Slashdot Mirror
Searching for a Directory Service Solution?
kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of app. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why."
"For me, the choices are stark and clear:
- MS Exchange/Active Directory
- A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
- Samba/OpenLDAP/Kerberos
- Bynari Insight Server for messaging/groupware.
- Nitrobit Group Policy for, you guessed it, group policy management.
So, the question seems to be: OSS vs. Microsoft. Am I right? If so, the answer is easy: Which platform are the people who will be managaging the stuff have the most experience with? It may be sacrilege to say it here, but if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hastle go the OSS route.
I forget who said it but "OSS is free like a puppy is free". You need to have the staff to tend to the care and feeding. In the Detroit area at least, Windows guys are a dime a dozen. Competent Windows guys, while a bit more rare, are still easier to find than experienced Linux admins. (Of course, I'm looking at your question from a business consulting standpoint. If you're looking more for a technical recommendation, there's a lot more people here better qualified than me.)
Entrepreneur : (noun), French for "unemployed"
There is no directory service for directories services ?
Check out my sci-fi/humor trilogy at PatriotsBooks.
What ever happened to Novell? I used that at the college I attended - web apps, email, directory, rempote access, etc. Is this no longer a valid option, or was it just forgotten on the above list?
Christ on a motorcycle, it doesn't matter what machine he runs, that doesn't solve his problem. Goddamn, at least keep the evangelism moderately relevant.
It's a standards based (LDAP) mail/groupware app which supports standard SMTP/IMAP clients as well as Outlook/Palm clients (for an additional fee).
Seems competitively priced to Exchange and there's also a free pure OSS version available (although if you want offical support and a nice installer, you need to pay for it).
http://www.openexchange.com/
I haven't personally used it, but I've been looking at it as an Exchange alternative (I really really hate exchange) for the small company where I work.
just save yourself the trouble
W2K3.
Just shut up, buy it and be done with it. It'll hook up with whatever you're running and it is fine as long as you take the same precautions any decent Sys Admin would.
This
Other Options to Consider:
o ntent/
Novell:
Linux Small Business Suite
http://www.novell.com/products/linuxsmallbiz/
It includes edirectory, groupwise for email, suse enterprise server,Novell ZENworks Linux Management Client
IBM (Lotus)
http://www.lotus.com/lotus/general.nsf/wdocs/nd7c
You can use Domino as an ldap server.
Other IBM Software on Linux:
http://www-306.ibm.com/software/os/linux/software
or
http://www-1.ibm.com/linux/matrix/
There's also Novell's NDS... That could be your third option perhaps...
If the company is trying to do something geeky-cool, you may be best served by using a "cobbled-together" open source architecture. It'll show your boy's and girl's prowess on the console and could be used as a Hercules-on-a-pedestal showcase for your talents.
On the other hand, in either of the other two cases, you're most likely going to be using MS on the desktop and your people aren't going to care that you've implemented OpenLDAP as long as their Word, Excel and Outlook work. In this situation, as has already been noted, you'd probably be best served by implementing Windows Server 2003 + Active Directory. An additional benefit is the expertise is relatively cheap and available, and may already be in-house with your amalgamated IT staff.
Good luck!
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
Use Fedora Directory Server or Red Hat Directory server. It is derived from the acclaimed Netscape Directory Server. It is easy to set up, scalable and *just works*. For groupware just use phpGroupware or something. If all you need is mail access, I recommend Roundcube for the web access, it uses Ajax to give a nice user experience akin to Yahoo or Gmail. Keep an eye on the Hula Project too, it looks like when a release it made it will be real nice.
Regards,
Steve
I'm sure some /.ers can give you a better view of the quality of Netscape Directory Server but from the rumblings I've heard it's a complete package and it's pretty damned amazing (not to mention it supposedly scales through the roof).
You can check out the documents here
I stole this
I don't know what your selection criteria are, but it seems to me that you have another choice: Novell's products. More specifically:
1. Directory Services: eDirectory. It runs on multiple OS platforms such as Windows, Linux, NetWare, Solaris, etc. It is more robust than AD, particularily across wan links (viz. replication). And of course it is LDAP v3 compliant so nearly any LDAP client can use it for authentication and authorization.
