Slashdot Mirror


Best FOSS Active Directory Alternative?

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

12 of 409 comments

  1. Mandriva by Anonymous Coward · · Score: 5, Informative
    1. Re:Mandriva by flydpnkrtn · · Score: 4, Informative

      Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

      "English documentation will soon be available, stay tuned."

      http://pulse2.mandriva.org/wiki/Documentation

  2. Re:Not Samba? by Anonymous Coward · · Score: 4, Informative

    And, er, what about OpenLDAP?

  3. SME Server 8 by erroneus · · Score: 5, Informative

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    1. Re:SME Server 8 by grcumb · · Score: 5, Informative

      I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

      I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

      It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

      (I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

      BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

      If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

      To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  4. Sun Java System Directory Server by wmute · · Score: 5, Informative

    I don't often recommend SUN products with the exception of Solaris, but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source, but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. It handles multimaster replication between however many nodes flawlessly, with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

  5. Re:hate to say it... by Korgan · · Score: 5, Informative

    I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML, which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. It also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory made it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

  6. Re:Not Samba? by ushering05401 · · Score: 5, Informative

    The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

    Here is an MS quote from back before Jet was deprecated.

    "While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

    So no 24x7 server apps per MS; I wonder what was slowing down the other poster's 50 concurrent connection scenario.

    I could never get Jet to work well > 5 concurrent connections.

  7. And not Sambo either by tepples · · Score: 4, Informative

    Do you really want to use software named after a racist slur?

    No, it's not a direct comparison to the GIMP situation. The slur is Sambo; the software is Samba. There's a difference. But is there a racial slur against trolls?

  8. Re:Not Samba? by Daengbo · · Score: 5, Informative

    Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and add the accounts. That's my recommendation.

    It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.
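As an added illustration of the Samba-PDC-with-LDAP-backend setup the comment above recommends (not from the comment, and not the configuration eBox generates), here is a minimal Samba 3 era `smb.conf` with the settings an administrator should check before putting it in front of pupils; the workgroup, host names and LDAP suffix are assumed placeholders.

```ini
# Added example: Samba 3 PDC role with an ldapsam (LDAP) account backend.
# Not taken from the thread or from eBox; SCHOOL, DC1, ldap.example.internal
# and dc=school,dc=internal are placeholders to replace with your own values.
[global]
   workgroup = SCHOOL
   netbios name = DC1
   security = user

   # PDC role: answer domain logons and win the domain master browser election
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65

   # Account database lives in LDAP instead of the local tdbsam/smbpasswd file
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=school,dc=internal
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap admin dn = cn=admin,dc=school,dc=internal
   # The bind password is deliberately NOT in this file. Store it with
   #   smbpasswd -w 'the-ldap-admin-password'
   # so it lives in secrets.tdb, readable only by root.

   # Encrypt the Samba <-> LDAP channel. "ldap ssl = off" would send the
   # admin bind password and every user's password hashes in clear text.
   ldap ssl = start tls
   # Keep the Unix and NT password attributes in LDAP in step on changes
   ldap passwd sync = yes

   # Roaming profiles and logon scripts served from the DC
   logon path = \\%L\profiles\%U
   logon script = logon.bat

[netlogon]
   path = /var/lib/samba/netlogon
   # Read-only: a writable netlogon share lets any user edit the logon
   # script that every other user's workstation runs at sign-in.
   read only = yes

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   # Each user's profile directory is private to that user
   create mask = 0600
   directory mask = 0700
```

Run `testparm` after editing to catch syntax errors and to confirm the effective `passdb backend` and `ldap ssl` values before restarting Samba.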

  9. Re:Not Samba? by Vellmont · · Score: 5, Informative

    Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.

    In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.

    --
    AccountKiller
  10. Re:Not Samba? by sumdumass · · Score: 5, Informative

    I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased in the more to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3com built in network cards weren't as good as the PCI variety. I don't know if it was 3com's problem or the main board manufacturer's issue and personally, at this point I don't care.

    Anyways, I added a spare Intel Pro card and saw an immediate improvement. Like many, I assumed the on-board network adapter would have been sufficient, seeing how it was a 3com 3c905 series on a P4 2.8 system with about 2.5 gig memory (it did more than Samba). I ended up dropping another card into the box and separating the SMB services from another service I was running, and it seemed to run circles around its previous performance as well as the NT4 performance. I don't know if yours would have been related, but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on-board NICs anymore except for home use, and often I will either use a 3com or Intel Pro NIC, with the Intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more than 3com and Intel with good cards too; they are just the ones I'm familiar with and sticking with.