Slashdot Mirror
Best FOSS Active Directory Alternative?
danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server
Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?
Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.
OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Mandriva Directory Server + Pulse 2
SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.
SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?
A comparison is useless to you unless you know what your specific, minimum requirements are.
GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project:) : https://sourceforge.net/projects/wfstt/ .
Try talking to Tim Fletcher at Parrswood.
but the first thing to do is look at how these have been deployed
I dont see anyone with production systems on a large domain using anthing other than redhat directory or Novell eDirectory
I see some custom OpenLDAP servers scale really well but thats about it
so given your choice above I would go for Fedora Directory Server and hack
if the choice was mine I would spend a little money and get the Novell eDirectory
regards
John Jones
http://www.johnjones.me.uk - email and digital communication
The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain which put it well past the 16bit limit of users - and thus the active directory project started.
one server? the whole point is to have at least 2 DCs per domain. sounds like you only have one per domain now. So if you lose a server you lose everything.
really there's no reason to have separate ADs for students and staff. A lot of people who didn't really understand AD did this a few years ago, and it was just never a good idea.
If you plan to build one network, great, but you need at least 2 servers.
I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.
Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.
Samba4 is supposed to change this but it may be a while before it's ready for widespread use.
In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.
This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.
Students are great at f**king up machines, group policy is almost a must.
If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.
Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, Indesign, etc that the syllabii for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.
Questions you should be asking yourself:
One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)
--Whizzmo
I don't often recommend SUN products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe its open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows,Linux, or of course Solaris.
Good luck, LDAP is a pain in the ass ;)
Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however samba4 includes, among other things:
* Internal LDAP server, with AD semantics
* Internal Kerberos server, including PAC support
You can, but don't have to hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.
It may not be opensourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE, with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide for synchronizing with AD and there are guides all over the place regarding authenticating Windows off of LDAP servers.
Active Directory has the following features:
* LDAP directory services
* Kerberos Authentication
* Integrates natively with Exchange
* Integrates natively with Windows clients
* Provides management user interface.
* Provides ways to manage Windows clients remotely through things like Group policy objects.
* etc etc.
OpenLDAP provides LDAP. Ok... what about that? It provides the fucking _protocol_. No management facilities that are worth talking about, no schemas, etc etc.
So if you were to use OpenLDAP as a 'AD alternative' that means you'd have to create 95% of what AD provides out of the box yourself.
NO windows management.
NO user management
NO exchange compatibility
NO nothing.
Just LDAP. Woohoo. That and $1.50 will buy you a candy bar.
The closest you can get to Active Directory using open source software at the moment is:
Samba4 --- which is beta and still provides no management facilities to speak of. Provides user management, tools to impliment GPO, windows-compatible Kerberos and Windows-compatible LDAP services. Also is compatible with Linux systems (of course).
FreeIPA -- which is the community version of Redhat's IPA. This provides basic Kerberos/LDAP/etc for people that want to move away from using NIS and don't want to go to Windows. It still provides no compatibility or integration with Windows or other popular items.
In other words there is NO equivelant to Active Directory that you can get in OSS world. You can get bits and peices and can get them working together to get close to AD, maybe enough to satisfy business requirements if your lucky, but your going to put many weeks into deploying something with less functionality then you can get from Active Directory out of the box.
...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server
Whichever system you end up using, I strongly discourage building your network around a single server.
I've run both OpenLDAP and Fedora DS. Both are relatively easy to setup, but I'd give the nod to FedoraDS which is easier to manage and easier to get replication working. FedoraDS also seems to be more compliant, but that was just my impression based on some limited experience with the schemas.
Getting Windows to authenticate was relatively simple as there are lots of HOWTOs. If you have Linux clients, it's also relatively easy. CentOS/RedHat, for example, just needs a couple changes via system-config-authentication. You'll also need to configure things like posix groups and host/service based authentication.
I've messed with the so-called "Active Directory replacements". They all suck.
The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.
Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.
Did I mention this is a bad idea?
I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lovr, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If its a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 debian & 15 winbox, likely OpenLDAP, etc.)
You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, its probably easiest).
The Admin and the Engineer
There are many, many places, where the TCO for FOSS solutions is better than that of the proprietary systems. Domain management services are not one of them; the license costs for domain controllers are much less than the additional labor you'll spend on the FOSS solutions, for anything but large networks (tens of thousands of machines.)