2. Open Enterprise Server, Linux and NetWare. For hosting your file and print services. You get the best file system out there - NSS - on either platform. Real ACL's and vastly more refined trustee assignment and inherited rights filtering capabilities than any other filesystem.
3. Groupware/Messaging: I am less experienced in the alternative offerings in this catagory, but I believe that Novell has a decent product in GroupWise 7, which runs on Windows or Linux or NetWare.
Again I don't know what your selection criteria are, but you may have skipped Novell due to lack of awareness...
Cheers.
Try XAD from PADL.
To Windows clients, it acts as an Active Directory domain controller, so it supports Kerberos authentication, group policies, etc. It also includes RFC 2307 support for seamless integration of Linux/UNIX clients.
That's what I thought when I read the requirements. Netware (or whatever they are calling it now that it runs on Linux) and Groupwise should be all you need.
I don't know about cost. We have their educational license, and that includes Netware and 3 other products (we use Groupwise, ZENworks and iFolder) for less than $3.50 per student. The license covers as many servers as we care to run those products on.
Download Solaris for free. It includes LDAP plus Samba etc. Includes fairly easy admin tools (for example webmin) The LDAP is first class and integrated fully with the OS and Samba. You can do it all and nothing is "cobbled together".
- GroupWise Migration Utility 2.0.1 for Microsoft Exchange
- GroupWise PDA Connect 1.0 SP1 Multi Lingual
- GroupWise Import Utility 2.0 for Microsoft Outlook
- GroupWise Gateway 2.0 for Async Connections
- GroupWise Gateway 3.0 for Lotus Notes
Just check out Novell to see some of their products (no, I do not work for Novell, I just like some of their products).Also, there are some really great LDAP/IMAP type solutions you can put together under Linux for zero cost. Obviously this option requires someone more capable than your typical point-n-click "MS-Admin". It would take one employee with the ability to read a book or some docs. Though, I know your typical point-n-click "MS-Admin" wants to be able to just put in a CD and let AUTO-RUN do all the "hard" work for them.
If I personally owned a small company with ~100 employees, I would rather have one talented admin that could handle *nix/Win than 2-3 point-n-click MS "admins". If you added up the salaries, that one guy would cost you less than the 2-3 less capable point-n-click MS "admins". TIJMO (This is just my opinion).
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
I've just started to take a look at Fedora Directory Server. It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.
Why are those your "stark and clear" choices? I know, for example, that there are solutions from Novell, SuSE, and Sun, without even thinking about it. Are there more factors involved here than just "we need a directory?" Given a clean sheet of paper, I'd be using eDirectory, since it's completely (according to the marketing papers -- I've never used it) cross-platform.
Acts 17:28, "For in Him we live, and move, and have our being."
The questioner did mention openldap. The advantage of going to the apple solution would be the integration that it would provide, rather than "cobbling" together the solution themselves (as they said themself.) It's not just the GUI. Then again, it would be one more thing to manage/maintain.
I do some implementation projects for an IBM reseller who does implementations on the iSeries platform, and they push (and I implement as the consultant, go figure) a lot Samba + Bynari to the point that I was actually convinced myself and bought myself a few lics for Bynari.
The nice part about Bynari is that they have great support, and they are continueously improving their product, and they use open technologies (OpenLDAP/Cyrus/Postfix) so its easily hackable. The Outlook IMAP connector rocks, and so far, I think is the only viable product out there if you're on a trim budget.
I haven't tried it yet, but having Bynari and Samba share the same LDAP schema seems to be my next personal project. Maybe even lobby the concept to them ;)
Theres always EDirectory ... it runs on sles9 now (as of version 7). All the joy of NDS, but it runs under Linux (and windows, and netware if you want).
.. if you want more information about running edirectory under linux, email me and i'll pass along what I find out.
.. there are other products there. NDS is far superior to AD, so consider it as well.
I'm going to a Zenworks 7 thingy on Wednesday
it's not just about OSS and Windows
We emerge from our mother's womb an unformatted diskette; our culture formats us. - Douglas Coupland
Added to that, it's not especially difficult getting Unix machines to talk to AD for authentication and other information (it's just LDAP, after all).
