Slashdot Mirror
Searching for a Directory Service Solution?
kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of app. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why."
"For me, the choices are stark and clear:
- MS Exchange/Active Directory
- A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
- Samba/OpenLDAP/Kerberos
- Bynari Insight Server for messaging/groupware.
- Nitrobit Group Policy for, you guessed it, group policy management.
So, the question seems to be: OSS vs. Microsoft. Am I right? If so, the answer is easy: Which platform are the people who will be managaging the stuff have the most experience with? It may be sacrilege to say it here, but if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hastle go the OSS route.
I forget who said it but "OSS is free like a puppy is free". You need to have the staff to tend to the care and feeding. In the Detroit area at least, Windows guys are a dime a dozen. Competent Windows guys, while a bit more rare, are still easier to find than experienced Linux admins. (Of course, I'm looking at your question from a business consulting standpoint. If you're looking more for a technical recommendation, there's a lot more people here better qualified than me.)
Entrepreneur : (noun), French for "unemployed"
Check out my sci-fi/humor trilogy at PatriotsBooks.
What ever happened to Novell? I used that at the college I attended - web apps, email, directory, rempote access, etc. Is this no longer a valid option, or was it just forgotten on the above list?
It's a standards based (LDAP) mail/groupware app which supports standard SMTP/IMAP clients as well as Outlook/Palm clients (for an additional fee).
Seems competitively priced to Exchange and there's also a free pure OSS version available (although if you want offical support and a nice installer, you need to pay for it).
http://www.openexchange.com/
I haven't personally used it, but I've been looking at it as an Exchange alternative (I really really hate exchange) for the small company where I work.
just save yourself the trouble
W2K3.
Just shut up, buy it and be done with it. It'll hook up with whatever you're running and it is fine as long as you take the same precautions any decent Sys Admin would.
This
Other Options to Consider:
o ntent/
Novell:
Linux Small Business Suite
http://www.novell.com/products/linuxsmallbiz/
It includes edirectory, groupwise for email, suse enterprise server,Novell ZENworks Linux Management Client
IBM (Lotus)
http://www.lotus.com/lotus/general.nsf/wdocs/nd7c
You can use Domino as an ldap server.
Other IBM Software on Linux:
http://www-306.ibm.com/software/os/linux/software
or
http://www-1.ibm.com/linux/matrix/
If the company is trying to do something geeky-cool, you may be best served by using a "cobbled-together" open source architecture. It'll show your boy's and girl's prowess on the console and could be used as a Hercules-on-a-pedestal showcase for your talents.
On the other hand, in either of the other two cases, you're most likely going to be using MS on the desktop and your people aren't going to care that you've implemented OpenLDAP as long as their Word, Excel and Outlook work. In this situation, as has already been noted, you'd probably be best served by implementing Windows Server 2003 + Active Directory. An additional benefit is the expertise is relatively cheap and available, and may already be in-house with your amalgamated IT staff.
Good luck!
"In the end, there is simply no weapon more devastating than the truth, delivered in just the right way." - tnk1
Use Fedora Directory Server or Red Hat Directory server. It is derived from the acclaimed Netscape Directory Server. It is easy to set up, scalable and *just works*. For groupware just use phpGroupware or something. If all you need is mail access, I recommend Roundcube for the web access, it uses Ajax to give a nice user experience akin to Yahoo or Gmail. Keep an eye on the Hula Project too, it looks like when a release it made it will be real nice.
Regards,
Steve
I don't know what your selection criteria are, but it seems to me that you have another choice: Novell's products. More specifically:
1. Directory Services: eDirectory. It runs on multiple OS platforms such as Windows, Linux, NetWare, Solaris, etc. It is more robust than AD, particularily across wan links (viz. replication). And of course it is LDAP v3 compliant so nearly any LDAP client can use it for authentication and authorization.
2. Open Enterprise Server, Linux and NetWare. For hosting your file and print services. You get the best file system out there - NSS - on either platform. Real ACL's and vastly more refined trustee assignment and inherited rights filtering capabilities than any other filesystem.
3. Groupware/Messaging: I am less experienced in the alternative offerings in this catagory, but I believe that Novell has a decent product in GroupWise 7, which runs on Windows or Linux or NetWare.
Again I don't know what your selection criteria are, but you may have skipped Novell due to lack of awareness...
Cheers.
Try XAD from PADL.
To Windows clients, it acts as an Active Directory domain controller, so it supports Kerberos authentication, group policies, etc. It also includes RFC 2307 support for seamless integration of Linux/UNIX clients.
That's what I thought when I read the requirements. Netware (or whatever they are calling it now that it runs on Linux) and Groupwise should be all you need.
I don't know about cost. We have their educational license, and that includes Netware and 3 other products (we use Groupwise, ZENworks and iFolder) for less than $3.50 per student. The license covers as many servers as we care to run those products on.
- GroupWise Migration Utility 2.0.1 for Microsoft Exchange
- GroupWise PDA Connect 1.0 SP1 Multi Lingual
- GroupWise Import Utility 2.0 for Microsoft Outlook
- GroupWise Gateway 2.0 for Async Connections
- GroupWise Gateway 3.0 for Lotus Notes
Just check out Novell to see some of their products (no, I do not work for Novell, I just like some of their products).Also, there are some really great LDAP/IMAP type solutions you can put together under Linux for zero cost. Obviously this option requires someone more capable than your typical point-n-click "MS-Admin". It would take one employee with the ability to read a book or some docs. Though, I know your typical point-n-click "MS-Admin" wants to be able to just put in a CD and let AUTO-RUN do all the "hard" work for them.
