Best FOSS Active Directory Alternative?
danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server
Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?
Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.
OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.
Mandriva Directory Server + Pulse 2
SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.
SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?
A comparison is useless to you unless you know what your specific, minimum requirements are.
GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project:) : https://sourceforge.net/projects/wfstt/ .
Try talking to Tim Fletcher at Parrswood.
but the first thing to do is look at how these have been deployed
I don't see anyone with production systems on a large domain using anything other than Red Hat Directory or Novell eDirectory.
I see some custom OpenLDAP servers scale really well, but that's about it.
so given your choice above I would go for Fedora Directory Server and hack
if the choice was mine I would spend a little money and get the Novell eDirectory
regards
John Jones
The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain, which put it well past the 16-bit limit of users - and thus the Active Directory project started.
I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.
Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.
Samba4 is supposed to change this but it may be a while before it's ready for widespread use.
In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.
This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.
Students are great at f**king up machines, group policy is almost a must.
If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.
Don't even start with the flames. Linux and BSD are awesome, but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed, and it's semi-open.
Questions you should be asking yourself:
One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)
--Whizzmo
I don't often recommend SUN products with the exception of Solaris, but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source, but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly, with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.
Good luck, LDAP is a pain in the ass ;)
Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however, Samba4 includes, among other things:
* Internal LDAP server, with AD semantics
* Internal Kerberos server, including PAC support
You can, but don't have to hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.
If they're sticking with the same hardware, making the second machine they have now a replication or backup solution may already be part of their plan.
It may not be opensourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE, with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide for synchronizing with AD and there are guides all over the place regarding authenticating Windows off of LDAP servers.
...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server
Whichever system you end up using, I strongly discourage building your network around a single server.
I've run both OpenLDAP and Fedora DS. Both are relatively easy to set up, but I'd give the nod to FedoraDS, which is easier to manage and easier to get replication working. FedoraDS also seems to be more compliant, but that was just my impression based on some limited experience with the schemas.
Getting Windows to authenticate was relatively simple as there are lots of HOWTOs. If you have Linux clients, it's also relatively easy. CentOS/RedHat, for example, just needs a couple changes via system-config-authentication. You'll also need to configure things like posix groups and host/service based authentication.
I've messed with the so-called "Active Directory replacements". They all suck.
The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.
Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.
Did I mention this is a bad idea?
I'm not sure I understand the point... I mean, I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winboxes, I'd use Open Directory... if 90 Debian & 15 Winboxes, likely OpenLDAP, etc.)
You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.
The Admin and the Engineer
Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of for that a smaller organization like yours would move off AD would be to save money on the license, and especially on CALs. But as a school, don't you get them for damn near free anyway?
I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.
How much for the wall?
If you're considering Fedora DS, you also might want to look at FreeIPA.
I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.
Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?
The racial slur is sambo, ends in the letter 'o'.
Samba (ending with the letter a) is the first word in the unix dictionary that had an s, m, & b in it.
Samba itself is a musical genre.
Do you really need AD?
If you want users to be able to log in to any Windows machine with the same username and password, you don't want AD, you want Samba serving as a domain controller. Try not to use LDAP as a backend; it does work, but in small environments it's unneeded hassle.
If you have applications that require AD it's going to be a lot more work than it's worth faking it. It takes a lot of 30 minute reboots to add up to a solid month or two of getting some other solution to behave right.
If you have to use AD make sure you have firewalls, virus scanners, and physical security in place for the controller. Absolutely do not let some joker use it as their personal web browsing station.
Go for Apple's solution and get an OpenLDAP with Samba compatible with AD and it will act both as an LDAP/multi-master KDC and a genuine Windows PDC. It's better than wasting my taxes trying to do it yourself, you'll get support and it can be done in less than half an hour. With EDU discount you get MacOSX Server Unlimited for $499 and you probably have a G4 or G5 somewhere to install it on (that's all it needs), if not get a Mac Mini or an iMac. You could probably drop it in your current installation and migrate it with minimal interruptions.
You want to go from 2 servers to 1 server??? AD works and is easy to setup. Add a 3rd newer server to take on whatever demands you think these 2 older servers can't handle. Throw in DFS and you have a reliable fully redundant network that can handle just about anything you want.
What's the reason for switching? Wanting to get rid of CALs? Problems figuring out AD? I'm just curious, because you're talking about investing a TON of salary into redoing the entire network when you possibly don't have to. It would be one thing if you or someone on staff had a lot of experience with AD alternatives, but that really doesn't seem to be the case. You're just hoping to find out what might be a good alternative and going to just "figure it out as you go along". That is not a recipe for success. Sorry if I sound harsh, but I've been there and done that, and you don't want to spend 6 months struggling with something you have zero experience with when you can spend a month on something you already know.
If the AD install is truly fucked, then I guess keep researching if you want. But otherwise, if you have 2 working, reliable networks, you're making a really big mistake redoing the whole thing just to go FOSS. This goes double if you're 100% Windows on the client side. And trust me, this is coming from someone who has been pushing OSS on the server front for 10 years.
Do you really want to use software named after a racist slur?
No, it's not a direct comparison to the GIMP situation. The slur is Sambo ; the software is Samba . There's a difference. But is there a racial slur against trolls?
If this is truly a "large school," basing your network on a single server is such a bad idea it is almost criminal, and implementations like this are what give Windows (and Linux for that matter) a bad name.
I question why you have separate networks for students and teachers, but that aside, why in the world are you giving your network a single point of failure like this? One of Active Directory's strengths is its ability to use multiple servers to achieve redundancy. Why are you running 2 domains with only one DC, and why would you design a new implementation with a single DC/LDAP server/whatever? What happens when that machine has a catastrophic software/hardware problem?
Also, change for the sake of change is a poor idea. If you have a legitimate reason to say that $FOSS_LDAP_SERVER is a better fit for your environment, that's one thing, but by not even considering that AD *MIGHT* be the best fit for your environment, you are doing your employer and clients a disservice.
Hire a consultant or someone that knows what they are doing - regardless of which platform is picked. From the question, it sounds like you don't.
Stick with AD.
I have worked with windows desktops, managing them using alternative technology ( both samba and edirectory ), and let me give you the benefit of my experience; stick with AD. What I have learned is that you should use the vendor's own technology to manage their desktops, it just makes sense. Then you have to look at the long term support of such a setup, and you start to get an idea about how hard it would be to support a non-MS architecture.
Oh, and I'm hoping you really aren't hosting two domains on two servers; that's a horrible setup, you are asking for a catastrophic failure. Each domain needs 3 DCs ( and each DC hosting a GC ).
Mod me down with all of your hatred and your journey towards the dark side will be complete!
Don't swap to FOSS backed tech just because it's free.
AD is actually a pretty sweet piece of tech, and many FOSS apps work just fine with it.
_Always_ pick the best. AD is the best; then, for the situation, pick the best OS to go with it, etc.
if you know what you're doing, as I already mentioned above. I know of at least one good way around them.
The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server;
OpenLDAP is too plain and simple. It isn't user-friendly. There are no GUI tools that come with it although there are various tools people have made that you can use to manage it. I even created one myself as a senior project because it doesn't come with one and having to use the CLI commands for everything is just more trouble than it is worth when you want to get up and running quickly.
I haven't ever used Apache Directory Server so I can't speak to that but Fedora Directory Server comes from the Netscape Directory Server of yore. NDS went under and Sun Directory Server took its place. Netscape and Sun Directory Servers are basically the same thing, even the GUIs are the same except for name/logo changes here and there. FDS should be pretty good based on the NDS/SDS pedigree. OpenDS is new and runs using Java therefore it automatically requires more resources than the others which are built with C/C++. I'd let OpenDS mature a bit more before using it. Of the ones you mention I'd pick Fedora Directory Server.
But I have some questions. Do you plan to migrate clients over to a non-Windows OS? If not, you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory. It is possible to make this happen, but past methods of doing so (a few years ago for me) have been kludgy at best. Windows likes to talk to ADS. If you migrate to Linux clients, your job gets much easier because you don't have to worry about Windows SIDs and similar critical components of a Windows infrastructure.
Do you have people who know directory servers and understand LDAP? Be aware that ADS makes things easy for a Windows administrator. Even Sun Directory Server does not automatically enable replication when you have it installed on 2 servers. I highly doubt the other implementations you are looking at do the same. Therefore you will have to really understand how directory servers work underneath when working with these other implementations. You have to create replication agreements yourself and understand the underlying LDAP structure. ADS hides replication from you (accessible through Sites and Services snap-in though) until something breaks. The schema is hidden from you as well unless you need to access it (not even in the default list of MMC snap-ins but it can be added). Make sure you have people who can administer directory server installations, not just ADS installations, when you do this migration.
The computer would be completely useless if I could not store files SOMEWHERE. The desktop was just a convenient place. I could (and did) install programs to my student folder, which was stored on the network server, to exactly the same effect, except that it would take a little longer to install and to run over the network. It didn't matter.
The desktop WAS restricted, by the way... as were all other local directories. We were only "allowed", by policy, to store things in our student folder on the network server.
You have missed the point completely, which is that if you know what you are doing, the policies don't work! There are too many ways around them.
Certainly, the computers have to be usable. So they installed all the programs "they" wanted us to use (MS Office, a few compilers and IDEs, etc.) and locked everything else down. My point was that we BYPASSED those policies. Easily. And no, I daresay the staff was competent enough. If you think that policies really are secure, then you don't know much about the environment you are trying to administer.
We did not want to add services or keyloggers... we weren't interested in hacking into the system, just making it more useable for ourselves. However, if I had wanted to do so, I could have in a few minutes using my ERD Commander disk. So in fact, I could if I wanted to, I just didn't want to. What's your point?
I agree with your statements regarding what ADS provides and what OpenLDAP does not. The fact that OpenLDAP gives you a backend and nothing else is one reason I did not recommend it to the submitter however your subject for your post is not correct. ADS *is* LDAP. It uses LDAP underneath just as any other directory server does on the market today. Many also can integrate with Kerberos just as ADS does. I hate when people call ADS "Active Directory" and then they refer to Sun's implementation as an "LDAP server" or whatever. The fact is ADS is as much LDAP as any other. MS has just added attributes to the schema to fit a Windows infrastructure but then again so has Sun for Solaris clients. The LDAP schema was meant to be extended and can even be extended by the administrators to add custom attributes and object classes for companies who want to integrate their products with it. MS is no different in what they did. It's their own implementation of it just as Sun has their implementation. If someone wants an unadulterated implementation of a directory server they should go for OpenLDAP but they will be sorry (if only due to lack of management tools).
As a long-time Fedora user, I would suggest using CentOS on a production server and not Fedora. Fedora has a 1-year lifespan (the current is Fedora 10); CentOS has a 5-year lifespan (CentOS 5.2 is the current).
Have you considered Nintendo DS?
Having had a look at the three alternatives you're looking at, I like Fedora DS the most. Thing is, OpenDS and Apache Directory Server run on Java, and that would worry me. Fedora DS does multi-master replication, which is a big deal, and the major feature I really wish slapd/OpenLDAP had -- and Fedora DS is GPL code, too. Novell's eDirectory also does multi-master replication but has commercial licensing costs per client depending on what you're doing with it.
Okay, so there's no Debian package for it, but it appears to be installable via alien:
http://directory.fedoraproject.org/wiki/Howto:DebianEtch
I have used Fedora DS at work and it is OK. It is fairly stable when configured properly, and is mostly hands free once you get everything going.
"When configured properly" is the rub. You have to be very careful to watch your replication setup, and SSL is a bitch.
Don't bother springing for RedHat though. Their support is well-meaning but worthless.
I think poor old Mandriva could have suffered due to the lack of good English documentation (including developer docs and community forums), and the bias toward French language hasn't been good for them overall. Then again, it's been a few years now since I used that distro, it may have changed.
... the detailed technical documentation provided by the community (in English) beat Mandriva's docs hands down.
It may be great for French speakers, but my experience back when I used Mandriva (and "Mandrake") daily on my Desktop PC was that good English technical documentation was lacking, although I noticed lots of developer docs in French on the wiki that I couldn't read. Ultimately this was a major driver that pushed me toward Ubuntu
There is no comparable solution. Choosing anything else is a massive disservice to your users and the people responsible. AD is set up by default to work properly. It requires minimal maintenance. It supports multimaster replication, automatically doing nearly everything required. It uses Kerberos. It does your DNS for you. Windows works perfectly with it. Linux sort of works with it with Samba. Your alternatives in the FOSS space are basically setting up FDS or OpenLDAP by hand. That means making the schema by hand. OpenLDAP does not do multimaster replication. You will have to hand-configure Kerberos. You will have to manage most maintenance tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you. You will not have an easy interface to 'create users'. You will have interfaces to edit LDAP databases. FDS is a better LDAP server: but it is STILL JUST AN LDAP SERVER. It does not take care of DNS. It does not do Kerberos. Novell's commercial offerings are the closest: but they are woefully hard to get set up compared to AD, and they cost just about the same.
Samba isn't an Active Directory alternative.
I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures.
While you can certainly hook a Windows network up to OpenLDAP, FDS, or $OTHER_DIRECTORY_SERVER, you will end up spending far more time and effort (and hence money) than you save when you try and reimplement all the additional management functionality that is built in, in particular Group Policy. If you decide to skip the Group Policy functionality, you will lose all your hair, acquire several ulcers and otherwise age very quickly as your students end up with the run of the network.
Further, as long as your AD controllers (and you should have at least two for reliability, if you only have two physical servers to play with then virtualise them with Xen or ESXi, run an AD controller on each and then any other VMs you care as well) are ONLY AD controllers then you should find that they are relatively stable. AD has numerous flaws but setup right, it mostly just works, and is the key ingredient to making Windows clients behave sensibly.
The Novell directory stuff works well and retains the management functionality (and gives you some more too) but it still isn't a drop-in replacement and is rather expensive.
Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready.
I live and work in South Manchester and I've set up and looked after a number of similar heterogeneous networks (with various authentication mechanisms) over the past few years. For a school I'm also happy to do a bit of consulting pro bono. Email me if you're interested: marmarama@gmail.com
1. I hope you understand what you gain and lose by switching.
2. I have had to endure the pain of selecting from a few LDAP servers few months back. Just go and download Sun Directory Server Enterprise Edition 6.3 (DSEE). Buy a support contract of whatever level you need. Set it up (takes minutes, the docs are EXCELLENT!) and after that forget it even exists. This baby just works!
- mritunjai
Red Hat Directory Services over tens of thousands of users... so if you want the pay-for-support option, you go to Red Hat; for the bleeding edge, "no paid support but tell us about or contribute bug fixes", go for the Fedora option.
One of my large bank customers has both Windows and UNIX (moving to Linux) active directories, with software from a UK company called Fortefi that syncs changes between the two as soon as either is updated. See http://www.fortefi.com/products/account-provisioning/index.shtml
Ian W.
As far as my experience tells, Fedora Directory Server has my vote. Very mature, good integration with the Windows and Unix worlds and (very important) great admin tools and interface. I've been using it for 3 years, and never felt the need to go to RDS (the supported version). OpenLDAP is pretty rough, even if it works well. No idea on Apache DS. If you want to have the list of all candidate solutions, have a look at http://www.opensource-it.com/tags/directory_server_0
I've worked on very large directory deployments.
10 million user accounts.
We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.
Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.
You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.
The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.
When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.
There are third-party companies that have written software that bridges the gap to manage UNIX systems, users, applications and policy, which from what I've seen works pretty well.
At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.
Oh yeah one more thing, this big install is for an education body.
Just to throw what I use into the mix, on a network of ~100 WinXP desktops:
- Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe
- OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);
- WPKG - for software deployment, runs at each boot-up - really nice.
"OpenLDAP is too plain and simple .. There are no GUI tools .. I even created one"
What was this tool you created called, is there a copy online anywhere? What's difficult about a Unix admin setting up a script. And you don't have to use the CLI for everything, you put it in a script and let the machine do it.
"you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory"
'These problems have been solved by using OpenLDAP and Samba TNG software'
"ADS hides replication from you (accessible through Sites and Services snap-in though)"
It really amazes me how MS releases a utility with most of the core components missing and then charges you more for the 'snapins'.
davecb5620@gmail.com
This may be a bit of a stretch for the original poster, but if the intention is to lock down the desktop why not abolish it all together and put it all on the server using thin clients?
"I'd just like to echo what a few other posters have suggested: stick with AD for now and migrate to Samba4 when it matures .. Samba4 will be a great drop-in replacement for AD but it's still some way away from being properly production-ready"
'In short, you can join a WinNT, Win2000, WinXP or Win2003 member server to a Samba4 domain, and it will behave much as it does in AD, including Kerberos domain logins where applicable'
Samba is freely available, unlike other SMB/CIFS implementations, and allows for interoperability between Linux/Unix servers and Windows-based clients.
davecb5620@gmail.com
From my experience, in a small-to-medium Linux/*BSD/OS X environment, with NFSv4 or AFS, this will work fine.
However, as other posters here suggest: if you have predominantly windows clients, for your own sanity it would be better just to use AD from the outset.
.:SOLCAVUS:.
We have implemented a similar project in our local school.
OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.
Samba once set up works wonderfully for us.
Best of luck and hope it works out well for you.
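A Python version of the kind of provisioning job described above, as an added example and not the poster's Perl script: it assumes a base DN of ou=People,dc=school,dc=example, a students group with gidNumber 1000, a uidNumber range starting at 5000, and a constructed list of new pupils, and it emits LDIF for ldapadd plus the text of the tutor notice rather than sending mail.

```python
import base64
import hashlib
import hmac
import os
import re
import secrets
import string
import unicodedata

BASE_DN = "ou=People,dc=school,dc=example"  # assumed directory suffix
STUDENT_GID = 1000                           # assumed gidNumber of the 'students' group
FIRST_UID_NUMBER = 5000                      # assumed start of the pupil uidNumber range

# Constructed sample of "new students" as they might come out of the school DB.
NEW_STUDENTS = [
    {"given": "John", "surname": "Smith", "form": "7A", "tutor": "tutor7a@school.example"},
    {"given": "Jane", "surname": "Smith", "form": "7A", "tutor": "tutor7a@school.example"},
    {"given": "José", "surname": "García", "form": "7B", "tutor": "tutor7b@school.example"},
]


def ssha_hash(password, salt=b""):
    """Return a {SSHA} userPassword value in the form slapd stores and verifies."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value: first 20 bytes are the SHA-1, the rest is salt."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def make_uid(given, surname, taken):
    """Build 'jsmith'-style login names: ASCII only, unique against already-taken uids."""
    folded = unicodedata.normalize("NFKD", given[0] + surname).encode("ascii", "ignore").decode()
    base = re.sub(r"[^a-z0-9]", "", folded.lower()) or "user"
    uid, n = base, 2
    while uid in taken:              # jsmith, jsmith2, jsmith3, ...
        uid, n = f"{base}{n}", n + 1
    taken.add(uid)
    return uid


def random_password(length=10):
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ldif_attr(name, value):
    """One LDIF attribute line; use the base64 form (double colon) where RFC 2849 requires it."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def student_ldif(s, uid, uid_number, pw_hash):
    """LDIF for one posixAccount/inetOrgPerson entry, ready for ldapadd or slapadd."""
    attrs = [
        ("dn", f"uid={uid},{BASE_DN}"),
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", f"{s['given']} {s['surname']}"),
        ("sn", s["surname"]), ("givenName", s["given"]),
        ("uidNumber", str(uid_number)), ("gidNumber", str(STUDENT_GID)),
        ("homeDirectory", f"/home/students/{uid}"), ("loginShell", "/bin/bash"),
        ("userPassword", pw_hash),
        ("shadowLastChange", "0"),   # 0 = must change the mailed initial password at first login
    ]
    return "\n".join(ldif_attr(k, v) for k, v in attrs) + "\n"


def provision(students, taken_uids, next_uid_number):
    """Return one record per pupil: the LDIF to load and the notice for the class tutor."""
    taken = set(taken_uids)
    records = []
    for s in students:
        uid = make_uid(s["given"], s["surname"], taken)
        password = random_password()
        records.append({
            "uid": uid,
            "uid_number": next_uid_number,
            "ldif": student_ldif(s, uid, next_uid_number, ssha_hash(password)),
            "notice": (f"To: {s['tutor']}\nSubject: New login for form {s['form']}\n\n"
                       f"{s['given']} {s['surname']}: username {uid}, initial password {password}\n"),
        })
        next_uid_number += 1
    return records


if __name__ == "__main__":
    for r in provision(NEW_STUDENTS, {"root"}, FIRST_UID_NUMBER):
        print(r["ldif"])
        print(r["notice"])
```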
"Linux is for noobs"-The new MS fud strategy
First of all, why use crappy OpenLDAP when you can use the Netscape Directory Server that Red Hat bought and open-sourced?
I have found OpenLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?
There is a reason why they paid $23 million for it...
And the reasons are?
Then, AD isn't just an LDAP server with usernames and passwords....
Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.
Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...
I mean, in an office with a Linux server and some Linux clients, try to lock down some options on Firefox, the desktop, Evolution.... surprise, you can't do it. Oh, yeah, there are a lot of workarounds everywhere, but they are different if you use KDE or Gnome, or depending on the app you are using. It's a horrible mess.
Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.
Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.
This is otherwise known as vendor lock-in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.
Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more effort into this; it's one of the biggest showstoppers for Linux adoption.
I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius, the consultancy I recommended, has a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS; it really works in the real world.
In my previous post I forgot to mention that OGC/Becta are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation, as no other FOSS consultancy has managed to cut through government red tape thus far.
It can be done, but there are a few things you have to bear in mind:
1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.
2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4-style policies, which aren't as flexible, don't offer as much, and suitable precooked template files are becoming much harder to find.
3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.
4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.
5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDs"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system, otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read access to another pupil's work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.
Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.
You're only mentioning OpenLDAP, which is a good option, but why would you ignore Sun's Java Directory Server? I'm using this one at home as part of the Java Enterprise System and based on my own experience I'd say that you don't want to mess with things like OpenLDAP and the likes.
Not because these products would be bad or anything, on the contrary, but because these Sun products are a little more developed and advanced when it comes to system administration. With OpenLDAP you'll be writing up a lot of scripts yourself to get things to work as you want them to. Sun's directory server comes with a full-fledged administration interface free of charge. You can script or you can click your way around; you'll be the one deciding that. And also important: this stuff was around long before Fedora and the likes even had these kinds of solutions, perhaps with the exception of RedHat's RHEL.
I can't help wondering if you're not falling into the common trap of assuming FOSS to be free software by definition. Sorry, but that is NOT the way it works. If you're looking for free software then say so. Or do you plan to tinker with this software yourself as well? Because in that case I can't help being my cynical self by wondering why the heck you'd need to ask people on /. about this instead of grabbing your obvious choices to check them out and discover for yourself if these products meet your demands. That is what matters here. And if a quick google search is too much to ask (note how it also mentions the Java Directory Server on page 2?) then I can't help wondering what extra value the open source part will be. It doesn't look to me as if you'll be hunting down the source code and its (sometimes meager) documentation to find ways to enhance said software yourself.
Which brings me to my closing point: why change in the first place? Please don't assume that by simply installing a free Linux solution you'll reduce your total cost of ownership. Implementing such a change takes time for research and the implementation itself. And that's not even mentioning possible educational costs. We're not talking about a point and click solution per facto. So also keep this in the back of your mind: by switching environments you might be hitting your budget more than you expected or anticipated. Just because something is free does not make it better by definition.
Alas, I wish you much wisdom in your final pick and good luck with the migration should you decide to go through.
I don't think you're trolling, but you are surely aware that you can get paid support for almost any distro or FOSS software out there. Red Hat, Novell & Canonical are the first three that spring to mind, but there are countless others, both 1st and 3rd party, for most distros.
IranAir Flight 655 never forget!
Check out http://www.univention.de/ucs.html . It's a true AD replacement, and if you are willing to compile their packages on your own, you won't have to pay fees. If you stick to prebuilt binaries, you have to pay.
UCS is either a replacement for, or a team player *with*, AD.
http://www.freeipa.org/
As others have suggested: once you have Windoze-clients, you can't just replace AD. You need it.
With RHE-IPA, you can (AFAIK) sync the kerberos-part of the two, so you have common passwords (which is all what matters for non-Windoze AD-clients).
The only way to replace AD and continue using Windoze clients is to get rid of Exchange and use something else and replace the desktop-management-stuff also with something else (Novell comes to mind).
However, you will not save money or work/effort...
Windows 2000 - from the guys who brought us edlin
Microsoft AD is several well integrated things in one. But in this FOSS world you get all the building blocks, and you may have to assemble them yourself.
Thus you get great flexibility and power. But it may be that you are not very interested in tinkering with the internals and building your environment from the ground up.
You should at least test out the Debian Edu/Skolelinux [1] distribution. It's made to be easy to admin for a part time teacher/part time admin, and comes with openldap+bind+samba+winbind out of the box.
You can easily join Linux, Mac, and Windows machines into the domain, have central authentication, and roaming profiles. And it is tailor made just for your use case.
Debian Edu Homepage http://skolelinux.no/en/
Debian Edu Wiki http://wiki.debian.org/DebianEdu
Ronny Aasen
Thanks to everyone who has posted ideas, suggestions and comments so far - I've just finished reading them all now - much appreciated and very interesting stuff.
A few points that I should've mentioned in the original question are that (as most of you correctly assumed, being a UK school) nearly all clients are Win XP SP3 with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server, but of course that would have a back-up machine - it's just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc. - one for students, one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.
We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.
I was aware of eDirectory but didn't mention that in the question because it's not FOSS - however this has been recommended much more than Sun's solutions, and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility, as it may just be a better long-term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now.
Of course, AD *should* logically be the easiest one to stick with / 'migrate' to, but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transition to an alternative if there were numerous long-term benefits.
I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first I think.
Why on Earth would anyone write an app that requires sharing MDB files? Even Microsoft warns that the MDB is a "desktop database" format, not really intended for heavy use.
It's almost trivially easy to port any Jet application to use a "real" backend database server (MS SQL, Postgres, MySQL, Oracle, etc.) Even Access works beautifully as an ODBC client.
OpenLDAP is a top notch LDAP implementation. It's only about 60% of a directory solution though. The management and configuration tools are where the difference is.
Now, setting up OpenLDAP isn't that difficult, but it's a stretch for a lot of MCSE-type IT folks. I'm also going to go ahead and assert that maybe 20% of AD users or LDAP users actually have any idea how the LDAP tree is structured; they basically want a GUI where they can reset passwords and grant access, and how the rest of it works they could care less. You've got a fairly steep hill to climb if you want to run OpenLDAP and simply don't care about LDAP.
All that being said, there have been a lot of startups that try to polish some opensource and sell it, Directory Server in a box built on top of OpenLDAP seems like a slam dunk, it's really an exercise in building a UI and writing documentation.
A couple of years ago, with none of us where I was working having worked with it, and figuring LDAP was the wave of the future (our other options were NIS and NIS+), I volunteered and implemented OpenLDAP. I even did an upgrade (2.2 to 2.3).
It was a nightmare. The documentation was *NOT* adequate; the OpenLDAP "communities", when I joined them, mostly gave me one of three responses: a) no answer; b) "it's been discussed before"; and c) "this isn't the right forum for that question". They were *utterly* unhelpful.
openLDAP's tools and error handling are also inadequate. IMO, it ain't ready for prime time.
Between many days of googling, and responses from a techie mailing list I'm on, and from the Redhat general discussion list, I managed it.
However, I would *not* recommend the openLDAP project, per se. I trust *any* of the others that have been mentioned are better.
mark
If you're using Access for a 50 user database with no other real RDBMS backend, you're an idiot and you're asking for trouble.
Your data integrity and performance must not be very important to you.
I was just about to download FreeIPA and try it under VirtualBox but had the good sense to read the FAQ first where it states:
IPA Policy
1. Q: Can I specify different policies for different groups?
A: No. The current release of IPA supports one policy for all. The PRD for v2 does not explicitly list this requirement. There is, however, some requirement to improve password policies but not to that scope. This will be added to a future feature set. /end quote
Hence it seems FOSS advocates are waiting for IPA v2 or samba 4.x until they have a good chance of really booting MS and proprietary solutions out of the server room at least.
It's not "free", but have you checked Apple's Leopard Server platform? It is easy to manage and can work as a PDC for Win32 machines right out of the box. It integrates with existing domains as a BDC so you can play with it. It has a comprehensive directory and service list that makes it a good choice for looking into. Add to that it is a one-off cost of less than $1000au for the "unlimited" version.. no CALs to buy for anything.. ever. EB
"Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks."
"This is otherwise known as vendor lock-in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor."
No, it's not. You've obviously never used GPOs to control the behavior of applications from the backoffice all the way out to the laptops in the field, setting enforced application permissions, client-side secure certificates, and Windows Update parameters. This is just ONE small part of getting AD working in your organization.
And it's arguably the single BEST reason for having AD to begin with.
Just because it has some good uses doesn't mean it's not vendor lock-in, and it doesn't mean the vendor won't effectively be holding your IT operations for ransom. You may think this is an OK trade-off for having systems that work very well together and allow you a great deal of control over clients, but not everyone would agree. You are basically putting yourself in a situation where Microsoft could raise their price 1,000% per seat and you would be forced to pay. They also can, and do, force you to upgrade, even if you don't see a need to. Now it might be that this loss of control is worth being able to push out and enforce client side Windows Update parameters...but it's definitely not as clear cut a case as you're trying to make it.
I ran an OpenLDAP server as the one repository of directory and login information for a small company for over 5 years and it generally worked very well... with some caveats.
1) Integrating OSX systems into the mix is not trivial or particularly well documented. Our Macs' ability to recognize group permissions, specifically, would come and go with different MacOS updates. If "proper" Mac support is important to you, you should seriously consider using Apple Directory Server (which the Windows and Linux systems will be perfectly happy with).
2) On several instances we suffered corruption of the OpenLDAP database, so back up regularly and push changes to your slave. (In all of our cases the corruption that broke the server did not propagate to the slave.) The bad thing about this is that it fails in a reasonably silent manner, where slapd just stops responding and then quietly refuses to start. The fix in these cases was to wipe the LDAP database, slapcat from the slave, then slapadd everything back on the master.
3) Failover can be tricky. Even with multiple servers configured in ldap.conf and similar locations, most clients seem to "latch on" to a particular server and then not let go. At some point you'll want to set things up for more automated failover and/or load balancing. For that purpose, we have been looking into switching to CentOS Directory Server (like Fedora or Redhat), which has a more robust master/master sync arrangement and thus better supports load balancing. Losing LDAP service will bring your entire network to an unpleasant halt... so engineering in some redundancy should be a priority and will make your life much easier in the long run.
I'd take a serious look at CentOS Directory Server (and CentOS itself) for this purpose before finalizing your decision.
That a single network is a good idea. I work in education in Aust, and govt policy is that the admin network, which contains students' confidential records, is always kept physically isolated from the student network.
The only point at which the networks connect is the outgoing router, and connections between the 2 are not allowed by the router.
I would suggest this is a much more secure option. You may find education dept policy requires separate networks anyway.
What ogdenk said.
Using Access in this manner is crazy and a huge performance issue all on its own, not to mention data integrity.
Good luck.
- Michael T. Babcock (Yes, I blog)
How is Samba a drop-in replacement for AD? Does it have the same system of hierarchical groups and policies?
+++ATH0
Okay, I get your point, AD is vendor lock-in, that's not the point I'm trying to argue. I'm trying to argue that it's valid for the FOSS movement to support the features that Windows/AD does with GPOs. This has nothing to do with lock-in and everything to do with allowing Corp. admins to secure and manage their desktops using a single tool.
:-)
GPOs may be a bad way of doing this, but it's THE way the Windows world is working, and no one has yet come up with something better. It would be nice if this changed.
Ya'know... there's a very good reason to keep 2 servers.
Server A: Primary Domain Controller
Server B: Secondary Domain Controller
If you only have one, hardware failures do happen.
I will not give in to the terrorists. I will not become fearful.
I'm just going to put this lightly.
You follow through with this idea, you're going to lose your job. Not only are you going to lose your job, but you're going to make it so FOSS software is almost never considered in your school again--for any project. Because the beancounters are going to look back and see just how much money they wasted, how much time and effort they wasted, only to hire a consultant to come fix the mess you made who is going to reinstall Windows anyway.
Just my 2 cents.
I've been using smbldap-tools for some time with a sync on IMAP + sendmail.
It has helped me to have one password for mail and workstation for 4 years.
It is hard to update, but it is very lovely, especially when you have LVM to manage storage better.
The best part is one script to create the user and mail, and add to group and lvm2.
Windows 2008 Server is getting as good, but it is missing LVM and a more open directory.
Good luck; I had a site with 500 users in a parent company.
I know Novell has been the target of a lot of criticism lately (some of it fair, some of it totally bogus), but if you are truly scanning the market for alternatives you should take a look at the products they offer.
:-)
Novell has made a business out of Identity Management and network security. It is what they do. Not all of it is Open Source, but all of it runs on open platforms and is easy to integrate with. Their products run on Linux (SUSE Enterprise, but I suppose other distros would work as well).
I think you will find Novell's products very mature and rich in features. They integrate a lot better with a FOSS based infrastructure than most alternatives, and the quality is commercial-grade (in the positive sense). There are ready-to-go tools for migrating ADs to new non-Microsoft servers, and to do Identity Management with many different security technologies concurrently.
After evaluating it you may decide you don't like it (perhaps because of a religious opposition to closed source binaries or simply because you don't like the flavor of the UI) but at least you would be making a qualified choice.
- Jesper
My security clearance is so high I have to kill myself if I remember I have it...
GPO's only really lock down a machine for the uninformed. Worrying about them not being available is like worrying that there is no sand available to stick your head into so that you can pretend no-one can see you. First and foremost, if the person has physical access to the system GPO's will not stop anything. In most businesses the employees have the client system on/under their desk. Breaking in, is as simple as rebooting with the right CD in the drive.
You ARE the uninformed.
No comprende? Let me type that a little slower for you...
The major frustrations that I have with OpenLDAP/Samba (currently wrestling with eliminating Active Directory myself) are that there are very few *good* guides out there that explain the process. Most of the guides out there are "do XYZ and you're done", but only if you're on this specific version of Linux.
Nobody bothers to explain how to verify that things are working. Or why they chose the settings that they did. Or what settings are required and which ones were only due to some local mandate.
All of this, I think, is why there's a lot of frustration out there with OpenLDAP. Yes, it's a complex piece of software, but I think a lot of it is due to poor documentation.
Wolde you bothe eate your cake, and have your cake?
I second Fedora Directory Server/Redhat Directory Server. Also, you may want to check out FreeIPA.
FDS/RDS have a very nice Java GUI to manage with, or you can use standard LDAP command line tools.
http://directory.fedoraproject.org/
http://freeipa.org/page/Main_Page
FreeIPA is what makes your Plain Jane LDAP server more AD-like.
Goodness, you are naive. Or missing the point.
GPO's only really lock down a machine for the uninformed.
Which is the point. No, GPOs (note the absence of the apostrophe) won't stop teh 1334 h@xor from breaking into the machine. Group policies just (mostly) stop the Admin assistant or the junior accountant in Finance from loading some stupid browser cursors (and associated spyware).
Breaking in, is as simple as rebooting with the right CD in the drive.
If it's that simple where you work, that needs to be fixed. And whoever's responsible for that travesty needs to be fired. Every PC I've worked with since about 2000 has (A) BIOS passwords, (B) boot order selection (so you can disallow booting off any media besides the chosen hard drive), and (C) DMI reporting of case intrusion, so you can't easily get away with cracking the case to clear the password (or, for that matter, installing another hard drive instead of the normal boot drive, which is how I'd do it).
GPOs allow the workgroup administrator to apply consistent identity-based policies on client systems. They are, in fact, a non-negotiable necessity in most business settings. Handwaving and straw-manning the requirement away won't work; instead, OS workgroup server technology has to present a viable alternative implementation.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Maybe you are doing it wrong.. I run a domain with around 40,000 accounts and I can't even remember the last time I logged in on an Active Directory controller..
Nobody bothers to explain how to verify that things are working. Or why they chose the settings that they did. Or what settings are required and which ones were only due to some local mandate.
Having been the primary Sys Admin for a major telco, one of the few with Sniffer experience supporting in excess of 10,000 desktops in multiple geographic locations, I can attest that most Sys Admins think they know how a proprietary tool works and are similarly flabbergasted and surprised when the proprietary tool / software / app / protocol / whatever opens a gaping security hole or violates the protocol they mistakenly believed was sacrosanct; something they could never see if they do NOT get a packet sniffer and start sniffing to see what is actually truly going on. Heck, I was sent to training with Network General for the Distributed Sniffer; however, I had to perform the baselines on my own time... rolling stones and moss and all that... for most of us Sys Admins, we pay the price if we do NOT take our own time in spite of the manager or company.
Now I do NOT blame the Sys Admins, as they are NEVER given the time (or enough time) to baseline and learn how various things work together before there is a problem... before there is a need to know. By learn I mean work with, play with and use the appropriate software and hardware tools to see what is actually happening, not what the manual states is supposed to happen. Also to play "what if" with those tools and see what happens when they generate various errors, in order to be ready when the need arises.
Also I would guess that over 70% of the companies (probably much higher) employing System Administrators out there, even today, DO NOT allow time for monitoring of servers, networks, etc... No, that seems to be something they just expect a Sys Admin to know how to do when something goes wrong. I would rather not assume either; admittedly sometimes we have no other choice, and that does suck.
And for those that think I might be trying to start some sort of flame war about a company that begins with an M, give it a rest, as my first experience of this type was when a Sun authorization server violated the Token Ring protocol by responding to packets that were NOT meant for it.
I will agree with you that the documentation is poor in many cases and the explanations are made poorer due to someone taking that documentation as gospel; can you say General Protection Fault.... at least that is shorter than the 40 page troubleshooting guide provided by that nameless company that never worked.... but I digress. I am sure I am not the only person that gave it a one-finger salute and simply turned the computer off/on.
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
You're almost there, but not quite. OSS definitely has the identity based stuff taken care of, in fact AD stole most of it from the FOSS world (Kerberos + ldap). It's the other stuff, the central configuration of proxies, certificates and other applications that we're missing. Not just configuration, but ENFORCEMENT.
This may not be important to the GP, but it's important to a lot of people.
You are basically putting yourself in a situation where Microsoft could raise their price 1,000% per seat and you would be forced to pay.
In what conceivable way are they 'forced to pay'?
If they're in a subscription, the pricing is locked for the duration. If they are not, then it's already paid for and they own it.
If MS were to raise the price 1000% then the business goes into the following decision tree:
* is the cost increase more expensive than the concrete and non-concrete migration costs to move away, or greater than the risk/cost of running unsupported software?
** if yes, then either migrate or stay where you're at
** if no, then pay microsoft next time you want to buy more stuff
There's no 'force'. There's simply the product cost vs. the migration cost. Whichever one is cheaper, the business is likely to make that choice. This isn't something immoral; it's just business and economics. Every business on the planet will try to make it painful for you to switch away from them.
If MS has developed such a good product (by some criteria that matches market selection) that everyone has it, and no one wants to go off it, and they can raise their prices and have people still stay with them, then they're being an effective business. This happens all the time where people will pay a premium for quality.
Now it's arguable whether most people would label what MS does as 'quality' per se, but it's quality by some form of market selection, as people continue to buy from them.
This is really simple stuff, and no one is pointing a gun at anyone's head and saying 'you must pay now'. That's one of the really annoying mythologies that floats around here.
With a more reasonable increase, the customer is more likely to feel "forced"[1] into paying the extra, because it amounts to less than the cost of a migration project.
In no case is it forced or coerced. That's my point. The use of words like those is deliberately chosen to confuse and misinform people.
That's how vendor lock-in works. If you don't understand that, then I recommend you don't buy any software or make software purchasing recommendations ... heck, just stop using software until you understand the concept.
Nice high-horse you've got there.
There is no such thing as vendor lock-in. It's an emotionally laden term that doesn't really mean what people think it means.
There are simply choices and marginal costs.
Some businesses are better at constructing the business relationship such that they can make the marginal cost of moving to another product always slightly higher than the cost of staying with.
That's not a 'lock-in', it's not 'forcing', and it's not 'coercing'. In all cases, the business/customer in question can do whatever they want, and move to whatever competing product they want. Or they can stay. In both cases there are costs.
Talking with words like lock-in and force and coerce just tries to create an emotional feeling associated with the subject matter. It's a manipulation technique.