Slashdot Mirror
Integrating Microsoft's AD into Apple's OD?
grag asks: "My workplace has started a migration to a unified authentication system using Microsoft's Active Directory, and Apple's Open Directory. We need to know if it is possible to place a Microsoft Active Directory server underneath a master Open Directory server in the hierarchy. The Microsoft server provides services only to our Accounting Department, and it seems to us that it should integrate to the Mac Server since all of our other departments use the Mac Server. Our network consists of fifty Macs connected to an Xserve running Mac OS X Server 10.3.6 Unlimited Client License. In addition, we have on a separate subnet five Windows boxes connected to a Microsoft Windows 2003 Server with a five-client license. Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?"
Or do you just require some sort of authentication mechanism?
I ask since some software packages depend on and demand you use AD, but if you have none of that then things like e.g. Samba could be possible alternatives, and might be easier to integrate.
I would hope that you wouldn't have to put the MS stuff at the top, since that would be a bad network design, but it wouldn't surprise me if you end up having to do this.
~~~~~ BigLig2? You mean there's another one of me?
Why not just use the server that everyone else uses (the XServe) for the accounting department as well... If its because the accounting department uses Windows.... well the XServe is capable of being the domain for Windows, Macs, and Linux Boxen.
[insert lame joke here]
Sorry for that. Use AD - it is more flexible and will have more applications leverage the directory, as you grow.
Populate the AD with the Apple Schema additions, and migrate your Mac info to AD - ditch OD. For fifty users, the headaches and over head of directory synchronization are not worth the trouble. Not even the education value is worth the complaints that you will endure on the way, if something goes awry.
When you are huge, you can synch directories with MIIS. This is the cheapest Identity Management solution to play nice with all your parties - but still too much for your scale.
"Flyin' in just a sweet place,
Never been known to fail..."
From the Apple site the poster linked to:
"The Open Directory architecture makes it easy to integrate Mac OS X client and server systems to into your existing network infrastructure. It's compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft's Active Directory"
So it looks pretty straight forward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.
I'd start by checking the white papers on that Apple page. Then browse through the Apple knowledge base. They use groups.google.com to see what other people are saying about it.
I would read this document available on the Apple site. It has some good information on integrating AD and OD.
One section says this: "Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac OS X Server that is an Open Directory master. Some of these users may instead be defined in directory domains on other servers, such as an Active Directory domain on a Windows server."
There's a pretty good whitepaper about this on AFP548. Specifically, download the PDF.
There is nothing so good that someone, somewhere, will not hate it.
...ask Apple. Seriously. My company has an account executive and a systems engineer that visit us twice a year. Between them, they'll be able to tell you exactly what OS X can and can't do, and what it'll cost. You don't have to be a huge company to get this kind of service. If you want to spend money, they'll let you talk to whoever it takes to answer your questions and close the sale.
Most likely it can be done but it is a pretty complex request so it *will* come down to money--either paying someone to come in and do it, or paying to train someone in-house to take care of it. Unlike something relatively simple and common, like setting up Apache, when you get this far into things there aren't a lot of tutorials on the web. Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button. Complicated shit like this is... complicated. You'll probably have to pay, one way or another. Start here: http://train.apple.com/
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
About two months ago Apple launched a new Web site for IT Professionals, http://www.apple.com/itpro.
Sort of Apple's equivalent of Microsoft's TechNet page.
I'm not sure if it will help you with your particular issue, but it's bookmark-worthy for any Macintosh network systems administrator.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
We do cross-realm authentication:
a ctive_directory.html
http://www.4am-media.com/sso
Also find quite a bit of good data here:
http://www.macdevcenter.com/pub/a/mac/2003/12/09/
A good idea is to take Apple's Directory Services class http://train.apple.com./ The author of the above articles taught ours (and wrote part of the class.
If all you need is directory services replication, the OD/AD integration is fine, but for my requirements, I wanted truly integrated native UNIX / Windows authentication, the kind the Samba does not provide.
? Fa milyId=144F7B82-65CF-4105-B60C-44515299797D&displa ylang=en
Beyond the Directory integration, you need to build a Kerberos domain for absolutely seamless authentication and 100% verifiable identity. The best thing is, once you have it up and running you have single sign on as well.
Apple, Sun, and Microsoft sell "Integration tools" that do this halfway, but the best paper I have seen on doing it natively is by Microsoft.
http://www.microsoft.com/downloads/details.aspx
It's a little hard to get you head around, but it kicks ass once it is up an running. Unlike Sun's "Java One Directory" or whatever they renamed it this week OS, X's OD has native Kerberos support built in, so the hardest part is done for you.
Of course for only 5 boxes I might just decomission AD and use Samba myself.
Here's a pretty good article about how to do Single Sign on with AD with Linux/Unix Desktops.t orialsID=858
http://www.redmondmag.com/columns/article.asp?Edi
This may help someone out there.
Cheers,
Wustoff!
It's well worth it. I attended, and since then, we've implemented a large-scale AD-OSX integration.
http://train.apple.com/static/users/it.html
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
Yeah you'd think that would be the case. The source files are available but I have yet to get them to build. They also have heavily hacked OpenLDAP without separating their changes out into patches. Thus using a newer version of OpenLDAP, for example, is almost impossible. I'm going to start talking to the OpenDarwin folks about building these things.
So far, sadly, Apple indeed uses open source components and release much of their source, but they are not open in most senses of the word. There are no mailing lists where I can really have a dialog with other Apple server users *and* Apple engineers. I can't even access an open bugs list like I can with their closest enterprise competitor, RedHat.
So it is possible to use completely open source products together in a way that ofuscates (either intentionally or just from lack of documentation) how things fit together such that really modifying or fixing things is difficult. I guess the main thing that is missing is documentation. Apple has next to no documentation on the guts of the system. There is no record of how and why they have modified OpenLDAP, no information on the protcols (message-passing and tcp/ip) used by OpenDirectory (DirectoryService and PasswordService to be specific) other than ldap which only forms a part of the system. In fact after studying the system for over a year I'm still not sure exactly how the system fits together and what the service depedencies are in OpenDirectory.