Slashdot Mirror


Integrating Microsoft's AD into Apple's OD?

grag asks: "My workplace has started a migration to a unified authentication system using Microsoft's Active Directory, and Apple's Open Directory. We need to know if it is possible to place a Microsoft Active Directory server underneath a master Open Directory server in the hierarchy. The Microsoft server provides services only to our Accounting Department, and it seems to us that it should integrate to the Mac Server since all of our other departments use the Mac Server. Our network consists of fifty Macs connected to an Xserve running Mac OS X Server 10.3.6 Unlimited Client License. In addition, we have on a separate subnet five Windows boxes connected to a Microsoft Windows 2003 Server with a five-client license. Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?"

53 comments

  1. Do you require AD for the Windows boxes by biglig2 · · Score: 2, Informative

    Or do you just require some sort of authentication mechanism?

    I ask since some software packages depend on and demand you use AD, but if you have none of that then things like e.g. Samba could be possible alternatives, and might be easier to integrate.

    I would hope that you wouldn't have to put the MS stuff at the top, since that would be a bad network design, but it wouldn't surprise me if you end up having to do this.

    --
    ~~~~~ BigLig2? You mean there's another one of me?
    1. Re:Do you require AD for the Windows boxes by biglig2 · · Score: 3, Insightful

      I began to wonder if Samba integration to Open Directory was easy or not, so I looked it up - should have guessed, Samba is already built in to Open Directory!

      So, if you're not using an application on the PCs that demands AD, then not using AD seems to be the answer.

      However, I fear that you do really need AD, since otherwise your question is a bit pointless!

      --
      ~~~~~ BigLig2? You mean there's another one of me?
    2. Re:Do you require AD for the Windows boxes by MarcQuadra · · Score: 2, Informative

      If you need AD itself, and can't use SAMBA/OD, you've got to either run parallel systems or put AD on top. There's no way to slave AD off of OD for now, only the other way around.

      It would be cool if someone built an authentication/policy interface to OD for Windows though, or made some sort of AD-compatible transport and attribute mode for OpenLDAP.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
  2. Am I missing something? by aventius · · Score: 4, Informative

    Why not just use the server that everyone else uses (the XServe) for the accounting department as well... If it's because the accounting department uses Windows.... well the XServe is capable of being the domain for Windows, Macs, and Linux Boxen.

    --
    [insert lame joke here]
    1. Re:Am I missing something? by petree · · Score: 2, Insightful

      I've experienced this before. The reason that the accounting department is likely separate is because of the software they use. The XServe is capable of doing simple file/auth/print services, but what do you think is the backend of the accounting application? Probably MSSQL or Oracle, but likely some windows-only database. Poster wasn't asking how to migrate everything to non wintel, but directory integration.

      Now seriously, parent +5? Propose a non-ms solution get modded up.

    2. Re:Am I missing something? by aventius · · Score: 1
      I proposed a non-ms solution because they were already using a non-ms solution for 90% of the network.... seems logical, right? So maybe it wasn't some part of MS smear scandal.

      Now you have a point about database/application backends but don't assume that I'm trying to spread Anti-MS FUD when I'm only thinking logically. BTW, you can still use Open Directory to manage a Windows server... oops, I logically proposed a non-MS solution again... my bad.

      --
      [insert lame joke here]
  3. Fifty-Five nodes? by Jeremiah+Cornelius · · Score: 3, Informative
    Doesn't much matter!

    Sorry for that. Use AD - it is more flexible and will have more applications leverage the directory, as you grow.

    Populate the AD with the Apple Schema additions, and migrate your Mac info to AD - ditch OD. For fifty users, the headaches and overhead of directory synchronization are not worth the trouble. Not even the education value is worth the complaints that you will endure on the way, if something goes awry.

    When you are huge, you can synch directories with MIIS. This is the cheapest Identity Management solution to play nice with all your parties - but still too much for your scale.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:Fifty-Five nodes? by aventius · · Score: 3, Insightful

      I think you missed the key fact that the majority of the computers are macs. I might have agreed that AD is more flexible if they had all windows machines but that's not the case. I refuse to believe that MS-AD is more flexible in a multi-OS environment than Open Directory.

      --
      [insert lame joke here]
    2. Re:Fifty-Five nodes? by Jeremiah+Cornelius · · Score: 4, Informative
      C'mon, with the schema additions for *nix, AD looks like any LDAP to a pam/ldap client. That's all OD will ever look like.

      Adding Vintella or Centrify to the mix allows you to manage not just sign-on authentication, but fine-grained network and client policy with the native AD controls. This is something OD doesn't come close to.

      AD is the second best directory in the world - after NDS. NDS doesn't come close to the level of third-party application and tool support, any longer.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    3. Re:Fifty-Five nodes? by dbrutus · · Score: 4, Informative

      The Apple paper on AD/OD integration is a good place to start. I do question why you'd need Active Directory at all unless you have some sort of application that requires it and isn't fooled by Samba/LDAP.

    4. Re:Fifty-Five nodes? by MDhaliwal · · Score: 1

      There's no reason at all to simply 'ditch OD'.

      Active Directory and Open Directory can work quite well together. My servers are set up in the exact opposite way of how you are proposing. My user accounts reside in AD and I use OD to provide the specific MCX data to the desktops that are not supported by the default AD schema.

      Here's a word of advice, *do not* modify your AD schema. Sure, it's LDAP and we all know you should be able to modify your directories to meet your environmental needs, but that's not always the case with AD. Consider that Apple does update their AD modifications from time to time, as well. In my mind, why modify AD, when you can have a continually updated OD deployment on an XServe, without worrying about properly populating 'unused' attributes with OS X attributes that may change, or be used differently in different builds?

      When you consider the cost of an OD Master compared to the professional services and planning that goes into modifying AD, it really becomes easy to see why you should use OD. My AD and OD play very nicely together, but you will give up certain capabilities. If you are using OD in an AD domain, you give up the ability to manage users at the user level; you're now dealing with groups. OD groups at that, but there are scripts that can sync your AD groups to your OD groups, to make management easier. Most folks don't find this to be too big of a problem, as they don't have time to manage each user, but rather just groups anyway. Also, remember, you never want to bind your OD Master to an AD. You can use a client machine to administrate your set up quite easily.

      Hope this helps! Let me know if there's anything else I can provide info on!

      Mike D, ACSA

      --
      ACSA www.district13computing.com
  4. Uh, the details are in the link by elliotj · · Score: 4, Informative

    From the Apple site the poster linked to:
    "The Open Directory architecture makes it easy to integrate Mac OS X client and server systems into your existing network infrastructure. It's compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft's Active Directory"

    So it looks pretty straight forward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.

    I'd start by checking the white papers on that Apple page. Then browse through the Apple knowledge base. Then use groups.google.com to see what other people are saying about it.

    1. Re:Uh, the details are in the link by jhealy1024 · · Score: 5, Informative

      So it looks pretty straight forward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.

      I agree with (1) and (3), but (2) is nowhere close. Apple has done it, and it is possible, but the documentation is somewhat lacking. There are several gotchas to worry about (especially if you're doing stuff like roaming profiles on the windows boxes). If you read the Apple documentation, it makes it look like 30 minutes of work. In reality, a full integration like what the poster is looking for is several days of time...

      Also, it should be noted that integrating windows with OD can only be done as an NT4-style domain; the OD server can't masquerade as an AD server. I think the submitter understands this, which is why they're trying to integrate a whole AD server into the Mac setup. Running the Mac for everything just won't work if you need true AD (which I assume they do).

      Most of the OD/AD integration I've heard of has the OD taking orders from AD. This is mainly due to the fact that AD is proprietary crap that hasn't been reverse-engineered yet, so the easiest way to go is to slave off of it, rather than try to get MS to play nice with your open, standards-compliant system. Of course, this is exactly what MS wants (embrace and extend!), but until the Samba team gets enough donations to hack the AD protocols, that's probably the only option.

    2. Re:Uh, the details are in the link by Parsec · · Score: 1

      I can't be sure, but I also believe that X will use, at a maximum, NTLMv1, which is susceptible to man-in-the-middle attacks. That might not be an issue if you are implementing this in a small office, but you'd likely want to set up a VPN for anyone who connects from out of office. Also make sure that you pay attention to any documentation on Lan Manager hash style passwords. You want to avoid those as they can be cracked with trivial effort. This project might be easier with Mac OS X 10.4, I hear the AD integration will be improved.
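
      The post above recommends avoiding LAN Manager hashes and NTLMv1 where the OD/Samba side talks to Windows. The following is an added example, not code from the thread or from Apple/Samba: a small audit script that parses the [global] section of a Samba smb.conf and reports the settings that leave LM or NTLMv1 enabled. The parameter names (`lanman auth`, `ntlm auth`, `client lanman auth`, `client ntlmv2 auth`) are real Samba options; the two configurations are constructed samples showing the weak settings beside the hardened ones, and the choice of which values to flag is this example's own reading of the advice.

```python
"""Audit a Samba smb.conf [global] section for LAN Manager / NTLMv1 settings.

Added example for this thread; the two configurations below are constructed, not taken
from any real deployment.
"""
import re

# Constructed sample: the weak settings a default or legacy install may carry.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE        # constructed workgroup name
    lanman auth = yes          ; LM challenge/response accepted
    ntlm auth = yes
    client lanman auth = yes
    client ntlmv2 auth = no
"""

# Constructed sample: the same section with the hardened values.
HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    lanman auth = no
    ntlm auth = no
    client lanman auth = no
    client ntlmv2 auth = yes
"""

# Parameter -> (required value, why the other value is risky).
# These parameter names exist in Samba; treating anything else as a finding is our assumption.
CHECKS = {
    "lanman auth": ("no", "server accepts LM hashes, which can be cracked with trivial effort"),
    "client lanman auth": ("no", "client may send LM responses to servers"),
    "ntlm auth": ("no", "server accepts NTLMv1 responses, exposed to man-in-the-middle/relay"),
    "client ntlmv2 auth": ("yes", "client may fall back to NTLMv1 instead of NTLMv2"),
}


def parse_global(conf: str) -> dict:
    """Return key/value pairs of the [global] section, keys and values lowercased.

    Handles '#' and ';' comments and ignores every other section.
    """
    section = None
    values = {}
    for raw in conf.splitlines():
        # Strip trailing comments in either Samba comment style, then whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip().lower()] = val.strip().lower()
    return values


def audit(conf: str) -> list:
    """Return (parameter, observed, expected, reason) for every weak or unset parameter.

    An unset parameter is reported as "<unset>": the safe value must be explicit, because
    the built-in default for these options has differed across Samba releases.
    """
    found = parse_global(conf)
    findings = []
    for key, (want, reason) in CHECKS.items():
        have = found.get(key, "<unset>")
        if have != want:
            findings.append((key, have, want, reason))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(audit(conf))} finding(s)")
        for key, have, want, reason in audit(conf):
            print(f"  {key} = {have} (want {want}): {reason}")
```

      Run it against a copy of the real smb.conf by swapping in `open(path).read()` for the constructed strings; the hardened sample produces no findings, the weak one flags all four parameters.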

  5. Don't read only lame M$ bashing by NoSuchGuy · · Score: 4, Funny

    Drop the MS Server

    BOFH style

    from the 4th floor

    on the car of your boss.

    --
    Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
    1. Re:Don't read only lame M$ bashing by bill_mcgonigle · · Score: 0, Flamebait

      only lame M$ bashing

      Yet so cathartic. Thanks.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. Obvious answer by Anonymous Coward · · Score: 5, Funny

    Phone up Bill Gates and say "Yeah, Bill? You know all that talk about interoperability? Where is it?"

  7. Re:Translation by Anonymous Coward · · Score: 4, Funny

    Dear Slashdot,

    I am far too wimpy to take the karma hit for this flame. Will you give it to no-one

    Thanks!
    Coward

  8. Check Apple's Docs by ravenspear · · Score: 5, Informative

    I would read this document available on the Apple site. It has some good information on integrating AD and OD.

    One section says this: "Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac OS X Server that is an Open Directory master. Some of these users may instead be defined in directory domains on other servers, such as an Active Directory domain on a Windows server."

    1. Re:Check Apple's Docs by DaveJay · · Score: 1, Funny

      OT: How can AD and OD help me with my ADD?

  9. Free tech-sup for a proprietary system? by cniebla · · Score: 0, Troll

    what? you should ask your vendor(s), if you like a free ride go LDAP/Kerberos.

  10. other sources by Johnny+Mnemonic · · Score: 4, Insightful

    Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?

    While interesting, I would suggest that you look at Apple centric boards for resolution of this kind of question. How many Slashdotters know or care? Here's some examples:

    I'm sure there's more, but those are the quick few that you could at least get better resources from if they don't directly answer your question. I won't kid you--I don't think it'll be easy. But it would be more helpful to start with people that might actually know the answer than to start with people that probably don't.

    You might also consider a Server Support agreement from Apple; they can help with this kind of integration. Sure, it costs; but then you didn't think that we'd do your job for you either, right? And I believe that you could get this kind of support for the cheapest plan: $5995, and even have a few more calls left over for the rest of the year.

    --
    $tar -xvf .sig.tar
    1. Re:other sources by arglesnaf · · Score: 2, Informative

      If all you need is directory services replication, the OD/AD integration is fine, but for my requirements, I wanted truly integrated native UNIX / Windows authentication, the kind that Samba does not provide.

      Beyond the Directory integration, you need to build a Kerberos domain for absolutely seamless authentication and 100% verifiable identity. The best thing is, once you have it up and running you have single sign on as well.

      Apple, Sun, and Microsoft sell "Integration tools" that do this halfway, but the best paper I have seen on doing it natively is by Microsoft.

      http://www.microsoft.com/downloads/details.aspx?FamilyId=144F7B82-65CF-4105-B60C-44515299797D&displaylang=en

      It's a little hard to get your head around, but it kicks ass once it is up and running. Unlike Sun's "Java One Directory" or whatever they renamed it this week, OS X's OD has native Kerberos support built in, so the hardest part is done for you.

      Of course for only 5 boxes I might just decommission AD and use Samba myself.

    2. Re:other sources by fatlaces · · Score: 1

      I've also found this site

  11. AFP548.com by SandSpider · · Score: 4, Informative

    There's a pretty good whitepaper about this on AFP548. Specifically, download the PDF.

    --
    There is nothing so good that someone, somewhere, will not hate it.
  12. Don't ask Slashdot... by sootman · · Score: 5, Informative

    ...ask Apple. Seriously. My company has an account executive and a systems engineer that visit us twice a year. Between them, they'll be able to tell you exactly what OS X can and can't do, and what it'll cost. You don't have to be a huge company to get this kind of service. If you want to spend money, they'll let you talk to whoever it takes to answer your questions and close the sale.

    Most likely it can be done but it is a pretty complex request so it *will* come down to money--either paying someone to come in and do it, or paying to train someone in-house to take care of it. Unlike something relatively simple and common, like setting up Apache, when you get this far into things there aren't a lot of tutorials on the web. Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button. Complicated shit like this is... complicated. You'll probably have to pay, one way or another. Start here: http://train.apple.com/

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    1. Re:Don't ask Slashdot... by Johnny+Mnemonic · · Score: 2, Informative

      Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button

      Funny that you should say that, because apparently in Tiger Server there is:

      Home Server Setup -- Anyone Can Do It

      Perfect for small offices and home offices, the new Gateway Setup Utility in Tiger Server makes it easy for anyone to set up her own Internet Gateway, Firewall and VPN. Simply connect a network cable from your server to your DSL or cable modem and another cable from your network to your server. When run, the Gateway Setup Utility automatically configures the server as a router, configures DHCP and VPN address ranges, enables DHCP and NAT, configures firewall rules and enables DNS caching. With just a few clicks you can set up complex services that even seasoned administrators find challenging.

      NT Migration Tool

      Tiger Server makes it a snap to upgrade your aging Windows NT network to a Mac OS X server. The new NT Migration Tool automatically extracts all of your user and group account information from an existing Windows Primary Domain Controller and moves it into Open Directory. Tiger Server can then take over as your Primary Domain Controller for your Windows clients and even host your Windows users' home directories, group folders, roaming profiles and shared printers.

      'Course, your point remains and I second it; see my post above. But it struck me as funny that Apple will include something that at least purports to do this...

      --
      $tar -xvf .sig.tar
    2. Re:Don't ask Slashdot... by segoy · · Score: 1

      Except that a "Windows Primary Domain Controller" is part of an NT4 domain structure, not an Active Directory domain. AD makes no distinction between primary and secondary: it is federated, and only recognizes the "master" machine which is the authoritative source when conflicts are encountered.

  13. Re:Translation by aventius · · Score: 5, Insightful
    You know.... the above parent has a good point about calling tech support. Contacting tech support or searching the Apple website would have been much faster and more fruitful than posting on Slashdot. Half of the responses here will be:

    1) drop Open Directory
    2) drop AD, or
    3) I welcome our new LDAP overlords

    But unfortunately, the parent is lame for posting anonymously so flamebait he obviously is. Had he posted under an account, I would have not jumped to conclusions (damn I need to get my 'Jump to conclusions' mat back from the repair shop) that he was trolling. /end-rambling

    --
    [insert lame joke here]
  14. Vice Versa [Re:Uh, the details are in the link] by Anonymous Coward · · Score: 2, Insightful

    I think the poster is asking if M$'s Active Directory will integrate with OS X, not if Apple can integrate with M$.

  15. Actually, even better... by Anonymous Coward · · Score: 1, Insightful

    Try this resource first: http://consultants.apple.com/consultant/ It'll probably be cheaper and faster to get it right in the first place.

  16. Apple's IT Pro page by Vandil+X · · Score: 4, Informative

    About two months ago Apple launched a new Web site for IT Professionals, http://www.apple.com/itpro.

    Sort of Apple's equivalent of Microsoft's TechNet page.

    I'm not sure if it will help you with your particular issue, but it's bookmark-worthy for any Macintosh network systems administrator.

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    1. Re:Apple's IT Pro page by Vandil+X · · Score: 4, Informative
      I'm not sure if it will help you with your particular issue, but it's bookmark-worthy for any Macintosh network systems administrator.

      Actually, one of the first "Featured Articles" links on that site might help you: Integrating Mac OS X and Active Directory

      --
      Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    2. Re:Apple's IT Pro page by oDDmON+oUT · · Score: 1

      Unfortunately for the poster the article reads like AD needs to be at the root. :^(

      There is a sidebar pointing to another whitepaper:

      http://www.afp548.com/filemgmt/viewcat.php?cid=8

      But it too seems to deal with AD as root "A detailed overview of how to integrate OS X clients into an Active Directory environment while still retaining the ability to manage the clients with the OS X Server tools."

      --
      Some days it's just not worth
      chewing through my restraints.
  17. cross-realm by Anonymous Coward · · Score: 2, Informative

    We do cross-realm authentication:

    http://www.4am-media.com/sso

    Also find quite a bit of good data here:

    http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html

    A good idea is to take Apple's Directory Services class: http://train.apple.com/ The author of the above articles taught ours (and wrote part of the class).

  18. Integration by Anonymous Coward · · Score: 0

    Drop Windows Server and replace with Samba acting as domain controller with LDAP backend.

  19. OpenDirectory has known show-stopper bugs by caseih · · Score: 4, Interesting

    Having used OpenDirectory for a year and a half, I can say that it is too buggy for enterprise use. There seem to be problems with the OpenLDAP and PasswordService integration in OpenDirectory. OpenLDAP crashes hard very frequently and often the entire OS X system (due to the way DirectoryService works) is made completely unresponsive. Apple is aware of the bugs and how to reproduce them but so far has done nothing. The current rumors are that these bugs (or bug) will be fixed in Tiger. That is simply not acceptable for enterprise software. Current bug numbers (ticket numbers) that Apple has assigned this problem are 3966561, 3725081, and 3549410.

    The irony is that OpenDirectory is awesome! We should be actively porting the architecture to linux. The problems I've described above are not inherent design flaws, but rather specific Apple implementation bugs on OS X. I know on Linux this stuff would work wonderfully. OpenLDAP forms a key component of this architecture but it's only the authorization component. OpenDirectory provides a unified SASL/Kerberos password store that does authentication in a unified way (and syncs passwords for samba, md5, etc.).

    Given this discouraging situation, I'd stick to Active Directory if I were you for now.

    1. Re:OpenDirectory has known show-stopper bugs by nacturation · · Score: 1

      Given the name OpenDirectory, one would assume that source is available? If so, how difficult are those bugs to reproduce and fix? I haven't done any Apple development, but it should be possible for someone experienced in this to pick up the ball, release a patch, and enjoy the respect and admiration of the whole community... maybe even catch a few PayPal donations while they're at it.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    2. Re:OpenDirectory has known show-stopper bugs by caseih · · Score: 2, Informative

      Yeah you'd think that would be the case. The source files are available but I have yet to get them to build. They also have heavily hacked OpenLDAP without separating their changes out into patches. Thus using a newer version of OpenLDAP, for example, is almost impossible. I'm going to start talking to the OpenDarwin folks about building these things.

      So far, sadly, Apple indeed uses open source components and releases much of their source, but they are not open in most senses of the word. There are no mailing lists where I can really have a dialog with other Apple server users *and* Apple engineers. I can't even access an open bugs list like I can with their closest enterprise competitor, RedHat.

      So it is possible to use completely open source products together in a way that obfuscates (either intentionally or just from lack of documentation) how things fit together such that really modifying or fixing things is difficult. I guess the main thing that is missing is documentation. Apple has next to no documentation on the guts of the system. There is no record of how and why they have modified OpenLDAP, no information on the protocols (message-passing and tcp/ip) used by OpenDirectory (DirectoryService and PasswordService to be specific) other than ldap which only forms a part of the system. In fact after studying the system for over a year I'm still not sure exactly how the system fits together and what the service dependencies are in OpenDirectory.

  20. Single Sign on Using AD by Wustoff · · Score: 2, Informative

    Here's a pretty good article about how to do Single Sign on with AD with Linux/Unix Desktops.
    http://www.redmondmag.com/columns/article.asp?EditorialsID=858

    This may help someone out there.

    Cheers,

    Wustoff!

  21. Re:Translation by nacturation · · Score: 1
    Half of the responses here will be:

    1) drop Open Directory
    2) drop AD, or
    3) I welcome our new LDAP overlords

    You missed the most obvious one:

    4) In Soviet Russia, Directory Opens you!

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  22. Take the Directory Services course by csoto · · Score: 4, Informative

    It's well worth it. I attended, and since then, we've implemented a large-scale AD-OSX integration.

    http://train.apple.com/static/users/it.html

    --
    There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
    1. Re:Take the Directory Services course by jimmyharris · · Score: 1

      I agree, the course is well worth doing and it's the only way of getting good documentation from Apple in this area. There is a section on cross-realm Kerberos authentication which is what you are looking at here.

      We run a large AD (~70,000 users and ~20,000 computers) and many of the university's departments have configured X.3 clients to authenticate against the AD.

      I've documented how to authenticate a X.3 client against an AD as well as how to use an AD for authentication and an OD server to manage groups and computers.

  23. AD/OD Integration by Anonymous Coward · · Score: 0

    MOST Training & Consulting has an excellent Advanced Admin course which covers AD/OD integration and Mass deployment too. Worked great for my company. http://www.macworkshops.com/most/course.html

  24. Re:Translation by bardothodal · · Score: 1

    You missed 4. just leave it alone and deal with it!

    --
    No matter where you go, there you are.
  25. start where i did by option8 · · Score: 1

    o'reilly's article - a little out of date now, but still valid.

    and AFP548.com - run by the guy i took OS X server classes from.

  26. Do ask Slashdot... by WindBourne · · Score: 1

    because, there is more than one way to skin a cat. Plain and simple, the companies have their best interest at heart. That means more sales. They may have a solution that works just so-so or even does not work; yet, they sell you the solution.

    By asking here, everybody learns (or at least gets to be modded as funny or troll/flamebait for being asses).

    --
    I prefer the "u" in honour as it seems to be missing these days.