This month's OPEN For Business! continues our LDAP mini-series. The series is about using directory services to make administration of your network easier, and potentially, how to replace every bit of proprietary software you may have in the network with better Open Source software, plus how to tie it all together. So far, we've covered setting up a Directory Service based on OpenLDAP, and everything you need to do to create a single user account base and single sign-on across all of your Operating Systems, including Windows. This month we're going to begin making your Directory even more useful by moving into the realm of applications. I'm going to show you how to LDAPify (pronounced el-dap-if-eye!) your Open Source email system. You can see where this is going, can't you? Got your CV ready?

Email systems are great! They've gone from being an obscure plaything known only to geeks to being the business-critical application. Your users are guaranteed to whine about two things: "printing's not working!" and "email's not working!". And if they're correct about email not working for any length of time you'll be looking for your next job!

Email systems range from 'fast, scalable and rock solid' to 'extremely expensive and fundamentally broken'. The great news I've got for you is that it is simple to exchange them! The best email systems are, of course, Open Source. Having said that, Open Source email systems traditionally have perceived weaknesses when compared to certain 'integrated' proprietary email products. Chief amongst these is the need to configure user account information in multiple places and configure system functionality in multiple files (e.g. underlying UNIX accounts, aliases files, virtual user tables, mutter mutter, sed, grep, awk... - you get my point...).
Just imagine if you could build the ultimate integrated email system from best-of-breed Open Source components, keep each individual component dumb, but pointing to a single source of configuration information (which is where all the intelligence is). Then, if that single source of information was easy to manage too, maybe even with a simple GUI (shock! horror!), you may even find Windows email System Administrators eager to exchange what they currently use for a licence-free, killer, Open Source email platform. Guess what? It's simple.

Here's the deal (you should be getting used to this by now). Once again, it's not rocket science, it is easy, it's fun, and it gives you one Hell of a kick-ass IT system... We're going to make a few enhancements to our OpenLDAP server first, starting with extending the info we keep on our users. Do you remember a couple of issues back I asked you to come up with a list of stuff that defines a user in IT terms (careful! - I heard that thought! - let's keep this clean...)? Let's dig in and think about this in terms of email. If email on your network works anything like it does on the ones I've set up, we end up with a simple list that looks something like:

- 'Home' email server
- Username, i.e. account on that email server
- Password
- One or more email addresses (occasionally with different domain names, but all ending up in the same inbox)
- A few 'housekeeping' rules (like quotas, etc.)
All these bits of information can be held in your LDAP Directory. And by now I reckon you know how we make the attributes available - that's right, we register some appropriate schemas. Some of the attributes are available from schemas we've already got (things like email addresses and usernames). The others depend on the Open Source software you're going to be using for your email system. If you use Sendmail, for example, you'll probably want to use the 'sendmail.schema' file that comes with it.

Doing it - step by step:

OK, time to make it real. Let's build an email server from scratch and integrate it with our newly email-enabled LDAP directory. I said earlier you can use any Open Source components - we're going to use Sendmail as our MTA. Sendmail is very easy to LDAPify: you simply add some lines to the sendmail.cf telling it to do its lookups from your directory server. Once you've done this, Sendmail can get its aliases, routing information, authentication information, simply everything from the OpenLDAP directory. The beauty of this is that you don't ever have to touch this machine again - from now on you manage Sendmail from the LDAP directory, which is pretty great in itself.

Again, in the Open Source world, there's a wealth of 'user-facing' mail delivery software. We're going to choose the fantastic project Cyrus for LDAPification. Cyrus is simply a superb, Enterprise Class Open Source mail storage system. It handles IMAP and POP, implements single instance storage, integrates beautifully with web-email front ends like Squirrelmail, has a delicious abstracted authentication subsystem called Cyrus SASL, and integrates with LDAP (through SASL) like nothing else I've ever seen. And here's a hot tip!
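Once the MTA routes purely on what the directory says, the directory becomes the thing to check: an address that two user entries both claim means ambiguous delivery, and the MTA will silently pick one. The following is an added example, not code from the column; it assumes the inetLocalMailRecipient attributes mailLocalAddress (the 'one or more email addresses' item) and mailHost (the 'home email server' item), and the LDIF it reads is constructed sample data.

```python
# Added example (not the column's code). Assumes the inetLocalMailRecipient
# schema attributes mailLocalAddress / mailHost; the LDIF below is constructed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetLocalMailRecipient
uid: alice
mailLocalAddress: alice@example.com
mailLocalAddress: Alice@example.org
mailHost: mail1.example.com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetLocalMailRecipient
uid: bob
mailLocalAddress: bob@example.com
mailLocalAddress: alice@example.org
mailHost: mail2.example.com
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of dicts, lower-cased attribute -> values."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        if not raw:                       # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def build_routing(entries):
    """Return (routing, conflicts): address -> mailHost as the MTA would see
    it, plus addresses claimed by more than one uid (ambiguous delivery)."""
    routing, owners = {}, {}
    for e in entries:
        host = e.get("mailhost", [None])[0]
        for addr in e.get("maillocaladdress", []):
            addr = addr.lower()           # mail addresses compare case-insensitively
            owners.setdefault(addr, []).append(e["uid"][0])
            routing.setdefault(addr, host)  # first claimant wins, as an MTA would
    conflicts = {a: u for a, u in owners.items() if len(u) > 1}
    return routing, conflicts

if __name__ == "__main__":
    routing, conflicts = build_routing(parse_ldif(SAMPLE_LDIF))
    for addr, host in sorted(routing.items()):
        print(f"{addr:24} -> {host}")
    print("conflicts:", conflicts)
```

Run the same check over a real `ldapsearch -LLL` export before pointing Sendmail at the directory, and again whenever an address is added.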
Use the Cyrus patches the team at the University of Athens have created - they add invaluable functionality to Cyrus (like automatic account creation the first time a user in your LDAP directory connects to the Cyrus server or the first time an email is received for that user). Trust me, this kind of functionality makes administration of your system absolutely trivial. LDAPifying Cyrus is simply a case of compiling it against your OpenLDAP libraries (or getting the LDAPified package for your favourite Linux distribution) plus adding a couple of lines to your config files to tell Cyrus SASL to get its account and authentication information from your LDAP Directory. And, that's it. You're done!

Bells and whistles:

You can add as many bells and whistles as you like (say spam filtering and anti-virus, maybe even calendaring, voice messaging and an email-to-fax gateway if you really want to get fancy). But what you've now got is an Enterprise Ready email system that's fully integrated with, and managed from, your Open Source Directory Server. Now, how cool is that?

So there we are. We've made our start with applications. We've taken over the most user-critical network service and we've exchanged it for a far, far better one! Next month I'm going to round up our LDAP mini-series by showing you how to integrate a batch of other services, plus build a company-wide address book. By the time we've finished you'll be in no doubt that you can do everything the proprietary Directory Servers do for you, and do it far, far better, using superior Open Source software. It will be far faster and far more reliable. You won't be locked in to the continual upgrade cycle, and you won't have to pay those extortionate licence fees.