It's a hell of a lot easier to integrate and manage a handful of unix machines in a Windows environment than it is to integrate and manage a hundred Windows desktops in a unix environment. IME, that's typically the scenario (unix servers for mail, fileserving, DB, etc and Windows desktops).
W2K3 ... is fine as long as you take the same precautions any decent Sys Admin would.
Myself being a decent Sysadmin, I can tell you my first priority is always to banish MS products to the extent possible. It takes time, but if you're starting from scratch this is an excellent opportunity to avoid future problems.
Start by NEVER running anything mission critical under MS - especially a directory service.
Continue by banning Internet Explorer companywide, and finish by
Don't get me wrong; MS Windoze does have its strong spots. It is superb for playing games, hosting virus servers, spam drones, and spyware. If you want East European crime gangs to install packet sniffers, keystroke loggers, and Trojan Horses on your network, there is no platform more ideal than Microsoft Windows. But of course these strengths have nothing to do with running a secure business.
Since you probably will have to run MS Office, do a trial run of MS Office under Mac OS X. You'll be quite impressed: You can have MS Office without all the client problems! Who would have believed such a thing could be possible? You may even find that OpenOffice is far more than sufficient.
Deploy OpenOffice far & wide, but keep a couple spare seats of MS Office (for the Mac) onhand "just in case" some executive starts whining about different software, so you can just install it here or there selectively and shut them up. (That's the main purpose for buying MS Office. To shut people up.)
The executives may question issuing Powerbooks for the traveling employees, but they WILL NOT complain when you show them the respective overhead and MIS support estimate numbers and corporate security differences when viruses and so on are all taken into acount. Your company will remain freer of viruses when those traveling notebooks get plugged into the internet at hotels, then subsequently carried back to the office and plugged in again. Windows notebooks are one of the most notorious and uncontrollable computer virus vectors for spyware/crimeware.
Suse Linux Enterprise Linux 9 should have everything you need. It sets up and stores just about everything in LDAP. It is extremely easy to configure and maintain. Yast's Email Server module will setup Postfix/Cyrus/IMAP for you, hell it even installs Antivirus and Spam filters for you.
If you need to control Windows Clients simply create custom Policies for Microsoft's System Policy Editor (or use mine at my web site).
I have currently replaced 5 Windows Servers with SLES9 and have not had a single problem. IMO it is much easier to maintain/use than anything MS has released in the server department.
Before I write, I should say that I'm in no way opposed to open source and use it where appropriate.
If you want something very well supported, not horribly difficult to administer in a simple environment and tried and true, just go with Active Directory and Exchange, especially if your company's focus is on something other than providing unique technology solutions. (i.e. you sell baskets)
While the open source solution might cost less up front, there is nothing in open sourece land at present that can touch the Exchange/Outlook combination. Sure, there are products such as OpenExchange, but, let's assume that you want the option to easily add other services later on, such as true handheld synchronization (i.e. www.good.com)
I know it can be sacrilege on Slashdot to not promote an open source solution every time, but sometimes, the business side of the house is more important than a cool technology solution.
The whole point is that he wants to learn to be the expert! If everybody on slashdot knows so much why is this such a difficult question? This is where the rubber-meets-the-road folks... if you want to use Linux and OSS professionally these are the questions that need answered by the community.
What, Just rule them out? They've been doing Active directory and groupware LONG before Microsoft decided to emulate (steal) the ideal...
.02 worth... (climbing into Flame resistant suite)
Novell 6.5 is the latest, and I can lock out users based on windows policies, etc.. just like MS active dir... assign various sub admins to rule over their own dept, etc... AND Groupwise (IMHO) is a great email/calender app... (Groupwise 7 is supposed to be better, but I haven't gotten to play with it yet...)
AND they are starting to move everything over to Linux via SUSE Linux, so you have the OSS...
Best of both worlds if you ask me...
Sure, Novell AND Microsoft cost $$$, you could build your own Linux server and hack it together, but if your a REAL company and you expect to play REAL Ball, you will PAY to have the propriatory software to compete with everyone else... At least with Novell, you can still play OSS and support linux, etc... even if you have to buy their version...
OSS Does not equal FREE... Thats the problem... too many freeloaders want EVERYTHING for FREE... If that was the case then your company would just give its product away also... oops, now your company is dead... Guess that model won't work.