In other news, the comparison of Active Directory to FOSS "directory servers" is misleading at best; LDAP and fileshares are a tiny piece of AD, and one that Microsoft gives away freely for any most OS's of theirs. (The LDAP aspect isn't broadly known - the product in question is AD LDS, formerly ADAM; aside from being a little off LDAP standards, it is as efficient and reliable as anything out there.)
I hate to say it, but there's nothing even close to AD; Microsoft justifiably dominates the market here.
Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of for that a smaller organization like yours would move off AD would be to save money on the license, and especially on CALs. But as a school, don't you get them for damn near free anyway?
I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.
How much for the wall?
Shai Schticks:"You don't make peace with friends, you make peace with enemies"
If you're considering Fedora DS, you also might want to look at FreeIPA.
The racial slur is sambo, ends in the letter 'o'.
Samba (ending with the letter a) is the first word in the unix dictionary that had an s, m, & b in it.
Samba itself is a musical genre.
Do you really need AD?
If you want users to be able to login any windows machine with the same username and password you don't want AD, you want samba serving as a domain controller. Try not to use LDAP as a backend, it does work but in small environments its unneeded hassle.
If you have applications that require AD it's going to be a lot more work than it's worth faking it. It takes a lot of 30 minute reboots to add up to a solid month or two of getting some other solution to behave right.
If you have to use AD make sure you have firewalls, virus scanners, and physical security in place for the controller. Absolutely do not let some joker use it as their personal web browsing station.
Go for Apple's solution and get an OpenLDAP with Samba compatible with AD and it will act both as an LDAP/multi-master KDC and a genuine Windows PDC. It's better than wasting my taxes trying to do it yourself, you'll get support and it can be done in less than half an hour. With EDU discount you get MacOSX Server Unlimited for $499 and you probably have a G4 or G5 somewhere to install it on (that's all it needs), if not get a Mac Mini or an iMac. You could probably drop it in your current installation and migrate it with minimal interruptions.
Custom electronics and digital signage for your business: www.evcircuits.com
You want to go from 2 servers to 1 server??? AD works and is easy to setup. Add a 3rd newer server to take on whatever demands you think these 2 older servers can't handle. Throw in DFS and you have a reliable fully redundant network that can handle just about anything you want.
What the reason for switching? Wanting to get rid of CALs? Problems figuring out AD? I'm just curious because your talking about investing a TON of salary into redoing the entire network when you possibly don't have to. It would be one thing if you or someone on staff had a lot of experience with AD alternatives but that really doesn't seem to be the case. Your just hoping to find out what might be a good alternative and going to just "figure it out as you go along". That is not a recipe for success. Sorry if I'm sound harsh but I've been there and done that and you don't want to spend 6 months struggling with something you have zero experience with when you can spend a month on something you already know.
If the AD install is truly fucked then I guess keep researching if you want. But otherwise if you have 2 working reliable networks your making a really big mistake redoing the whole thing just to go FOSS. This goes double if your 100% Windows on the client side. And trust me this is coming from someone who has been pushing OSS on the server front for 10 years.
If you wanna get rich, you know that payback is a bitch
Do you really want to use software named after a racist slur?
No, it's not a direct comparison to the GIMP situation. The slur is Sambo ; the software is Samba . There's a difference. But is there a racial slur against trolls?
If this is truly a "large school," basing your network on a single server is such a bad idea it is almost criminal, and implementations like this are what give Windows (and Linux for that matter) a bad name.
I question why you have separate networks for students and teachers, but that aside, why in the world are you giving your network a single point of failure like this? One of Active Directory's strengths is its ability to use multiple servers to achieve redundancy. Why are you running 2 domains with only one DC, and why would you design a new implementation with a single DC/LDAP server/whatever? What happens when that machine has a catastrophic software/hardware problem?
Also, change for the sake of change is a poor idea. If you have a legitimate reason to say that $FOSS_LDAP_SERVER is a better fit for your environment, that's one thing, but by not even considering that AD *MIGHT* be the best fit for your environment, you are doing your employer and clients a disservice.
Hire a consultant or someone that knows what they are doing - regardless of which platform is picked. From the question, it sounds like you don't.
Stick with AD.
I have worked with windows desktops, managing them using alternative technology ( both samba and edirectory ), and let me give you the benefit of my experience; stick with AD. What I have learned is that you should use the vendor's own technology to manage their desktops, it just makes sense. Then you have to look at the long term support of such a setup, and you start to get an idea about how hard it would be to support a non-MS architecture.
