Slashdot Mirror
Integrating Microsoft's AD into Apple's OD?
grag asks: "My workplace has started a migration to a unified authentication system using Microsoft's Active Directory, and Apple's Open Directory. We need to know if it is possible to place a Microsoft Active Directory server underneath a master Open Directory server in the hierarchy. The Microsoft server provides services only to our Accounting Department, and it seems to us that it should integrate to the Mac Server since all of our other departments use the Mac Server. Our network consists of fifty Macs connected to an Xserve running Mac OS X Server 10.3.6 Unlimited Client License. In addition, we have on a separate subnet five Windows boxes connected to a Microsoft Windows 2003 Server with a five-client license. Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?"
Why not just use the server that everyone else uses (the XServe) for the accounting department as well... If its because the accounting department uses Windows.... well the XServe is capable of being the domain for Windows, Macs, and Linux Boxen.
[insert lame joke here]
From the Apple site the poster linked to:
"The Open Directory architecture makes it easy to integrate Mac OS X client and server systems to into your existing network infrastructure. It's compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft's Active Directory"
So it looks pretty straight forward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.
I'd start by checking the white papers on that Apple page. Then browse through the Apple knowledge base. They use groups.google.com to see what other people are saying about it.
Drop the MS Server
BOFH style
from the 4th floor
on the car of your boss.
Grundgesetz * 23. Mai 1949 - 30. November 2007 - http://www.vorratsdatenspeicherung.de/
Phone up Bill Gates and say "Yeah, Bill? You know all that talk about interoperability? Where is it?"
Dear Slashdot,
.Will you give it to no-one
I am far too wimpy to take the karma hit for this flame
Thanks!
Coward
I would read this document available on the Apple site. It has some good information on integrating AD and OD.
One section says this: "Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac OS X Server that is an Open Directory master. Some of these users may instead be defined in directory domains on other servers, such as an Active Directory domain on a Windows server."
Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?
While interesting, I would suggest that you look at Apple centric boards for resolution of this kind of question. How many Slashdotters know or care? Here's some examples:
- AFP 548
- OS X Enterprise
- Apple's Server mailing list,this question is right up that alley.
- X server boards on Apple's website
- Apple's PDF on Open Directory Administration.
I'm sure there's more, but those are the quick few that you could at least get better resources from if they don't directly answer your question. I won't kid you--I don't think it'll be easy. But it would be helpful to start with people that might actually know the answer, than to start with people that probably don't.You might also consider a Server Support agreement from Apple; they can help with this kind of integration. Sure, it costs; but then you didn't think that we'd do your job for you either, right? And I believe that you could get this kind of support for the cheapest plan: $5995, and even have a few more calls left over for the rest of the year.
--
$tar -xvf
There's a pretty good whitepaper about this on AFP548. Specifically, download the PDF.
There is nothing so good that someone, somewhere, will not hate it.
...ask Apple. Seriously. My company has an account executive and a systems engineer that visit us twice a year. Between them, they'll be able to tell you exactly what OS X can and can't do, and what it'll cost. You don't have to be a huge company to get this kind of service. If you want to spend money, they'll let you talk to whoever it takes to answer your questions and close the sale.
Most likely it can be done but it is a pretty complex request so it *will* come down to money--either paying someone to come in and do it, or paying to train someone in-house to take care of it. Unlike something relatively simple and common, like setting up Apache, when you get this far into things there aren't a lot of tutorials on the web. Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button. Complicated shit like this is... complicated. You'll probably have to pay, one way or another. Start here: http://train.apple.com/
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
1) drop Open Directory
2) drop AD, or
3) I welcome our new LDAP overlords
But unfortunately, the parent is lame for posting anonymously so flamebait he obviously is. Had he posted under an account, I would have not jumped to conclusions (damn I need to get my 'Jump to conlusions' mat back from the repair shop) that he was trolling. /end-rambling
[insert lame joke here]
Adding Vintella or Centrify to the mix allows to to manage not just sign-on authentication, but fine-grained network and client policy with the native AD controls. This is something OD doesn't come close to.
AD is the second best directory in the world - after NDS. NDS doesn't come close to the level of third-party application and tool support, any longer.
"Flyin' in just a sweet place,
Never been known to fail..."
About two months ago Apple launched a new Web site for IT Professionals, http://www.apple.com/itpro.
Sort of Apple's equivalent of Microsoft's TechNet page.
I'm not sure if it will help you with your particular issue, but it's bookmark-worthy for any Macintosh network systems administrator.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
The Apple paper on AD/OD integration is a good place to start. I do question why you'd need Active Directory at all unless you have some sort of application that requires it and isn't fooled by Samba/LDAP.
Having used OpenDirectory for a year and half, I can say that it is too buggy for enterprise use. There seem to be problems with the OpenLDAP and PasswordService integration in OpenDirectory. OpenLDAP crashes hard very frequently and often the entire OS X system (due to the way DirectoryService works) is made complete unresponsive. Apple is aware of the bugs and how to reproduce them but so far has done nothing. The current rumors are that these bugs (or bug) will be fixed in Tiger. That is simply not acceptable for enterprise software. Current bug numbers (ticket numbers) that Apple has assigned this problem are 3966561, 3725081, and 3549410.
The irony is that OpenDirectory is awesome! We should be actively porting the architecture to linux. The problems I've described above are not inherent design flaws, but rather specific Apple implementation bugs on OS X. I know on Linux this stuff would work wonderfully. OpenLDAP forms a key component of this architecture but it's only the authorization component. OpenDirectory provides a unified SASL/Kerberos password store that does authentication in a unified way (and syncs passwords for samba, md5, etc)
Given this discouraging situation, I'd stick to Active Directory if I were you for now.
It's well worth it. I attended, and since then, we've implemented a large-scale AD-OSX integration.
http://train.apple.com/static/users/it.html
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom