Slashdot Mirror


Best FOSS Active Directory Alternative?

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

32 of 409 comments

  1. Mandriva by Anonymous Coward · · Score: 5, Informative
    1. Re:Mandriva by flydpnkrtn · · Score: 4, Informative

      Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

      "English documentation will soon be available, stay tuned."

      http://pulse2.mandriva.org/wiki/Documentation

    2. Re:Mandriva by frenchbedroom · · Score: 3, Informative
      I checked out the French docs, and they say that on the client side, you need:
      • an ssh agent, it's the protocol used by Pulse.
      • an inventory agent which will push the software and hardware details of the client to the inventory server

      There's a diagram of the Pulse 2 architecture on page 6 which I'm sure you can understand; the only French words used are actually the same in English (client = client, interface = interface...)

  2. Re:Not Samba? by Anonymous Coward · · Score: 4, Informative

    And, er, what about OpenLDAP?

  3. SME Server 8 by erroneus · · Score: 5, Informative

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    1. Re:SME Server 8 by grcumb · · Score: 5, Informative

      I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

      I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

      It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

      (I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

      BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

      If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

      To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  4. Sun Java System Directory Server by wmute · · Score: 5, Informative

    I don't often recommend SUN products with the exception of Solaris, but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

  5. Samba4 by obi · · Score: 3, Informative

    Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however samba4 includes, among other things:

    * Internal LDAP server, with AD semantics
    * Internal Kerberos server, including PAC support

    You can, but don't have to hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.

  6. Re:hate to say it... by Korgan · · Score: 5, Informative

    I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory make it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

  7. Re:Not Samba? by ushering05401 · · Score: 5, Informative

    The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

    Here is an MS quote from back before Jet was deprecated.

    "While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

    So no 24x7 server apps per MS, I wonder what was slowing down the other poster's 50 concurrent connection scenario.

    I could never get Jet to work well > 5 concurrent connections.

  8. Re:Not Samba? by timmarhy · · Score: 3, Informative
    it's not a troll if it's true, is it?

    that vb jet was a piece of shit isn't in debate here, it's the fact samba wouldn't perform on the same level with beefier hardware. it's a little hard to sell samba over windows as a file sharing solution when it doesn't perform as well, and i was questioning if that's been resolved or not. if you choose to think it's a troll, it's not my problem.

    --
    If you mod me down, I will become more powerful than you can imagine....
  9. !Slur Re:Not Samba? by Anonymous Coward · · Score: 2, Informative

    The racial slur is sambo, ends in the letter 'o'.

    Samba (ending with the letter a) is the first word in the unix dictionary that had an s, m, & b in it.

    Samba itself is a musical genre.

  10. And not Sambo either by tepples · · Score: 4, Informative

    Do you really want to use software named after a racist slur?

    No, it's not a direct comparison to the GIMP situation. The slur is Sambo; the software is Samba. There's a difference. But is there a racial slur against trolls?

  11. Re:Not Samba? by Curien · · Score: 2, Informative

    A Win2K domain controller *is* AD.

    --
    It's always a long day... 86400 doesn't fit into a short.
  12. Re:Not Samba? by Anonymous Coward · · Score: 1, Informative

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    Samba isn't a directory service, it's a Linux-based implementation of CIFS/SMB, and as such, is hardly "drop-in" replacement for AD. Why you got modded up for asking a question that reveals such a fundamental lack of knowledge is beyond me.

    But, this *is* Slashdot in the 21st century, so I suppose I shouldn't even bother asking.

  13. Re:That depends...... by Penguin+Follower · · Score: 2, Informative

    Either that college's IT team did not know what they were doing w/ respect to AD + Group Policy, or they had made some concessions (probably due to some software that didn't like running with zero privs). I work at a hospital on the admin team, and we have 3000 users (approx) in AD, and we use Group Policy to control the user experience quite successfully.

  14. Re:Not Samba? by Daengbo · · Score: 5, Informative

    Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and add the accounts. That's my recommendation.

    It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.