I must admit, I do ADMIN a Novell network, and I do like SUSE Linux... Much better than anything MS has to offer...
Again, just my
--- Relax, that mass muderer is just trying to reduce our carbon footprint, one fetus at a time...
We implemented Apple Open Directory, serving ~400 users, using four Xserves and and two Xserve RAID's. We're using Apple's mail services, file, web, web log, and VPN service.
So far, things have gone better than I expected. We are authenticating Mac, Windows and Linux PC's, all of which can access the same home directory. The Open Directory master server also acts as the Windows PDC and serves up roaming profiles for Win XP clients.
What I've been hounding my Apple rep about is the lack of a real group callaboration suite. The pieces are there; iCal, Address Book, Jabber, Cyrus/Postfix. They need to be brought together in an Exchange/GroupWise sort of fashion. We are still using Steltor Corporate Time (now Oracle Collaboration Suite) for calendaring, task lists, and shared contact lists. I'm watching the Hula project closely. Rumor has it Apple is shopping around for a comprehensive group collaboration system. Hula might be it! Zee dork
Anyways, let us examine the different components and see how far OSS can take us. Maybe it can't go the whole journey, but if it can do some, then a hybrid solution will work.
Open Groupware, SuSE's Open Exchange and OSER will handle the Exchange part, including support for all those MS Exchange clients, such as Outlook.
That just leaves the Active Directories part. ISC's DHCP supports Dynamic DNS. However, you may want to add in DHCP2LDAP to get a good link between DHCP and BIND. OpenLDAP provides the LDAP implementation part. Kerberos and DNS are easy (although some may quibble with my choice of Kerberos version!)
Provided you're not planning on having both MS Active Directory and the above amalgam running, you should then be set to go with a comprehensive Active Directory lookalike which will interact with client systems in the same way Microsoft's software will.
The problem I found is that there's almost no way of getting from a Linux solution -to- Active Directory. If AD is present, it must be a root server, which Linux CAN pull from.
Do I recommend this kind of a setup? Probably not. The Exchange and Groupware stuff should be fine, but the Active Directory stuff isn't as coherent as it could be and I've heard of nobody who has completely replace AD with an Open Source solution, even though from a purely technical perspective it should be possible.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I'm afraid I can't help answer the initial question, but I have to caution you strongly regarding all of the suggestions for Novell products.
I live the Novell dream everyday, and "cobbled together" would be a generous description of their products and services. This is a company with a time honored tradition of rendering promising technologies useless. They handed most of the market to MS on a silver platter.
Before you consider Novell too seriously, look through the forums at forums.novell.com, be sure ask about your support options , and try to get a feel for the staffing and training required for a network of your size and scope.
Stick with your inital instincts, just remeber that very few Novell products are actually Open Source.
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.
Well, it's a bit more than that. With a few button clicks you can have a fully functioning Directory Service with OpenLDAP and Kerberos. You get password policies, single sign on for everything from mail to smb to web, and you even get a one click samba pdc.
The only thing it lacks is the groupware support. Firstclass or any number of OSS solutions can provide that.
Check out our site, or even just Apple's server site for more info.
Of course since the questioner didn't mention openLDAP to begin with,
Yeah he did, by name even.
Actually I can say I worked on one of the largest directories in the world... over 52 million user objects and hundreds of millions of objects.
AD does not scale well. Senior Mgmt wanted to move from eDirectory to AD due to some price breaks on desktop os and MSOffice for over 50000 employees... so we made the attempt with Microsoft in house providing consulting services... they eventually admitted even they couldn't get it stable in our large distributed environent... during the one year migration troubleshooting process we had contractors restarting servers in hundreds of locations around the clock.
We're now back on Novell eDirectory with Open Enterprise Server and stable again.
------------------------------
Ray Raspberry
raspberry@b3l33t.org
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI.
Open Directory covers a lot more than LDAP. Yes, it's based on OpenLDAP -- in part. Yes, there is a nice GUI, which you can use to administer users and groups remotely, from another Mac OS X machine.
But there's also MIT Kerberos, integrated with the LDAP. When you create a user in Open Directory, the necessary Kerberos principals are created for that user. User identification (linking usernames with Kerberos principals and home directories) happens automatically.
