Slashdot Mirror


Searching for a Directory Service Solution?

kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of app. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why." "For me, the choices are stark and clear:
  1. MS Exchange/Active Directory
  2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
For (2) we have evaluated, and are strongly considering, the following: Of course, Samba 4 will address some of this 'cobbling', but we can't wait for that."

26 of 367 comments

  1. Easy. by XorNand · · Score: 4, Insightful

    So, the question seems to be: OSS vs. Microsoft. Am I right? If so, the answer is easy: Which platform do the people who will be managing the stuff have the most experience with? It may be sacrilege to say it here, but if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hassle to go the OSS route.

    I forget who said it but "OSS is free like a puppy is free". You need to have the staff to tend to the care and feeding. In the Detroit area at least, Windows guys are a dime a dozen. Competent Windows guys, while a bit more rare, are still easier to find than experienced Linux admins. (Of course, I'm looking at your question from a business consulting standpoint. If you're looking more for a technical recommendation, there's a lot more people here better qualified than me.)

    --
    Entrepreneur : (noun), French for "unemployed"
    1. Re:Easy. by ndansmith · · Score: 4, Insightful
      You may be underestimating just how much it actually costs to get a Microsoft enterprise solution off the ground. You have to pay for the Server 2003 software, Exchange, XP Pro (volume), Office, Terminal Services licenses, and don't forget server CALs. Plus, you have to worry about Microsoft "obsoleting" your software via Vista, Longhorn Server, Blackcomb, and beyond; another round of licensing (and by extension of Vista's hardware requirements: another round of hardware updates / replacements).

      Sure, it may require a fine tooth comb and/or training to get some qualified Linux guys on board, but I doubt that compares with the expense of purchasing the Microsoft solution.

    2. Re:Easy. by zulux · · Score: 5, Insightful

      if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hassle to go the OSS route.

      MS's newest/latest/greatest has a large learning curve as well. Your old MCSE who knows Windows Domains will have just as much trouble learning Active Directory as he would have learning Samba 3.

      I've trained MCSEs in open source technology - about 50% do just fine. The others were paper MCSEs and sucked at Windows too.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    3. Re:Easy. by hagrin · · Score: 2, Insightful

      MS's newest/latest/greatest has a large learning curve as well. Your old MCSE who knows Windows Domains will have just as much trouble learning Active Directory as he would have learning Samba 3.

      I've trained MCSEs in open source technology - about 50% do just fine. The others were paper MCSEs and sucked at Windows too.


      Ok, so you're saying techies trying the latest and greatest without any training fail more often than the users who received your training in OSS solutions? So, obviously, the parent still remains correct - whatever you are trained better in should be the solution that is adopted. Otherwise, the cost savings you get from OSS may never be reaped as their company experiences downtime, frustration, inexperience and getting the proper training they need.

      I think it's fairly clear that with the proper training and proven, qualified individuals that any solution will work if properly implemented and maintained.

    4. Re:Easy. by TedCheshireAcad · · Score: 3, Insightful

      Parent has a valid point, setting up and administering your OSS solution will take more work. However, you can tailor it better to your needs.

      I worked at Major Software Company in the Bay Area (tm), and their LDAP/Kerberos/Jabber/SMTP infrastructure worked very well, but of course, there were armies of admins to make things run smoothly. It was not without hiccups - but most if not all of the hiccups were minor (failed hard drives, etc.) and remedied within 20 minutes.

      My vote is for LDAP. You can do so much with it - authenticating users on your web apps is a cinch, directory lookups are easy, it integrates with every piece of mail client software, and it's free. Just my $.02.
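
      The comment above says authenticating web-app users against LDAP is "a cinch". It is, but two details are easy to get wrong, so here is an added example (not code from the thread, nor from any product named in it) showing the checks a practitioner wants in that path. The `FakeDirectory` class, the `uid=...,ou=people,dc=example,dc=com` entries and the passwords are all constructed for the example and stand in for a real server; the two behaviours it mimics are real: RFC 4515 filter metacharacters in a username (LDAP injection via `*`, `(`, `)`, `\`) and the RFC 4513 "unauthenticated" simple bind, where a DN with an empty password succeeds as an anonymous bind and a naive "bind returned OK, so log them in" check becomes a password bypass.

```python
"""LDAP login for a web app: naive version beside the hardened one.

Added example. FakeDirectory is a constructed stand-in for an LDAP server;
the user entries below are made up.
"""
import re
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be escaped in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before splicing it into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def _unescape(value: str) -> str:
    """Decode \\XX hex escapes the way a real server does when matching."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Minimal in-memory LDAP server (constructed for this example)."""

    def __init__(self, users: Dict[str, Dict[str, str]]):
        self.users = users  # dn -> {"uid": ..., "password": ...}

    def search(self, filter_: str) -> List[str]:
        # Only understands the filter shape build_user_filter() produces.
        prefix, suffix = "(&(objectClass=person)(uid=", "))"
        if not (filter_.startswith(prefix) and filter_.endswith(suffix)):
            raise ValueError("unsupported filter: " + filter_)
        raw = filter_[len(prefix):-len(suffix)]
        if raw == "*":  # unescaped wildcard: every person entry matches
            return list(self.users)
        wanted = _unescape(raw)  # escaped "\2a" is the literal character "*"
        return [dn for dn, attrs in self.users.items() if attrs["uid"] == wanted]

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 section 5.1.2: a DN plus an empty password is an
        # *unauthenticated* bind; many servers report it as success.
        if password == "":
            return True
        user = self.users.get(dn)
        return user is not None and user["password"] == password


# Constructed sample directory.
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "password": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "password": "hunter2"},
})


def naive_authenticate(directory: FakeDirectory, username: str, password: str) -> Optional[str]:
    """The version that looks fine and is not: no escaping, no empty-password check."""
    matches = directory.search(f"(&(objectClass=person)(uid={username}))")
    if not matches:
        return None
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None


def authenticate(directory: FakeDirectory, username: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None otherwise."""
    if not username or not password:  # never let an empty password reach bind
        return None
    matches = directory.search(build_user_filter(username))
    if len(matches) != 1:  # zero hits, or an ambiguous result set
        return None
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None


if __name__ == "__main__":
    print("naive, username '*' and empty password ->", naive_authenticate(DIRECTORY, "*", ""))
    print("hardened, same input                   ->", authenticate(DIRECTORY, "*", ""))
    print("hardened, real credentials             ->", authenticate(DIRECTORY, "alice", "s3cret"))
```

      The naive path logs in as the first entry the wildcard returns without ever checking a password; the hardened path refuses empty credentials before the bind, escapes the filter value, and treats anything other than exactly one hit as a failure. With a real server the same two checks apply whether the bind goes to OpenLDAP or to Active Directory over LDAP.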

    5. Re:Easy. by Tadrith · · Score: 4, Insightful

      This is definitely true. I've found it much easier, if instead of thinking of people as Windows techs, or Linux techs, you simply think of them as techs.

      A good tech should not be afraid of discovering and learning any system he or she might put their hands on, because part of being a good tech is learning how to keep your mind open and troubleshoot a problem. It doesn't matter if the problem is Windows, Linux, or a coffee maker -- you use the tools that you have to do the best job you can.

      I am a programmer for a living, but I also do double time as a technician. I am just as comfortable configuring Windows Server 2003 as I am with Novell Netware 6.5, or any flavor of Linux. I don't see it as my job, or my passion, to devote myself to one platform. My job is to help people with computers and give them advice on what solution works best for them. Of course, I have a primary area of expertise, but that doesn't stop me from learning on my own.

    6. Re:Easy. by Total_Wimp · · Score: 3, Insightful

      A good tech should not be afraid of discovering and learning any system he or she might put their hands on, because part of being a good tech is learning how to keep your mind open and troubleshoot a problem. It doesn't matter if the problem is Windows, Linux, or a coffee maker -- you use the tools that you have to do the best job you can.

      This is probably true for new guys learning an in-place system or a few new systems added to the familiar core network, but far less true for a bunch of newbies (to the system in question) trying to design something good from scratch.

      A good ADS guy will know how to design a good forest, he'll know how to acquire and install the necessary patches, he'll know how to set up secure systems and he'll know the quality sources of help when he needs them. He'll know which built-in and third party utilities will save his bacon and he'll know what to check on if stuff stops working.

      The only thing that will teach an MS guy how to do all this with Open Source is experience. The only way he'll get that is with a bunch of time working with the products in question.

      In other words, it's dangerous as hell to trust your brand new network with a bunch of noobs. Even if they're very bright noobs who will catch on quickly, you take quite a risk while they're doing the catching on. Put a bunch of these guys under a couple of experienced people and they'll likely do ok with the new network, but if you don't have that experience on hand you're begging for trouble if you uproot a known system and throw a bunch of new stuff in to replace it.

      TW

  2. 3. Mac OS X Server by dgatwood · · Score: 4, Insightful
    Considered Open Directory?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. STOP.... by ellem · · Score: 4, Insightful

    just save yourself the trouble

    W2K3.

    Just shut up, buy it and be done with it. It'll hook up with whatever you're running and it is fine as long as you take the same precautions any decent Sys Admin would.

    --
    This .sig is fake but accurate.
    1. Re:STOP.... by j-cloth · · Score: 2, Insightful

      You have to use the right tool for the job. In this case there is no directory server that can touch AD. Any other solution is just trying to replicate it.
      Exchange, I'm not so sold on, but it works and is well documented enough that you can do most of the things with it that you will want.

  4. Another Consideration by joelleo · · Score: 5, Insightful
    What exactly is the newly merged company doing? Is it supposed to be geeky-cool? Is it doing something totally unrelated to computers or technology? Is the IT infrastructure just a means to an end - users getting their work done?

    If the company is trying to do something geeky-cool, you may be best served by using a "cobbled-together" open source architecture. It'll show your boys' and girls' prowess on the console and could be used as a Hercules-on-a-pedestal showcase for your talents.

    On the other hand, in either of the other two cases, you're most likely going to be using MS on the desktop and your people aren't going to care that you've implemented OpenLDAP as long as their Word, Excel and Outlook work. In this situation, as has already been noted, you'd probably be best served by implementing Windows Server 2003 + Active Directory. An additional benefit is the expertise is relatively cheap and available, and may already be in-house with your amalgamated IT staff.

    Good luck!

    --
    "In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
    1. Re:Another Consideration by benjamindees · · Score: 3, Insightful

      may already be in-house with your amalgamated IT staff.

      Or there very likely isn't an IT staff, amalgamated or not. Three companies that join to form 100 employees, with poor infrastructure, typically means one company of 50 employees and a "Windows admin/something else" and two companies of 25 employees each that paid somebody to set up their networks five years ago and have since just watched it deteriorate.

      It sounds like the inquisitor is about to inherit a huge mess without necessarily the skills or resources to deal with it. If that's the case, I'd suggest taking a long-term approach:

      1) Decide who will manage the network (this is a full time job),
          A) if it's you, then
                i) choose what you're most comfortable with, else
          B) if it's not you, then
                i) put an ad in the employment section, outlining your requirements in a non-specific way, contact outsourcing firms, and take applications.

      You may be surprised at what you get. Linux and Open Source can save a ton of money and hassle long term, especially when implemented from scratch, but you have to know what you're doing. If you don't know or aren't sure, get help. A company of 100 employees can easily justify having two admins, especially when combined with the savings Linux and OSS are capable of.

      --
      "I assumed blithely that there were no elves out there in the darkness"
    2. Re:Another Consideration by ocbwilg · · Score: 2, Insightful

      I guess that person never heard of the "Software Assurance" program from Microsoft that forces upgrades every two years

      Software Assurance is not mandatory. There are quite a few companies (probably the majority) who don't use SA. Mine doesn't. Upgrades are still cheaper than buying new, but most companies aren't all that keen on constantly upgrading, and the ones that are will go with SA. Most companies buy new hardware, and buy it with an OS and the applications they will need. The hardware runs and does its job for 3-5 years, and when it's ready to be replaced the next version of the OS and applications are purchased.

      I dare that coward asshat who modded me troll to come out from under his/her rock and prove the honesty of that mod.

      You can't mod and post in the same topic. But assuming that the coward asshat did come out from under their rock, what would you do? Kick their ass? Grow up. Bad moderation is usually corrected by other mods and is somewhat lessened by metamoderation. Get over it.

  5. Re:3. Mac OS X Server by Penis_Envy · · Score: 3, Insightful

    The questioner did mention OpenLDAP. The advantage of going to the Apple solution would be the integration that it would provide, rather than "cobbling" together the solution themselves (as they said themselves). It's not just the GUI. Then again, it would be one more thing to manage/maintain.

  6. Do you have Windows desktops ? by drsmithy · · Score: 4, Insightful
    If you do, AD is your only realistic choice. Group Policy alone justifies using it.

    Added to that, it's not especially difficult getting Unix machines to talk to AD for authentication and other information (it's just LDAP, after all).

    It's a hell of a lot easier to integrate and manage a handful of unix machines in a Windows environment than it is to integrate and manage a hundred Windows desktops in a unix environment. IME, that's typically the scenario (unix servers for mail, fileserving, DB, etc and Windows desktops).

  7. Mod parent hilarious by Anonymous Coward · · Score: 2, Insightful

    W2K3 ... is fine as long as you take the same precautions any decent Sys Admin would.

    Myself being a decent Sysadmin, I can tell you my first priority is always to banish MS products to the extent possible. It takes time, but if you're starting from scratch this is an excellent opportunity to avoid future problems.

    Start by NEVER running anything mission critical under MS - especially a directory service.

    Continue by banning Internet Explorer companywide, and finish by

    Don't get me wrong; MS Windoze does have its strong spots. It is superb for playing games, hosting virus servers, spam drones, and spyware. If you want East European crime gangs to install packet sniffers, keystroke loggers, and Trojan Horses on your network, there is no platform more ideal than Microsoft Windows. But of course these strengths have nothing to do with running a secure business.

    Since you probably will have to run MS Office, do a trial run of MS Office under Mac OS X. You'll be quite impressed: You can have MS Office without all the client problems! Who would have believed such a thing could be possible? You may even find that OpenOffice is far more than sufficient.

    Deploy OpenOffice far & wide, but keep a couple spare seats of MS Office (for the Mac) onhand "just in case" some executive starts whining about different software, so you can just install it here or there selectively and shut them up. (That's the main purpose for buying MS Office. To shut people up.)

    The executives may question issuing Powerbooks for the traveling employees, but they WILL NOT complain when you show them the respective overhead and MIS support estimate numbers and corporate security differences when viruses and so on are all taken into account. Your company will remain freer of viruses when those traveling notebooks get plugged into the internet at hotels, then subsequently carried back to the office and plugged in again. Windows notebooks are one of the most notorious and uncontrollable computer virus vectors for spyware/crimeware.

  8. Active Directory and Exchange by mrscott · · Score: 4, Insightful

    Before I write, I should say that I'm in no way opposed to open source and use it where appropriate.

    If you want something very well supported, not horribly difficult to administer in a simple environment and tried and true, just go with Active Directory and Exchange, especially if your company's focus is on something other than providing unique technology solutions. (i.e. you sell baskets)

    While the open source solution might cost less up front, there is nothing in open source land at present that can touch the Exchange/Outlook combination. Sure, there are products such as OpenExchange, but let's assume that you want the option to easily add other services later on, such as true handheld synchronization (i.e. www.good.com).

    I know it can be sacrilege on Slashdot to not promote an open source solution every time, but sometimes, the business side of the house is more important than a cool technology solution.

  9. Re:I know! I know! by mabhatter654 · · Score: 2, Insightful

    The whole point is that he wants to learn to be the expert! If everybody on slashdot knows so much why is this such a difficult question? This is where the rubber-meets-the-road folks... if you want to use Linux and OSS professionally these are the questions that need answered by the community.

  10. Novell eDirectory/GroupWise by Anonymous Coward · · Score: 1, Insightful

    Want the best of multiple worlds? Have you ever seen any other directory ever try scaling to a billion objects, much less succeed at it? eDirectory does it.

    GroupWise with just 100 users could be run on one server without blinking but, to save headaches when the WAN goes down, spread it across the three servers already running eDirectory (for the same reason, and for redundancy). File-sharing exists the same. If you had a Novell partner they could implement something like this in a day in a lab without much thought, and maintenance means patching three servers (like every other solution) once in a while. Honestly I could build your entire environment in a lab in one day.

    For those who believe in true OSS to the rescue (as I do too), eDirectory supports LDAP versions 1, 2, and 3 as well as any other platform (OpenLDAP included). IDM (another Novell product) uses XML for connecting to third-party systems (even if the third party doesn't necessarily have an XML connector, Novell made those too). eDirectory, GroupWise, Zen, IDM, etc etc all run on Windows, NetWare, Linux, HP-UX, AIX, and Solaris... Not many products on earth can say that.

    Top that off with awesome support from Novell (really, it is great, and they have free forums for all their products searchable by Google Groups) and what else is there? Sure, you could do it all with OpenLDAP (no directory partitioning, though, and painful replication compared to eDirectory) and Samba (eDirectory/NetWare/Linux support Samba in Novell's world too) and Postfix (integrated into OpenLDAP even, maybe) but I think in this case, for ease of mind (ever seen a NetWare virus/worm/etc in the wild?) I would go with a Novell solution.

  11. Novell eDirectory ? by morcego · · Score: 2, Insightful

    I would not entirely discard Novell eDirectory.
    It is especially interesting in a mixed environment solution, and it does provide some interesting possibilities when coupled with Novell Client.

    The pricetag is also VERY attractive.

    --
    morcego
  12. Stark and Clear? by clarkeb · · Score: 2, Insightful

    What do you base your stark and clear choices on? Banyan was the first company to come up with directory services. Novell really took directory services to the next level when it came out with NDS and NetWare 4. Wow, one place to manage users, servers, printers, file system, DNS and DHCP, pretty cool. Well, Microsoft, not to be outdone, started calling NT's domain a directory so that they could compete with Novell. Novell threatened to sue MS about the false information on the MS web site about NT's "directory" and MS had to pull it. So, you guessed it, MS had to have a directory and eventually, after years, came up with Active Directory. Novell's NDS has evolved and MATURED, key word here, to eDirectory. eDirectory is a very scalable (over one billion objects), robust, LDAP v3 compliant directory service. Novell's Identity Manager product gives one the ability to manage identities in a multi directory/database environment. eDirectory runs on NetWare, Linux, AIX, HPUX, and Windows. There are other directories to consider including Sun, IBM, Siemens. Novell also has GroupWise email and groupware, and a pretty awesome desktop management suite, ZENworks, both managed in eDirectory. If I were you I would talk to the vendors and, better yet, talk to sites who have implemented AD, eDirectory and the others to do some due diligence and help make a good choice. Lots of people think that Novell is dead. This is not true. Check it out.

  13. Why not Novell? by koamana · · Score: 2, Insightful

    OK. You didn't mention Novell's eDirectory. AD works for small networks. It might even work for medium sized networks. If you want something that is going to scale, Novell wrote the book on directory services. They have their Small Business Suite of products. If you want to cobble(?), kludge it together, well you can look at open source solutions. In my opinion, directory services from open source isn't quite baked.

  14. Re:cobbled-together? by DaveV1.0 · · Score: 2, Insightful
    How many companies out there are sole proprietorships? What about LLCs, where one of the people happens to have/bring in about 80% of the billables?

    This is exactly why so many small businesses fail. A sole proprietorship (SP) where the owner is in an accident or gets sick and can't work or an SP with an owner who can't do it all. Great tech but a crappy marketeer, or good salesman but lousy time management or poor quality work. An LLC where one person brings in 80%, and then that person leaves, gets sick, dies, etc. is pretty much doomed to fail. I have seen it happen.
    Just about every "owner" or "CEO" fits the "business revolves around one person". Apple now w/o SteveJ? Yeah.

    While a small business with consolidated power will revolve around the one or few people with the power, one being the CEO does not mean the business revolves around one. That is the kind of thinking that led to the dot.com bust, Enron, and all the other scandals. It is also the kind of thinking that has caused CxO pay to balloon, while the middle and lower employee's pay has barely increased (it hasn't even kept up with inflation). If what you say is true, then no CEO would ever be unseated because it would be death for the company.
    --
    There is no "-1 offended" or "-1 you don't agree with me" mod options for a reason.
  15. Easy: Novell by ImaLamer · · Score: 5, Insightful

    Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.

    Not true, you can use Novell's NDS (eDirectory, the LDAP server software) right on top of Linux, Unix, or Windows. The admin tools are almost all Java based or otherwise accessible so you aren't locked in there (clients and management tools for Linux, Unix and Windows). Novell can manage the rights, er permissions, er privileges for clients of any flavor (because a directory services solution is about managing the resources on the network) - and has less bloat and more security than Active Directory.

    Novell is my choice hands down. It isn't the nightmare product it used to be. Quite flexible, scalable and for all intents and purposes "open". This product actually follows standards! In my experience it also prices cheaper for clients than Active Directory, although you never know because I'm sure it has changed.

    The person who asked this question initially said that the only other option to Active Directory was A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists)

    This simply isn't true. There is eDirectory and it's better! (PDF) Wake up people! It's 2005 and there is a better option out there and to top it all off they are a Linux company too.

  16. Re:one caveat by JourneymanMereel · · Score: 3, Insightful
    So because of a price break on OS and MS Office, management decided to move 52 million user objects and change the backbone of the distributed network? For a large corporation, what you save on the "price break" for those 50000 employees is negligible compared to the total cost of the project, long term and short term.

    You obviously haven't worked with the management I have. Most decisions seem to be made based around golf buddy opinions rather than technical superiority.

    --
    Life has many choices. Eternity has two. What's yours?
  17. If you are 100% MS use Active Directory by Deviant · · Score: 2, Insightful

    I preface this with the disclaimer that if you have a large enough amount of unix/linux and Mac clients then you lose a lot of the reasons for and functionality of AD.

    When it comes down to it, in a Windows environment, Active Directory is second to none. With W2K3 they let you get much more fine-grained with your replication, site-links and routing than in 2K, which caused some companies with many sites some slowness and issues (as some of the other posters have mentioned). It has gotten to the point where, when you have at least 2 servers for replication/redundancy, it is bulletproof, well understood, tested and trusted in the industry.

    As with any other product you need to get the manuals and see the best practices for how MS would have you configure the tree, the sites and the security groups and permissions. I have seen people try to wing it because it has a GUI and the results are rather poor. Done right, AD is a near flawless solution to the directory services problem. It lets you configure almost any setting on a 2K or XP workstation through Group Policy. It lets you implement a software deployment/management system (MS SMS) that will install/upgrade software either on a user or a PC basis. It is cheaper than most of the other corporate solutions that lack this level of ease of control over the workstations.

    People here talk about forced upgrades but I have clients still using NT4 domains, servers and workstations after 10 years and they have not been forced, so that is rather BS. MS supports their solution and will keep it viable and steady far longer than many of these open source projects may well. It is something that, if your organization grows, is easy to hire somebody to help maintain and interact with, as it is the industry standard.

    As a previous poster said, if you are an MS house already, just buy it already. If you are going to use Exchange, even more so you need AD. It seems to be the clear choice.