  15. Re:Not Samba? by Vellmont · · Score: 5, Informative

    Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.

    In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.

    --
    AccountKiller
  16. quick survey by glitch23 · · Score: 2, Informative

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server;

    OpenLDAP is too plain and simple. It isn't user-friendly. There are no GUI tools that come with it although there are various tools people have made that you can use to manage it. I even created one myself as a senior project because it doesn't come with one and having to use the CLI commands for everything is just more trouble than it is worth when you want to get up and running quickly.

    I haven't ever used Apache Directory Server so I can't speak to that but Fedora Directory Server comes from the Netscape Directory Server of yore. NDS went under and Sun Directory Server took its place. Netscape and Sun Directory Servers are basically the same thing, even the GUIs are the same except for name/logo changes here and there. FDS should be pretty good based on the NDS/SDS pedigree. OpenDS is new and runs using Java therefore it automatically requires more resources than the others which are built with C/C++. I'd let OpenDS mature a bit more before using it. Of the ones you mention I'd pick Fedora Directory Server.

    But I have some questions. Do you plan to migrate clients over to a non-Windows OS? If not you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory. It is possible to make this happen but past methods of doing so (a few years ago for me) have been kludgey at best. Windows likes to talk to ADS. If you migrate to Linux clients your job gets much easier because you don't have to worry about Windows SIDs and similar critical components of a Windows infrastructure.

    Do you have people who know directory servers and understand LDAP? Be aware that ADS makes things easy for a Windows administrator. Even Sun Directory Server does not automatically enable replication when you have it installed on 2 servers. I highly doubt the other implementations you are looking at do the same. Therefore you will have to really understand how directory servers work underneath when working with these other implementations. You have to create replication agreements yourself and understand the underlying LDAP structure. ADS hides replication from you (accessible through Sites and Services snap-in though) until something breaks. The schema is hidden from you as well unless you need to access it (not even in the default list of MMC snap-ins but it can be added). Make sure you have people who can administer directory server installations, not just ADS installations, when you do this migration.

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  18. Mod Parent Down by Frankie70 · · Score: 3, Informative

    Samba isn't an Active Directory alternative.

  19. Re:Not Samba? by Z00L00K · · Score: 3, Informative

    As far as I know any AD solution involving Samba is using OpenLDAP as backend, but I may be wrong.

    I am using OpenLDAP in a project and I can just say that it's quirky to say the least and isn't very verbal about configuration errors unless you fiddle with it.

    It's also a bit quirky with symmetrical replication, but it's not impossible to make it work.

    But on the positive side - it's fast and relatively reliable if you manage to configure it right. You just have to be very patient with it.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  20. If you really want an alternative... by mritunjai · · Score: 2, Informative

    1. I hope you understand what you gain and lose by switching.

    2. I have had to endure the pain of selecting from a few LDAP servers a few months back. Just go and download Sun Directory Server Enterprise Edition 6.3 (DSEE). Buy a support contract of whatever level you need. Set it up (takes minutes, the docs are EXCELLENT!) and after that forget it even exists. This baby just works!

    --
    - mritunjai
  21. Re:Not Samba? by mysidia · · Score: 2, Informative

    Samba could only be a DC on an old Windows NT style domain, not a Windows 2000/2003 style Active Directory domain.

    No matter how you slice it, Samba is not a directory service.

    See here:

    Samba ADS Domain Control

    Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory PDC. The protocols for some of the functionality of Active Directory domain controllers has been partially implemented on an experimental only basis. Please do not expect Samba-3 to support these protocols. Do not depend on any such functionality either now or in the future. The Samba Team may remove these experimental features or may change their behavior. This is mentioned for the benefit of those who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be completed. The answer is maybe someday or maybe never!

    To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple enough for all to understand.

  22. Re:Not Samba? by zig007 · · Score: 2, Informative

    Samba isn't a directory service, it's a Linux-based implementation of CIFS/SMB, and as such, is hardly "drop-in" replacement for AD. Why you got modded up for asking a question that reveals such a fundamental lack of knowledge is beyond me. But, this *is* Slashdot in the 21st century, so I suppose I shouldn't even bother asking.