But wait, there's more -- there's also the Apple Password Server, which is based on the SASL layer from CMU. This provides centralized, non-Kerberos password support, for things like CRAM-MD5 authentication, or NTLMv2 auth for Samba. The Password Server passwords are automaticaly synchronized with the Kerberos passwords. When you change a user password in the KDC the corresponding password is also changed in the Password Server or vice versa.
Still not happy? How about built-in replication support for load-balancing and high availablility. It covers not only the LDAP database via slurpd but also the Kerberos and Password Server databases?
Oh, and one more thing -- encrypted archiving built in to the GUI. Archive your entire set of LDAP user information and your password database to an encrypted disk image. Secure and convenient.
(Yes, I work for Apple -- but the parent post misses most of the good parts.)
--Paul
Cheap - $1K for an unlimited server license, and the Xserves come with the license and are great performers in their own right and cost-effective.
It has ease of use GUI goodness, with a full open source stack underneath: supports Open/LDAP directory services, single sign-on, kerberros, email, calendering (via WebDav), file services (via Samba for Windows and Linux), CUPS, Apache, DNS, Mailman - the list goes on and on. It plays extremely well in mixed environments and is extremely easy to administer - no steep learning curve.
It's far cheaper than all the other alternatives, including Novell and RH, not to speak of Microsoft. And soon you will be migrating all your users to OS X boxen as well once you see all the advantages.
I have done administration on all the other alternatives and I'm far from an Apple fanboy, so don't start flaming me on that score.
As this is my First! Slashdot! Post! Ever! (R), I'm hoping to avoid any crass errors in style or etiqutte..fortunately, based on some posts I've read over the years, there'a a pretty high bar. (Hopefully, smartass jokes are also OK.)
I've done a lot of work with a range of customers on implementing and maintaining directory infrastructure, mainly centered around Lotus Domino and the IBM Directory Server. To start the shameless plug, I'll say that based on your criteria - directory services and a groupware/mail solution - you should give Domino a hard look. A Domino server contains a totally integrated mail system (both fat client and web mail based), an application development platform with Java support, LDAP directory server, Web, SMTP, IMAP and POP server, predefined application database templates, and advanced security services like PKCS and SSL out of the box; it can also synchronize user information with Active Directories for centralized user account administration. Outside LDAP servers can be associated with Domino to allow those users direct access to resources like web-based apps. Current versions are shipping that run on Windows, Linux, HP-UX, and other platforms, which allows for platform flexibility.
To save this from becoming a sales pamphlet, there are some good reasons to consider other options depending on your needs. Some corporations demaand that directory services be highly integrated into the OS; Domino's directory is not, though it can share information with native services if they exist.
While Domino is great for having so many services instantly available out of the box, they are not necessarily best-of-class. If a very large, intensively utilized directory system is planned, then a dedicated LDAP server like the ones mentioned in previous posts may offer better performance. Some advanced LDAP features, like multi-master replication aren't included in Domino.
All that aside, in my opinion the most important things to remember in creating a directory services infrastructure is to plan around intended use and growth, not around products and glib promises a sales rep will spout. When you talk about the need to "set up directory services", take some time to plan what workflow will be used the most, what functions will need to be the most efficient, and what future applicaions and products will be hooked into the system. Create a concrete, detailed outline of what operations you'll need supported - signing people onto their workstattions is usually just the beginning.
After that's done, it's easier to look at hardware and software more critically to suit your needs - much better than fitting your needs to what a particular solution can provide.
I would not entirely discart Novell eDirectory.
It is specially interesting on a mixed environment solution, and it does provide some interesting possibilities when coupled with Novell Client.
