Searching for a Directory Service Solution?
kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of approx. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why."
"For me, the choices are stark and clear:
- MS Exchange/Active Directory
- A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
- Samba/OpenLDAP/Kerberos
- Bynari Insight Server for messaging/groupware.
- Nitrobit Group Policy for, you guessed it, group policy management.
So, the question seems to be: OSS vs. Microsoft. Am I right? If so, the answer is easy: Which platform do the people who will be managing the stuff have the most experience with? It may be sacrilege to say it here, but if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hassle to go the OSS route.
I forget who said it but "OSS is free like a puppy is free". You need to have the staff to tend to the care and feeding. In the Detroit area at least, Windows guys are a dime a dozen. Competent Windows guys, while a bit more rare, are still easier to find than experienced Linux admins. (Of course, I'm looking at your question from a business consulting standpoint. If you're looking more for a technical recommendation, there's a lot more people here better qualified than me.)
Entrepreneur : (noun), French for "unemployed"
There is no directory service for directory services?
1. Install Windows XP SP1
2. leave open without a router
3. never patch, and notice people turn your computer into a fileserver solution
4. Profit!!!!!
Check out my sci-fi/humor trilogy at PatriotsBooks.
Whatever happened to Novell? I used that at the college I attended - web apps, email, directory, remote access, etc. Is this no longer a valid option, or was it just forgotten on the above list?
...check out Kerio Mailserver on Mac OS X Server.
I'm currently evaluating the combination above to see how good a job it will do replacing Windows and Exchange. Looks promising so far, and it supports MAPI, so end users can use Outlook.
Christ on a motorcycle, it doesn't matter what machine he runs, that doesn't solve his problem. Goddamn, at least keep the evangelism moderately relevant.
It's a standards based (LDAP) mail/groupware app which supports standard SMTP/IMAP clients as well as Outlook/Palm clients (for an additional fee).
Seems competitively priced to Exchange and there's also a free pure OSS version available (although if you want official support and a nice installer, you need to pay for it).
http://www.openexchange.com/
I haven't personally used it, but I've been looking at it as an Exchange alternative (I really really hate exchange) for the small company where I work.
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.
Of course since the questioner didn't mention openLDAP to begin with, he's probably better off with a "managed" solution like MS or Apple.
just save yourself the trouble
W2K3.
Just shut up, buy it and be done with it. It'll hook up with whatever you're running and it is fine as long as you take the same precautions any decent Sys Admin would.
Other Options to Consider:
Novell:
Linux Small Business Suite
http://www.novell.com/products/linuxsmallbiz/
It includes eDirectory, GroupWise for email, SUSE Enterprise Server, and the Novell ZENworks Linux Management Client.
IBM (Lotus)
http://www.lotus.com/lotus/general.nsf/wdocs/nd7c
You can use Domino as an ldap server.
Other IBM Software on Linux:
http://www-306.ibm.com/software/os/linux/software
or
http://www-1.ibm.com/linux/matrix/
There's also Novell's NDS... That could be your third option perhaps...
If the company is trying to do something geeky-cool, you may be best served by using a "cobbled-together" open source architecture. It'll show your boys' and girls' prowess on the console and could be used as a Hercules-on-a-pedestal showcase for your talents.
On the other hand, in either of the other two cases, you're most likely going to be using MS on the desktop and your people aren't going to care that you've implemented OpenLDAP as long as their Word, Excel and Outlook work. In this situation, as has already been noted, you'd probably be best served by implementing Windows Server 2003 + Active Directory. An additional benefit is the expertise is relatively cheap and available, and may already be in-house with your amalgamated IT staff.
Good luck!
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
Yea...listen to that little red, horned devil on your shoulder. Or you can listen to the force and shun the dark side and the son of Satan.
Use Fedora Directory Server or Red Hat Directory Server. It is derived from the acclaimed Netscape Directory Server. It is easy to set up, scalable and *just works*. For groupware just use phpGroupware or something. If all you need is mail access, I recommend Roundcube for the web access; it uses Ajax to give a nice user experience akin to Yahoo or Gmail. Keep an eye on the Hula Project too; it looks like when a release is made it will be real nice.
Regards,
Steve
Also check out Fedora Directory: http://directory.fedora.redhat.com/wiki/Main_Page
Stalker.com, and read through all the possibilities! It runs on almost anything.
I'm sure some /.ers can give you a better view of the quality of Netscape Directory Server but from the rumblings I've heard it's a complete package and it's pretty damned amazing (not to mention it supposedly scales through the roof).
You can check out the documents here
I stole this
MS Exchange/Active Directory (Cause I'm a Support Tech for AD!)
I don't know what your selection criteria are, but it seems to me that you have another choice: Novell's products. More specifically:
1. Directory Services: eDirectory. It runs on multiple OS platforms such as Windows, Linux, NetWare, Solaris, etc. It is more robust than AD, particularly across WAN links (viz. replication). And of course it is LDAP v3 compliant so nearly any LDAP client can use it for authentication and authorization.
2. Open Enterprise Server, Linux and NetWare. For hosting your file and print services. You get the best file system out there - NSS - on either platform. Real ACLs and vastly more refined trustee assignment and inherited rights filtering capabilities than any other filesystem.
3. Groupware/Messaging: I am less experienced in the alternative offerings in this category, but I believe that Novell has a decent product in GroupWise 7, which runs on Windows or Linux or NetWare.
Again I don't know what your selection criteria are, but you may have skipped Novell due to lack of awareness...
Cheers.
Pick out one of the most obscure, underdeveloped Linux distros (I suggest shadbix). You want it to be underdeveloped because you are going to port it to some old routers. Next go to SourceForge and look at all the directory services packages, messaging packages, etc. packages. Pick ones with version numbers less than .0.0.0.2. Once you get it all working, leave the confines of your basement and HIRE SOMEONE WHO KNOWS WHAT THEY ARE DOING. If, out of your hundred-plus employees, you don't have an admin capable of this, get rid of one or two and get someone who does.
Try XAD from PADL.
To Windows clients, it acts as an Active Directory domain controller, so it supports Kerberos authentication, group policies, etc. It also includes RFC 2307 support for seamless integration of Linux/UNIX clients.
Is this a duplicate post? Or was someone else doing their job by asking /.? Seems like a poor way to get a job done.
/.? Could be a resume generating event......
Wonder if his boss will read his question on
1. MS Exchange/Active Directory - quick, easy, and cheap.
2. Shell out a lot of money for something else.
3. Have a headache "trying" to set up something similar with OSS.
That's what I thought when I read the requirements. Netware (or whatever they are calling it now that it runs on Linux) and Groupwise should be all you need.
I don't know about cost. We have their educational license, and that includes Netware and 3 other products (we use Groupwise, ZENworks and iFolder) for less than $3.50 per student. The license covers as many servers as we care to run those products on.
Download Solaris for free. It includes LDAP plus Samba etc. Includes fairly easy admin tools (for example, webmin). The LDAP is first class and integrated fully with the OS and Samba. You can do it all and nothing is "cobbled together".
We used the original Netscape Directory Server for user authentication of 1700 users worldwide for many years on 2 Sun Netra 333 MHz boxes. The Netscape code back then was bulletproof. If that code is now free then all hell has broken loose and it's only a matter of time before OSS has a truly free, truly robust all-purpose directory server.
- GroupWise Migration Utility 2.0.1 for Microsoft Exchange
- GroupWise PDA Connect 1.0 SP1 Multi Lingual
- GroupWise Import Utility 2.0 for Microsoft Outlook
- GroupWise Gateway 2.0 for Async Connections
- GroupWise Gateway 3.0 for Lotus Notes
Just check out Novell to see some of their products (no, I do not work for Novell, I just like some of their products). Also, there are some really great LDAP/IMAP type solutions you can put together under Linux for zero cost. Obviously this option requires someone more capable than your typical point-n-click "MS-Admin". It would take one employee with the ability to read a book or some docs. Though, I know your typical point-n-click "MS-Admin" wants to be able to just put in a CD and let AUTO-RUN do all the "hard" work for them.
If I personally owned a small company with ~100 employees, I would rather have one talented admin that could handle *nix/Win than 2-3 point-n-click MS "admins". If you added up the salaries, that one guy would cost you less than the 2-3 less capable point-n-click MS "admins". TIJMO (This is just my opinion).
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
I've just started to take a look at Fedora Directory Server. It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.
Why are those your "stark and clear" choices? I know, for example, that there are solutions from Novell, SuSE, and Sun, without even thinking about it. Are there more factors involved here than just "we need a directory?" Given a clean sheet of paper, I'd be using eDirectory, since it's completely (according to the marketing papers -- I've never used it) cross-platform.
Acts 17:28, "For in Him we live, and move, and have our being."
You are obviously inclined to use Microsoft, so use it. You will only bitch if you use Unix.
The questioner did mention openldap. The advantage of going to the apple solution would be the integration that it would provide, rather than "cobbling" together the solution themselves (as they said themself.) It's not just the GUI. Then again, it would be one more thing to manage/maintain.
I do some implementation projects for an IBM reseller who does implementations on the iSeries platform, and they push (and I implement as the consultant, go figure) a lot of Samba + Bynari, to the point that I was actually convinced myself and bought myself a few lics for Bynari.
The nice part about Bynari is that they have great support, and they are continuously improving their product, and they use open technologies (OpenLDAP/Cyrus/Postfix) so it's easily hackable. The Outlook IMAP connector rocks, and so far, I think it is the only viable product out there if you're on a trim budget.
I haven't tried it yet, but having Bynari and Samba share the same LDAP schema seems to be my next personal project. Maybe even lobby the concept to them ;)
If you do not have a reliable VPN then you have to come up with a mixed environment. In this scenario not only will you have to master each component, you will also need to learn how they can interact. Quite a learning curve if you don't have hands-on experience.
Finally if you have the big bucks you can always go with Sun software; they have stuff to cover all your possible needs. The Directory Server, included in the JES, is quite impressive.
lucm, indeed.
What's wrong with Novell or Sun/iPlanet/Netscape?
The only problem I could see with either of those solutions (the Sun LDAP server is superior to everything else out there) is that it may be overkill for 100 users.
There's always eDirectory ... it runs on SLES9 now (as of version 7). All the joy of NDS, but it runs under Linux (and Windows, and NetWare if you want).
.. if you want more information about running edirectory under linux, email me and i'll pass along what I find out.
.. there are other products there. NDS is far superior to AD, so consider it as well.
I'm going to a Zenworks 7 thingy on Wednesday
it's not just about OSS and Windows
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
What puzzled me was how to get information into the directory. Say I receive an email from bob@sub.genius, and he is not in my directory. All the common email clients seem able to consult a directory, such as an LDAP server, but none seemed to have the ability to add to the directory. It appears that you have to use some other program to add, so in this example, I'd have to run some other program, paste in "bob@sub.genius", and tell that program to update the directory.
I have only looked at open source stuff for this. Is this something an MS solution would make easier?
Or did I just miss how to do this with open source email clients and directories?
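The directory-side half of the question above (how an entry actually gets into an LDAP directory), as an added example that is not code from any poster in this thread: it builds the LDIF add record an administrator would feed to ldapadd. The container ou=people,dc=example,dc=com and the ldapadd invocation in the comments are assumptions; the record format (RFC 2849) and the DN escaping (RFC 4514) are the standard rules. Note that since any mail client can consult the directory, what you put into it is visible to every authenticated reader.

```python
"""Build an LDIF 'add' record for a person from an e-mail address.

Added example; it is not code from any poster in this thread. It assumes
an ou=people,dc=example,dc=com container (hypothetical) and the standard
inetOrgPerson object class.
"""
import base64
import re

BASE_DN = "ou=people,dc=example,dc=com"  # assumed container, not from the thread


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4).

    Backslash the characters that are structural in a DN (, + " \\ < > ;),
    a leading '#' or space, and a trailing space. Skipping this is how
    cn=Smith, John silently becomes two RDNs.
    """
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name: str, value: str) -> str:
    """Format one attribute line per RFC 2849.

    A value that is not a SAFE-STRING (non-ASCII, or starting with a space,
    ':' or '<', or containing NUL/CR/LF) must be base64-encoded and written
    with '::' instead of ':'.
    """
    safe = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not any(c in value for c in "\r\n\0")
    )
    if safe:
        return f"{name}: {value}"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {b64}"


_ADDR = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


def person_ldif(email: str, given: str, surname: str) -> str:
    """Return an LDIF add record for an inetOrgPerson.

    The uid is the address's local part, so re-adding the same person
    fails with 'Already exists' instead of creating a duplicate entry.
    """
    m = _ADDR.fullmatch(email)
    if not m:
        raise ValueError(f"not a plausible address: {email!r}")
    uid = m.group(1).lower()
    dn = f"uid={escape_rdn_value(uid)},{BASE_DN}"
    lines = [
        f"dn: {dn}",  # ASCII by construction, so no base64 form needed here
        "changetype: add",
        "objectClass: inetOrgPerson",
        "objectClass: organizationalPerson",
        "objectClass: person",
        "objectClass: top",
        ldif_attr("uid", uid),
        ldif_attr("cn", f"{given} {surname}"),
        ldif_attr("sn", surname),
        ldif_attr("givenName", given),
        ldif_attr("mail", email),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The poster's own example address, plus a name with a non-ASCII
    # character to show the base64 ('::') form.
    print(person_ldif("bob@sub.genius", "Bob", "Dobbs"))
    print(person_ldif("juergen@example.com", "Jürgen", "Müller"))
    # Load it with the OpenLDAP client tools (admin credentials required;
    # server name and bind DN are assumptions):
    #   ldapadd -x -H ldaps://ldap.example.com -D "cn=admin,dc=example,dc=com" -W -f bob.ldif
```

The write needs a bind DN with add rights on the container, which is exactly why mail clients only search: an ACL that let every client add entries would let every client pollute the company address book.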
We use Scalix, which authenticates against OpenLDAP. They are a commercial solution, but their software is very open-source friendly and their support is very good (including public forums). We also have Tomcat, Apache, PAM, PPP/CHAP (for remote access with L2TP/PPTP), OpenSWAN (IPsec), Samba and custom applications authenticating against LDAP. Our centralized directory system is all home-brew, but this also gives us a lot of flexibility (we have 5 different password hashes for various systems!). It's not the easiest route in the short term, but it pays off in the long term. We have bindings for pretty much any language (including shell script via ldapsearch, etc.) which offers tremendous flexibility. OpenLDAP is synchronized with a hot backup, so we have redundancy built in.
The wheel is turning, but the hamster is dead.
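The post above mentions keeping five different password hashes in one OpenLDAP directory. What follows is an added example (not code from that poster or from the Scalix or OpenLDAP projects) of the hash format slapd actually stores in userPassword, how to verify against it, and how to audit a slapcat dump for the schemes you would not want to find there. The {SSHA} layout is slapd's; the {SSHA256}/{SSHA512} variants follow the same layout in its pw-sha2 module. The sample dump at the bottom is constructed for the example.

```python
"""Generate, verify and audit OpenLDAP-style userPassword values.

Added example; it is not code from any poster in this thread. The {SSHA}
layout (scheme tag, then base64 of digest||salt) is what slapd uses, and
{SSHA256}/{SSHA512} follow the same layout in its pw-sha2 module. The LDIF
dump at the bottom is constructed for the example, not real data.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SALTED = {"{SSHA}": hashlib.sha1, "{SSHA256}": hashlib.sha256, "{SSHA512}": hashlib.sha512}
# Unsalted, reversible, or simply too fast: worth flagging in a dump.
WEAK = {"{CLEARTEXT}", "{MD5}", "{SMD5}", "{SHA}"}


def make_hash(password: str, scheme: str = "{SSHA512}", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value; a random 16-byte salt unless one is given."""
    if scheme not in SALTED:
        raise ValueError(f"unsupported scheme {scheme}")
    if salt is None:
        salt = os.urandom(16)
    digest = SALTED[scheme](password.encode("utf-8") + salt).digest()
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str) -> Tuple[str, str]:
    """Split '{TAG}payload'. slapd compares an untagged value as cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        return stored[:end].upper(), stored[end:]
    return "{CLEARTEXT}", stored


def verify(password: str, stored: str) -> bool:
    """Check a password against a stored value; digest comparison is constant-time."""
    scheme, payload = split_scheme(stored)
    if scheme == "{CLEARTEXT}":
        return hmac.compare_digest(payload.encode("utf-8"), password.encode("utf-8"))
    if scheme not in SALTED:
        return False  # {CRYPT}, {MD5}, ... are not handled by this example
    algo = SALTED[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    dlen = algo().digest_size
    if len(raw) <= dlen:
        return False  # no salt present: refuse rather than guess
    digest, salt = raw[:dlen], raw[dlen:]
    return hmac.compare_digest(algo(password.encode("utf-8") + salt).digest(), digest)


def weak_entries(ldif_dump: str) -> List[str]:
    """Return DNs in a slapcat-style dump whose userPassword uses a WEAK scheme."""
    weak, dn = [], None
    for line in ldif_dump.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # slapcat base64-encodes this attribute
            value = base64.b64decode(line.split(" ", 1)[1]).decode("utf-8", "replace")
            if split_scheme(value)[0] in WEAK:
                weak.append(dn)
        elif line.startswith("userPassword: "):
            if split_scheme(line.split(" ", 1)[1])[0] in WEAK:
                weak.append(dn)
    return weak


# Constructed sample dump: one salted entry, one unsalted MD5, one untagged cleartext.
SAMPLE_DUMP = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(make_hash("correct horse", "{SSHA}").encode()).decode(),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword: {MD5}XrY7u+Ae7tCTyyK7j1rNww==",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword: swordfish",
])

if __name__ == "__main__":
    h = make_hash("hunter2")
    print(h, verify("hunter2", h), verify("hunter3", h))
    print("weak:", weak_entries(SAMPLE_DUMP))
```

Running `weak_entries` over `slapcat -l dump.ldif` output is a cheap check to add to the "five different hashes" situation: the one untagged value is the one slapd will happily compare as cleartext.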
Simple: FirstClass Server. Centrinity.com. Cross platform, robust, full of features. Inexpensive. Expandable to voice services.
Added to that, it's not especially difficult getting Unix machines to talk to AD for authentication and other information (it's just LDAP, after all).
It's a hell of a lot easier to integrate and manage a handful of unix machines in a Windows environment than it is to integrate and manage a hundred Windows desktops in a unix environment. IME, that's typically the scenario (unix servers for mail, fileserving, DB, etc and Windows desktops).
W2K3 ... is fine as long as you take the same precautions any decent Sys Admin would.
Myself being a decent Sysadmin, I can tell you my first priority is always to banish MS products to the extent possible. It takes time, but if you're starting from scratch this is an excellent opportunity to avoid future problems.
Start by NEVER running anything mission critical under MS - especially a directory service.
Continue by banning Internet Explorer companywide, and finish by
Don't get me wrong; MS Windoze does have its strong spots. It is superb for playing games, hosting virus servers, spam drones, and spyware. If you want East European crime gangs to install packet sniffers, keystroke loggers, and Trojan Horses on your network, there is no platform more ideal than Microsoft Windows. But of course these strengths have nothing to do with running a secure business.
Since you probably will have to run MS Office, do a trial run of MS Office under Mac OS X. You'll be quite impressed: You can have MS Office without all the client problems! Who would have believed such a thing could be possible? You may even find that OpenOffice is far more than sufficient.
Deploy OpenOffice far & wide, but keep a couple spare seats of MS Office (for the Mac) on hand "just in case" some executive starts whining about different software, so you can just install it here or there selectively and shut them up. (That's the main purpose for buying MS Office. To shut people up.)
The executives may question issuing PowerBooks for the traveling employees, but they WILL NOT complain when you show them the respective overhead and MIS support estimate numbers and corporate security differences when viruses and so on are all taken into account. Your company will remain freer of viruses when those traveling notebooks get plugged into the internet at hotels, then subsequently carried back to the office and plugged in again. Windows notebooks are one of the most notorious and uncontrollable computer virus vectors for spyware/crimeware.
SUSE Linux Enterprise Server 9 should have everything you need. It sets up and stores just about everything in LDAP. It is extremely easy to configure and maintain. YaST's Email Server module will set up Postfix/Cyrus/IMAP for you; hell, it even installs antivirus and spam filters for you.
If you need to control Windows Clients simply create custom Policies for Microsoft's System Policy Editor (or use mine at my web site).
I have currently replaced 5 Windows Servers with SLES9 and have not had a single problem. IMO it is much easier to maintain/use than anything MS has released in the server department.
Before I write, I should say that I'm in no way opposed to open source and use it where appropriate.
If you want something very well supported, not horribly difficult to administer in a simple environment and tried and true, just go with Active Directory and Exchange, especially if your company's focus is on something other than providing unique technology solutions. (i.e. you sell baskets)
While the open source solution might cost less up front, there is nothing in open source land at present that can touch the Exchange/Outlook combination. Sure, there are products such as OpenExchange, but let's assume that you want the option to easily add other services later on, such as true handheld synchronization (i.e. www.good.com).
I know it can be sacrilege on Slashdot to not promote an open source solution every time, but sometimes, the business side of the house is more important than a cool technology solution.
You can use ActiveDirectory and then a solution by Centrify or Vintela.
Those all suck, get eDirectory, which rules.
And it runs on linux. And it's cheap!
We've been struggling with the same question for some time.
We just started using Kerio Mailserver for mail, integrated with Active Directory for authentication, and it's been working out great!
Yes, but don't you want your directory server to interoperate with other systems? Isn't that the whole point? I'm half joking, but half serious as well; one of the main gripes I have with AD is the lack of customization that one can perform with it. It's great when you want to integrate it with Microsoft Remote Access or Microsoft SQL Server or any of a dozen other Microsoft products, but try getting it to authenticate against open-source P2PP/PPP (which easily integrates with other LDAP solutions).
You might want to check out Fedora (or Red Hat) Directory Server, which I've had some success with. It's not absolute perfection, but it saved me from dealing with OpenLDAP, which is a bit harder to deal with, especially if you're used to easy-to-use GUIs and the like. Novell's eDirectory is also a great solution, and it runs under Linux as well. Truthfully, I'm not using their stuff, but I eval'd some of it, and their groupwise stuff with eDirectory might be just what you need. There have been lots of other good suggestions here, so I'll just throw a "me too" in there for things like Bynari and OpenXchange.
Visit my blog http://www.protocolostomy.com
With http://firstclass.com/ for group messaging.
Works for an org I know that manages 1000+ staff members...
As I see it, each of these programs perfectly implements the standard it was designed for, and the directory service you get by combining them is just that: a directory service. It seems to be fulfilling the intended purpose perfectly.
Is the "cobbled-togetherness" a result of them not being shrink-wrapped together into a product with a single name, as all the "professional" directory services are? I'm not intending to troll, but I just can't see any other way they are "cobbled together".
I'd not seen it before but Roundcube is pretty darn nice! Now if only the Horde team would merge in some of its UI...
Damien
There are some things OSS is good at, and there are some things that Microsoft is good at. Exchange is one of them.
Ask your business what its objectives for the new system are. Keep these in mind when you select products and design a solution.
Now back to solution mode. You can have a minimal three site AD and Exchange system set up in less than a day from bare metal servers. As long as you have adequate bandwidth (about 64 kbit/s will do for minimal acceptable performance for 100 users), it just works. Just add users.
Win2003 AD is fairly robust if you make mistakes with topology design, but honestly, with such a simple setup, just go political structure in OUs in a single domain, single forest AD, with three sites. Exchange will work it out.
Once you have it working, AD and Exchange are very deep products, and it will pay to learn about the zillions of features. But by default, you can set and forget.
No matter which platform or choice, keep up to date with patches and secure lockdowns.
Andrew
Andrew van der Stock
AD does not scale well up into the million object range and beyond.
Just trust me on this one. It's intended for the average case, not the huge-ass case. You find limitations on the number of GPOs. You find problems with everything when you start in with huge numbers.
That said, if all you care about is Windows, AD is the easiest of all the options.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
I realise Apple is getting a lot of press at the moment, and there is a certain amount of feeling that Slashdot is a publicity machine, but they tend to receive little support at the server end.
Tiger Server actually performs very well, and admin is a cinch. Given that you are starting from scratch you could easily get some Xserves...
Group messaging: Jabber server, built in.
There is Active Directory and Samba support built in.
In fact, just about everything is built in.
If you don't like that solution, just look at the xserves. They're beautiful.
Just a couple of extra cents thrown into Slashdot's fountain.
OS X Server also includes a Jabber server, for IM, and a 'blog server. I don't know much about 'blog servers, but Apple's website has this to say:
Check it out.
/etc/hosts
Seems pretty insightful to me...
One person who isn't sure what to do probably shouldn't be handling this on his own (I say probably on the off-chance that you're a competent genius, in which case you wouldn't have asked /.). What you really need to decide is if you want to do Windows or OSS, and then hire a good firm to implement the system and train the IT staff to use it.
So call IBM.
Really what else do you need?
There's no shame in being a pariah. -Marge Simpson
What, just rule them out? They've been doing directory and groupware LONG before Microsoft decided to emulate (steal) the idea...
.02 worth... (climbing into flame-resistant suit)
Novell 6.5 is the latest, and I can lock out users based on Windows policies, etc., just like MS Active Directory... assign various sub-admins to rule over their own dept, etc... AND GroupWise (IMHO) is a great email/calendar app... (GroupWise 7 is supposed to be better, but I haven't gotten to play with it yet...)
AND they are starting to move everything over to Linux via SUSE Linux, so you have the OSS...
Best of both worlds if you ask me...
Sure, Novell AND Microsoft cost $$$; you could build your own Linux server and hack it together, but if you're a REAL company and you expect to play REAL ball, you will PAY to have the proprietary software to compete with everyone else... At least with Novell, you can still play OSS and support Linux, etc... even if you have to buy their version...
OSS does not equal FREE... That's the problem... too many freeloaders want EVERYTHING for FREE... If that was the case then your company would just give its product away also... oops, now your company is dead... Guess that model won't work.
I must admit, I do ADMIN a Novell network, and I do like SUSE Linux... Much better than anything MS has to offer...
Again, just my
--- Relax, that mass murderer is just trying to reduce our carbon footprint, one fetus at a time...
Centralized directories aren't supposed to be your personal address book. Most e-mail clients let you keep a personal address book along with a connection to the centralized directory. Directories are for corporate IT types who want to centrally administer user accounts for some (perfectly valid) reason. If you're not an administrator of that database, your access is more or less read-only. LDAP was designed from the get-go as a read-optimized solution, which is what makes it faster than something like an SQL server for far less resources. It's more or less a replacement for NIS (in the Unix world).
We implemented Apple Open Directory, serving ~400 users, using four Xserves and two Xserve RAIDs. We're using Apple's mail services, file, web, web log, and VPN service.
So far, things have gone better than I expected. We are authenticating Mac, Windows and Linux PCs, all of which can access the same home directory. The Open Directory master server also acts as the Windows PDC and serves up roaming profiles for Win XP clients.
What I've been hounding my Apple rep about is the lack of a real group collaboration suite. The pieces are there: iCal, Address Book, Jabber, Cyrus/Postfix. They need to be brought together in an Exchange/GroupWise sort of fashion. We are still using Steltor CorporateTime (now Oracle Collaboration Suite) for calendaring, task lists, and shared contact lists. I'm watching the Hula project closely. Rumor has it Apple is shopping around for a comprehensive group collaboration system. Hula might be it! Zee dork
Anyways, let us examine the different components and see how far OSS can take us. Maybe it can't go the whole journey, but if it can do some, then a hybrid solution will work.
Open Groupware, SuSE's Open Exchange and OSER will handle the Exchange part, including support for all those MS Exchange clients, such as Outlook.
That just leaves the Active Directories part. ISC's DHCP supports Dynamic DNS. However, you may want to add in DHCP2LDAP to get a good link between DHCP and BIND. OpenLDAP provides the LDAP implementation part. Kerberos and DNS are easy (although some may quibble with my choice of Kerberos version!)
Provided you're not planning on having both MS Active Directory and the above amalgam running, you should then be set to go with a comprehensive Active Directory lookalike which will interact with client systems in the same way Microsoft's software will.
The problem I found is that there's almost no way of getting from a Linux solution -to- Active Directory. If AD is present, it must be a root server, which Linux CAN pull from.
Do I recommend this kind of a setup? Probably not. The Exchange and groupware stuff should be fine, but the Active Directory stuff isn't as coherent as it could be and I've heard of nobody who has completely replaced AD with an open source solution, even though from a purely technical perspective it should be possible.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'm afraid I can't help answer the initial question, but I have to caution you strongly regarding all of the suggestions for Novell products.
I live the Novell dream everyday, and "cobbled together" would be a generous description of their products and services. This is a company with a time honored tradition of rendering promising technologies useless. They handed most of the market to MS on a silver platter.
Before you consider Novell too seriously, look through the forums at forums.novell.com, be sure to ask about your support options, and try to get a feel for the staffing and training required for a network of your size and scope.
Stick with your initial instincts; just remember that very few Novell products are actually open source.
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.
Well, it's a bit more than that. With a few button clicks you can have a fully functioning Directory Service with OpenLDAP and Kerberos. You get password policies, single sign on for everything from mail to smb to web, and you even get a one click samba pdc.
The only thing it lacks is the groupware support. Firstclass or any number of OSS solutions can provide that.
Check out our site, or even just Apple's server site for more info.
Of course since the questioner didn't mention openLDAP to begin with,
Yeah he did, by name even.
And is still available as a free (Beta) download here.
Don't know how long that will last and I imagine it's not part of the OSS suite.
I haven't used it but would like to do some testing with it at work. For more general directory type support (domain controller, etc.) I'd look at SUSE Linux Enterprise Server with their Novell Open Enterprise (sorry, that's a PDF). It uses Samba and LDAP, but it's the closest thing to a usable AD "killer" I've seen so far.
Quack, quack.
I hate to say it but this is pretty darn good. If starting from scratch then this is easier than open source solution and cleaner and more integrated. Sharepoint brings together exchange, web stuff, calendars, share and individual todo lists etc in a fairly new and integrated way and is very fast. Underneath it's mostly the same Exchange and Active Directory stuff. We just rolled it out to 450 people over multiple sites and it was painless - just needs some design work up front for how to organise data.
Novell Groupwise is good too, I've managed it on a large multisite company but generally you'd only choose it if you already had Novell servers. I haven't used it in the last 5 years so maybe it's much better now though I doubt it.
I have less experience of Lotus Notes (set it up over a large network but never actually used it much) and would say it is much more complex than the MS solution - though it's a slightly different tool and probably has greater functionality. Great if you're an IBM shop and fairly easy to get training or consultants who know it - though they're more expensive than Novell or MS consultants.
I've looked numerous times for solutions that cover unixes (linux, sun, sgi etc) and windows and there's no simple solution. So if you're a PC shop running windows clients then MS is the most integrated solution with the best support.
If the three separate companies are already on Linux or Sun servers with good Unix admin skills in-house then one of the OSS solutions would be more cost effective, though it would require more time to set up.
pithy comment
I don't know the motive behind this post, but maybe writing about the possible motives might help. Please comment with me and let's see if we can see through where this guy is coming from.
He/She doesn't know squat about directory solutions available. All major OS vendors have a strong DS to go with their 'package'. Let's see, IBM .. Apple .. Novell .. Red Hat ..
He/She doesn't know computer technology very well. Anyone who's been an MCSE or worked with Microsoft products knows they are just as 'cobbled together' as anyone else.
Given the apparent low skill shown by the poster, I wonder if he is really in the position described. Maybe:
1. Poster has skills/has the position. Then they are just playing a game with /.
2. Poster has no skills/has the position. Maybe the poster is a transfer from another career/sector and doesn't know technology at all besides a little bit of solitaire and the 'internet thing'.
3. Poster has skills/not in position described. Maybe the poster is an MS hack trying to see how much the tech crowd knows. Perhaps it is someone in a competitor's business that is trying to make the /. crowd look bad/foolish.
4. Poster has no skills/in position described. Clueless idiots that play solitaire do get these jobs sometimes. They should be fired, but that doesn't make the # of MCSEs any less.
novell will do everything you want... Client OS Independent... they're getting more and more cross-platform every day.
:)
http://www.novell.com/products/openenterpriseserver/index.html?sourceidint=hp_products_oes
They produce Windows / Linux / Mac OS X / HTML clients for almost all of their products and they meet all of your requirements.
If you have under 100 employees you can use Novell Small Business Suite in which the licenses are about 1/2 price. Once you cross 100 users you must upgrade your licenses... You also are allowed 2 server licenses with the small business suite.
Novell is really flexible and much cheaper than Microsoft. The security and stability is also there... although their NetWare product since 4.11 has left much to be desired, but that's ok... they've got Linux (and have for some time.) Their servers run Tomcat (web-java), Apache2, Perl, PHP, MySQL and all kinds of goodies right out of the box (they're install options, many are required.)
Anyway, very slick and VERY excellent and low-cost/maintenance for small business. Plus you're supporting open source (directly and indirectly)
Ryan
------------------------------
Ray Raspberry
raspberry@b3l33t.org
Go with Windows...go with Win2K and plan on upgrading to Vista in two years. Anything else and you're asking to be fired. Every open source dweeb is going to point you towards Linux but you will soon find no one else will converse with you. The dweebs live the open source stuff. It's their drug of choice. Like all drug addicts they find themselves in the back roads of nowhere, alone except for a few other drug addicts, yet they extol the virtues of open source as if it will promise you the nirvana you yearn for. Most, if not all, are anarchists just waiting for the opportune moment to unleash their warez. Novell, Sun and IBM saw the light...they only seek to entrap the misanthropes who have been misguided by the hope of being on the forefront of something that is impossible. Here we go with the college CS dweeb weenies who just can't get away from the group mentality. Open source is nothing more than wishful thinking. It will never amount to anything except for allowing the new millennium hippies to dance around a fireplace and chant phrases of 'we're almost there'. There are only two OS's, Unix and Windows...you choose. All else are misdirected ideals who have a slim but non-existent chance of even being accepted by some strange organization. Oh yes...let them, in the last gasp of hopefulness, implore you to accept MAC OS. It's their only chance of redemption. Walk away...please walk away. While Windows is not perfect...it's what 95% of the world uses.
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI.
Open Directory covers a lot more than LDAP. Yes, it's based on OpenLDAP -- in part. Yes, there is a nice GUI, which you can use to administer users and groups remotely, from another Mac OS X machine.
But there's also MIT Kerberos, integrated with the LDAP. When you create a user in Open Directory, the necessary Kerberos principals are created for that user. User identification (linking usernames with Kerberos principals and home directories) happens automatically.
But wait, there's more -- there's also the Apple Password Server, which is based on the SASL layer from CMU. This provides centralized, non-Kerberos password support, for things like CRAM-MD5 authentication, or NTLMv2 auth for Samba. The Password Server passwords are automatically synchronized with the Kerberos passwords. When you change a user password in the KDC the corresponding password is also changed in the Password Server, or vice versa.
Still not happy? How about built-in replication support for load-balancing and high availability. It covers not only the LDAP database via slurpd but also the Kerberos and Password Server databases.
Oh, and one more thing -- encrypted archiving built in to the GUI. Archive your entire set of LDAP user information and your password database to an encrypted disk image. Secure and convenient.
(Yes, I work for Apple -- but the parent post misses most of the good parts.)
--Paul
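The post above mentions CRAM-MD5 as one of the mechanisms the Password Server exists for. The exchange below is an added example, not Apple's code or anything from the original post: it runs the RFC 2195 challenge/response on both sides so you can see why a server offering CRAM-MD5 has to hold the shared secret itself (the server recomputes the same HMAC-MD5 the client did, so a one-way hash or a Kerberos key is useless to it). The hostname and the `tim` account are constructed for the example.

```python
"""CRAM-MD5 (RFC 2195) challenge/response, both sides. Added example."""
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname="mail.example.com"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form
    <random.timestamp@hostname>. hostname is a constructed example value."""
    nonce = int.from_bytes(os.urandom(4), "big")
    return "<%d.%d@%s>" % (nonce, int(time.time()), hostname)


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 over the challenge, keyed with the password,
    sent as '<username> <hex digest>'."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return "%s %s" % (username, digest)


def server_verify(response, challenge, secret_store):
    """Server side. secret_store maps username -> plaintext password.
    The server must recompute the client's HMAC, so it needs the secret
    itself (or a saved HMAC-MD5 context for it); a salted one-way hash or a
    Kerberos key cannot answer this. That is the reason a separate password
    database has to live next to the KDC when CRAM-MD5 is offered."""
    parts = response.split(" ")
    if len(parts) != 2:
        return False
    username, digest = parts
    secret = secret_store.get(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"),
                        hashlib.md5).hexdigest()
    # Constant-time comparison: don't leak how many digest bytes matched.
    return hmac.compare_digest(expected, digest)


def to_wire(text):
    """IMAP/SMTP carry both messages base64-encoded on a single line."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def from_wire(line):
    return base64.b64decode(line).decode("utf-8")


def exchange(username, password, secret_store):
    """Run one complete authentication; returns (server_line, client_line, ok)."""
    challenge = make_challenge()
    server_line = "+ " + to_wire(challenge)              # IMAP continuation line
    client_line = to_wire(client_response(username, password, challenge))
    # The server decodes what it actually received, not what it thinks it sent.
    ok = server_verify(from_wire(client_line), from_wire(server_line[2:]),
                       secret_store)
    return server_line, client_line, ok


if __name__ == "__main__":
    store = {"tim": "tanstaaftanstaaf"}   # constructed sample account
    print(exchange("tim", "tanstaaftanstaaf", store))
```

The `tim`/`tanstaaftanstaaf` pair and the fixed challenge used in the checks are the worked example from RFC 2195 itself, so the digest can be compared against the published value. Note that `secret_store` is plaintext by necessity of the mechanism, which is the trade-off the Password Server design accepts; Kerberos avoids it by never sending or recomputing a password-derived MAC this way.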
I can't speak from experience, so I'll just ask. How about Open Directory on Mac OS X Server? Good? Bad?
It scales like ass. It's slow. It has dependency issues. You have to disable commonly available services in large installations to avoid issues. But the 1000 GPO limit is just the icing on the cake.
Otherwise, explain why a large organization - perhaps the largest in the US - was compelled to split its AD installation into four illogical geographical domains without transitive trusts, due to scalability issues? So, now, you can't add people from a location in the western US to their correct OU in another region.
Yeah, didn't think you could. But yeah, it's scalable, right.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
I am a senior designer in the Directory Services organization of a very large international company. As such, I'd offer you the following observations:
--
*Microsoft Active Directory/Exchange*
Pros: Works out of the box. Integrates best with other off-the-shelf products. Large pool of available techs to design/implement/support your solution. Well documented. Excellent technical support. Mature products. Is a comprehensive solution for LAN login, messaging, Group Policy management, audit tracking, delegated security management, and can be easily leveraged for other solutions such as patch management, asset management, etc.
Cons: Minimal. You must purchase your software from the Evil Empire.
--
*OpenLDAP/some flavor of commercial UNIX directory*
Pros: Extremely flexible during the design phase. You also get bonus cred points when posting on Slashdot due to your open source solution.
Cons: Not an off-the-shelf solution (requires significant customization and implementation). Documentation can be spotty and confusing. Technical support low. Harder to staff from a technical perspective. Not a unified solution - all additional functionality must be customized through additional coding or "plug in" functionality. Less flexible once designed and implemented without causing significant impact to the existing environment. Requires dedicated developers for ongoing coding/scripting support in addition to standard technical operational staff.
--
Now I know those comments may annoy those that have knee-jerk reactions against Microsoft technology when it thumps heads against some form of *nix or Open Source. For large organizations (100k+ users) or very small organizations (under 1000 users), Microsoft simply has the best combination of features for the business.
The small companies will get everything they need in one nice little package. There are tons of AD admins out looking for jobs, it's easy to staff. There are thousands of training classes available for technical staff, and thousands of books and websites with real-life examples and how-to's. You get the whole bundle at once.
Less headaches. Easier to implement. AD is the way to go for a very small enterprise.
For goodness sake, don't call IBM. Unless you're planning on spending $50k on a "business value assessment" (paid sales process), $100k on Regatta servers, another $50k on Lotus Workplace software licenses, and $500k on an army of consultants like me to try to make the damn thing work without the aid of two crutches and a walking frame, even though the lead shark told you that it worked straight out of the box and we've never seen it throw that error before, what do you mean it won't even install?, are you running an unsupported configuration?, looks like you'd better upgrade to the latest release, tell you what I'll put you on Passport Advantage, that'll save you $10k, oh and by the way here's the bill for another $100k for the upgrade, what do you mean it still doesn't work?, oh well I don't care, I've just been reshuffled anyway, so long sucker!
Don't misunderstand me: IBM has a lot of good products and good people. And I've been proud to be an IBMer ever since the strong support for OSS. But you don't see the company at its best when dealing with small projects and new technologies.
Adopting OpenGroupware at my university has garnered few complaints. It is still beta though and there are a few areas that show it. But we're willing to stick with it and watch it grow. All of the basic functionality is there: news, calendar, email, tasks, projects, even interface with Evolution or Outlook (with a non-free plugin). The only problems seem to be a bit of a learning curve for the users and the lack of some more advanced news editing features like HTML or any kind of formatting tags.
If not, outsource it and focus your time on stuff that will earn money for your company.
(ducking)
Look at using Novell NetMail with Novell eDirectory.
It's fast, cost effective, standards based, scalable - and it runs on Linux, Windows, Solaris - or even NetWare.
For 100 users it will be just great.
If you want open source - and depending on your acceptance of 'newness and risk' - look at Hula - again based on the NetMail codebase.
Evil ZEN Scientist
If you don't want off the shelf, then a combination of LDAP and Kerberos is what you want. It's not as hard as the MS apologists claim it is.
The bizarreness of the mindshare MS has over people. The question is not MS vs. Open Source, the question is MS vs. all other products, open and closed.
Cheap - $1K for an unlimited server license, and the Xserves come with the license and are great performers in their own right and cost-effective.
It has ease-of-use GUI goodness, with a full open source stack underneath: supports OpenLDAP directory services, single sign-on, Kerberos, email, calendaring (via WebDAV), file services (via Samba for Windows and Linux), CUPS, Apache, DNS, Mailman - the list goes on and on. It plays extremely well in mixed environments and is extremely easy to administer - no steep learning curve.
It's far cheaper than all the other alternatives, including Novell and RH, not to speak of Microsoft. And soon you will be migrating all your users to OS X boxen as well once you see all the advantages.
I have done administration on all the other alternatives and I'm far from an Apple fanboy, so don't start flaming me on that score.
As this is my First! Slashdot! Post! Ever! (R), I'm hoping to avoid any crass errors in style or etiquette..fortunately, based on some posts I've read over the years, there's a pretty high bar. (Hopefully, smartass jokes are also OK.)
I've done a lot of work with a range of customers on implementing and maintaining directory infrastructure, mainly centered around Lotus Domino and the IBM Directory Server. To start the shameless plug, I'll say that based on your criteria - directory services and a groupware/mail solution - you should give Domino a hard look. A Domino server contains a totally integrated mail system (both fat client and web mail based), an application development platform with Java support, LDAP directory server, Web, SMTP, IMAP and POP server, predefined application database templates, and advanced security services like PKCS and SSL out of the box; it can also synchronize user information with Active Directories for centralized user account administration. Outside LDAP servers can be associated with Domino to allow those users direct access to resources like web-based apps. Current versions are shipping that run on Windows, Linux, HP-UX, and other platforms, which allows for platform flexibility.
To save this from becoming a sales pamphlet, there are some good reasons to consider other options depending on your needs. Some corporations demand that directory services be highly integrated into the OS; Domino's directory is not, though it can share information with native services if they exist.
While Domino is great for having so many services instantly available out of the box, they are not necessarily best-of-class. If a very large, intensively utilized directory system is planned, then a dedicated LDAP server like the ones mentioned in previous posts may offer better performance. Some advanced LDAP features, like multi-master replication aren't included in Domino.
All that aside, in my opinion the most important things to remember in creating a directory services infrastructure are to plan around intended use and growth, not around products and glib promises a sales rep will spout. When you talk about the need to "set up directory services", take some time to plan what workflow will be used the most, what functions will need to be the most efficient, and what future applications and products will be hooked into the system. Create a concrete, detailed outline of what operations you'll need supported - signing people onto their workstations is usually just the beginning.
After that's done, it's easier to look at hardware and software more critically to suit your needs - much better than fitting your needs to what a particular solution can provide.
If you are interested in managing this from a database you should check out my good friend Magnus's work with integrating OpenLDAP and PostgreSQL via dblink.
Check his blog
I've tried a lot of the "cobbled" together solutions as well as the paid ones, and communigate pro is one of the top ones out there. It easily scales to what you want and offers all of the protocols you mentioned and then some. Yes it costs money, but runs on just about any platform out there and allows clients from just about any platform out there - including groupware abilities.
Want the best of multiple worlds? Have you ever seen any other directory ever try scaling to a billion objects, much less succeed at it? eDirectory does it.
GroupWise with just 100 users could be run on one server without blinking but, to save headaches when the WAN went down, spread it across the three already running eDirectory (for the same reason, and for redundancy). File-sharing exists the same. If you had a Novell partner they could implement something like this in a day in a lab without much thought and maintenance means patching three servers (like every other solution) once in a while. Honestly I could build your entire environment in a lab in one day.
For those who believe in true OSS to the rescue (as I do too) eDirectory supports LDAP versions 1, 2, and 3 as well as any other platform (OpenLDAP included). IDM (another Novell product) uses XML for connecting to third-party systems (even if the third party doesn't necessarily have an XML connector, Novell made those too). eDirectory, GroupWise, Zen, IDM, etc. etc. all run on Windows, NetWare, Linux, HP-UX, AIX, and Solaris... Not many products on earth can say that.
Top that off with awesome support from Novell (really, it is great, and they have free forums for all their products searchable by Google Groups) and what else is there? Sure, you could do it all with OpenLDAP (no directory partitioning, though, and painful replication compared to eDirectory) and Samba (eDirectory/NetWare/Linux support Samba in Novell's world too) and Postfix (integrated into OpenLDAP even, maybe) but I think in this case, for ease of mind (ever seen a NetWare virus/worm/etc. in the wild?) I would go with a Novell solution.
I'm considering which I want to register as -- Republican or Democrat.
Can somebody give me an unbiased opinion about which is better?
These guys have saved more bacon than I've eaten in my life, and I live in the Southern US!
Formerly Netscape Directory Server, also the base for iPlanet/SunOne Directory server , Fedora Directory Server is the best OSS directory service out there today. Check These links for reviews.
-- Ravi
I would not entirely discard Novell eDirectory.
It is especially interesting in a mixed environment solution, and it does provide some interesting possibilities when coupled with Novell Client.
The pricetag is also VERY attractive.
morcego
What do you base your stark and clear choices on? Banyan was the first company to come up with directory services. Novell really took directory services to the next level when it came out with NDS and NetWare 4. Wow, one place to manage users, servers, printers, file system, DNS and DHCP, pretty cool. Well, Microsoft, not to be outdone, started calling NT's domain a directory so that they could compete with Novell. Novell threatened to sue MS about the false information on the MS web site about NT's "directory" and MS had to pull it. So, you guessed it, MS had to have a directory and eventually, after years, came up with Active Directory. Novell's NDS has evolved and MATURED, key word here, to eDirectory. eDirectory is a very scalable, over one billion objects, robust, LDAP v3 compliant directory service. Novell's Identity Manager product gives one the ability to manage identities in a multi directory/database environment. eDirectory runs on NetWare, Linux, AIX, HP-UX, and Windows. There are other directories to consider including Sun, IBM, Siemens. Novell also has GroupWise email and groupware, and a pretty awesome desktop management suite, Zenworks, both managed in eDirectory. If I were you I would talk to the vendors and, better yet, talk to sites who have implemented AD, eDirectory and the others to do some due diligence and help make a good choice. Lots of people think that Novell is dead. This is not true. Check it out.
OK. You didn't mention Novell's eDirectory. AD works for small networks. It might even work for medium sized networks. If you want something that is going to scale, Novell wrote the book on directory services. They have their Small Business Suite of products. If you want to cobble(?), kludge it together, well you can look at open source solutions. In my opinion, directory services from open source isn't quite baked.
Look at this way. The folks who were your predecessors at the other companies probably thought the same things you're thinking now. They figured they'd "do it right", and now you're the one who is saying they all stink so bad that starting from scratch is better. You think that 5-10 years down the line anyone is going to appreciate what you did and think, "wow, whoever set up this infrastructure sure was smart"? Hell no they won't. They'll curse you and try to justify their jobs and make their lives easier using the same arguments you want to use now.
My advice -- save yourself a lot of angst. Just buy whatever the vendors tell you will work, from whoever will treat you to the best negotiation perqs, and throw it out there. Take the accolades and raises from your management who think you worked miracles with their IT stuff because you have all the best powerpoint slides and slick glossy brochures from vendors, and cut out, move on to the next job, and start over again.
Nobody will care when the technology moves on and whatever solution you thought you were so elegantly rolling out is now the biggest, smelliest pile of steaming...
I fucked your mother's ass with a spike strip
Fortunately, my mother is safely dead, and cremated. And you'd better not make "cream" jokes about her ashes. (Or "ash" jokes, for that matter.)
But the really important thing is, you're not an Anonymous Coward -- hats off to you, Sir/Madam/Other.
-kgj
http://hulaproject.org/Hula_Server
From their site:
"Hula is a calendar and mail server whose goal is to be fun and easy to use, while scaling effortlessly from small groups to large organizations with thousands of members.
Hula is an open source project led by Novell."
Their directory far surpasses AD. You can also look into Netscape Directory.
For groupware, check out Zimbra (http://www.zimbra.com/). The Flash demo is great.
The global economy is a great thing until you feel it locally.
A solution which is free and satisfies all your requirements would be a no-brainer. OSS is definitely free, so i'm guessing it lacks something. Could you outline what the OSS solution needs or is missing?
Take a look at another good option, @Mail - http://atmail.com/
A nicely wrapped up mailserver/groupware and Webmail solution - Perfect for a userbase of 100+ people.
Think about MS Biz server. Nice package coupled with MS apps...cheap and easy to support. You'll get a big raise and all the employees will thank you. I've put this out there for several small/medium size companies and they love it. MS is just now starting to focus on the medium range companies so you'll get the benefit of that. Anything else and you're asking for trouble. Yeah, I use to like Novell but they went south for awhile and are just now coming back, however, they're pushing SUSE and that's going nowhere.
"Some people think that Open-Xchange is a GPL'd version of SLOX (SuSE's Groupware Server). This is not true. It's just the other way round. SuSE has made a ready-to-use server called SLOX, which is based on SuSE Linux and open-Xchange which is not a product of SuSE but of Netline Internet Service GmbH, Martinstr. 41, D-57462 Olpe, Germany. It allows for much of the functionality of MS Exchange"
http://gentoo-wiki.com/HOWTO_Open-Xchange
You only have 100 employees. You don't need an "IS infrastructure." What you need is a POP/IMAP server with 100 accounts. Get a single 300 MHz linux box and hook it up inside your firewall -- that's all most universities had as of 5 years ago, and they did fine with 1000s or even 10000s of students sending tons of mail daily. You're done, and you only spent about $300 for the box, even after buying a pair of brand spanking new hard drives to RAID. Shoot. You probably even already have a server or two that would exceed your needs. Go spend the rest of your $10,000 hardware budget (estimated by your post) on a massive beer party, and then hire 2 new devs with the payroll you'll be saving on admins.
Quit trying to justify something that nobody needs or wants.
Hammer Time!
Whenever you say Directory Services, you need to throw eDirectory in the ring. Lucky for you, you can get groupware from the same vendor. And it can all run on Enterprise Linux.
Oh ya, it comes with a pretty nice desktop offering, too. It includes a decent office suite, excellent web browser, the works. But it will integrate resources on Windows, Linux, Mac, whatever.
And during the transition, it can tie into LDAP, Kerberos, or whatever exists in the three merging disparate offices.
For a small expense, you can even wrap it in a bow.
Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.
Not true, you can use Novell's NDS (eDirectory, the LDAP server software) right on top of Linux, Unix, or Windows. The admin tools are almost all Java based or otherwise accessible so you aren't locked in there (clients and management tools for Linux, Unix and Windows). Novell can manage the rights, er permissions, er privileges for clients of any flavor (because a directory services solution is about managing the resources on the network) - and has less bloat and more security than Active Directory.
Novell is my choice hands down. It isn't the nightmare product it used to be. Quite flexible, scalable and for all intents and purposes "open". This product actually follows standards! In my experience it also prices cheaper for clients than Active Directory, although you never know because I'm sure it has changed.
The person who asked this question initially said that the only other option to Active Directory was A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists)
This simply isn't true. There is eDirectory and it's better! (PDF) Wake up people! It's 2005 and there is a better option out there and to top it all off they are a Linux company too.
Get your Unix fortune now!
I've done it with SME server and NIS to replicate users. Does everything, very simple and the new version in beta is looking very slick. contribs.org
Hi all. A.Directory is not so bad for an LDAP made by MS, and if your boss wants MS Exchange (too bad...).
Nevertheless I'll have a look at Redhat Directory.
What about Redhat Directory http://www.redhat.com/software/rha/directory/ . I think it can help you.
See some of the features.
# Centralizes management of people and their profiles, thus reducing administrative costs
# Acts as a central repository for user profiles and preferences, enabling personalization
# Allows 4-way multi-master replication of data across the enterprise, providing a centralized, consistent data source available to enterprise applications
# Enables single sign-on access with a partner solution
# Provides scalability for massive numbers of users by containing the information control required for developing extranet applications
# Provides full support for 64-bit HP-UX and Solaris platforms.
# Provides the foundation for strong certificate-based authentication when used in conjunction with a Red Hat Certificate System
Regards.
Guillaume.
You can try Zoho Virtual Office (www.zohovo.com) for your groupware solution. It works on Linux and Windows. A demo is available @ http://demo.zohovo.com/ Raju Zoho Team
Windows Server System. End of Discussion.
As far as I recall, the Apple Password Server is only provided for backward compatibility with previous MacOS releases. I don't wish to denigrate what Apple has achieved in shipping OpenDirectory with their OS, but anybody can install Heimdal Kerberos, OpenLDAP, and Cyrus SASL and get automatic integration of Kerberos principals with LDAP accounts and Cyrus passwords. All of these three packages support each other directly, out of the box. And likewise, since you can create a single LDAP user object with all of their Kerberos info, Unix info, and SASL info in one place, they naturally all replicate together. So there's nothing magic about OpenDirectory here. (Nevertheless, OpenDirectory is good stuff, and I'm sure it will be even better in the future.)
And yes, I'm on the OpenLDAP core team, and I wrote a lot of the code that makes Heimdal, OpenLDAP, and Cyrus SASL play together. It's been working well in the field for years. And for those people who have trouble getting configure scripts to connect everything the way they want, my company Symas Corp. offers pre-built binaries of all of these packages, already integrated, ready to run.
-- *My* journal is more interesting than *yours*...
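The post above makes the point that one LDAP object can carry a user's Kerberos, Unix and SASL information together, so all of it replicates as a unit. The script below is an added example, not code from the OpenLDAP project or from the poster: it builds such an entry, writes it out as RFC 2849 LDIF (base64-encoding values that are not LDIF-safe), reads it back, and checks that the pieces agree with each other. The `krb5Principal`/`krb5KDCEntry` object classes and `krb5PrincipalName` attribute follow Heimdal's hdb schema, and `{SASL}` in `userPassword` is OpenLDAP's pass-through scheme; both are assumptions made for this example, as are the sample account and realm.

```python
"""One LDAP entry for Unix + Kerberos + SASL, serialised and checked. Added example."""
import base64


def _needs_base64(raw):
    # RFC 2849 SAFE-STRING: printable ASCII only, no NUL/CR/LF, and the first
    # byte may not be space, colon or '<'.
    if not raw:
        return False
    if raw[0] in b" :<":
        return True
    return any(c in (0x00, 0x0a, 0x0d) or c > 0x7f for c in raw)


def ldif_line(attr, value):
    raw = value.encode("utf-8")
    if _needs_base64(raw):
        return "%s:: %s" % (attr, base64.b64encode(raw).decode("ascii"))
    return "%s: %s" % (attr, value)


def to_ldif(entry):
    """entry is a list of (attr, value) pairs with dn first; returns one record."""
    return "\n".join(ldif_line(a, v) for a, v in entry) + "\n"


def parse_ldif(text):
    """Minimal RFC 2849 reader: unfolds continuation lines, decodes '::' values,
    returns a list of {attr: [values]} dicts. Comments/version lines are skipped."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # folded continuation line
        else:
            logical.append(line)
    entries, current = [], {}
    for line in logical + [""]:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL values (:<) are not supported here")
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    return entries


def build_user(uid, cn, sn, uid_number, gid_number, realm, base_dn):
    """Unix account, Kerberos principal and SASL pass-through marker in one object.
    krb5* names: Heimdal hdb schema (assumed). {SASL}: OpenLDAP pass-through (assumed)."""
    principal = "%s@%s" % (uid, realm)
    return [
        ("dn", "uid=%s,ou=People,%s" % (uid, base_dn)),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "krb5Principal"),
        ("objectClass", "krb5KDCEntry"),
        ("uid", uid), ("cn", cn), ("sn", sn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", "/home/%s" % uid),
        ("loginShell", "/bin/sh"),
        ("krb5PrincipalName", principal),
        ("krb5KeyVersionNumber", "1"),
        ("userPassword", "{SASL}" + principal),   # bind is answered by SASL, no hash kept here
    ]


def check_user(entry):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    for attr in ("uid", "uidNumber", "gidNumber", "homeDirectory",
                 "krb5PrincipalName", "userPassword"):
        if attr not in entry:
            problems.append("missing " + attr)
    if problems:
        return problems
    uid = entry["uid"][0]
    principals = entry["krb5PrincipalName"]
    if len(principals) != 1 or principals[0].split("@", 1)[0] != uid:
        problems.append("krb5PrincipalName does not match uid")
    uidn = entry["uidNumber"][0]
    if not uidn.isdigit() or int(uidn) < 1000:
        problems.append("uidNumber must be a non-system id (>= 1000)")
    pw = entry["userPassword"][0]
    if pw.startswith("{SASL}") and pw[len("{SASL}"):] != principals[0]:
        problems.append("{SASL} userPassword points at a different principal")
    if pw.startswith("{CLEARTEXT}") or not pw.startswith("{"):
        problems.append("cleartext userPassword stored in the directory")
    return problems


if __name__ == "__main__":
    e = build_user("alice", "Alice Müller", "Müller", 5001, 100,
                   "EXAMPLE.COM", "dc=example,dc=com")   # constructed sample
    text = to_ldif(e)
    print(text)
    print(check_user(parse_ldif(text)[0]))
```

The last check is the one worth keeping around: a `userPassword` with no `{scheme}` prefix is stored as cleartext by slapd, which is exactly the thing the Kerberos/SASL arrangement is meant to avoid. Run the checker over a full `slapcat` dump before enabling replication, since a bad entry replicates just as faithfully as a good one.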
Give CommuniGate a try. The trial is free. It provides more than the ordinary user needs, and may be suitable for your case.
... plus, in case you need to equip desktops, too, I suggest looking at KDE and Kolab (http://www.kolab.org/). Kolab is a nice, integrated groupware solution which includes a server and a smart client based on KDE's "Kontact".
If you need to deploy user desktops, the "Kiosk" framework in KDE makes it easy to lock down the workstations and guarantee an easy job for the administrators.
Communigate.
Full exchange compatibility with an exchange connector you install - but it *does* work, and has for ages.
Does everything well, on any OS you want. Sorry - I can't see *any* reason to run Exchange. None. Not when the competition is just *so* much faster.
-- A mind is a terrible thing.
For a company with about 100 employees, hosting an entire AD/Exchange infrastructure sounds very wasteful. The cost per mailbox tends to be much higher than seeking messaging as an external commodity service.
It might make sense to run an internal directory server for accounts and IT asset tracking, but it's not at all clear that you need to run the messaging internally. Companies like Outblaze will do this sort of thing for you, or folks like IBM and HP (ObDisc: I work for HP) offer these sorts of managed services.
Actually, there's so little information in your original requirements list that it's very hard to recommend anything. It has to be said that phrases like "cobbled together" rather than "tailored integration" make it sound like you want justification for your already-made decision; if I'm wrong on this one, I do apologize.
What will you be managing in the directory? Are you likely to be buying off-the-shelf LDAP aware products. Is LDAP 2000 branding important to your organisation? Are your applications Kerberised? What's the expected expansion/contraction of the company. What sort of R&D budget have you got? What is the target cost per user per mailbox? How important are shared calendars versus personal time trackers?
Sorry to be negative - but without that sort of information, anything you see here is likely to be "I use X, and like it, so I say use X".
--Ng
If you do not have any client software that is dependent on Windows, you might consider an Apple solution. That allows you to minimise personnel costs, while maintaining a high security level and full functionality for any client OS you can come up with. Look at license and storage cost and an Apple Server solution suddenly comes out really cheap, certainly when you count in the hours you will need for maintenance and setup.
Additionally - Active Directory et al. isn't as easy as people would lead you to believe ("It's Windows! It has a GUI! Therefore it's easy!")
We just had Active Directory rolled out here. Our performance problems were so bad we had to hire Microsoft consultants to try and figure it out - and these people from the company that makes the product took over a month to actually come up with a solution that ran only half as quickly as our old Novell system. Admittedly, it's a much bigger system than 100 users (and I'm glad I have absolutely nothing to do with it, it's a nightmare) but Microsoft Active Directory and Windows aren't some sort of ease of use silver bullet. In fact after seeing what trauma they went through, it's not actually any easier than a "cobbled together" OpenLDAP/Samba installation and a great deal more expensive.
Oolite: Elite-like game. For Mac, Linux and Windows
But I would implore you to stay away, especially if you are interested in the possibility of having users use VPN services to log into your network. We found Novell's VPN solutions to be disgustingly expensive.
Two way overkill Nortel Networks Contivity Switches behaving in a fully redundant setup, both hardware and software, cost us significantly less than Novell's software solution alone. That didn't even count the hardware to run it on. When we decided to go with an alternate, it became necessary to use an alternate RADIUS solution, because Novell's solution once again turned up to be decidedly expensive.
We're talking in excess of $10,000 for RADIUS services that I ended up setting up for free using FreeRADIUS on preexisting hardware running Linux.
Even after that it took significant tweaking of the Novell Client to work properly. Primarily this was due to the client's default behaviour of caching information about the network, which as far as I am concerned is totally absurd in a modern environment where laptops accessing a network by multiple methods should not only be considered possible, but likely. And in the end we did get it to work quite nicely, to the point where we no longer had any user complaints, but Novell's technical support was COMPLETELY useless, and it took us reading, making educated guesses, and experimenting to achieve this.
Novell's response was that we should have just used their software. They were into locking us in, in a similar fashion to Microsoft. Sure, that IS what I got paid the big bucks for, but then why was the company also paying big bucks for support from Novell?
Novell likes to talk Linux, and talk low costs, and talk simplicity, talk open source, and talk interoperability, but my experience was that in practice, they were phoney on all counts.
The way I see it you are best to seek open source alternatives, or lock yourself into the beast whom everyone's third party applications should reasonably be expected to work with. That might seem like a very much fallacious argument, but the way I see it the middle road is not so middle, and you are asking to cause yourself considerable headaches trying to get their solutions to work with software and solutions you would feel, at first glance, that you should reasonably be able to expect your Windows client computers to work with.
Just my not so humble two cents.
Firstclass sucks. What do they have so special? It's just a message board without the web interface. And, btw, where's the linux client that they've promised and they're "testing" for the last 3 years?
I'll do the stupid thing first and then you shy people follow...
Don't go near AD for unix authentication.
It's not even nearly stable in large environments. I've seen replication stop for no reason, servers crash for no reason, the performance is shockingly bad. It can also tarpit the LDAP port when it gets busy, leaving your clients hanging.
It also takes Microsoft around a month to fix bugs that cause random reboots, and even then private fixes can cause more problems than they fix.
Local passwd files are better than AD. Way better.
For a supported version of the highly-regarded LDAP formerly known as Netscape Directory Server that runs on Linux, see Red Hat Directory Server. And to try before you buy, you can check it out on Fedora as the parent suggested.
-- Moderation in all things, exceptions to all rules --
Apple's OpenDirectory system is a joy to use and easy to set up. However their lack of a groupware system is truly a shame.
Having said this, I would have a look at CommuniGate Pro from Stalker.com. It integrates with OpenDirectory and you can use Outlook as the client front-end and get pretty close to an Exchange system for less money, and the hardware requirements are much less hoary.
I for one have found that all groupware services can be given to MS Outlook users over FreeBSD and Mail::Toaster (http://www.tnpi.biz/). The toaster is effectively a mail daemon and LDAP store, supports IMAP, POP, SMTP and WebMail, with spam and AV scanning, and is also quite well documented. Set it up on an old dual PII server and you will be home free for years.
Basically, if you're expecting to use A.D anywhere, you're really advised to stick to all-MS.
We worked hard on getting A.D. to play nicely with a Unix LDAP system, Bind (DNS), Samba, etc. and it just wasn't even slightly fun. There's quite a few hacks that they use, and they seem to expect an ability to dynamically-update quite a few things (e.g. in DNS) which was tricky to get going with Unix tools. On top of that, it will be expensive.
However, if you avoid A.D., and even Windows PDCs, it's actually fairly easy. OpenLDAP is mostly only tricky for Access-Controls, Samba 3 can do pretty-much everything SMB/CIFS file/print-related, and can auth. against LDAP easily.
We preferred Exim over Sendmail, Postfix, and QMail, but just pick the one you like best as they all do LDAP.
We installed Dovecot for the IMAP server -- does LDAP, too.
I think the main point is: if you use some decent (read: fully-compliant) LDAP server, or X.500 + LDAP shim, the rest of it can be whatever you like best.
I would like to put in a couple of other points:
However licenses start at £150-ish/user, and £3000-ish/server... (sorry if I mis-remembered those prices!)
- the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.
But I take issue with this mythology...I work with IBM's Tivoli security solutions, most of which use the LDAP Directory Server under the hood (and, illustrating the beauty of *standards*, also tend to support the use of Novell, Sun, & MSAD). The underlying DB2 engine doesn't require independent tuning, maintenance, or administration in the vast majority of deployments. It isn't until you get into user populations of several hundred thousand that you start tweaking the DB2 parms...and the solution actually includes a detailed LDAP tuning guide that explains how and when you should tweak the DB2 and OS-level parms.
The notion of needing a DBA just to deploy the IBM LDAP is just silly...any tech capable of RTFM can handle a moderate implementation on his own.
Here's the kicker: Which would you prefer for performance and scalability? A directory that uses flat or proprietary file structures for data storage, or one that uses a scalable and reliable relational database engine? Seems like a big "duh!" to me.
And, as you mentioned...it's free. Go download it from IBM and try it out. If it doesn't work for you, or if you decide you can't do it without a DBA, well...you aren't out any expense. Export it all to an LDIF and bring in the next vendor.
The parent poster (as with many other posters) refers to the term LDAP. Correct me if I'm wrong, but isn't LDAP simply a protocol?
If you (i.e. the collective you) speak of an LDAP implementation, do you mean you implemented the protocol? It would seem more accurate to say "We are implementing an OSS-based, LDAP-enabled directory service."
Active Directory also implements LDAP, so this term would equally apply to this Microsoft product.
All the A.D. advantages you've mentioned are avail. under OSS, long before A.D. had them.
Perl modules for LDAP are old news. They're very useful.
In fact, I've made Perl update PDC data a lot more easily than anything else I've used.
You can easily create multiple hierarchies under one LDAP Base DN, and apply your ACLs based on the Base DN. You can even create multiple Base DNs running on different servers, and teach them how to pass clients off to each one.
If you really need strong auth and auth-domains, you should be looking at Kerberos. Even A.D. is based on it, and many, many products can use it (i.e. Samba, PAM libraries, etc).
I'm not too sure how it interacts with LDAP, but I believe it can with little pain -- in fact I vaguely remember OpenLDAP can auth. against Kerberos somehow...
And the thing about being able to use it "out of the box" implies a workable set-up as soon as it's installed, which just doesn't happen in the real world:
You read the docs/go on your course
You adjust your expectations
You install
You configure it properly for your environs
You test
You add some power-users
You fix
You get it signed-off
You deploy
(You fight off complaining users who are never satisfied)
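The two points above, ACLs scoped per subtree under one Base DN and mapping Kerberos identities into OpenLDAP, as an added slapd.conf illustration that is not from any poster. The suffix dc=example,dc=com, the ou=finance and ou=engineering subtrees, the admin groups and the realm EXAMPLE.COM are assumed names.

```conf
# slapd.conf fragment (added illustration, not from any poster).
# Assumed: suffix dc=example,dc=com, subtrees ou=finance / ou=engineering,
# groups cn=finance-admins / cn=eng-admins, Kerberos realm EXAMPLE.COM.

# Global section: map a GSSAPI (Kerberos) identity onto a directory entry.
# A ticket for jdoe@EXAMPLE.COM arrives as the SASL DN below (realm is
# lowercased by slapd) and is rewritten to the entry whose uid is jdoe.
authz-regexp
  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)

# Inside the database section for dc=example,dc=com.
# ACLs are evaluated top-down; the first "access to" that matches the
# target decides, so the most specific rules must come first.

# Password hashes: the owner may change them and anyone may bind against
# them, but nobody (not even the owner) may read them back.
access to attrs=userPassword
  by self write
  by anonymous auth
  by * none

# Finance subtree: its admin group writes, other logged-in users read,
# anonymous clients see nothing.
access to dn.subtree="ou=finance,dc=example,dc=com"
  by group.exact="cn=finance-admins,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# Engineering subtree: same pattern with a different admin group, so
# neither group can touch the other's branch of the tree.
access to dn.subtree="ou=engineering,dc=example,dc=com"
  by group.exact="cn=eng-admins,ou=groups,dc=example,dc=com" write
  by users read
  by * none

# Catch-all: the rest of the tree is read-only for authenticated users
# and invisible to anonymous binds. rootdn bypasses ACLs entirely.
access to *
  by users read
  by * none
```

Check the result with `slapacl` before restarting: `slapacl -b "uid=jdoe,ou=finance,dc=example,dc=com" -D "cn=eng-admins,ou=groups,dc=example,dc=com" userPassword/read` should report no access.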
Apple's Password Service is the authentication database for Open Directory. All other services reference the Password Server database for authentication services.
They don't really call it Password Server anymore, they just talk about it as a part of Open Directory.
Never ask for directions from a two-headed tourist! -Big Bird
Cheaper, more robust, easier to manage than either Microsoft or pure OSS software. Well, cheaper than MS anyway - more robust and easier to manage than either of the choices you mention.
While I would normally say use OpenLDAP, Sun has recently made a version of their Directory Server free and open source. Their GUI management is excellent, and it supports Multi-Master Replication.
In case you're not familiar with MMR, think about your normal scenario. Maybe you have 1 master server and 2 slaves, one for each physical location. With MMR, you quite literally have 3 master servers, all of which can be updated and will push the changes to the others. This means no more worrying about losing the "most important" server--they are all equally unimportant if lost!
A year spent in artificial intelligence is enough to make one believe in God.
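The three-master layout described above, as an added illustration in OpenLDAP syncrepl terms rather than the Sun Directory Server the post refers to; it is not the poster's configuration. The hosts ldap1/ldap2/ldap3.example.com, the suffix and the replication account are assumed names.

```conf
# slapd.conf fragment for ldap1 (added illustration, not from the post).
# Assumed: hosts ldap1/ldap2/ldap3.example.com, suffix dc=example,dc=com,
# replication bind account cn=replicator,dc=example,dc=com.

# Global: each master needs a distinct serverID (2 on ldap2, 3 on ldap3);
# it is baked into the entryCSN timestamps used to order changes.
serverID 1

database mdb
suffix   "dc=example,dc=com"
rootdn   "cn=admin,dc=example,dc=com"

# Consume changes from each of the other two masters. rid must be unique
# per stanza on this server; refreshAndPersist keeps a live connection so
# updates arrive immediately instead of on a polling interval.
syncrepl rid=002
  provider=ldap://ldap2.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials="REPLACE_WITH_REAL_SECRET"
  starttls=critical
  tls_reqcert=demand

syncrepl rid=003
  provider=ldap://ldap3.example.com
  type=refreshAndPersist
  retry="5 5 300 +"
  searchbase="dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials="REPLACE_WITH_REAL_SECRET"
  starttls=critical
  tls_reqcert=demand

# Accept writes here as well as on the other two: this is what makes it
# multi-master rather than a master with two consumers.
mirrormode on

# And provide our own changes to the other masters.
overlay syncprov
syncprov-checkpoint 100 10
```

Caveat: concurrent writes to the same entry on two masters are resolved by entryCSN, i.e. last writer wins, so clients that need an atomic update (password change plus lockout counter, for instance) should still be pointed at one master at a time.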
http://www.desknow.com/
Java based, platform independent and decent support. Also AD/LDAP integration. Outlook synchronization tool.
From their site: A full-featured and integrated mail and instant messaging server, with webmail, secure instant messaging, document repository, shared calendars, address books, message boards, web-publishing, anti-spam features, Palm and PocketPC access and much more. Very inexpensive.
You never mentioned the type of organization and users.
Assuming a mix of technical staff and business operations (not a health organization or lawyers office etc.) You'll have to anticipate that you will have to deal with a lot of user desires for different clients etc. "Groupware" users are largely business folks due to the shared calendars, contacts, etc. However, when you add IM, online meetings and other SIP-based services, you'll end up with an incredible communication tool for the entire company.
I've been running Communigate Pro (http://www.stalker.com/) for a long time, and it will do everything above at a very good price. It will also give you an LDAP server and the groupware you want. It has class-A support for IMAP, MAPI, POP, whatever, in addition to webmail. It does SIP, meaning IP telephony and instant messaging, and can provide Microsoft meeting etc. support out of the box. The next version will be an IP PBX as well, so you can build your phone system around it too.
Communigate Pro administration is incredible:
1. Setup takes about 30 minutes
2. Version upgrades take about 5 minutes.
3. A simple web interface for most tasks
4. Uses standard unix mailboxes or maildir
5. runs on just about any platform
6. has a CLI and a scripting interface
7. Aids you in solving all sorts of compliance issues etc.
8. Supports the essential virus scanning, spamassassin, and automated rules.
9. Users' web-mail is a great tool for users to self-administer
10. Beautiful quota handling!
Your cost with CGPro is much lower than Exchange, and still you have much better support for open standards while providing good support for Outlook users.
You should really check it out.
Johan
http://www.redhat.com/software/rha/directory/
It's just a better product.
If you're buying any Windows servers at all AD would be cheaper than licensing eDirectory.
Conversely, if you are buying any Novell servers at all you get eDirectory as part of the OS. That's right, eDirectory is included in Netware 6.5, which allows you to install either the Netware kernel or the Linux kernel.
Novell also offers GroupWise, a fantastic groupware platform that easily rivals Exchange, and in many cases GroupWise blows it away!
In my opinion the choices are Novell and eDirectory or Microsoft and Active Directory. My preference would be Novell, but certain circumstances could make Microsoft a better choice.
There's a lot of Novell lovin' going on here. As someone whose main file server is Novell, I can certainly understand that.
What I can't understand is how many of them are marked trolls. Looking at the mod points, it looks like it's not just one rogue modder, it's several (or one person with several accounts). Are the MS fanboys so insecure that they can't even deal with someone mentioning Novell? Or do people actually get off by trolling via mod points?
There just is simply no reason to bite the Microsoft bullet anymore. The whole "support" issue is largely a myth. Anyone can support Linux and UNIX if they are technically inclined. If you have a technician who feels they can't learn Linux then they are really not technically minded. They've merely learned to support Microsoft products. There is a big difference and learning that difference will better prepare your company. Given the convoluted licensing scheme Microsoft uses, the cost of renewing, the fact that you'll be having to make compulsory upgrades at a cost, and the fact that OSS is just outright cheaper, I can find no reason to move to Microsoft if I were launching a new infrastructure.
If you are going to be a Windows desktop shop then you might want to consider Groove http://www.groove.net/ for your groupware.
For our organization Groove has done what we needed and provided a nice side effect in that important files are automatically "backed up" if they are in a shared workspace. Since we work from laptops the off-line usage has also been an important feature.
Groove was already integrated with Office and Project. Now that they have been bought by Microsoft I expect that integration to deepen.
A quick list of features is available at http://groove.net/index.cfm/pagename/VO_Compare/
To ask my own question here: does anyone know of an OSS alternative to Groove? Anything like it at all?
Fedora Directory Server was bought from AOL. It was then called Netscape Directory Server. So I think it is robust.
It has a graphical interface: AdminUtil and SetupUtil.
http://directory.fedora.redhat.com/wiki/Main_Page
Has anyone tested this?
You should take a look at XAD: http://www.padl.com/Products/XAD.html
It is basically the cobbled together solution you mention, only nicely integrated into one supported package.
There is a missing piece to this puzzle, and it would greatly help us propose solutions. There were 3 companies before; what software licenses did they already have? Do you already have an Exchange license, or 5 copies of Novell 6.5, or a bunch of Macs?
This needs to be taken as two pieces. What is your desktop platform, and what can you do to make that desktop the most secure and provide the most services to your company? Why do some people implement Exchange when there are OSS products out there? Easy, Execs like those fancy PDA phones that can get their emails and calendar from anywhere (and it replaces laptops).
Find out what the business needs are, figure out what you have, then look at the software that will support that.
-Joe
Never thought I'd be saying this, but have you looked at Novell lately? I recently got pulled in to be the Linux consultant on a classic Netware to Novell Linux (SuSE) migration. eDirectory/Identity Manager are really nice.
`fortune -o`
The password server is there to securely handle any authentication that is _not_ covered by Kerberos.
Users don't always have a TGT.
We're in the middle of a Nitrobit deployment right now, and I'd have reservations about recommending it. It's a great idea (Group Policy without Active Directory), a reasonable price, and they seem to have a fairly fast release schedule and quick, helpful tech support, but we've had one problem after another getting it to work (so we've had to rely on that tech support more often than we'd like). I expect that we'll be able to get all of the bugs worked out, and it should be very nice once that's done, but it's been a headache getting there.
Nitrobit gives you a few limitations that you wouldn't have with a full fledged AD deployment. For example, AD allows laptops to have two separate firewall profiles, one for when it's connected to the domain and one for when it isn't. With Nitrobit, as far as Windows is concerned, it's never connected to a W2K/2K3 domain, so you only have one profile.
Feel free to drop me a message if you'd like any more details.
What about Novell eDirectory? It still is a valid option and it runs on Netware, Windows, and Linux.
I currently use ActiveDir but it just doesn't make cross authentication with Linux easy. I will most likely be switching to eDirectory next year.
~Petaris "The world is open. Are you?"
I have deployed both. The differences between the two are night and day:
Exchange: Easy to install, monkeys can administrate it, unparalleled 3rd party support, fully documented API.
OpenXchange: Fucked to install, you have to know exactly what you are doing to administrate it, almost zero third party support, largely undocumented API assuming one exists for what you are trying to do.
Still, to me, OpenXchange wins, hands down. Because the user paradigm of "you must use Outlook in X fashion" with Exchange is completely thrown away in OpenXchange and the web GUI is brilliant. Costs and hassles aside, to me, OpenXchange got the concept of groupware *just right* - trust me on this, OpenXchange is the best OSS groupware, and if it were not for 3rd party support, and the fucked installation and administration it would get my vote for best groupware ever (Notes, puh-leese, it's on crack). Oh ya, and it integrates with OpenLDAP so no prob there. Give it a serious look, it's really really good. Enterprise good.
And I guess you also didn't know that Novell has contributed code to the FreeRADIUS project to facilitate CHAP, MSCHAP, LEAP, and PEAP authentications against the eDirectory Universal Password. Novell even provides an administration guide for configuring FreeRADIUS with eDirectory.
This gets a little outside the scope of Directory Services, but it's a question I haven't found an answer to in a while.
One of the semi-popular management features of AD installations is its ability to push policies to clients, including the automatic installation of mandatory software, etc. From a sysadmin point of view, this seems like a good feature to me since it would allow me to force everyone to use basic protection (spybot, zonealarm, etc.).
Does Open Directory, OS X Server, or any of the other products discussed here also offer this kind of a feature?
-J
I preface this with the disclaimer that if you have a large enough amount of unix/linux and Mac clients then you lose a lot of the reasons for and functionality of AD.
When it comes down to it, in a Windows environment, Active Directory is second to none. With W2K3 they let you get much more fine-grained with your replication, site-links and routing than in 2K, which caused some companies with many sites some slowness and issues (as some of the other posters have mentioned). It has gotten to the point where, when you have at least 2 servers for replication/redundancy, it is bulletproof, well understood, tested and trusted in the industry.
As with any other product you need to get the manuals and see the best practices for how MS would have you configure the tree, the sites and the security groups and permissions. I have seen people try to wing it because it has a GUI and the results are rather poor. Done right AD is a near flawless solution to the directory services problem. It lets you configure almost any setting on a 2K or XP workstation through Group Policy. It lets you implement a software deployment/management system (MS SMS) that will install/upgrade software either on a user or a PC basis. It is cheaper than most of the other corporate solutions that lack this level of ease of control over the workstations.
People here talk about forced upgrades but I have clients still using NT4 domains, servers and workstations after 10 years and they have not been forced so that is rather BS. MS supports their solution and will keep it viable and steady far longer than many of these open source projects may well. It is something that, if your organization grows, it is easy to hire somebody to help maintain and interact with as it is the industry standard.
As a previous poster said, if you are a MS house already, just buy it already. If you are going to use Exchange, even more so you need AD. It seems to be the clear choice.
Triplesec
Triplesec is geared toward acting as a resource/ACL repository and can be accessed via the Guardian API (on the same site).
These are still works in progress, but I know one of the developers - a very smart guy - one of the smartest people I've ever met.
Yes, OS X Server supports "pushing" policies out of the box for OS X clients. There's a range of methods you can use for managing OS X clients, including NetBooting, managed clients, and mobile home directories.
There may be a way to hack in management features for other OSs, but there's nothing simple I'm aware of.
We run OS X Server 10.4.2 on an Xserve G5 to provide directory, authentication, and home directory / file sharing to about 15 Linux and Windows clients. We used to use FreeBSD instead of Linux, but switched due to a variety of hassles with BSD (didn't play nice with our hardware, nor with OS X Server's NFS). The Xserve G5 might sound like overkill, but there's some light scientific computing / numerical work that happens on these machines, which can generate substantial loads.
Why do you need to lie?
Honestly.
It is not cheap. Monopolies, in case you did not know, raise the costs of the goods and services you use because they stifle any meaningful competition.
In any case, it is a well known fact in the industry, especially when it comes to directory services, that, technical merits aside, MS solutions are more expensive per seat. Also you need more System Administrators given the restrictions of MS operating systems and tools (when handling directory services the possibility of using proper scripting languages can be all the difference in the world, saving you real money).
Also apparent speed sacrifices flexibility, as apparent ease of use does.
Ease of use is fine for desktop users; for systems administrators it is a straitjacket better avoided (and in today's regulatory climate, documenting point-and-click solutions is becoming a nightmare, nothing compared with a few clean, fully documentable scripts and configuration files about how you are implementing your name services).
IANAL but write like a drunk one.
The subject line pretty much says it all.
Novell has a fine product that I used for many years. Their eDirectory is cross-platform compatible, can be made RFC-compliant with little effort, is strongly supported, and scales far beyond what AD can handle in real-world use.
Active Directory is another "embrace and extend" powerplay that doesn't scale to the level of Novell's eDirectory or integrate to the level of Open Source. It's non-RFC-standard to the point that I just call it "broken" and use OpenLDAP to ameliorate its deficiencies.
We run an OpenLDAP infrastructure that securely unifies our identity and attribute management across HPUX, Red Hat, Slack, Solaris, and Windows. But it was very tricky to build (took years, literally) so I cannot recommend it as a quick or easy solution, even though it is tremendously robust, powerful, and cost-effective.
My employers have purposely chosen to invest in really smart people who can handle an Open Source solution instead of really smart software that works out of the box. You may find it better to go the other way; it depends on your business model really. We need those smart people for other reasons, so it makes sense to spend lots on salaries and little on software (please don't take that to mean we are freeloaders - we pay for our OSS, just far less than Novell or Microsoft charges for the same functions).
I laugh at you!! There IS NO SOLUTION... sucker! Just a pile of code you're welcome to string together yourself.
F/OSS you are truly pathetic.
Love,
Myren
Re:Easy writes:
"- Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult."
Being a Novell shop (and Microsoft, and Sun, and OpenLDAP, blah blah blah), eDirectory is less like belonging to a "secret cult" and more like being part of a revolution. We use eDirectory as our "Identity Vault" with DirXML to synchronize all of our other directories and databases. It rocks!
Sorry for the late reply, but it's been busy here.
Open Directory has provisions via the Workgroup Manager settings from Mac OS X Server to completely manage clients. In conjunction with Apple Remote Desktop and NetBoot it gives you the ability to manage almost anything on a client machine.
There are also third-party packages that can help with this process, such as NetRestore and Radmind.
Some URLs:
http://www.apple.com/server/macosx/features/workgroupmanagement.html
http://www.bombich.com/
http://eq.rsug.itd.umich.edu/software/radmind/
--Paul