Oh, and I'm hoping you really aren't hosting two domains on two servers; that's a horrible setup, you are asking for a catastrophic failure. Each domain needs 3 DCs ( and each DC hosting a GC ).
Mod me down with all of your hatred and your journey towards the dark side will be complete!
The fedora directory server is the old Netscape / IPlanet / Sun directory server which was and still is pretty much one of the most reliable and highest performance directory systems avaliable on the planet.
OpenLDAP is a nice try but simply does not scale. Apache to be kind is a joke.
Both AD/ADAM and Novell eDirectory are both excellent directory solutions.
Don't swap to FOSS backed tech just because it's free.
AD is actually a pretty sweet piece of tech, and many FOSS apps work just fine with it.
_Always_ pick the best, AD is the best then for the situation pick the best OS to go with it etc
"Consider how lucky you are that life has been good to you so far. Alternatively, if life hasn't been good to you so far
What do you mean? 2009 will be the year of Linsux on the desktop! BWAHAHAHAHAAAAA
if you know what you're doing, as I already mentioned above. I know of at least one good way around them.
The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server;
OpenLDAP is too plain and simple. It isn't user-friendly. There are no GUI tools that come with it although there are various tools people have made that you can use to manage it. I even created one myself as a senior project because it doesn't come with one and having to use the CLI commands for everything is just more trouble than it is worth when you want to get up and running quickly.
I haven't ever used Apache Directory Server so I can't speak to that but Fedora Directory Server comes from the Netscape Directory Server of yore. NDS went under and Sun Directory Server took its place. Netscape and Sun Directory Servers are basically the same thing, even the GUIs are the same except for name/logo changes here and there. FDS should be pretty good based on the NDS/SDS pedigree. OpenDS is new and runs using Java therefore it automatically requires more resources than the others which are built with C/C++. I'd let OpenDS mature a bit more before using it. Of the ones you mention I'd pick Fedora Directory Server.
But I have some questions. Do you plan to migrate clients over to a non-Windows OS? If not you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory. It is possible to make this happen but past methods of doing so (a few years ago for me) have been kludgey at best. Windows likes to talk to ADS. If you migrate to Linux clients your job gets much easier because you don't have to worry about Windows SIDs and similar critical components of a Windows infrastructure.
Do you have people who know directory servers and understand LDAP? Be aware that ADS makes things easy for a Windows administrator. Even Sun Directory Server does not automatically enable replication when you have it installed on 2 servers. I highly doubt the other implementations you are looking at do the same. Therefore you will have to really understand how directory servers work underneath when working with these other implementations. You have to create replication agreements yourself and understand the underlying LDAP structure. ADS hides replication from you (accessible through Sites and Services snap-in though) until something breaks. The schema is hidden from you as well unless you need to access it (not even in the default list of MMC snap-ins but it can be added). Make sure you have people who can administer directory server installations, not just ADS installations, when you do this migration.
this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
The computer would be completely useless if I could not store files SOMEWHERE. The desktop was just a convenient place. I could (and did) install programs to my student folder, which was stored on the network server, to exactly the same effect, except that it would take a little longer to install and to run over the network. It didn't matter.
The desktop WAS restricted, by the way... as were all other local directories. We were only "allowed", by policy, to store things in our student folder on the network server.
You have missed the point completely, which is that if you know what you are doing, the policies don't work! There are too many ways around them.
Certainly, the computers have to be useable. So they installed all the programs "they" wanted us to use (MS Office, a few compilers and IDEs, etc.) and locked everything else down. My point was that we BYPASSED those policies. Easily. And no, I daresay the staff was competent enough. If you think that policies reslly are secure, then you don't know much about the environment you are trying to administer.
We did not want to add services or keyloggers... we weren't interested in hacking into the system, just making it more useable for ourselves. However, if I had wanted to do so, I could have in a few minutes using my ERD Commander disk. So in fact, I could if I wanted to, I just didn't want to. What's your point?
Comment removed based on user account deletion
as a long time fedora user i would suggest using CentOS on a production server and not fedora fedora has a 1 year lifespan ( the current is fedora 10 ) CentOS has a 5 year life span( CentOS 5.2 is the current )
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
Red Hat is working on a combination Kerberos+DNS+DHCP+LDAP+PKI certificate management called FreeIPA (http://freeipa.org).
