Best FOSS Active Directory Alternative?
danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
Mandriva Directory Server + Pulse 2
And, er, what about OpenLDAP?
SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.
SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?
I don't often recommend SUN products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.
Good luck, LDAP is a pain in the ass ;)
Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however samba4 includes, among other things:
* Internal LDAP server, with AD semantics
* Internal Kerberos server, including PAC support
You can, but don't have to, hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.
I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell DirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory made it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.
The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.
Here is an MS quote from back before Jet was deprecated.
"While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).
So no 24x7 server apps per MS, I wonder what was slowing down the other poster's 50 concurrent connection scenario.
I could never get Jet to work well > 5 concurrent connections.
That VB Jet was a piece of shit isn't in debate here, it's the fact Samba wouldn't perform on the same level with beefier hardware. It's a little hard to sell Samba over Windows as a file sharing solution when it doesn't perform as well, and I was questioning if that's been resolved or not. If you choose to think it's a troll, it's not my problem.
If you mod me down, I will become more powerful than you can imagine....
Do you really want to use software named after a racist slur?
No, it's not a direct comparison to the GIMP situation. The slur is Sambo; the software is Samba. There's a difference. But is there a racial slur against trolls?
Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and add the accounts. That's my recommendation.
It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.
Put identity in the browser.
Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.
In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.
AccountKiller
Samba isn't an Active Directory alternative.
As far as I know any AD solution involving Samba is using OpenLDAP as backend, but I may be wrong.
I am using OpenLDAP in a project and I can just say that it's quirky to say the least and isn't very verbal about configuration errors unless you fiddle with it.
It's also a bit quirky with symmetrical replication, but it's not impossible to make it work.
But on the positive side - it's fast and relatively reliable if you manage to configure it right. You just have to be very patient with it.
I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased, in order to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3Com built-in network cards weren't as good as the PCI variety. I don't know if it was 3Com's problem or the main board manufacturer's issue and personally, at this point I don't care.
Anyways, I added a spare Intel Pro card and saw an immediate improvement. Like many, I assumed the on-board network adapter would have been sufficient seeing how it was a 3Com 3c905 series on a P4 2.8 system with about 2.5 gig memory (it did more than Samba). I ended up dropping another card into the box and separating the SMB services from another service I was running and it seemed to run circles around its previous performance as well as the NT4 performance. I don't know if yours would have been related but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on-board NICs anymore except for home use and often I will either use a 3Com or Intel Pro NIC, with the Intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more than 3Com and Intel with good cards too, they are just the ones I'm familiar with and sticking with.
I've worked on very large directory deployments.
10 million user accounts.
We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.
Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.
You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.
The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.
When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.
There are third-party companies that have written software to bridge the gap to manage UNIX systems, users, applications and policy, which from what I've seen works pretty well.
At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.
Oh yeah one more thing, this big install is for an education body.
Just to throw what I use into the mix, on a network of ~100 WinXP desktops:
- Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe
- OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);
- WPKG - for software deployment, runs at each boot-up - really nice.
Samba is an implied component of these things. Samba doesn't do directory services (well, not as at the current stable versions - samba 4 which has been brewing for years and years will have its own LDAP service). Usually, an AD replacement consists of some directory service, such as OpenLDAP, with Samba handling the job of serving files and sharing printers. The open source services tend to follow the Unix paradigm of making a service - construct a whole out of components, and choose the components that suit you best. For instance, for our development network at work, we use OpenLDAP as the directory service, and Samba to share files from the server. Samba queries OpenLDAP when someone tries to authenticate. As do our little web applications - when you log onto one, it will query the same OpenLDAP server to authenticate/authorize your login.
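The "web app queries the same OpenLDAP server to authenticate/authorize your login" step from the post above, written out as an added example that is not code from the thread or from any of the projects mentioned. It assumes a search-then-bind flow; FakeDirectory, the DNs and the sample accounts are constructed stand-ins for slapd so it runs offline, and the point it shows is RFC 4515 filter escaping, so that whatever is typed into the login box cannot change the shape of the directory search.

```python
import re

BASE_DN = "ou=People,dc=school,dc=example"               # assumed suffix
STAFF_GROUP = "cn=staff,ou=Groups,dc=school,dc=example"  # assumed group DN

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def uid_filter(login):
    """Filter the web app sends to slapd to resolve a login name to its DN."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter(login)

class FakeDirectory:
    """Constructed stand-in for slapd so the example runs offline: it only
    understands the exact-uid filter shape built by uid_filter(), decodes the
    RFC 4515 escapes, and refuses raw metacharacters that would have been
    evaluated as a wildcard or an extra clause by a real server."""
    PREFIX = "(&(objectClass=posixAccount)(uid="

    def __init__(self, entries):
        self.entries = entries   # dn -> {"uid", "userPassword", "memberOf"}

    def search_uid(self, flt):
        if not (flt.startswith(self.PREFIX) and flt.endswith("))")):
            return []
        raw = flt[len(self.PREFIX):-2]
        if any(c in raw for c in "*()"):
            raise ValueError("unescaped filter metacharacter in uid value: " + raw)
        uid = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items() if e["uid"] == uid]

    def bind(self, dn, password):
        """Simple bind: succeeds only for a known DN and a non-empty match."""
        e = self.entries.get(dn)
        return bool(e and password and e["userPassword"] == password)

def authenticate(directory, login, password):
    """Search-then-bind: resolve login to exactly one DN, bind as that DN,
    then authorise by group membership. Returns (authenticated, is_staff)."""
    dns = directory.search_uid(uid_filter(login))
    if len(dns) != 1 or not directory.bind(dns[0], password):
        return (False, False)
    return (True, STAFF_GROUP in directory.entries[dns[0]]["memberOf"])

# Constructed sample entries, not real accounts.
DIRECTORY = FakeDirectory({
    "uid=jdoe," + BASE_DN: {"uid": "jdoe", "userPassword": "correct horse", "memberOf": [STAFF_GROUP]},
    "uid=pupil1," + BASE_DN: {"uid": "pupil1", "userPassword": "battery staple", "memberOf": []},
})
```

An empty password is rejected before the bind is attempted because an LDAP simple bind with an empty password is an anonymous bind, which many servers accept and a naive app would mistake for success.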
Thanks to everyone who has posted ideas, suggestions and comments so far. I've just finished reading them all now; much appreciated and very interesting stuff.
A few points that I should've mentioned in the original question are that (as most of you correctly assumed, being a UK school) nearly all clients are Win XP SP3 with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server but of course that would have a back-up machine; it's just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc., one for students, one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.
We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.
I was aware of eDirectory but didn't mention that in the question because it's not FOSS; however this has been recommended much more than Sun's solutions and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility as it may just be a better long-term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now.
Of course, AD *should* logically be the easiest one to stick with/ 'migrate' to but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transitions to an alternative if there were numerous long term benefits.
I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first I think.