Slashdot Mirror


Best FOSS Active Directory Alternative?

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

83 of 409 comments

  1. Not Samba? by Tubal-Cain · · Score: 5, Interesting

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    1. Re:Not Samba? by Anonymous Coward · · Score: 4, Informative

      And, er, what about OpenLDAP?

    2. Re:Not Samba? by digitalunity · · Score: 4, Interesting

      How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but given that this was on NT4, I would imagine your anecdotal experience is from some time ago.

      Samba has made tremendous improvements in the last couple of years in a lot of areas.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    3. Re:Not Samba? by thePowerOfGrayskull · · Score: 2, Interesting

      I thought Samba stopped at compatibility as a domain controller (Win 2000 style) and did not offer AD features?

    4. Re:Not Samba? by ushering05401 · · Score: 5, Informative

      The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

      Here is an MS quote from back before Jet was deprecated.

      "While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

      So no 24x7 server apps per MS; I wonder what was slowing down the other poster's 50 concurrent connection scenario.

      I could never get Jet to work well > 5 concurrent connections.

    5. Re:Not Samba? by Anonymous Coward · · Score: 3, Funny

      And, er, what about OpenLDAP?

      Because er.. that was mentioned in the 'Ask Slashdot'.

    6. Re:Not Samba? by timmarhy · · Score: 3, Informative
      it's not a troll if it's true, is it?

      that vb jet was a piece of shit isn't in debate here, it's the fact samba wouldn't perform on the same level with beefier hardware. it's a little hard to sell samba over windows as a file sharing solution when it doesn't perform as well, and i was questioning if that's been resolved or not. if you choose to think it's a troll, it's not my problem.

      --
      If you mod me down, I will become more powerful than you can imagine....
    7. Re:Not Samba? by ushering05401 · · Score: 5, Insightful

      I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.

      The problem is that your scenario gives us very little usable information about Samba...

      1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.

      2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.

      I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.

    8. Re:Not Samba? by Curien · · Score: 2, Informative

      A Win2K domain controller *is* AD.

      --
      It's always a long day... 86400 doesn't fit into a short.
    9. Re:Not Samba? by Daengbo · · Score: 5, Informative

      Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and add the accounts. That's my recommendation.

      It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.

    10. Re:Not Samba? by Vellmont · · Score: 5, Informative

      Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.

      In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.

      --
      AccountKiller
    11. Re:Not Samba? by Z00L00K · · Score: 3, Informative

      As far as I know any AD solution involving Samba is using OpenLDAP as backend, but I may be wrong.

      I am using OpenLDAP in a project and I can just say that it's quirky to say the least and isn't very verbal about configuration errors unless you fiddle with it.

      It's also a bit quirky with symmetrical replication, but it's not impossible to make it work.

      But on the positive side - it's fast and relatively reliable if you manage to configure it right. You just have to be very patient with it.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    12. Re:Not Samba? by kitgerrits · · Score: 2, Interesting

      I'm afraid I disagree with you there.

      I have set up several domains based on XP clients with a Samba Server as Domain Controller.
      It will handle user authentication, profiles, user shares, group shares and domain trusts.
      (even security policy through ntconfig.pol)
      Using LDAP as authentication backend also gives you a Directory Service (as in Address Book)

      From what I have heard, recent versions of Samba (less than 3 years old) can serve up a full AD implementation, but you need a Windows Workstation to administer the domain.

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
    13. Re:Not Samba? by mysidia · · Score: 2, Informative

      Samba could only be a DC on an old Windows NT style domain, not a Windows 2000/2003 style Active Directory domain.

      No matter how you slice it, Samba is not a directory service.

      See here:

      Samba ADS Domain Control

      Samba-3 is not, and cannot act as, an Active Directory server. It cannot truly function as an Active Directory PDC. The protocols for some of the functionality of Active Directory domain controllers has been partially implemented on an experimental only basis. Please do not expect Samba-3 to support these protocols. Do not depend on any such functionality either now or in the future. The Samba Team may remove these experimental features or may change their behavior. This is mentioned for the benefit of those who have discovered secret capabilities in Samba-3 and who have asked when this functionality will be completed. The answer is maybe someday or maybe never!

      To be sure, Samba-3 is designed to provide most of the functionality that Microsoft Windows NT4-style domain controllers have. Samba-3 does not have all the capabilities of Windows NT4, but it does have a number of features that Windows NT4 domain controllers do not have. In short, Samba-3 is not NT4 and it is not Windows Server 200x: it is not an Active Directory server. We hope this is plain and simple enough for all to understand.

    14. Re:Not Samba? by zig007 · · Score: 2, Informative

      Samba isn't a directory service, it's a Linux-based implementation of CIFS/SMB, and as such, is hardly "drop-in" replacement for AD. Why you got modded up for asking a question that reveals such a fundamental lack of knowledge is beyond me. But, this *is* Slashdot in the 21st century, so I suppose I shouldn't even bother asking.

      True.. But you know, Samba 4 is actually supposed to include an LDAP backend and will be quite near a drop-in replacement for AD.
      It will still be possible to use, for example, OpenLDAP as the backend if one would like to.

      --
      Baboons are cute.
    15. Re:Not Samba? by sumdumass · · Score: 5, Informative

      I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased in the more to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3com built in network cards weren't as good as the PCI variety. I don't know if it was 3com's problem or the main board manufacturer's issue and personally, at this point I don't care.

      Anyways, I added a spare Intel Pro card and saw an immediate improvement. Like many, I assumed the on board network adapter would have been sufficient seeing how it was a 3com 3c905 series on a P4 2.8 system with about 2.5 gig memory (it did more than Samba). I ended up dropping another card into the box and separating the SMB services from another service I was running and it seemed to run circles around its previous performance as well as the NT4 performance. I don't know if yours would have been related but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on board NICs anymore except for home use and often I will either use a 3com or Intel Pro NIC, with the Intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more than 3com and Intel with good cards too, they are just the ones I'm familiar with and sticking with.

    16. Re:Not Samba? by stephenpeters · · Score: 5, Interesting

      I think OpenLDAP should be one of the first products the submitter tries. In my experience it is reliable, scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitter's position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

      <disclaimer>

      I have worked closely with Mark Taylor the CEO of Sirius for a long time now. Please consider anything I say about them biased, contact them yourself and make up your own mind about them.

      </disclaimer>

    17. Re:Not Samba? by benji+fr · · Score: 3, Insightful

      Jet is often using locks to be sure that no one will overwrite the data you previously edited. Samba 3.0 has some code to manage the buggy Windows sharing protocol locking system.

      You should really read man smb.conf and search for "lock" to learn a bit about it.

      I'm pretty sure that your earlier problem was a locking one.

      Samba has not changed a lot regarding this locking issue, but you can tweak it perfectly, it just takes a little time to learn how to do it and what to do.

      My experience with samba is that (on a big server of course) it can handle hundreds of connections with some Gbps throughput (we did it under Linux with ethernet bonding and heavy kernel tuning of course...)

      --
      -- .rats live on no evil staR
    18. Re:Not Samba? by sandman_eh · · Score: 4, Interesting
      But since you haven't posted anything more we can't be sure.

      What did you investigate? What samba tuning parameters did you try?

      Last year I had a very similar problem, which actually turned out to be a network card driver issue. I upgraded from the stock Debian stable kernel to one from testing and the problem went away.

      My point is a single example without actually knowing what was investigated - is just a worthless anecdote.

      --
      Master of Peng Shui.Ancient oriental art of Penguin Arranging)
    19. Re:Not Samba? by dkf · · Score: 4, Insightful

      In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange.

      It's not that strange in education, especially with large classes (but perhaps more so at Universities than at schools). What happens is you get lots of people getting to about the same point in a practical class at about the same time, and then they sit there and repeatedly hammer whatever services you've got up to support them until they get through.

      Business usage patterns are different to education ones. You can't really use experience with one to predict the other. (Alas. It'd be so much easier if you could...)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    20. Re:Not Samba? by Alioth · · Score: 3, Informative

      Samba is an implied component of these things. Samba doesn't do directory services (well, not as at the current stable versions - samba 4 which has been brewing for years and years will have its own LDAP service). Usually, an AD replacement consists of some directory service, such as OpenLDAP, with Samba handling the job of serving files and sharing printers. The open source services tend to follow the Unix paradigm of making a service - construct a whole out of components, and choose the components that suit you best. For instance, for our development network at work, we use OpenLDAP as the directory service, and Samba to share files from the server. Samba queries OpenLDAP when someone tries to authenticate. As do our little web applications - when you log onto one, it will query the same OpenLDAP server to authenticate/authorize your login.
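
As an added example (not the configuration of any poster here), the Samba side of the layout Alioth describes and Shuntros alludes to: Samba 3 acting as an NT4-style PDC whose account database lives in OpenLDAP. The domain name, hostname and DNs are assumed placeholders.

```ini
# Added example, not from the thread. Samba 3 smb.conf fragment:
# domain logons served by Samba, accounts read from and written to OpenLDAP.
# SCHOOL, ldap.example.internal and the DNs below are placeholders.
[global]
    workgroup = SCHOOL
    netbios name = FILESRV
    security = user

    # NT4-style domain controller role (what Samba 3 can actually provide)
    domain logons = yes
    domain master = yes
    os level = 65

    # Account database is OpenLDAP, not smbpasswd or tdbsam
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers

    # DN Samba binds as to write accounts. Its password is deliberately NOT
    # in this file; set it once with "smbpasswd -w" (stored in secrets.tdb).
    ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal

    # Require STARTTLS so the admin bind and the password hashes Samba reads
    # and writes never cross the wire in clear. "ldap ssl = off" is the weak
    # setting to avoid.
    ldap ssl = start tls

    # Keep the userPassword attribute in step with the Samba hashes on change
    ldap passwd sync = yes

[netlogon]
    # Logon scripts and ntconfig.pol for the NT4-style policy kitgerrits mentions
    path = /srv/samba/netlogon
    read only = yes
```

On the OpenLDAP side, the Samba schema stores NT and LM hashes in the sambaNTPassword and sambaLMPassword attributes, so slapd's access rules should restrict those and userPassword to the Samba admin DN and the entry's own user rather than to anonymous or ordinary authenticated readers.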

    21. Re:Not Samba? by chadruva · · Score: 3, Interesting

      I think Samba is an excellent replacement for windows server for simple filesharing, is usually easy to setup and some distros even drop in powerful GUI configuration tools.

      I have used samba in a small office (around 10-15 office workers), with a few shared folders (around 5 GB of documents), at first the company didn't trust our use of Linux, they had a windows 2000 server which was badly managed (and filled with virus/malware and being used as spam relay), we gave them a 1 month complete guarantee that the system will keep up without any problems or we give their money back and install w2k server back.

      They are quite happy now as once properly configured you don't need to mess with it, we even added virus scanning (via clamav and hourly cron, the samba clamav plugin took a noticeable performance hit and was not straightforward to configure) and reporting via email (plus the email system running on the same server).

      --
      C-x C-c
    22. Re:Not Samba? by kimvette · · Score: 2, Interesting

      I have found that samba performs better than Windows on equivalent hardware; vastly superior transfer speeds. However, it is a beast to set up and the documentation is grossly inadequate, even for folks who are seasoned in both Linux and Windows/Craptive Directory. How can a F/OSS supporter promote Linux as an AD/SMB solution for benefits like less downtime, live maintenance tasks, FULL automation of things like backups and so forth, FREE antivirus, etc. when the up-front cost for setup takes many times longer? One can have an active directory for a small-to-medium sized company implemented in under three hours (if using multiple servers for Exchange), including file shares, login scripts, email accounts, and backups, or under an hour with SBS (Small Business Server) because the GUI makes the work so quick.

      In case you're going to suggest SWAT: I've worked with SWAT and it sucks. I've achieved working results by hand-editing the config files using nano and vi, and every time I've worked with SWAT it has fudged things up.

      I suggest Linux to clients whenever it makes sense, however for a PDC for anything but a small (2 to 10) user environment it doesn't make much sense going with a 100% free distro because the GUI sucks and requires too much manual intervention -- despite the long-term TCO being much, much cheaper.

      In the face of a beastly config process and SBS making point-and-click configuration of AD, accounts, email accounts, mail routing, backups, and DNS so quick, the cost of per-user licensing is a net savings compared to the cost of setting up a 100% free Linux distro. Now, when it comes to commercial distros (Red Hat, SLES, etc.) the tables are turned, but the cost savings are not as advantageous as one would want to turn people to Linux when they have only previously heard of Windows and Macintosh (Macintosh is a standalone OS only, right? Sadly, that is still the public perception. Apple ought to market Mac OS X Server Unlimited a hell of a lot more aggressively than they do - and open it up to clones so I can run it on SuperMicro hardware. I could sell that like mad!)

      Now, if there are much better SMB docs available, and if swat has matured in the last year to the point where it's usable and reliable, I would LOVE to hear about it because I'd love to punt Microsoft Windows as a first suggestion for small businesses, and even for medium-sized environments.

      However, Samba is indeed fast. I've found it to be 100% to 200% faster on equivalent hardware, and I've built Samba servers on outdated Pentium III 1U rack mount servers that outperform Windows on Xeon servers with an equivalent number of users and file sizes - with on-access ClamAV scanning. Not having all of the overhead of Windows and the requirement of Windows antivirus software results in a dramatic performance improvement (for some reason even ClamAV on Windows is much slower than on-access scanning on Linux).

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    23. Re:Not Samba? by kilodelta · · Score: 2, Insightful

      At one job we used OpenLDAP for many things, like authentication on Plone/Zope, or for email authentication with Qmail.

      We kept an aging NT4 server for login authentication on Windows. I kept pushing to setup Samba and use LDAP but nobody wanted to guinea pig it.

      So a year or so ago they spent over $250,000 on new servers and windows licenses. Dumbasses.

    24. Re:Not Samba? by Giloo · · Score: 2, Interesting

      I actually thought about that, and couldn't find any nice interface to be able to manage Samba/LDAP users & configuration. The furthest I could go was going for an OpenLDAP GUI, which is not enough for a "manager" to work on such an environment..

      I'd be interested in any FOSS opportunities to manage that using a GUI (may it be web based or not..., but then has to be able to run on Windows :p), without having to go through the hassle of writing it myself (or have it written by someone from scratch).

      So, if anybody went through something that might fit here, I'd be really interested! Even if it's alpha, pre alpha, only brain work.. Even if it's not free as in free beer..

    25. Re:Not Samba? by s4m7 · · Score: 3, Interesting

      Anecdotally, I know of a company that is currently switching their file servers over to ZFS and samba because of how seriously it outperforms NTFS and windows on the same hardware. Their new array is a 100TB array, and they have single files that exceed 1TB. It seems more likely that the performance issue you ran into has more to do with configuration than raw performance of samba.

      --
      This comment is fully compliant with RFC 527.
  2. Depends on usage by yoshac · · Score: 2, Insightful

    Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.

  3. OK your Discount coupon is ready. by 140Mandak262Jamuna · · Score: 5, Funny

    OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  4. Mandriva by Anonymous Coward · · Score: 5, Informative
    1. Re:Mandriva by flydpnkrtn · · Score: 4, Informative

      Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

      "English documentation will soon be available, stay tuned."

      http://pulse2.mandriva.org/wiki/Documentation

    2. Re:Mandriva by frenchbedroom · · Score: 3, Informative
      I checked out the French docs, and they say that on the client side, you need:
      • an SSH agent, it's the protocol used by Pulse.
      • an inventory agent which will push the software and hardware details of the client to the inventory server

      There's a diagram of the Pulse 2 architecture on page 6 which I'm sure you can understand, the only French words used are actually the same in English (client = client, interface = interface...)

    3. Re:Mandriva by MikeBabcock · · Score: 2, Insightful

      You, my friend are why "Ask Slashdot" exists. Those suggesting Samba meanwhile obviously didn't understand the question.

      --
      - Michael T. Babcock (Yes, I blog)
  5. SME Server 8 by erroneus · · Score: 5, Informative

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    1. Re:SME Server 8 by Kamokazi · · Score: 5, Funny

      And did I mention it installs from a single CD?

      Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    2. Re:SME Server 8 by grcumb · · Score: 5, Informative

      I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

      I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

      It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

      (I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

      BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

      If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

      To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    3. Re:SME Server 8 by Nimey · · Score: 2, Interesting

      No, but I remember when Debian was only two CDs, and the second wasn't very full.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    4. Re:SME Server 8 by grcumb · · Score: 2, Insightful

      And did I mention it installs from a single CD?

      Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

      Okay, you made a funny. But consider the implications of that single disk:

      • It's a simple, nicely pared-down server. Installs and configures in about 20 minutes.
      • It's a purpose-driven server whose entire architecture is aimed at solving the most common scenario in Small and Medium Enterprises (SME - get it?): The ability to run in a predictable, stable and usable way for years on end without requiring IT staff to support it - that's something whose value should never be underestimated.
      • These design principles extend throughout the server's architecture. It's got template-driven config file management, a really useful event model for automating complex tasks and a really elegant developer API. And it still fits on a single CD.
      • It's small and simple and yet still has what you want in a small office server. I've never seen the KISS principle more sanely applied than in the SME Server. Nothing gets added without a reason and most everything works the way a Lazy admin would want it to.

      Full disclosure: I worked two years for the company that built SME Server. But I went to work for them because I liked the product. 6 years later, I'm still installing and using it on customer sites.

      (See my other post below for a few caveats about AD. Briefly, LDAP is integrated, but not very tightly. You'll still need to install or build an actual AD solution on top of it to provide what the OP is looking for.)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  6. GOsa is worth a mention by Pav · · Score: 2, Insightful

    GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project:) : https://sourceforge.net/projects/wfstt/ .

  7. Local resources by James+Youngman · · Score: 3, Interesting

    Try talking to Tim Fletcher at Parrswood.

  8. hate to say it... by johnjones · · Score: 4, Interesting

    but the first thing to do is look at how these have been deployed

    I don't see anyone with production systems on a large domain using anything other than Red Hat Directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but that's about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication

    1. Re:hate to say it... by Korgan · · Score: 5, Informative

      I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory make it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

    2. Re:hate to say it... by Shuntros · · Score: 4, Interesting

      Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

      Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

      Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

      I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.

  9. WTF? AD is an LDAP alternative by dbIII · · Score: 2, Interesting
    And there are plenty of other implementations of LDAP around.

    The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain which put it well past the 16-bit limit of users - and thus the Active Directory project started.

  10. That depends...... by ogdenk · · Score: 5, Interesting

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PCs entirely and going with OSX on the desktop and OSX Server, or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, Indesign, etc that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

    1. Re:That depends...... by ogdenk · · Score: 4, Interesting

      It works OK for older versions of Photoshop, but if you're going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed every time a new version of Photoshop comes out that uses Win32 calls in a weird fashion.

      A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

      The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

      If you're going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

      Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop is necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

      In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

      We HAVE to have Windows desktops. Manageable Group Policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

      If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

    2. Re:That depends...... by Jane+Q.+Public · · Score: 2, Interesting

      Not to flame at all... but as an administrator, you should be aware that any "group policies" you enforce or enable remotely, such as software installs and restrictions, are pretty easy to get around. Our college's computers were "locked down" pretty hard, using all the official Microsoft-recommended restrictions, yet I (and most people I knew in my computer-related classes) knew of about 4 different ways to install and run software on a school computer pretty much at will. If I needed them for something, I could log in using my student ID, and install Dreamweaver complete with DRM or just about any other program, like Open Office, in folders on the desktop, in the 5 minutes before class started. I would just run those programs that were capable of running without elaborate installation directly from my thumbdrive. Despite the fact that installation of ANY software, and running ANY programs not on the "official" list, were strictly prohibited via policies. Microsoft "security" is a joke. I am not trying to flame or troll here, just letting you know, honestly. It might have improved a bit over the last couple of years, but I would not bet my shorts on it.

    3. Re:That depends...... by Penguin+Follower · · Score: 2, Informative

      Either that college's IT team did not know what they were doing w/ respect to AD + Group Policy, or they had made some concessions (probably due to some software that didn't like running with zero privs). I work at a hospital on the admin team, and we have 3000 users (approx) in AD, and we use Group Policy to control the user experience quite successfully.

  11. Do you want to play with it, or have it work? by Whizzmo2 · · Score: 3, Insightful

    Active Directory is mature, well-understood and well-supported. MS will answer the phone at 3:00 am when you call. While FOSS alternatives have come a long way, many are still under heavy active (ha, ha) development.

    Questions you should be asking yourself:
    • Who will maintain this when I'm gone?
    • Does this solution offer 24/7/365 phone support? (If you don't have a phone support contract, MS will usually charge you $250 if the issue is your fault, and $0 if the issue is a bug in their software. (IANA MS rep, YMMV))

    One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)


    --Whizzmo

    1. Re:Do you want to play with it, or have it work? by Zak3056 · · Score: 2, Interesting

      One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

      In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but related organizations, to do things the "right" way you'd need at least six domain controllers (two for an empty root, then two DCs for each of the production domains.)

      --
      What part of "shall not be infringed" is so hard to understand?
    2. Re:Do you want to play with it, or have it work? by morgan_greywolf · · Score: 5, Insightful

      Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

      It's not like your only choice for 24x7 support is Microsoft.

  12. Sun Java System Directory Server by wmute · · Score: 5, Informative

    I don't often recommend SUN products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

    1. Re:Sun Java System Directory Server by SportyGeek · · Score: 2, Interesting

      There's a nasty little caveat to using linux clients to authenticate securely to Sun's LDAP server: if you're using a proxy account for authentication, you need to place a plaintext file (ldap.conf, I believe) so that it can be read (cannot use a hash). I've still yet to figure out a workaround to prevent the need to place the password in plaintext where the only thing I can do is chmod 400 the file.

      I would love to be demonstrated otherwise, if someone knows :)

    2. Re:Sun Java System Directory Server by Fyzzler · · Score: 2, Interesting

      That account only has to have read only search to the directory. You can set up ACIs to prevent it being able to do anything but return authentication search results.

      Anonymous search is common for both AD and LDAP directories. If you set things up correctly, all you can see with this account/password are the same you could see on a linux/unix box by doing a "getent {passwd,group,host...}" command.

      --
      I have one question. If the Japanese Ministry of Agriculture is not in charge of Gundam, then who is?
    3. Re:Sun Java System Directory Server by SportyGeek · · Score: 2, Interesting

      Thanks for the reply, Fyzzler. I have looked at anonymous querying, but for DDoS purposes, it does not seem prudent. However, I'll read up on configuring ACIs, but it would still be nice to eventually not have to rely on a plain-text password, anywhere.

  13. Samba4 by obi · · Score: 3, Informative

    Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however samba4 includes, among other things:

    * Internal LDAP server, with AD semantics
    * Internal Kerberos server, including PAC support

    You can, but don't have to, hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.

  14. Sun Java System Directory Server by La+Camiseta · · Score: 2, Interesting

    It may not be open-sourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE, with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide for synchronizing with AD and there are guides all over the place regarding authenticating Windows off of LDAP servers.

  15. Single computer? by daybot · · Score: 3, Insightful

    ...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server

    Whichever system you end up using, I strongly discourage building your network around a single server.

  16. There isn't an alternative. Next question. by realmolo · · Score: 5, Insightful

    I've messed with the so-called "Active Directory replacements". They all suck.

    The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

    Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

    Did I mention this is a bad idea?

    1. Re:There isn't an alternative. Next question. by Shados · · Score: 4, Interesting

      I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

      Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions...so well, to make that work better, they wrote their own "Active Directory" from scratch...it's still running on Windows server, but it's not an actual Active Directory(tm) kinda thing.

      But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

    2. Re:There isn't an alternative. Next question. by madclicker · · Score: 3, Insightful

      SBS is wonderful, if you have 5 users on the system. Additional licenses will kill you...., oh yeah, love the Exchange integration and no backup AD controllers. SBS is a crippled pos. One other thing I found to be quite interesting with MS AD servers, how does one manage hundreds of systems being re-prepped or replaced from the AD. I haven't found any good way to manage computers in the AD.

      --
      "History is the realm of the true lie." A.Szerb
    3. Re:There isn't an alternative. Next question. by bertok · · Score: 3, Insightful

      I can second this.

      The $1,000 cost saving on the license (or possibly less for an educational license) is absolutely NOT worth it. Don't drink the FOSS koolaid, MS Active Directory is stable and scales. I've seen 1 million account domains run fine on a couple of pretty average boxes. Your tiny little education environment will work fine on anything. There are netbooks that could handle the load for a "large" school environment.

      If you MUST have a single physical Linux server (why?), then just run up a MS Windows based AD controller in a virtual machine. Your problems are then solved, and you won't be chasing down bizarre compatibility issues at 7pm on a Friday because some MS patch or Samba patch didn't like each other.

      Not to mention that with ANY domain technology, single servers are just insane. Patching single-server domains is a nightmare, while you can pretty much arbitrarily turn off AD domain controllers at any time if you have two set up correctly. If physical hardware is too expensive, again, virtual machines are your friend.

      Also, as others have pointed out, multiple domains just cause a maintenance headache, and do not add significant security. The access control lists in AD are very fine grained, and allow total lockdown, down to the attribute/object level.

      As a case in point, I've built ASP style AD/Exchange solutions where the client companies could see their own users, global address lists, etc... but weren't even aware of any other clients or users. This is well documented and supported. Lots of Exchange email hosting companies do this, or more paranoid organizations, such as education, where you don't want your students sending emails to staff mailing lists, or calling the hot female teacher's mobile phone at 3 am in the morning.

  17. Active Directory is Microsoft's best work by catmistake · · Score: 4, Insightful

    I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 debian & 15 winbox, likely OpenLDAP, etc.)

    You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.

  18. stick with AD by jdbausch · · Score: 2, Insightful

    Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of that a smaller organization like yours would move off AD would be to save money on the license, and especially on CALs. But as a school, don't you get them for damn near free anyway?

  19. DoD uses RHDS (FDS) by xzvf · · Score: 3, Interesting

    I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.

  20. Re:TCO by erroneus · · Score: 4, Interesting

    I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.

    Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?

  21. !Slur Re:Not Samba? by Anonymous Coward · · Score: 2, Informative

    The racial slur is sambo, ends in the letter 'o'.

    Samba (ending with the letter a) is the first word in the unix dictionary that had an s, m, & b in it.

    Samba itself is a musical genre.

  22. And not Sambo either by tepples · · Score: 4, Informative

    Do you really want to use software named after a racist slur?

    No, it's not a direct comparison to the GIMP situation. The slur is Sambo; the software is Samba. There's a difference. But is there a racial slur against trolls?

  23. quick survey by glitch23 · · Score: 2, Informative

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server;

    OpenLDAP is too plain and simple. It isn't user-friendly. There are no GUI tools that come with it although there are various tools people have made that you can use to manage it. I even created one myself as a senior project because it doesn't come with one and having to use the CLI commands for everything is just more trouble than it is worth when you want to get up and running quickly.

    I haven't ever used Apache Directory Server so I can't speak to that but Fedora Directory Server comes from the Netscape Directory Server of yore. NDS went under and Sun Directory Server took its place. Netscape and Sun Directory Servers are basically the same thing, even the GUIs are the same except for name/logo changes here and there. FDS should be pretty good based on the NDS/SDS pedigree. OpenDS is new and runs using Java therefore it automatically requires more resources than the others which are built with C/C++. I'd let OpenDS mature a bit more before using it. Of the ones you mention I'd pick Fedora Directory Server.

    But I have some questions. Do you plan to migrate clients over to a non-Windows OS? If not you'll need to investigate how to continue making Windows clients authenticate to a non-MS directory. It is possible to make this happen but past methods of doing so (a few years ago for me) have been kludgey at best. Windows likes to talk to ADS. If you migrate to Linux clients your job gets much easier because you don't have to worry about Windows SIDs and similar critical components of a Windows infrastructure.

    Do you have people who know directory servers and understand LDAP? Be aware that ADS makes things easy for a Windows administrator. Even Sun Directory Server does not automatically enable replication when you have it installed on 2 servers. I highly doubt the other implementations you are looking at do the same. Therefore you will have to really understand how directory servers work underneath when working with these other implementations. You have to create replication agreements yourself and understand the underlying LDAP structure. ADS hides replication from you (accessible through Sites and Services snap-in though) until something breaks. The schema is hidden from you as well unless you need to access it (not even in the default list of MMC snap-ins but it can be added). Make sure you have people who can administer directory server installations, not just ADS installations, when you do this migration.

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  24. Re:Active Directory is NOT ldap. by glitch23 · · Score: 2, Insightful

    I agree with your statements regarding what ADS provides and what OpenLDAP does not. The fact that OpenLDAP gives you a backend and nothing else is one reason I did not recommend it to the submitter; however, your subject for your post is not correct. ADS *is* LDAP. It uses LDAP underneath just as any other directory server does on the market today. Many also can integrate with Kerberos just as ADS does. I hate when people call ADS "Active Directory" and then they refer to Sun's implementation as an "LDAP server" or whatever. The fact is ADS is as much LDAP as any other. MS has just added attributes to the schema to fit a Windows infrastructure but then again so has Sun for Solaris clients. The LDAP schema was meant to be extended and can even be extended by the administrators to add custom attributes and object classes for companies who want to integrate their products with it. MS is no different in what they did. It's their own implementation of it just as Sun has their implementation. If someone wants an unadulterated implementation of a directory server they should go for OpenLDAP but they will be sorry (if only due to lack of management tools).

    --
    this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
  25. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  26. None. by wasabii · · Score: 2, Insightful

    There is no comparable solution. Choosing anything else is a massive disservice to your users and the people responsible. AD is set up by default to work properly. It requires minimal maintenance. It supports multimaster replication, automatically doing nearly everything required. It uses Kerberos. It does your DNS for you. Windows works perfectly with it. Linux sort of works with it with Samba. Your alternatives in the FOSS space are basically setting up FDS or OpenLDAP by hand. That means making the schema by hand. OpenLDAP does not do multimaster replication. You will have to hand configure kerberos. You will have to manage most maintenance tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you. You will not have an easy interface to 'create users'. You will have interfaces to edit LDAP databases. FDS is a better LDAP server: but it is STILL JUST AN LDAP SERVER. It does not take care of DNS. It does not do Kerberos. Novell's commercial offerings are the closest: but they are woefully hard to get set up compared to AD, and they cost just about the same.

  27. Mod Parent Down by Frankie70 · · Score: 3, Informative

    Samba isn't an Active Directory alternative.

  28. If you really want an alternative... by mritunjai · · Score: 2, Informative

    1. I hope you understand what you gain and lose by switching.

    2. I have had to endure the pain of selecting from a few LDAP servers few months back. Just go and download Sun Directory Server Enterprise Edition 6.3 (DSEE). Buy a support contract of whatever level you need. Set it up (takes minutes, the docs are EXCELLENT!) and after that forget it even exists. This baby just works!

    --
    - mritunjai
  29. Big install by nighty5 · · Score: 3, Informative

    I've worked on very large directory deployments.

    10 million user accounts.

    We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.

    Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.

    You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.

    The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.

    When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.

    There are third-party companies that have written software that bridges the gap to manage UNIX systems, users, applications, policy which from what I've seen works pretty well.

    At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.

    Oh yeah one more thing, this big install is for an education body.

  30. OpenLDAP master+slaves, Samba, WPKG by daveewart · · Score: 3, Informative

    Just to throw what I use into the mix, on a network of ~100 WinXP desktops:

    - Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe

    - OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);

    - WPKG - for software deployment, runs at each boot-up - really nice.

    --
    "If you think the problem is bad now, just wait until we've solved it." --- Arthur Kasspe
  31. freeIPA by DecayingInsect · · Score: 2, Informative

    If you are looking merely to replace or emulate the ldap/kerberos functionality of AD you could take a look at freeIPA, a project under active development, sponsored by Red Hat and based on Red Hat/Fedora Directory Server, but with an enhanced web-GUI and some additional functionality.

    From my experience, in a small-to-medium Linux/*BSD/OS X environment, with NFSv4 or AFS, this will work fine.

    However, as other posters here suggest: if you have predominantly windows clients, for your own sanity it would be better just to use AD from the outset.

    --
    .:SOLCAVUS:.
  32. Notes on a running implementation by Skrynesaver · · Score: 3, Interesting

    We have implemented a similar project in our local school.

    • Debian server
    • OpenLDAP
    • Samba
    • Edubuntu on the client machines
    • A combination of XP and LTSP to Edubuntu in the computer lab

    OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.

    Samba once set up works wonderfully for us.

    Best of luck and hope it works out well for you.

    --
    "Linux is for noobs"-The new MS fud strategy
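    As an added example (written here; it is neither Skrynesaver's Perl script nor code from any project in the thread), the provisioning step that post describes in Python: a constructed roster is turned into OpenLDAP entries that a Samba 3 PDC with an LDAP passdb can use, with uidNumbers allocated, sambaSID values derived from Samba's default algorithmic RID mapping (rid = 2*uid + 1000 for users, 2*gid + 1001 for groups), a salted SSHA userPassword, and the cleartext initial password handed back for the tutor mail. The base DN, domain SID, group ids and roster are constructed placeholders.

```python
import base64
import hashlib
import os
import re
import secrets

# Constructed placeholders: a real deployment takes these from slapd.conf / smb.conf.
BASE_DN = "dc=example-school,dc=sch,dc=uk"
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder, not a real domain
ALGORITHMIC_RID_BASE = 1000   # Samba's default 'algorithmic rid base'
FIRST_UID = 10000

# Constructed roster as it might come out of the school MIS: (forename, surname, form, tutor)
ROSTER = [
    ("Alice", "Smith", "7A", "tutor7a"),
    ("Bob", "O'Brien", "7A", "tutor7a"),
    ("Chloe", "Smith", "8B", "tutor8b"),
]
CLASS_GIDS = {"7A": 5001, "8B": 5002}   # constructed POSIX group per form


def user_rid(uid_number: int) -> int:
    """Samba's default algorithmic user RID: 2*uid + base."""
    return uid_number * 2 + ALGORITHMIC_RID_BASE


def group_rid(gid_number: int) -> int:
    """Samba's default algorithmic group RID: 2*gid + base + 1."""
    return gid_number * 2 + ALGORITHMIC_RID_BASE + 1


def make_uid(forename: str, surname: str, taken: set) -> str:
    """Initial + surname, lower-cased, apostrophes etc. stripped, de-duplicated with a suffix."""
    base = re.sub(r"[^a-z0-9]", "", (forename[0] + surname).lower())
    uid, n = base, 1
    while uid in taken:
        n += 1
        uid = f"{base}{n}"
    taken.add(uid)
    return uid


def ssha(password: str) -> str:
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def provision(roster, class_gids, first_uid=FIRST_UID):
    """Return (entries, credentials): entries are attribute dicts ready for LDIF,
    credentials map uid -> (initial_password, tutor) for the notification mail.
    sambaNTPassword is deliberately left to `smbpasswd`, since hashlib's MD4 is
    not available on every platform."""
    taken, entries, creds = set(), [], {}
    for i, (forename, surname, form, tutor) in enumerate(roster):
        uid_number = first_uid + i
        gid_number = class_gids[form]
        uid = make_uid(forename, surname, taken)
        password = secrets.token_urlsafe(9)
        entries.append({
            "dn": f"uid={uid},ou=pupils,{BASE_DN}",
            "objectClass": ["top", "person", "posixAccount", "shadowAccount", "sambaSamAccount"],
            "uid": uid, "cn": f"{forename} {surname}", "sn": surname,
            "uidNumber": str(uid_number), "gidNumber": str(gid_number),
            "homeDirectory": f"/home/pupils/{form}/{uid}", "loginShell": "/bin/bash",
            "sambaSID": f"{DOMAIN_SID}-{user_rid(uid_number)}",
            "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{group_rid(gid_number)}",
            "sambaAcctFlags": "[U          ]",
            "userPassword": ssha(password),
        })
        creds[uid] = (password, tutor)
    return entries, creds


def to_ldif(entries) -> str:
    """Render the entries as LDIF for `ldapadd` (values here are plain ASCII)."""
    out = []
    for e in entries:
        lines = [f"dn: {e['dn']}"]
        for k, v in e.items():
            if k == "dn":
                continue
            for val in (v if isinstance(v, list) else [v]):
                lines.append(f"{k}: {val}")
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n"


if __name__ == "__main__":
    entries, creds = provision(ROSTER, CLASS_GIDS)
    print(to_ldif(entries))
```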
  33. Re:No openldap by stephenpeters · · Score: 5, Insightful

    First of all, why use crappy openldap when you can use the Netscape directory server that red hat bought and opensourced.

    I have found openLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?

    There is a reason why they paid $23 million for it...

    And the reasons are?

    Then, AD isn't just a LDAP server with usernames and passwords....

    Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.

    Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...

    I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.

    Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.

    Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.

    This is otherwise known as vendor lock in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.

    Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.

    I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius, the consultancy I recommended, have a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS, it really works in the real world.

    In my previous post I forgot to mention that OGC/Becta are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.

  34. We already have this by jimicus · · Score: 3, Interesting

    It can be done, but there are a few things you have to bear in mind:

    1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.

    2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4-style policies - which aren't as flexible, don't offer as much and suitable precooked template files are becoming much harder to find.

    3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.

    4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.

    5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDs"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read-access to another pupil's work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.

    Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.
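    A pre-cutover check for point 5, added here as example code (not part of jimicus's post, and not a Samba tool): given an exported ACL listing that references old AD SIDs, the SID-to-account export of the old domain, and the uidNumber/gidNumber each account will carry in the new LDAP-backed domain, it rewrites each ACE to the SID Samba's default algorithmic RID mapping (rid = 2*uid + 1000 for users, 2*gid + 1001 for groups) will produce, passes well-known SIDs through unchanged, and reports ACEs that cannot be carried over or that would leave pupils or everyone with write access on staff paths. All SIDs, accounts, paths and the staff-only policy are constructed.

```python
ALGORITHMIC_RID_BASE = 1000   # Samba's default 'algorithmic rid base'
NEW_DOMAIN_SID = "S-1-5-21-444444444-555555555-666666666"   # constructed placeholder

# Well-known SIDs are the same in every domain, so they survive the move as-is.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-18": "SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators"}
BROAD_PRINCIPALS = {"S-1-1-0", "S-1-5-11"}
WRITE_RIGHTS = {"W", "M", "F"}        # icacls-style letters: write, modify, full control

# Constructed export of the old AD domain: SID -> (account, kind)
OLD_ACCOUNTS = {
    "S-1-5-21-1-2-3-1105": ("asmith", "user"),
    "S-1-5-21-1-2-3-1106": ("bobrien", "user"),
    "S-1-5-21-1-2-3-2001": ("pupils-7a", "group"),
    "S-1-5-21-1-2-3-2099": ("staff", "group"),
}
# Constructed view of the new LDAP directory: account -> uidNumber or gidNumber
NEW_IDS = {"asmith": 10000, "bobrien": 10001, "pupils-7a": 5001, "staff": 4000}

# Constructed policy: under these path prefixes only the listed accounts may write.
RESTRICTED = {"\\\\fs01\\staff\\": {"staff"}}

# Constructed ACL export: (path, SID, set of rights letters)
SAMPLE_ACL = [
    ("\\\\fs01\\pupils\\7A\\asmith", "S-1-5-21-1-2-3-1105", {"F"}),
    ("\\\\fs01\\pupils\\7A\\asmith", "S-1-5-21-1-2-3-2001", {"R"}),
    ("\\\\fs01\\staff\\grades.xlsx", "S-1-5-21-1-2-3-2099", {"M"}),
    ("\\\\fs01\\staff\\grades.xlsx", "S-1-5-21-1-2-3-2001", {"M"}),  # pupils can modify grades
    ("\\\\fs01\\staff\\grades.xlsx", "S-1-1-0", {"W"}),                # Everyone can write
    ("\\\\fs01\\pupils\\old\\leaver.doc", "S-1-5-21-1-2-3-1999", {"F"}),  # SID absent from export
]


def samba_sid(account: str, kind: str):
    """SID the account will get under Samba's default algorithmic mapping, or None
    if the new directory has no uidNumber/gidNumber for it yet."""
    n = NEW_IDS.get(account)
    if n is None:
        return None
    rid = n * 2 + ALGORITHMIC_RID_BASE + (1 if kind == "group" else 0)
    return f"{NEW_DOMAIN_SID}-{rid}"


def translate_acl(aces, old_accounts=OLD_ACCOUNTS, restricted=RESTRICTED):
    """Return (translated ACEs, findings). ACEs that cannot be mapped are dropped
    from the translated list and reported, so nothing silently changes meaning."""
    translated, findings = [], []
    for path, sid, rights in aces:
        writes = bool(rights & WRITE_RIGHTS)
        if sid in WELL_KNOWN:
            account, mapped = WELL_KNOWN[sid], sid
        elif sid in old_accounts:
            account, kind = old_accounts[sid]
            mapped = samba_sid(account, kind)
            if mapped is None:
                findings.append(f"{path}: {account} ({sid}) has no id in the new directory")
                continue
        else:
            findings.append(f"{path}: orphaned SID {sid}; this ACE cannot be carried over")
            continue
        if writes and sid in BROAD_PRINCIPALS:
            findings.append(f"{path}: {account} would keep write access")
        elif writes and any(path.startswith(p) and account not in allowed
                            for p, allowed in restricted.items()):
            findings.append(f"{path}: {account} would have write access on a restricted path")
        translated.append((path, mapped, rights))
    return translated, findings


if __name__ == "__main__":
    acl, problems = translate_acl(SAMPLE_ACL)
    for ace in acl:
        print("ACE", ace)
    for problem in problems:
        print("CHECK", problem)
```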

  35. Thanks for the feedback! by danboid · · Score: 3, Informative

    Thanks to everyone who has posted ideas, suggestions and comments so far - I've just finished reading them all now - much appreciated and very interesting stuff.

    A few points that I should've mentioned in the original question are that (as most of you correctly assumed, being a UK school) nearly all clients are Win XP SP3, with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server, but of course that would have a back-up machine - it's just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc. - one for students, one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.

    We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.

    I was aware of eDirectory but didn't mention that in the question because it's not FOSS - however this has been recommended much more than Sun's solutions, and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility as it may just be a better long term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now.

    Of course, AD *should* logically be the easiest one to stick with / 'migrate' to, but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transition to an alternative if there were numerous long term benefits.

    I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first, I think.

  36. Re:Thin clients by ogdenk · · Score: 2, Interesting

    If I had originally built the network where I'm at, believe me, I would have gone with thin clients for a majority of the labs. Would have cut our TCO dramatically. No moving parts, no HDs to fail, and they are easily managed.

    Thin clients are awesome in an environment like this if you can convince mgmt that you need a killer server. The thin clients themselves are cheap but you want something pretty beefy server-side.

    Moving to thin clients at a previous employer for most things cut the number of helpdesk calls by at least half, and failure rates weren't even 25% of what they were with PCs on their desk. There's some gotchas here and there, but I didn't regret it one bit.

  37. Re:No openldap by rainsford · · Score: 2, Interesting

    Just because it has some good uses doesn't mean it's not vendor lock-in, and it doesn't mean the vendor won't effectively be holding your IT operations for ransom. You may think this is an OK trade-off for having systems that work very well together and allow you a great deal of control over clients, but not everyone would agree. You are basically putting yourself in a situation where Microsoft could raise their price 1,000% per seat and you would be forced to pay. They also can, and do, force you to upgrade, even if you don't see a need to. Now it might be that this loss of control is worth being able to push out and enforce client side Windows Update parameters...but it's definitely not as clear cut a case as you're trying to make it.

  38. Re:50 people hit same file Re:Not Samba? by MikeBabcock · · Score: 2, Insightful

    What ogdenk said.

    Using Access in this manner is crazy and a huge performance issue all on its own, not to mention data integrity.

    Good luck.

    --
    - Michael T. Babcock (Yes, I blog)