Have you considered Nintendo DS?
Comment removed based on user account deletion
Having had a look at the three alternatives you're looking at, I like Fedora DS the most. Thing is, OpenDS and Apache Directory Server run on Java, and that would worry me. Fedora DS does multi-master replication, which is a big deal, and the major feature I really wish slapd/OpenLDAP had -- and Fedora DS is GPL code, too. Novel's eDirectory also does multi-master replication but has commercial licensing costs per client depending on what you're doing with it.
Okay, so there's no Debian package for it, but it appears to be installable via alien:
http://directory.fedoraproject.org/wiki/Howto:DebianEtch
I have used Fedora DS at work and it is OK. It is fairly stable when configured properly, and is mostly hands free once you get everything going.
"When configured properly" is the rub. You have to be very careful to watch your replication setup, and SSL is a bitch.
Don't bother springing for RedHat though. Their support is well-meaning but worthless.
For linux tips: http://www.linuxtipsblog.com
I think poor old Mandriva could have suffered due to the lack of good English documentation (including developer docs and community forums), and the bias toward French language hasn't been good for them overall. Then again, it's been a few years now since I used that distro, it may have changed.
... the detailed technical documentation provided by the community (in English) beat Mandriva's docs hands down.
It may be great for French speakers, but my experience back when I used Mandriva (and "Mandrake") daily on my Desktop PC was that good English technical documentation was lacking, although I noticed lots of developer docs in French on the wiki that I couldn't read. Ultimately this was a major driver that pushed me toward Ubuntu
There is no comparable solution. Choosing anything else is a massive disservice to your users and the people responsible. AD is set up by default to work properly. It requires minimal maintence. It supports multimaster replication, automatically doing nearly everything required. It uses Kerberos. It does your DNS for you. Windows works perfectly with it. Linux sort of works with it with Samba. Your alternatives in the FOSS space are basically seting up FDS or OpenLDAP by hand. THat means making the schema by hand. OpenLDAP does not do multimaster replication. You will have to hand configure kerberos. You will have to manage most maintence tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you. You will not have an easy interface to 'create users'. You will have interfaces to edit LDAP databases. FDS is a better LDAP server: but it is STILL JUST AN LDAP SERVER. It does not take care of DNS. It does not do Kerberos. Novel's commercial offerings are the closest: but they are woefully hard to get set up compared to AD, and they cost just about the same.
Samba isn't an Active Directory alternative.
I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures.
While you can certainly hook a Windows network up to OpenLDAP, FDS, or $OTHER_DIRECTORY_SERVER, you will end up spending far more time and effort (and hence money) than you save when you try and reimplement all the additional management functionality that is built in, in particular Group Policy. If you decide to skip the Group Policy functionality, you will lose all your hair, acquire several ulcers and otherwise age very quickly as your students end up with the run of the network.
Further, as long as your AD controllers (and you should have at least two for reliability, if you only have two physical servers to play with then virtualise them with Xen or ESXi, run an AD controller on each and then any other VMs you care as well) are ONLY AD controllers then you should find that they are relatively stable. AD has numerous flaws but setup right, it mostly just works, and is the key ingredient to making Windows clients behave sensibly.
The Novell directory stuff works well and retains the management functionality (and gives you some more too) but it still isn't a drop-in replacement and is rather expensive.
Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready.
I live and work in South Manchester and I've setup and looked after a number of similar heterogeneous networks (with various authentication mechanisms) over the past few years. For a school I'm also happy to do a bit of consulting pro bono. Email me if you're interested: marmarama@gmail.com
1. I hope you understand what you gain and lose by switching.
2. I have had to endure the pain of selecting from a few LDAP servers few months back. Just go and download Sun Directory Server Enterprise Edition 6.3 (DSEE). Buy a support contract of whatever level you need. Set it up (takes minutes, the docs are EXCELLENT!) and after that forget it even exists. This baby just works!
- mritunjai
This is what we do at my my work. MS Access... at least we all open the same document. We arn't going to be reading all at exactly the same time though...
Red Hat Directory Services over tens of thousands of users... so if you the pay-for-support option, you go to Red Hat, for the bleeding edge, "no paid support but tell us about or contribute bug fixes", go for the Fedora option.
One of my large bank customers has both Windows and UNIX (moving to Linux) active directories, with software from a UK company called Fortefi that syncs changes between the two as soon as either is updated. See http://www.fortefi.com/products/account-provisioning/index.shtml
Ian W.
