Slashdot Mirror

← Back to Stories (view on slashdot.org)

Best FOSS Active Directory Alternative?

Posted by kdawson on from the war-stories dept.

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

16 of 409 comments (clear)

  1. Not Samba? by Tubal-Cain · · Score: 5, Interesting

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    1. Re:Not Samba? by digitalunity · · Score: 4, Interesting

      How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but that this was on NT4 then I would imagine your anecdotal experience is from some time ago.

      Samba has made tremendous improvements in the last couple of years in a lot of areas.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Not Samba? by stephenpeters · · Score: 5, Interesting

      I think openLDAP should be one of the first products the submitter tries. In my experience it is reliable scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitters position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

      <disclaimer>

      I have worked closely with Mark Taylor the CEO of Sirius for a long time now. Please consider anything I say about them biased, contact them youself and make up your own mind about them.

      </disclaimer>

    3. Re:Not Samba? by sandman_eh · · Score: 4, Interesting
      But since you haven't posted anything more we can't be sure.

      What did you investigate? What samba tuning parameters did you try?

      Last year I had a very similiar problem, which actullay turned out to be network card driver issue. I upgraded from the stock debian stable kernel to one from testing and the problem went away.

      My point is a single example without actually knowing what was investigated - is just a worthless anecdote.

      --
      Master of Peng Shui.Ancient oriental art of Penguin Arranging)
    4. Re:Not Samba? by chadruva · · Score: 3, Interesting

      I think Samba is an excellent replacement for windows server for simple filesharing, is usually easy to setup and some distros even drop in powerful GUI configuration tools.

      I have used samba in a small office (around 10-15 office workers), with a few shared folders (around 5 GB of documents), at first the company didn't trust our use of Linux, they had a windows 2000 server which was badly managed (and filled with virus/malware and being used as spam relay), we gave them a 1 month complete guarantee that the system will keep up without any problems or we give their money back and install w2k server back.

      They are quite happy now as once of properly configured you don't need to mess with it, we even added virus scanning (via clamav and hourly cron, samba clamav plugin taked a noticeable performance hit and was not straightforward to configure) and reporting via email (plus the email system running on the same server).

      --
      C-x C-c
    5. Re:Not Samba? by s4m7 · · Score: 3, Interesting

      Andecdotally, I know of a company that is currently switching their file servers over to ZFS and samba because of how seriously it outperforms NTFS and windows on the same hardware. Their new array is a 100TB array, and they have single files that exceed 1TB. It seems more likely that the performance issue you ran into has more to do with configuration than raw performance of samba.

      --
      This comment is fully compliant with RFC 527.
  2. Local resources by James+Youngman · · Score: 3, Interesting

    Try talking to Tim Fletcher at Parrswood.

  3. hate to say it... by johnjones · · Score: 4, Interesting

    but the first thing to do is look at how these have been deployed

    I dont see anyone with production systems on a large domain using anthing other than redhat directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but thats about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication

    1. Re:hate to say it... by Shuntros · · Score: 4, Interesting

      Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

      Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

      Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

      I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.

  4. That depends...... by ogdenk · · Score: 5, Interesting

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, Indesign, etc that the syllabii for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

    1. Re:That depends...... by ogdenk · · Score: 4, Interesting

      It works OK for older versions of Photoshop, but if your going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed everytime a new version of photoshop comes out that uses Win32 calls in a weird fashion.

      A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

      The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

      If your going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

      Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop in necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

      In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

      We HAVE to have windows desktops. manageable Group policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

      If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

  5. Re:There isn't an alternative. Next question. by Shados · · Score: 4, Interesting

    I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

    Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions...so well, to make that work better, they wrote their own "Active Directory" from scratch...its still running on Windows server, but its not an actual Active Directory(tm) kindda thing.

    But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

  6. DoD uses RHDS (FDS) by xzvf · · Score: 3, Interesting

    I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.

  7. Re:TCO by erroneus · · Score: 4, Interesting

    I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.

    Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?

  8. Notes on a running imlementation by Skrynesaver · · Score: 3, Interesting

    We have implemented a similar project in our local school.

    • Debian server
    • OpenLDAP
    • Samba
    • Edubuntu on the client machines
    • A combination of XP and LTSP to Edubuntu in the computer lab

    OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.

    Samba once set up works wonderfully for us.

    Best of luck and hope it works out well for you.

    --
    "Linux is for noobs"-The new MS fud strategy
  9. We already have this by jimicus · · Score: 3, Interesting

    It can be done, but there's a few things you have to bear in mind:

    1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.

    2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4- style policies - which aren't as flexible, don't offer as much and suitable precooked template files are becoming much harder to find.

    3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.

    4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.

    5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDS"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read-access to another pupils work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.

    Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.