Integrating Microsoft's AD into Apple's OD?
grag asks: "My workplace has started a migration to a unified authentication system using Microsoft's Active Directory, and Apple's Open Directory. We need to know if it is possible to place a Microsoft Active Directory server underneath a master Open Directory server in the hierarchy. The Microsoft server provides services only to our Accounting Department, and it seems to us that it should integrate to the Mac Server since all of our other departments use the Mac Server. Our network consists of fifty Macs connected to an Xserve running Mac OS X Server 10.3.6 Unlimited Client License. In addition, we have on a separate subnet five Windows boxes connected to a Microsoft Windows 2003 Server with a five-client license. Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?"
Having used OpenDirectory for a year and a half, I can say that it is too buggy for enterprise use. There seem to be problems with the OpenLDAP and PasswordService integration in OpenDirectory. OpenLDAP crashes hard very frequently, and often the entire OS X system (due to the way DirectoryService works) is made completely unresponsive. Apple is aware of the bugs and how to reproduce them but so far has done nothing. The current rumors are that these bugs (or bug) will be fixed in Tiger. That is simply not acceptable for enterprise software. Current bug numbers (ticket numbers) that Apple has assigned this problem are 3966561, 3725081, and 3549410.
The irony is that OpenDirectory is awesome! We should be actively porting the architecture to Linux. The problems I've described above are not inherent design flaws, but rather specific Apple implementation bugs on OS X. I know on Linux this stuff would work wonderfully. OpenLDAP forms a key component of this architecture, but it's only the authorization component. OpenDirectory provides a unified SASL/Kerberos password store that does authentication in a unified way (and syncs passwords for Samba, MD5, etc.).
Given this discouraging situation, I'd stick to Active Directory if I were you for now.