As far as my experience tells, Fedora Directory Server has my vote. Very mature, good integration with Windows and Unix world and (very important) great admin tools and interface. I've been using it for 3 years, and never feel the need to go do RDS (the supported version). openLDAP ispretty rought, even if it works well. No idea on Apache DS. If you want to have the list of all candidate solution, have a look at http://www.opensource-it.com/tags/directory_server_0
I've worked on very large directory deployments.
10 million user accounts.
We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.
Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.
You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.
The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.
When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.
There is third party companies that have written software that bridge the gap to manage UNIX systems, users, applications, policy which from what I've seen works pretty well.
At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.
Oh yeah one more thing, this big install is for an education body.
Just to throw what I use into the mix, on a network of ~100 WinXP desktops:
- Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe
- OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);
- WPKG - for software deployment, runs at each boot-up - really nice.
"If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
First of all, why use crappy openldap when you can use the Netspace directory server that red hat bought and opensourced. There is a reason why they paid 23$ millions for it...
Then, AD isn't just a LDAP server with usernames and passwords....
Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...
I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.
Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks. Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.
"OpenLDAP is too plain and simple .. There are no GUI tools .. I even created one"
What was this tool you created called, is there a copy online anywhere? What's difficult about a Unix admin setting up a script. And you don't have to use the CLI for everything, you put it in a script and let the machine do it.
"you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory"
'These problems have been solved by using OpenLDAP and Samba TNG software'
"ADS hides replication from you (accessible through Sites and Services snap-in though)"
It really amazes me how MS releases a utility with most of the core components missing and then charges you more for the 'snapins'.
davecb5620@gmail.com
This may be a bit of a stretch for the original poster, but if the intention is to lock down the desktop why not abolish it all together and put it all on the server using thin clients?
"I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures .. Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready"
'In short, you can join a WinNT, Win2000, WinXP or Win2003 member server to a Samba4 domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable'
Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
davecb5620@gmail.com
From my experience, in a small-to-medium Linux/*BSD/OS X environment, with NFSv4 or AFS, this will work fine.
However, as other posters here suggest: if you have predominantly windows clients, for your own sanity it would be better just to use AD from the outset.
.:SOLCAVUS:.
From an Associated Press Article Appearing in the Chicago Tribune October 17, 1998: "Of the 13 initial sponsors of the House bill [the Copyright Term Extension Act], 10 received contributions from Disney's political action committee." Also, US copyright terms were already compatible with Berne before the bill.
We have implemented a similar project in our local school.
OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.
Samba once set up works wonderfully for us.
Best of luck and hope it works out well for you.
"Linux is for noobs"-The new MS fud strategy
It can be done, but there's a few things you have to bear in mind:
1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.
2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4- style policies - which aren't as flexible, don't offer as much and suitable precooked template files are becoming much harder to find.
3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.
4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.
5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDS"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read-access to another pupils work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.
Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.
You're only mentioning OpenLDAP which is a good option but why would you ignore Sun's Java directory server ? I'm using this one at home as part of the Java Enterprise System and based on my own experience I'd say that you don't want to mess with things like OpenLDAP and the likes.
/. about this instead of grabbing your obvious choices to check them out and discover for yourself if these products meet your demands. That is what matters here. And if a quick google search is too much to ask (note how it also mentions the Java Directory Server at page 2?) then I can't help wonder what extra value the open source part will be. It doesn't look to me as if you'll be hunting down the source code and its (sometimes meager) documentation to find ways to enhance said software yourself.
Not because these products would be bad or anything, on the contrary, but because these Sun products are a little more developed and advanced when it comes to system administration. With OpenLDAP you'll be writing up a lot of scripts yourself to get things to work as you want it to. Sun's directory server comes with a full flexed administration interface free of charge. You can script or you can click your way around, you'll be the one deciding that. And also important; this stuff was around long before Fedora and the likes even had these kind of solutions, perhaps with the exception of RedHat's RHEL.
I can't help wonder if you're not falling into the common trap by assuming FOSS to be free software by definition. Sorry but that is NOT the way it works. If you're looking for free software then say so. Or do you plan to tinker with this software yourself as well? Because in that case I can't help being my cynical self by wondering why the heck you'd need to ask people on
Which brings me to my closing point: why change in the first place? Please don't assume that by simply installing a free Linux solution you'll reduce your total cost of ownership. Implementing such a change takes time for research and the implementation itself. And thats not even mentioning possible educational costs. We're not talking about a point and click solution per facto. So also keep this in the back of your mind that by switching environments you might be hitting your budget more than you expected or anticipated. Just because something is free does not make that better by definition.
