389 directory server or openldap


I'd like to discuss / ask the audience here about the possibility of replacing NIS and Samba.

RHEL 5.x and 6.x clients are authenticated through NIS, and Windows 7 clients are authenticated through a Samba PDC. NIS and Samba both run on a RHEL 6.5 server. Users move between locations, using both Linux and Windows clients, so all users are set up in Samba and in Linux. The solution is apparently to implement LDAP to make user management simpler.

- go with 389-ds or with OpenLDAP?
- if 389, then which source should be used for the installation?

The EPEL repository contains:
389-admin.i686 1.1.35-1.el6 epel
389-admin.x86_64 1.1.35-1.el6 epel
389-admin-console.noarch 1.1.8-1.el6 epel
389-admin-console-doc.noarch 1.1.8-1.el6 epel
389-adminutil.i686 1.1.19-1.el6 epel
389-adminutil.x86_64 1.1.19-1.el6 epel
389-adminutil-devel.i686 1.1.19-1.el6 epel
389-adminutil-devel.x86_64 1.1.19-1.el6 epel
389-console.noarch 1.1.7-1.el6 epel
389-ds.noarch 1.2.2-1.el6 epel
389-ds-console.noarch 1.2.6-1.el6 epel
389-ds-console-doc.noarch 1.2.6-1.el6 epel
389-dsgw.x86_64 1.1.11-1.el6 epel

while the RHEL 6 repo contains:
389-ds-base.x86_64 rhel-dvd
389-ds-base-libs.i686 rhel-dvd
389-ds-base-libs.x86_64 rhel-dvd

- so install only from EPEL or only from the vendor repo, or is it possible to install the base from the vendor repo and add the admin tools from EPEL?

Thank you for any comments.

First, let me point out that you won't be replacing Samba; only NIS will be replaced by LDAP, since Samba is the Windows domain controller.

Both OpenLDAP and 389-DS offer the same functionality; however, 389-ds offers more features, and the admin console makes managing the directory server easier.

If you have a Red Hat subscription, then I recommend that you use one for this server and install the full 389-ds from the Red Hat repositories, but if you are supporting yourself, then go with EPEL, as it will offer you the full set of packages around 389-ds.

I recommend against mixing and matching between the Red Hat repo and EPEL, as I have seen issues with other software doing so.

Does anyone know whether Red Hat Identity Management (formerly IPA) would be a good fit here? I believe it is included in your standard subscription and adds quite a bit of functionality.

I think it is worth reviewing:

Red Hat IdM (which is based on FreeIPA, the upstream project for IdM) is not a replacement for a domain controller (like a Samba PDC or AD); however, integrating Windows clients with Red Hat IdM can be done in different ways:

1- If there is already an AD, then establish a trust between AD and IdM.
2- If there is no AD, then use Samba.
3- If neither works, then configure Windows to work directly with RH IdM using Kerberos.

For this reason, IdM without a configured AD trust can provide only an authentication service for Windows hosts; it can't provide an account database for Windows hosts in the same way AD does. You have to create a local Windows account and the appropriate account mapping for each user if you select direct Windows<=>RH IdM integration.

More on this topic:

Thanks for all the 'to the point' comments! Appreciated very much.

As I've jumped into the process of studying this setup:
Samba PDC + 389DS as the Samba password backend

I'd like to ask one theoretical question. I have already read tons of material about, e.g., migrating groups and users from Samba to 389 Directory Server.
Most guides focus on the PADL software (pam_ldap, smbldap-tools), etc., and some guides, including the Red Hat documentation for 6.5, recommend the use of SSSD instead.

So the question is: would the setup be viable / possible for a Samba PDC with 389DS as the password backend using the SSSD service (instead of pam_ldap)?
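As an added example (not posted in this thread and not the Samba, 389-ds or SSSD projects' own configuration), the two consumers of the directory in the setup asked about can be written side by side. SSSD answers the Linux clients' NSS and PAM lookups, while Samba's ldapsam passdb backend talks to 389-ds directly and never goes through pam_ldap or SSSD, so the two do not depend on each other. Host names, DNs, certificate paths and the dedicated bind accounts are assumptions.

```ini
# /etc/sssd/sssd.conf  (must be owned by root, mode 0600, or sssd will not start)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
# LDAPS to the 389-ds host (assumed name) so passwords never cross the wire in clear text
ldap_uri = ldaps://ds.example.com
ldap_search_base = dc=example,dc=com
# Plain POSIX account schema; 389-ds can serve Samba's attributes in the same entries
ldap_schema = rfc2307
# Verify the server certificate against a CA bundle (assumed path); "demand" rejects
# an unknown or expired certificate instead of silently falling back
ldap_tls_cacert = /etc/openldap/cacerts/example-ca.crt
ldap_tls_reqcert = demand
# Read-only bind account for lookups if the directory disallows anonymous search (assumed DN)
ldap_default_bind_dn = cn=sssd-reader,ou=Services,dc=example,dc=com
ldap_default_authtok = CHANGE-ME-placeholder
# Allow logins from cached credentials when the directory is unreachable
cache_credentials = true
enumerate = false

# /etc/samba/smb.conf  (only the lines relevant to the password backend)
[global]
workgroup = EXAMPLE
domain logons = yes
domain master = yes
# Samba writes and reads sambaSamAccount entries in 389-ds on its own
passdb backend = ldapsam:ldap://ds.example.com
ldap ssl = start tls
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
# A dedicated account with write access only to the Samba subtrees (assumed DN),
# rather than the directory manager; its password is stored with "smbpasswd -w"
ldap admin dn = cn=samba-admin,ou=Services,dc=example,dc=com
```

On RHEL 6, `authconfig --enablesssd --enablesssdauth --update` switches the Linux host's NSS and PAM stacks to SSSD, and `smbpasswd -w` stores the `ldap admin dn` password in Samba's secrets.tdb instead of the config file. The split worth noting is that only Samba needs write access to the directory (to create sambaSamAccount entries and machine accounts), so the SSSD bind account can stay read-only.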