Slashdot Mirror

← Back to Stories (view on slashdot.org)

Best FOSS Active Directory Alternative?

Posted by kdawson on from the war-stories dept.

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

10 of 409 comments (clear)

  1. Not Samba? by Tubal-Cain · · Score: 5, Interesting

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    1. Re:Not Samba? by digitalunity · · Score: 4, Interesting

      How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but that this was on NT4 then I would imagine your anecdotal experience is from some time ago.

      Samba has made tremendous improvements in the last couple of years in a lot of areas.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    2. Re:Not Samba? by stephenpeters · · Score: 5, Interesting

      I think openLDAP should be one of the first products the submitter tries. In my experience it is reliable scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitters position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

      <disclaimer>

      I have worked closely with Mark Taylor the CEO of Sirius for a long time now. Please consider anything I say about them biased, contact them youself and make up your own mind about them.

      </disclaimer>

    3. Re:Not Samba? by sandman_eh · · Score: 4, Interesting
      But since you haven't posted anything more we can't be sure.

      What did you investigate? What samba tuning parameters did you try?

      Last year I had a very similiar problem, which actullay turned out to be network card driver issue. I upgraded from the stock debian stable kernel to one from testing and the problem went away.

      My point is a single example without actually knowing what was investigated - is just a worthless anecdote.

      --
      Master of Peng Shui.Ancient oriental art of Penguin Arranging)
  2. hate to say it... by johnjones · · Score: 4, Interesting

    but the first thing to do is look at how these have been deployed

    I dont see anyone with production systems on a large domain using anthing other than redhat directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but thats about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication

    1. Re:hate to say it... by Shuntros · · Score: 4, Interesting

      Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

      Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

      Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

      I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.

  3. That depends...... by ogdenk · · Score: 5, Interesting

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, Indesign, etc that the syllabii for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

    1. Re:That depends...... by ogdenk · · Score: 4, Interesting

      It works OK for older versions of Photoshop, but if your going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed everytime a new version of photoshop comes out that uses Win32 calls in a weird fashion.

      A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

      The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

      If your going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

      Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop in necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

      In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

      We HAVE to have windows desktops. manageable Group policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

      If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

  4. Re:There isn't an alternative. Next question. by Shados · · Score: 4, Interesting

    I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

    Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions...so well, to make that work better, they wrote their own "Active Directory" from scratch...its still running on Windows server, but its not an actual Active Directory(tm) kindda thing.

    But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

  5. Re:TCO by erroneus · · Score: 4, Interesting

    I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.

    Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?