Reality check

If you're connecting a couple of networks together, or connecting a network to the Internet, most people would instantly reach for a Cisco router (or, if you were really radical, maybe go for something from Juniper Networks). It's what you do, right? Wrong!

Have you ever taken a router apart? I know I have. If you were expecting to see real cutting-edge hardware for your money in that nice black plastic box, you've yet to find it, right? Hmmm, wonder what all my money's going on... I know. It must be the operating system that goes with it. After all, it's really complicated connecting a network to the Internet and running all those weird routing protocols, isn't it? And as for packet filtering, boy, I can see why they have to charge me loads extra to add that to my box. And if I change protocols, like from ISDN to ADSL or Frame Relay, it's obvious that I should need to buy all those special new modules and updates to my software... isn't it?

No it isn't! Let's get real. The simple truth is, it really isn't rocket science, and you can actually do everything one of those exclusive, very expensive proprietary boxes does on an old 486. And you can do it better and faster. Here's what you do. Take a commodity PC or low-end server, install Debian GNU/Linux or your favourite Open Source OS, and then slot in a Sangoma Technologies WAN card. Bingo! Instant router! Not only that, but you've now got a router that can grow, shrink, do anything you want, and handle anything that is thrown at it. More than this, you have just saved your business a great deal of money. We think Sangoma cards are terrific. And that's why we're their UK reseller.

Getting off the treadmill

Let's take one of our clients as an example. They're a very rapidly growing business, naturally with a busy Internet connection. They'd done the Cisco thing and bought themselves a 1603 for the best part of a couple of thousand pounds, but within 6 very short months found themselves bumping up against its capacity. Guess what: they were told they should throw it away and buy themselves a mid-range 3600 series. This was going to set them back another £4-5K just to get started (not a lot really; when the time comes for them to have their own E3 line they'll be asked a cool £6K just for the adapter module alone!). Then there was the additional training their staff needed, the management toolset the reseller felt they really should have, plus the extra... With Ciscos, it can very rapidly get very, very expensive.

That's when the realisation fully set in with our clients. They were on the proprietary suppliers' upgrade treadmill: they would have to do the same thing again, and again, and again, and again. So we didn't let them do this. We got them a nice little 1U server from Dell and slotted in one of our Sangoma WAN cards, all for less money than they originally spent on that 'entry level' Cisco. Even with their growth rate it lasted over 2 years! When they did finally reach the limit and had to upgrade, we simply swapped the Sangoma card out and put it into another, bigger, box (this time from DNUK...). And, since the old 1U server was commodity hardware, we used it for something else! What they've got is a system that knocks spots off any Cisco equivalent at a fraction of the cost. They love it, the FD in particular.

Open Source, simply better software

Kicking out the Ciscos means more than just up-front savings too. Updating your Linux box doesn't have to cost you anything. But updating your Cisco IOS most certainly will! And if you want anything extra, other than bog-standard routing, with the proprietary suppliers you're going to have to pay for that as an extra too! That's why our clients don't go that way. Once your Sangoma card equipped PC has Linux (or perhaps FreeBSD?) on it you can do anything you want. Packet filtering? No problem, just add iptables. Cost of packet filtering: nothing! Proxying? No problem, just add Squid. Cost of proxying: nothing! Now just try doing that with a Cisco. They'll be laughing all the way to your bank! No wonder they power the Internet. I could, on all that money!

But, they say, 'dedicated hardware' is bound to outperform a plain vanilla Intel/Linux box, isn't it? Actually, NO. We've seen it in practice, and Sangoma's published figures back it up. The figures show the Sangoma card outperforms the Cisco under ALL measures (with small packet sizes, by over 50%!) right up until saturation of the line, when the Cisco eventually achieves parity!

By the way, there's another thing our clients like about doing routing this way. You stick a Cisco into your network and you've got another box, another set of cables, another hop on the way out, and yet another operating system to learn all about (and have you looked at IOS?). Why would anyone want all this complexity, hassle and cost? Stick one of these WAN cards in your Linux box and you simplify the whole thing. It's faster, it's cheaper, and it's a whole lot simpler to set up and administer. Have a look at Sangoma's home page. It may not be as funny as routergod.com but, if you ever do need a good laugh, there's always Slashdot.

So there you have it. A couple of days' work and you have a router that's as powerful as anything on the market. And, believe me, it really is as easy as that. You've now got a more reliable, simpler and faster solution. You've eliminated another box in your server room, and replaced it with something far easier to administer. You've reduced your exposure to, and dependency on, proprietary technologies and the constant hardware/software upgrade treadmill they force you onto. Even more than this, you've saved the business a great deal of money on hardware, support staff time, software licences and 'extra' modules.
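What "just add iptables" comes to on such a box, as an added example that is not from the original article, from Sangoma or from Debian: a Python script that generates a complete iptables-restore ruleset for a two-interface router, default-deny in both directions, with anti-spoofing on the WAN side, connection tracking, NAT for the private LAN and SSH to the router from a single admin host only. The interface names (eth0, wan0), the 192.168.1.0/24 LAN range and the admin host address are assumed values; the WAN interface name in particular depends on the card's driver.

```python
"""Generate an iptables-restore ruleset for a two-interface Linux router."""
import ipaddress
import sys

# Assumed values for this example; change them to match the box.
LAN_IF = "eth0"               # LAN side
WAN_IF = "wan0"               # WAN side (the interface the WAN card presents)
LAN_NET = "192.168.1.0/24"    # RFC 1918 range behind the router
ADMIN_HOST = "192.168.1.10"   # the only host allowed to SSH to the router

# Kernel settings the ruleset relies on: forwarding on, reverse-path check on,
# and no ICMP redirects in either direction on a box that is the gateway.
SYSCTLS = {
    "net.ipv4.ip_forward": 1,
    "net.ipv4.conf.all.rp_filter": 1,
    "net.ipv4.conf.all.accept_redirects": 0,
    "net.ipv4.conf.all.send_redirects": 0,
}

# Source ranges that should never arrive from the Internet side. Anything
# matching these on the WAN interface is spoofed and is dropped.
BOGONS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
          "172.16.0.0/12", "192.168.0.0/16"]


def router_rules(lan_if=LAN_IF, wan_if=WAN_IF, lan_net=LAN_NET,
                 admin_host=ADMIN_HOST):
    """Return the ruleset as a list of lines in iptables-restore format."""
    ipaddress.ip_network(lan_net)      # fail here on a typo, not at load time
    ipaddress.ip_address(admin_host)
    spoofed_on_wan = sorted(set(BOGONS) | {lan_net})
    return [
        "*filter",
        ":INPUT DROP [0:0]",            # default deny for the router itself ...
        ":FORWARD DROP [0:0]",          # ... and for everything routed through it
        ":OUTPUT ACCEPT [0:0]",
        ":ANTISPOOF - [0:0]",
        # Anti-spoofing: private ranges never arrive on the WAN side, and only
        # the LAN range may arrive on the LAN side.
        *[f"-A ANTISPOOF -i {wan_if} -s {net} -j DROP" for net in spoofed_on_wan],
        f"-A ANTISPOOF -i {lan_if} ! -s {lan_net} -j DROP",
        "-A INPUT -j ANTISPOOF",
        "-A FORWARD -j ANTISPOOF",
        # Traffic to the router itself: loopback, replies, ping from the LAN,
        # and SSH from the one admin host only.
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        f"-A INPUT -i {lan_if} -p icmp --icmp-type echo-request -j ACCEPT",
        f"-A INPUT -i {lan_if} -s {admin_host} -p tcp --dport 22 "
        "-m conntrack --ctstate NEW -j ACCEPT",
        # Routed traffic: the LAN may open connections outbound; the Internet
        # side only ever gets replies back in.
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
        f"-A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} -j ACCEPT",
        "COMMIT",
        "*nat",
        ":PREROUTING ACCEPT [0:0]",
        ":INPUT ACCEPT [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":POSTROUTING ACCEPT [0:0]",
        # Hide the private LAN behind whatever address the WAN side has.
        f"-A POSTROUTING -o {wan_if} -s {lan_net} -j MASQUERADE",
        "COMMIT",
    ]


def sysctl_lines():
    """Return the matching /etc/sysctl.d fragment, one key=value per line."""
    return [f"{key}={value}" for key, value in SYSCTLS.items()]


if __name__ == "__main__":
    # `python3 router_rules.py sysctl > /etc/sysctl.d/90-router.conf`
    # `python3 router_rules.py > /etc/iptables/rules.v4`
    lines = sysctl_lines() if sys.argv[1:] == ["sysctl"] else router_rules()
    print("\n".join(lines))
```

Run it and read the output before loading it: `python3 router_rules.py | iptables-restore` applies the whole ruleset atomically, and `python3 router_rules.py sysctl` prints the matching /etc/sysctl.d fragment (nothing is forwarded until net.ipv4.ip_forward is 1). The default-DROP policies and the single SSH rule are the flip side of the argument above: the router is now a general-purpose host, so it needs the same hygiene as any other server in the room (nothing listening that isn't needed, nothing on the router reachable from the WAN side, and patched along with the rest of the estate).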
This month's OPEN For Business! is the second in our LDAP mini-series. The series is about using directory services to make the administration of your network easier and, potentially, how to replace every bit of proprietary software you may have in the network with better Open Source software, plus how to tie it all together. Last month we covered what a directory is, and hinted at what you could do with it. This month we will look at the creation of a single user account base and single sign-on, initially across all of your non-Windows systems (Linux, Solaris, MacOSX, FreeBSD, HP-UX, etc).

But first you need your LDAP directory! The Open Source world is blessed with the simply fantastic OpenLDAP project. Led by Kurt Zeilenga, author or editor of several of the RFCs that define LDAPv3, the OpenLDAP server and related tools are one of our best-kept secrets. So it's about time we corrected that...

The OpenLDAP server is a full implementation of the LDAP definition, and has such a vast range of features, all of them so technically wonderful, that I could go on and on for ever. Let's just say it's lightning fast, superbly robust, and does everything you could ever need a directory server to do, but without the simply obscene price tag the proprietary vendors seem to enjoy attaching to these things. Of course it's Open Source too, which gives it transparency, extensibility and unlimited customisation potential, and it tracks LDAP's defining standards closely, which is more than can be said for some other directory products I could mention!

So we've got our OpenLDAP server. Let's get on with populating it! As I mentioned last month, an LDAP directory holds information about objects in a tree-like organisational structure (a quick tip at this point: the structure you create to hold your users can be anything you like, and we recommend one that reflects your actual organisational structure, bearing in mind that an entry's name, its DN, includes its position in the tree, so every reorganisation then means renaming entries). You can then associate key pieces of information with these objects.

Time to make this real. The objects that we are interested in creating are users. If I asked you what your users consist of in IT terms, you'd probably tell me the standard stuff: username, password, home directory, access to this, denied access to that, email account with an email address, etc (funny old view we have of people, right?). Take some time right now, and you'll see that you can soon write a list of stuff defining what a user is on your network. So if we create an object in our directory that represents a user from the IT perspective, the attributes this object must have are the ones that are meaningful in an IT sense, and you've just listed them.

All this stuff is well understood, and well thought through. A central notion in the LDAP world is that of 'schemas'. You've probably noticed by now that I like to explain complex stuff in simple terms. I'm aware that there's a million and one subtleties, and my descriptions are not 'precise' in absolute terms, but we'll leave that argument to the pedants; my descriptions are good enough for where we're going. A schema is a batch of definitions: attribute types (things like telephone numbers, email addresses and passwords) and the object classes that say which of those attributes an object of a given kind must and may carry. Include a schema in your LDAP server's configuration and you can then use its object classes and attributes in your entries. Simple, right?

So we start by adding some schemas that represent people (our somewhat odd IT notion of what people look like, that is!) and also that represent an account on a UNIX box. With OpenLDAP that means the core, cosine and inetorgperson schemas it ships with (the inetOrgPerson class for the person) and the nis schema (the posixAccount and shadowAccount classes for the UNIX account). You now have a basic directory service, and you're ready to actually do something with it.

Now we need to move on to the boxes you want to authenticate to your shiny new directory server. As mentioned, we're going to start with your UNIX, GNU/Linux and BSD machines. By default, these machines have a local account database (/etc/passwd), a legacy from the early days of UNIX. This database is sometimes exactly what you need, but the truth is, in most cases it's a nightmare to manage. Imagine a network of 500 servers, each with its own user database, each of which needs visiting every time a change happens in your user population. Yuck! Traditionally UNIX solved this with systems like NIS, but this is not truly cross-platform in any trivial-to-implement way, and we want to do waaay better than that, especially when we bring our Macs and Windows boxes online!

The answer is Pluggable Authentication Modules, affectionately known as PAM. The notion is simple... abstract the authentication layer so that your UNIX system can be authenticated by any method which has a PAM module. PAM makes the method look like traditional UNIX authentication. There are plenty of them, including MySQL, RADIUS, Kerberos and, for our purposes, LDAP (pam_ldap). One thing PAM does not do is tell the system who the user is: the uid, gid, home directory and shell that used to come from /etc/passwd now have to come from the directory too, and that is the job of the Name Service Switch and its matching nss_ldap module. Plug both in and the account lives entirely in the directory.

Simply better software

Once your LDAP PAM is plugged into your machine, you can authenticate the underlying operating system against your new directory. One account base across all your UNIX and GNU/Linux servers: how cool is that? Not only that, but FreeBSD (the world's finest web server!) has had PAM for years (it switched to its own OpenPAM implementation in release 5), and since MacOSX is based on a BSD core, it can participate in this scheme too. There's only one significant OS missing from your new account management paradise... It's OK. Don't worry, we're going to hit them next month! I'll show you how to extend your new directory to enable logons to your Windows servers and desktops. These logons will be with exactly the same accounts you've just set up to enable logons to your UNIX, GNU/Linux and BSD machines. Single identity across all of your platforms: now won't that be nice? We'll do all this without you having to buy one of those ridiculously expensive directory solutions from one of the proprietary vendors. It'll do it better. And it's all because it's simply better software.
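The steps above (load the person and UNIX-account schemas, build the tree, create a user the clients can then authenticate against), as an added example in Python that is not from the original article or from the OpenLDAP project. It produces the LDIF for a user carrying inetOrgPerson, posixAccount and shadowAccount, hashes the password in the {SSHA} form slappasswd produces by default, refuses an entry that lacks an attribute one of those object classes requires or that would hand out a system uid, and includes the suffix and People OU entries that have to exist before any user can be added. The dc=example,dc=com suffix, the ou=People layout, the 1000 minimum uid and the sample user are assumed values.

```python
"""Build the LDIF for a person who is also a UNIX account, ready for ldapadd."""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"           # assumed directory suffix
PEOPLE_OU = f"ou=People,{BASE_DN}"     # assumed container for user entries
MIN_UID = 1000                          # assumed site policy: below this is a system account

# Attributes each object class requires (the MUST lists in OpenLDAP's stock
# inetorgperson.schema and nis.schema). slapd rejects an entry missing any.
REQUIRED = {
    "inetOrgPerson": {"cn", "sn"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
}


def ssha_hash(password, salt=None):
    """Return the {SSHA} value slappasswd produces by default: base64(sha1(pw+salt)+salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]                # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)    # constant-time comparison


def user_entry(uid, given_name, sn, uid_number, gid_number, password,
               shell="/bin/bash", mail=None):
    """Return (dn, attributes) for one user; ValueError on an unsafe or incomplete entry."""
    if uid_number < MIN_UID:
        # uidNumber 0 in the directory would be root on every client box.
        raise ValueError(f"uidNumber {uid_number} is reserved for system accounts")
    attrs = {
        "objectClass": ["top", "inetOrgPerson", "posixAccount", "shadowAccount"],
        "uid": [uid],
        "cn": [f"{given_name} {sn}"],
        "givenName": [given_name],
        "sn": [sn],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": [f"/home/{uid}"],
        "loginShell": [shell],
        "userPassword": [ssha_hash(password)],
    }
    if mail:
        attrs["mail"] = [mail]
    missing = {attr for cls in attrs["objectClass"]
               for attr in REQUIRED.get(cls, ()) if attr not in attrs}
    if missing:
        raise ValueError(f"entry is missing required attributes: {sorted(missing)}")
    return f"uid={uid},{PEOPLE_OU}", attrs


def to_ldif(dn, attrs):
    """Serialise one entry as LDIF, base64-encoding values LDIF cannot carry literally."""
    lines = [f"dn: {dn}"]
    for name, values in attrs.items():
        for value in values:
            # LDIF only allows printable ASCII that does not start with space, ':' or '<'.
            safe = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
            if safe:
                lines.append(f"{name}: {value}")
            else:
                lines.append(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return "\n".join(lines) + "\n"


def container_ldif():
    """The suffix entry and the People OU that must exist before any user is added."""
    dc = BASE_DN.split(",")[0].split("=")[1]
    return (to_ldif(BASE_DN, {"objectClass": ["top", "dcObject", "organization"],
                              "dc": [dc], "o": [dc]})
            + "\n"
            + to_ldif(PEOPLE_OU, {"objectClass": ["top", "organizationalUnit"],
                                  "ou": ["People"]}))


if __name__ == "__main__":
    # Constructed sample user; pipe the output to
    # `ldapadd -x -H ldaps://ldap.example.com -D cn=admin,dc=example,dc=com -W`
    dn, attrs = user_entry("jbloggs", "Joe", "Bloggs", 1001, 1001, "correct horse",
                           mail="joe.bloggs@example.com")
    print(container_ldif())
    print(to_ldif(dn, attrs))
```

Pipe the output into ldapadd against the server; slapd applies the same MUST checks, so an entry this script would reject is rejected there too. Before touching PAM on a client, point nss_ldap (or nslcd/sssd) at the directory and confirm `getent passwd jbloggs` and `id jbloggs` return what the entry says; only then enable pam_ldap, so a mistake in the lookup side cannot lock you out. Two checks worth making on the server: that slapd's ACL keeps userPassword to `by self write by anonymous auth by * none` rather than the read-everything policy it applies when no ACL is configured, and that clients reach it over TLS, since a simple bind sends the password in the clear otherwise. {SSHA} is salted but fast to brute-force; recent OpenLDAP releases offer stronger password-hash modules (Argon2 among them), which are the better choice for a new deployment.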
This month's OPEN For Business! is the first in a mini-series. The series is about how to use Directory Services to make the administration of your network simpler and easier. We'll look at how to replace every bit of proprietary software you may have in that network with what we all know is a far faster, far more reliable solution: Open Source software. Then finally, and most importantly, I'll show you how to tie it all together into a network that really delivers, and that really provides what the business wants and IT's users need.

First of all some background. Let's start with something that's often unpalatable: the truth.

The truth - would you start from where you are?

The truth about almost every network in the world is that it consists of a wild variety of disparate (or is that desperate?) technologies, platforms, operating systems and services. Timescales are always tight, so bits have had to be tacked on here, kludged there and patched all over simply to keep pace with the latest business demand or new management strategy. So it's all grown higgledy-piggledy over the years. Now ask yourself: if you had to do it again, would you really want to start from where you are?

Even so-called 'Microsoft shops' rarely consist of a single build of Windows. Indeed, the truth about the Windows platform is that it's just as 'fragmented' as any other; you didn't really believe that Windows 3.1, 3.11, 95, 98, 98SE, Me, NT 3.51, NT4, 2000, XP Home, XP Professional, 2003, XP Reloaded (!) were perfectly interoperable or even similar operating systems, did you? Then there's the never-ending barrage of Service Packs. It's best not to even think about what they do to the underlying technologies, protocols, or even file systems... Yep, the plain truth is that an operating system monoculture, even if it were desirable, only exists in the proprietary vendors' marketing brochures.

Now add network services to this already heady cocktail and you've got what most businesses out there have: complexity in spades, constant fixes and upgrades, high cost, poor reliability. In short, a mess. Yet a mess that's absolutely crucial to business competitiveness and performance. So what's a poor IT Director to do? Well, there's certainly no shortage of vendors happy to 'advise' you, and to help you sort this lot out. Most vendors will tell you that their solution can integrate all of your various platforms, and that if you choose their solution everything will be "roses, roses!". Occasionally they even mean it! More often than not, though, what they actually mean is that you have to chuck out all those 'non-industry standard' (this week!) platforms you've been dumb enough to accumulate and 'upgrade' to the best, all-time favourite, greatest platform of today. Theirs. But at what cost? Always remember: it's only lizards that can grow new arms and legs...

A shining light

So is there any light that Open Source can throw on this issue? And is there a strategy for using Open Source to extend the life of your existing cocktail (if it ain't broke...), keep your options open for the future, and maybe even give you a clear roadmap to the future based on Enterprise Class Open Source solutions? Funny you should ask that...

The common element in all IT systems is that your users need to use them. So the logical place to start is with a single source of user information. This is where Directory Services come in. All the vendors know this; that's why Microsoft's Active Directory, Sun's Sun ONE Directory Server and Novell's eDirectory are touted as the cure for all network woes. Now, is there a common element to all these products? You bet! It's called LDAP.

LDAP, the Lightweight Directory Access Protocol, lets information about objects (most commonly users, but also computers, printers, servers, pretty much anything) be held in a tree-like organisational structure. You can associate key pieces of information with these objects: passwords, email addresses, HR information, home directories, and so on. Once you've done this you can use your directory as the basis for managing pretty much everything about your network. It's the Holy Grail!

One of the things Microsoft networks have historically done, and done reasonably well, is to give a form of single sign-on to the network and all its services (as long as they're Windows, of course!). It's the basis of Windows networking's supposed 'ease of use' (along with GUIs for everything!). It comes with a price tag, however, and I don't just mean money. The thing is, if you use a Directory Service that locks you into a single platform (whether it's Sun, Microsoft, Novell, anyone), you've just slapped on a pair of lock-in handcuffs and dramatically reduced your options. And guess what vendors do when you run out of options... Quite simply, for many tasks, non-Windows software does a far better job. But these days it's Open Source software that does the best job of all.

Simply better software

Over the next few months, OPEN For Business! will show you how to build an entirely Open Source Directory Service. One that will give you options. I will show you how to do this and why you should want to. I will show you how you can integrate what proprietary vendors disparagingly call your 'legacy' systems (even though you appear to be getting perfectly decent service from them!), and how you can weld together multiple platforms, different generations of technologies, servers, services and desktops into a functional whole, without mortgaging your future to a roadmap your vendor tells you is "the one true way".
This is a big subject, so we're going to take several episodes to cover it. Here's a taster of what we'll do:
- Single user account base and single sign-on across all of your non-Windows systems (Linux, Solaris, MacOSX, FreeBSD, HP-UX, etc)
- Extending this account base to offer the same accounts, home directories, passwords, etc to your Windows servers and desktops
- Using the same accounts to manage access to key network services (email aliases and routing, Internet access, web server access, FTP, network file systems, the list goes on)
- Extending your directory to represent groups, desktop PCs and workstations, printers and other objects
- Using your directory for a company-wide single address book
It's simple, it's easy to do, it's fast and it's reliable. The business will absolutely love it and your FD will smile all the way to the bank. And all because it's simply better software.