Alas, I wish you much wisdom in your final pick and good luck with the migration should you decide to go through.
I don't think your trolling but you are surely aware that you can get paid support for almost any distro or FOSS software out there. ReadHat, Novell & Canonical are the first three that spring to mind but there are countless others, both 1st and 3rd party for most distros.
IranAir Flight 655 never forget!
Check out http://www.univention.de/ucs.html . It's a true AD replacement and if you are willing to compile there packages on your own, you won't have to pay fees. If you stick to prebuild binaries, you have to pay.
UCS is either a replacement or a teamplayer *with* AD.
http://www.freeipa.org/
As others have suggested: once you have Windoze-clients, you can't just replace AD. You need it.
With RHE-IPA, you can (AFAIK) sync the kerberos-part of the two, so you have common passwords (which is all what matters for non-Windoze AD-clients).
The only way to replace AD and continue using Windoze clients is to get rid of Exchange and use something else and replace the desktop-management-stuff also with something else (Novell comes to mind).
However, you will not save money or work/effort...
Windows 2000 - from the guys who brought us edlin
The zimbra mail server has a frontend form managing LDAP, this can be combined with Samba.
Take a look at this guide:
http://wiki.zimbra.com/index.php?title=UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI
microsoft AD is several well integrated things in one. But in this FOSS world you get all the building blocks, but you may have to assemble them yourself.. /Skolelinux [1] distribution, It's made to be easy to admin for a part time teacher /part time admin. And comes with openldap+bind+saba+winbind out of the box.
Thus you get great flexibitity, and power. But it may be that you are not very interested in tinkering with the internals. And building your enviroment from the ground up.
You should atlest test out the Debian Edu
You can easily join linux, mac, and windows machines into the domain. have central authentication, and roaming profiles. And is tailor made just for your use case.
Debian Edu Homepage http://skolelinux.no/en/
Debian Edu Wiki http://wiki.debian.org/DebianEdu
Ronny Aasen
Thanks to everyone who has posted ideas, suggestions and comments so far- I've just finished reading them all now- much appreciated and very interesting stuff.
A few points that I should've mentioned in the original question are that (as most of you correctly assumed being a UK school) nearly all clients are Win XP SP3 with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server but of course that would have a back-up machine- its just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc- one for students one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.
We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.
I was aware of eDirectory but didn't mention that in the question because its not FOSS- however this has been recommended much more than Sun's solutions and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility as it may just be better a better long term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now
Of course, AD *should* logically be the easiest one to stick with/ 'migrate' to but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transitions to an alternative if there were numerous long term benefits.
I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first I think.
www.zivios.org looks very nice...
Why on Earth would anyone write an app that requires sharing MDB files? Even Microsoft warns that the MDB is a "desktop database" format, not really intended for heavy use.
It's almost trivially easy to port any Jet application to use a "real" backend database server (MS SQL, Postgres, MySQL, Oracle, etc.) Even Access works beautifully as an ODBC client.
Why so Sirius?
Novell Open Entperprise Server has it all:
SLES, which allows you to run Netware in Xen. You can support eDirectory, NCP, printing, and so on in a Netware VM in Xen. Plus Novell has a fancy front end to eDirectory that makes it look like AD to clients (I haven't run this myself though).
Windows and Linux computers use the same eDirectory based login script (your "K" drive in Windows is /home/user/K on a Linux workstation) with eDirectory out the box. Both Windows and Linux can run Groupwise 7 clients natively. It's pretty much the best of both worlds in 1 directory system.
Plus, it's all RSA secured :-)
http://en.wikipedia.org/wiki/Novell_Open_Enterprise_Server
70 years isn't what Berne requires, so no, actually, they did just that.