    True.. But you know, Samba 4 is actually supposed to include an LDAP backend and will be quite near a drop-in replacement for AD.
    It will still be possible to use, for example, OpenLDAP as the backend if one would like to.

    --
    Baboons are cute.
  23. Re:Not Samba? by sumdumass · · Score: 5, Informative

    I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased in the more to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3com built in network cards weren't as good as the PCI variety. I don't know if it was 3com's problem or the main board manufacturer's issue and personally, at this point I don't care.

    Anyways, I added a spare Intel Pro card and saw an immediate improvement. Like many, I assumed the on-board network adapter would have been sufficient seeing how it was a 3com 3c905 series on a P4 2.8 system with about 2.5 gig memory (it did more the Samba). I ended up dropping another card into the box and separating the SMB services from another service I was running and it seemed to run circles around its previous performance as well as the NT4 performance. I don't know if yours would have been related but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on-board NICs anymore except for home use and often I will either use a 3com or Intel Pro NIC, with the Intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more than 3com and Intel with good cards too, they are just the ones I'm familiar with and sticking with.

  24. Big install by nighty5 · · Score: 3, Informative

    I've worked on very large directory deployments.

    10 million user accounts.

    We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.

    Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.

    You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.

    The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.

    When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.

    There are third-party companies that have written software that bridges the gap to manage UNIX systems, users, applications, policy, which from what I've seen works pretty well.

    At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.

    Oh yeah one more thing, this big install is for an education body.

  25. OpenLDAP master+slaves, Samba, WPKG by daveewart · · Score: 3, Informative

    Just to throw what I use into the mix, on a network of ~100 WinXP desktops:

    - Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe

    - OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);

    - WPKG - for software deployment, runs at each boot-up - really nice.

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  26. Re:Not Samba? by Anonymous Coward · · Score: 1, Informative

    we actually use samba with 800 open connections and it's ok. Your experience seems outdated. sorry.

  27. freeIPA by DecayingInsect · · Score: 2, Informative
    If you are looking merely to replace or emulate the LDAP/Kerberos functionality of AD you could take a look at freeIPA, a project under active development, sponsored by Redhat and based on Redhat/Fedora Directory Server, but with an enhanced web GUI and some additional functionality.

    From my experience, in a small-to-medium Linux/*BSD/OS X environment, with NFSv4 or AFS, this will work fine.

    However, as other posters here suggest: if you have predominantly windows clients, for your own sanity it would be better just to use AD from the outset.

    --
    .:SOLCAVUS:.
  28. Re:Not Samba? by Alioth · · Score: 3, Informative

    Samba is an implied component of these things. Samba doesn't do directory services (well, not as at the current stable versions - samba 4 which has been brewing for years and years will have its own LDAP service). Usually, an AD replacement consists of some directory service, such as OpenLDAP, with Samba handling the job of serving files and sharing printers. The open source services tend to follow the Unix paradigm of making a service - construct a whole out of components, and choose the components that suit you best. For instance, for our development network at work, we use OpenLDAP as the directory service, and Samba to share files from the server. Samba queries OpenLDAP when someone tries to authenticate. As do our little web applications - when you log onto one, it will query the same OpenLDAP server to authenticate/authorize your login.

  29. Thanks for the feedback! by danboid · · Score: 3, Informative

    Thanks to everyone who has posted ideas, suggestions and comments so far- I've just finished reading them all now- much appreciated and very interesting stuff.

    A few points that I should've mentioned in the original question are that (as most of you correctly assumed, being a UK school) nearly all clients are Win XP SP3 with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server but of course that would have a back-up machine- it's just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc- one for students, one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.

    We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.

    I was aware of eDirectory but didn't mention that in the question because it's not FOSS- however this has been recommended much more than Sun's solutions and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility as it may just be a better long term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now.

    Of course, AD *should* logically be the easiest one to stick with/ 'migrate' to but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transition to an alternative if there were numerous long term benefits.

    I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first I think.