The pricetag is also VERY attractive.
morcego
What do you base your stark and clear choices on? Banyan was the first company to come up with directory services. Novell really took directory services to the next level when it came out with NDS and NetWare 4. Wow one place to manage users, servers, printers, file system, DNS and DHCP, pretty cool. Well, Microsoft not to be outdone started calling NT's domain a directory so that they could compete with Novell. Novell threatened to sue MS about the false information on the MS web site about NT's "directory" and MS had to pull it. So, you guessed it MS had to have a directory and eventually after years, came up with Active Directory. Novell's NDS has evolved and MATURED, key word here, to eDirectory. eDirectory is a very scalable, over one billion objects, robust, LDAP v3 compliant directory services. Novell's Identity Manager product gives one the abililty to manange identities in a mutli directory/database environment. eDirectory runs on NetWare, Linux, AIX, HPUX, and Windows. There are other directories to consider including Sun, IBM, Seimens. Novell also has Groupwise email and groupware, and a pretty awesome desktop management suite, Zenworks, both managed in eDirectory. If I were you I would talk to the vendors and better yet talk to sites who have implemented AD, eDirectory and the others to do some due diligence and help make a good choice. Lot's of people think that Novell is dead. This is not true. Check it out.
OK. You didn't mention Novell's eDirectory. AD works for small networks. It might even work for medium sized networks. If you want something that is going to scale, Novell wrote the book on directory services. They have their Small Business Suite of products. If you want to cobble(?), kludge it together, well you can look at open source solutions. In my opinion, directory services from open source isn't quite baked.
Their directory far surpasses AD. You can also look into Netscape Directory.
For groupware, check out Zimbra (http://www.zimbra.com/). The Flash demo is great.
The global economy is a great thing until you feel it locally.
Hammer Time!
Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.
Not true, you can use Novell's NDS (eDirectory, the LDAP server software) right on top of Linux, Unix, or Windows. The admin tools are almost all Java based or otherwise accessible so you aren't locked in there (clients and management tools for Linux, Unix and Windows). Novell can manage the rights, er permissions, er privileges for clients of any flavor (because a directory services solution is about managing the resources on the network) - and has less bloat and more security than Active Directory.
Novell is my choice hands down. It isn't the nightmare product it used to be. Quite flexable, scalable and for all intents and purposes "open". This product actually follows standards! In my experience it also prices cheaper for clients than Active Directory, although you never know because I'm sure it has changed.
The person who asked this question initially said that the only other option to Active Directory was A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists)
This simply isn't true. There is eDirectory and it's better! (PDF) Wake up people! It's 2005 and there is a better option out there and to top it all off they are a Linux company too.
Get your Unix fortune now!
As far as I recall, the Apple Password Server is only provided for backward compatibility with previous MacOS releases. I don't wish to denigrate what Apple has achieved in shipping OpenDirectory with their OS, but anybody can install Heimdal Kerberos, OpenLDAP, and Cyrus SASL and get automatic integration of Kerberos principals with LDAP accounts and Cyrus passwords. All of these three packages support each other directly, out of the box. And likewise, since you can create a single LDAP user object with all of their Kerberos info, Unix info, and SASL info in one place, they naturally all replicate together. So there's nothing magic about OpenDirectory here. (Nevertheless, OpenDirectory is good stuff, and I'm sure it will be even better in the future.)
And yes, I'm on the OpenLDAP core team, and I wrote a lot of the code that makes Heimdal, OpenLDAP, and Cyrus SASL play together. It's been working well in the field for years. And for those people who have trouble getting configure scripts to connect everything the way they want, my company Symas Corp. offers pre-built binaries of all of these packages, already integrated, ready to run.
-- *My* journal is more interesting than *yours*...
Additionally - Active Directory et al. isn't as easy as people would lead you to believe ("It's Windows! It has a GUI! Therefore it's easy!")
We just had Active Directory rolled out here. Our performance problems were so bad we had to hire Microsoft consultants to try and figure it out - and these people from the company that makes the product took over a month to actually come up with a solution that ran only half as quickly as our old Novell system. Admittedly, it's a much bigger system than 100 users (and I'm glad I have absolutely nothing to do with it, it's a nightmare) but Microsoft Active Directory and Windows aren't some sort of ease of use silver bullet. In fact after seeing what trauma they went through, it's not actually any easier than a "cobbled together" OpenLDAP/Samba installation and a great deal more expensive.
Oolite: Elite-like game. For Mac, Linux and Windows
For a supported version of the highly-regarded LDAP formerly known as Netscape Directory Server that runs on Linux, see Red Hat Directory Server. And to try before you buy, you can check it out on Fedora as the parent suggested.
-- Moderation in all things, exceptions to all rules --
Basically, if you're expecting to use A.D anywhere, you're really advised to stick to all-MS.
