day-in, day-out.  And
when the comment comes up about how it should be "just a single
command to configure" ... IPA naturally follows.

IPA is nothing special.  It's just a "canned" client-server solution
of SSSD on the client side, and 389 et al. on the server.  It's
"canned," meaning inflexible, not a generic setup, but very, very
'tight,' just like AD.  After all, Microsoft _too_ offers a _full_
LDAP server.  It's called AD Lightweight Directory Services (LDS).
But it's not 'canned.'  And just like AD, you do _not_ have to know
the first thing about LDAP or Kerberos to manage IPA.  ;)

-- bjs

P.S.  With Oracle's acquisition of Sun, Oracle finally deprecated the
Sun One / iPlanet offerings.  So the defacto standard of iPlanet is
now 389, sold commercially as Red Hat Directory Server.  It's 'sold
separately' because managing a full LDAP server is costly,
support-wise.  Meanwhile, IPA (IdM) is "Free," even though it's the
same 389 at the heart of IPA.  It's not about the software.  It's
about the support costs.

Debian has the full IPA Server now, has for nearly 2 years.  The
problem is the lack of people actually knowing it exists, just like
389, Dogtag and even SSSD too.

[1] http://directory.fedoraproject.org/docs/389ds/FAQ/history.html

Bryan J Smith  -  http://www.linkedin.com/in/bjsmith
E-mail:  b.j.smith at ieee.org  or  me at bjsmith.me
lpi-examdev mailing list

Reply via email to