Berne only requires author's life + 50 for works, and it doesn't apply that to music and video. Music and video get lower amounts. The Copyright Act of 1976 provided for exactly that - life + 50. Sonny Bono Copyright Term Extension Act, which was heavily lobbied for by Disney and by Sonny Bono (at the time a congressman, his singing career behind him). Bono had his own interest involved as he increased the value of his copyrights, and his widow was quoted with this:
Anyways.. In the US, it's author's life + infinity, because it keeps getting extended and will continue until such time as there is a massive government upheaval. As it stands now:
Unpublished works:
Life of the author + 70 years
Unpublished anonymous and pseudonymous works, and works made for hire (corporate authorship):
120 years from date of creation
Unpublished works when the death date of the author is not known
120 years from date of creation
But there's no reason to think that in 10 or 15 years, we won't just extend it again. Hollywood and Disney specifically will show up with 8 figure poltical donations (to both parties, if need be) and will not let the copyrights die. On their side they have lots of well organized and very well funded companies. On the other side is the general populace that does not have organization nor does it have funding. Not a lot you can do about it unless you can get a strong PAC to fight for it, or a SCOTUS that decides 'infinity plus one' is not a copyright limit that is constitutional.
A couple of years ago, with none of us where I was working having worked with it, and figuring ldap was the wave of the future (our other options were NIS and NIS+), I volunteered and implemented openLDAP. I even did an upgrade (2.2 to 2.3).
It was a nightmare. The documentation was *NOT* adequate, the openldap "communities", when I joined them, mostly gave me one of the three responses: a) no answer; b) "it's been discussed before", and c) this isn't the right forum for that question". They were *utterly* unhelpful.
openLDAP's tools and error handling are also inadequate. IMO, it ain't ready for prime time.
Between many days of googling, and responses from a techie mailing list I'm on, and from the Redhat general discussion list, I managed it.
However, I would *not* recommend the openLDAP project, per se. I trust *any* of the others that have been mentioned are better.
mark
How do you back up just the Active Directory data? I have been down this path several times, and end up choosing Active Directory over the others for the reasons already noted, primarily compatibility.
However I want to be able to rebuild the Active Directory server on new hardware should the old hardware fail. Activation issues noted and aside, I have not found any way to backup and restore only the Active Directory data. ntbackup is offered by Microsoft, but this also backs up and restores hardware configuration related registry entries, which is unwanted. Certainly there is a solution - what is it?
I was just about to download FreeIPA and try it under VirtualBox but had the good sense to read the FAQ first where it states:
IPA Policy
1.
Q: Can I specify different policies for different groups?
A: No. The current release of IPA supports one policy for all.
The PRD for v2 does not explicitly list this requirement. There is, however, some requirement to improve password policies but not to that scope. This will be added to a future feature set. /end quote
Hence it seems FOSS advocates are waiting for IPA v2 or samba 4.x until they have a good chance of really booting MS and proprietary solutions out of the server room at least.
It's not "free" but have you checked Apples Leopard server platform? It is easy to manage and can work as a PDC for Win32 machines right out of the box. It integrates with existing domains as a BDC so you can play with it. It has comprehensive directory and service list that makes it a good choice for looking into. Add to that it is a one off cost of less than $1000au for the "unlimited" version.. no CALs to buy for anything.. ever. EB
I ran an OpenLDAP server as the one repository of directory and login information for a small company for over 5 years and it generally worked very well... with some caveats.
1) Integrating OSX systems into the mix is not trivial or particularly well documented. Our Macs' ability to recognize group permissions, specifically, would come and go with different MacOS updates. If "proper" Mac support is important to you, you should seriously consider using Apple Directory Server (which the Windows and Linux systems will be perfectly happy with).
2) On several instances we suffered corruption of the openLDAP database, so back up regularly and push changes to your slave. (In all of our cases the corruption that broke the server did not propagate to the slave.) The bad thing about this is that it fails in a reasonably silent manner where slapd just stops responding and them quietly refuses to start. The fix in these case was to wipe the ldap database, slapcat from the slave, then slapadd everything back on the master.
3) Failover can be tricky. Even with multiple servers configured in ldap.conf and similar locations, most clients seem "latch on" to a particular server and then not let go. At some point you'll want to set things up for a more automated failover and/or load balancing. For that purpose, we have been looking into switching to CentOS Directory Server (like Fedora or Redhat), which has a more robust master/master sync arrangement and thus better supports load balancing. Losing LDAP service will bring your entire network to an unpleasant halt... so engineering in some redundancy should be a priority and will make your life much easier in the long run.
I'd take a serious look at CentOS Directory Server (and CentOS itself) for this purpose before finalizing your decision.
That a single network is a good idea. I work in education in Aust, and govt policy is admin network, which contains students confidential records, is always kept phisically isoalated form the student network.