We worked hard on getting A.D. to play nicely with a Unix LDAP system, Bind (DNS), Samba, etc. and it just wasn't even slightly fun. There's quite a few hacks that they use, and they seem to expect an ability to dynamically-update quite a few things (e.g. in DNS) which was tricky to get going with Unix tools. On top of that, it will be expensive.
However, if you avoid A.D, and even Windows PDC's, it's actually fairly easy. OpenLDAP is mostly only tricky for Access-Controls, Samba 3 can do pretty-much everything SMB/CIFS file/print-related, and can auth. against LDAP easily.
We preferred Exim over Sendmail, Postfix, and QMail, but just pick the one you like best as they all do LDAP.
We installed Dovecot for the IMAP server -- does LDAP, too.
I think the main point is: if you use some decent (read: fully-compliant) LDAP server, or X.500 + LDAP shim, the rest of it can be whatever you like best.
I would like to put in a couple of other points:
However licenses start at £150-ish/user, and £3000-ish/server... (sorry if I mis-remembered those prices!)
- the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.
But I take issue with this mythology...I work with IBM's Tivoli security solutions, most of which use the LDAP Directory Server under the hood (and, illustrating the beauty of *standards*, also tend to support the use of Novell, Sun, & MSAD). The underlying DB2 engine doesn't require independent tuning, maintenance, or administration in the vast majority of deployments. It isn't until you get into user populations of several hundred thousand that you start tweaking the DB2 parms...and the solution actually includes a detailed LDAP tuning guide that explains how and when you should tweak the DB2 and OS-level parms.
The notion of needing a DBA just to deploy the IBM LDAP is just silly...any tech capable of RTFM can handle a moderate implementation on his own.
Here's the kicker: Which would you prefer for performance and scalability? A directory that uses flat or proprietary file structures for data storage, or one that uses a scalable and reliable relational database engine? Seems like a big "duh!" to me.
And, as you mentioned...it's free. Go download it from IBM and try it out. If it doesn't work for you, or if you decide you can't do it without a DBA, well...you aren't out any expense. Export it all to an LDIF and bring in the next vendor.
While I would normally say use OpenLDAP, Sun has recently made a version of their Directory Server free and open source. Their GUI management is excellent, and it supports Multi-Master Replication.
In case you're not familiar with MMR, think about your normal scenario. Maybe you have 1 master server and 2 slaves, one for each physical location. with MMR, you quite literally have 3 master servers, all of which can be updated and will push the changes to the others. This means no more worrying about losing the "most important" server--they are all equally unimportant if lost!
A year spent in artificial intelligence is enough to make one believe in God.
You obviously haven't worked with the management I have. Most decisions seem to be made based around golf buddy opinions rather than technical superiority.
Life has many choices. Eternity has two. What's yours?
I preface this with the disclaimer that if you have a large enough amount of unix/linux and Mac clients that you loose alot of the reasons for and functionality of AD.
When it comes down to it, in a Windows enviornment, Active Directory is second to none. With W2K3 they let you get much more fine-grained with your replication, site-links and routing than in 2K which caused some companies with many sites some slowness and issues (as some of the other posters have mentioned). It has gotten to the point where, when you have at least 2 servers for replication/redundancy, it is bulletproof, well understood, tested and trusted in the industry.
As with any other product you need to get the manuals and see the best practices for how MS would have you configure the tree, the sites and the security groups and permissions. I have seen people try to wing it because it has a GUI and the results are rather poor. Done right AD is a near flawless solution to the directory services problem. It lets you configure almost any setting on a 2K or XP workstation through Group Policy. It lets you implement a software deployment/management system (MS SMS) that will install/upgrade softare either on a user or a PC basis. It is cheaper than most of the other corporate solutions that lack this level of ease of control over the workstations.
People here talk about forced upgrades but I have clients still using NT4 domains, servers and workstations after 10 years and they have not been forced so that is rather BS. MS supports their solution and will keep it viable and steady far longer than many of these open source projects may well. It is something that, if your organization grows, it is easy to hire somebody to help maintain and interact with as it is the industry standard.
As a previous poster said, if you are a MS house already, just buy it already. If you are going to use Exhange even more so you need AD. It seems to be the clear choice.