If I personally owned a small company with ~100 employees, I would rather have one talented admin that could handle *nix/Win than 2-3 point-n-click MS "admins". If you added up the salaries, that one guy would cost you less than the 2-3 less capable point-n-click MS "admins". TIJMO (This is just my opinion).
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
I've just started to take a look at Fedora Directory Server. It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.
Added to that, it's not especially difficult getting Unix machines to talk to AD for authentication and other information (it's just LDAP, after all).
It's a hell of a lot easier to integrate and manage a handful of unix machines in a Windows environment than it is to integrate and manage a hundred Windows desktops in a unix environment. IME, that's typically the scenario (unix servers for mail, fileserving, DB, etc and Windows desktops).
Before I write, I should say that I'm in no way opposed to open source and use it where appropriate.
If you want something very well supported, not horribly difficult to administer in a simple environment and tried and true, just go with Active Directory and Exchange, especially if your company's focus is on something other than providing unique technology solutions. (i.e. you sell baskets)
While the open source solution might cost less up front, there is nothing in open sourece land at present that can touch the Exchange/Outlook combination. Sure, there are products such as OpenExchange, but, let's assume that you want the option to easily add other services later on, such as true handheld synchronization (i.e. www.good.com)
I know it can be sacrilege on Slashdot to not promote an open source solution every time, but sometimes, the business side of the house is more important than a cool technology solution.
Anyways, let us examine the different components and see how far OSS can take us. Maybe it can't go the whole journey, but if it can do some, then a hybrid solution will work.
Open Groupware, SuSE's Open Exchange and OSER will handle the Exchange part, including support for all those MS Exchange clients, such as Outlook.
That just leaves the Active Directories part. ISC's DHCP supports Dynamic DNS. However, you may want to add in DHCP2LDAP to get a good link between DHCP and BIND. OpenLDAP provides the LDAP implementation part. Kerberos and DNS are easy (although some may quibble with my choice of Kerberos version!)
Provided you're not planning on having both MS Active Directory and the above amalgam running, you should then be set to go with a comprehensive Active Directory lookalike which will interact with client systems in the same way Microsoft's software will.
The problem I found is that there's almost no way of getting from a Linux solution -to- Active Directory. If AD is present, it must be a root server, which Linux CAN pull from.
Do I recommend this kind of a setup? Probably not. The Exchange and Groupware stuff should be fine, but the Active Directory stuff isn't as coherent as it could be and I've heard of nobody who has completely replace AD with an Open Source solution, even though from a purely technical perspective it should be possible.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Actually I can say I worked on one of the largest directories in the world... over 52 million user objects and hundreds of millions of objects.
AD does not scale well. Senior Mgmt wanted to move from eDirectory to AD due to some price breaks on desktop os and MSOffice for over 50000 employees... so we made the attempt with Microsoft in house providing consulting services... they eventually admitted even they couldn't get it stable in our large distributed environent... during the one year migration troubleshooting process we had contractors restarting servers in hundreds of locations around the clock.
We're now back on Novell eDirectory with Open Enterprise Server and stable again.
------------------------------
Ray Raspberry
raspberry@b3l33t.org
Open directory is (as I understand it) basically openLDAP with a config file and a nice GUI.
Open Directory covers a lot more than LDAP. Yes, it's based on OpenLDAP -- in part. Yes, there is a nice GUI, which you can use to administer users and groups remotely, from another Mac OS X machine.
But there's also MIT Kerberos, integrated with the LDAP. When you create a user in Open Directory, the necessary Kerberos principals are created for that user. User identification (linking usernames with Kerberos principals and home directories) happens automatically.
But wait, there's more -- there's also the Apple Password Server, which is based on the SASL layer from CMU. This provides centralized, non-Kerberos password support, for things like CRAM-MD5 authentication, or NTLMv2 auth for Samba. The Password Server passwords are automaticaly synchronized with the Kerberos passwords. When you change a user password in the KDC the corresponding password is also changed in the Password Server or vice versa.
Still not happy? How about built-in replication support for load-balancing and high availablility. It covers not only the LDAP database via slurpd but also the Kerberos and Password Server databases?
Oh, and one more thing -- encrypted archiving built in to the GUI. Archive your entire set of LDAP user information and your password database to an encrypted disk image. Secure and convenient.
(Yes, I work for Apple -- but the parent post misses most of the good parts.)
--Paul
Hammer Time!
Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.
Not true, you can use Novell's NDS (eDirectory, the LDAP server software) right on top of Linux, Unix, or Windows. The admin tools are almost all Java based or otherwise accessible so you aren't locked in there (clients and management tools for Linux, Unix and Windows). Novell can manage the rights, er permissions, er privileges for clients of any flavor (because a directory services solution is about managing the resources on the network) - and has less bloat and more security than Active Directory.
Novell is my choice hands down. It isn't the nightmare product it used to be. Quite flexable, scalable and for all intents and purposes "open". This product actually follows standards! In my experience it also prices cheaper for clients than Active Directory, although you never know because I'm sure it has changed.
The person who asked this question initially said that the only other option to Active Directory was A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists)
This simply isn't true. There is eDirectory and it's better! (PDF) Wake up people! It's 2005 and there is a better option out there and to top it all off they are a Linux company too.
Get your Unix fortune now!