The only point at which the networks connect is the outgoing router, and connections between the 2 are not allowed by the router.
I would suggest this is a much more secure option. You may find education dept policy requires seperate networks anyway.
How is Samba a drop-in replacement for AD? Does it have the same system of hierarchical groups and policies?
+++ATH0
Comment removed based on user account deletion
Ya'know... there's a very good reason to keep 2 servers.
Server A: Primary Domain Controller
Server B: Secondary Domain Controller
If you only have one, hardware failures do happen.
I will not give in to the terrorists. I will not become fearful.
I'm just going to put this lightly.
You follow through with this idea, you're going to lose your job. Not only are you going to lose your job, but you're going to make it so FOSS software is almost never considered in your school again--for any project. Because the beancounters are going to look back and see just how much money they wasted, how much time and effort they wasted, only to hire a consultant to come fix the mess you made whom is going to reinstall Windows anyway.
Just my 2 cents.
Has anyone tried IBM's LDAP server? It is not open, but free-beer.
zimbra plus samba plus the posix zimlets & modifications to zimbra. If you'd like to connect outlook, windows mobile and iphone you can pay zimbra a reasonable amount for their connectors otherwise its free.
I've been using smbldap-tools for some time with a sync on imap + sendmail .
It helps me to have one password for mail and workstation since 4 years .
But it is hard to update but it is very lovely especialy when you have lvm to manage storage better
the best part is one script to creat user , mail , and add to group and lvm2
windows 2008 server is getting as good but it is missing lvm and a directory more open .
good luck when had a site with 500 users in a parent company
I know Novell has been the target of a lot of criticism lately (some of it fair, some of it totally bogus), but if you are truly scanning the market for alternatives you should take a look at the products they offer.
:-)
Novell has made a business out of Identity Management and network security. It is what they do. Not all of it is Open Source, but all of it runs on open platforms and is easy to integrate with. Their products run on Linux (SUSE Enterprise, but I suppose other distros would work as well).
I think you will find Novells products very mature and rich in features. They integrate a lot better with a FOSS based infrastructure than most alternatives, and the quality is commercial-grade (in the positive sense). There are ready-to-go tools for migrating ADs to new non-Microsoft servers, and do Identity Management with many different security technologies concurrently.
After evaluating it you may decide you don't like it (perhaps because of a religious opposition to closed source binaries or simply because you don't like the flavor of the UI) but at least you would be making a qualified choice.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
...which happens to be run by Windows 2008. And really, I'm not trolling here, but what advantage are you looking to get by this move? What superior options will you gain?
The major advatange I can see for a linux box these days is ZFS - not so much for speed, but for reliability. Problem there is, you can simply set up FreeNAS (or similar) to offer that via iSCSI-to-Win2003/8. And even then, MS are already offering exFAT, so no doubt a ZFS-killer is on the way.
Others have already pointed out the failings of the 'alternative' crowd to provide reasonable equivalents to the MS offerings (group policies and the like- they've only just started offering GP's for FF under Windows, never mind Linux), but is there a Linux offering that will corral your machines until they're patched and up-to-date before allowing network/ internet access? Will there be an equivalent to the Direct Access MS are pushing with 2008 R2?
The list goes on...and any license savings you achieve will be swallowed by the higher charges for Linux engineers and so on (otherwise businesses would have chopped over long ago). And that's also before you get to the users who panic 'this isn't office! What's open office? I don't know this! I want training, etc. etc.', and users who want to connect from home, the list is, in fact, endless...
redhat new project called IPA
visit for more information freeipa.org
Redhat IPA server (freeipa.org). LDAP+Kerberos+ glue and other good bits all rolled into one OSS project.
I second Fedora Directory Server/Redhat Directory Server. Also, you may want to checkout FreeIPA
FDS/RDS have a very nice Java GUI to manage or you can use standard ldap command line tools.
http://directory.fedoraproject.org/
http://freeipa.org/page/Main_Page
FreeIPA Is what makes your Plain Jane LDAP server more AD like
It's not free, but it is pretty cheap (unlimited clients), and that would be Apple's drop-in replacement for AD: Mac OS X Server.
It's based on Open Directory - utilizes LDAP, Kerberos, & SASL. Single sign on supports Windows, Mac & Linux clients as opposed to Windows only. O'Reilly has a good write up about Linux clients and Open Directory. Google it.
http://www.apple.com/server/macosx/technology/opendirectory.html
Comment removed based on user account deletion