Slashdot Mirror


Best FOSS Active Directory Alternative?

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

30 of 409 comments

  1. Not Samba? by Tubal-Cain · · Score: 5, Interesting

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    1. Re:Not Samba? by Anonymous Coward · · Score: 4, Informative

      And, er, what about OpenLDAP?

    2. Re:Not Samba? by digitalunity · · Score: 4, Interesting

      How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but if this was on NT4 then I would imagine your anecdotal experience is from some time ago.

      Samba has made tremendous improvements in the last couple of years in a lot of areas.

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    3. Re:Not Samba? by ushering05401 · · Score: 5, Informative

      The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

      Here is an MS quote from back before Jet was deprecated.

      "While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

      So no 24x7 server apps per MS, I wonder what was slowing down the other poster's 50 concurrent connection scenario.

      I could never get Jet to work well > 5 concurrent connections.

    4. Re:Not Samba? by ushering05401 · · Score: 5, Insightful

      I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.

      The problem is that your scenario gives us very little usable information about Samba...

      1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.

      2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.

      I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.

    5. Re:Not Samba? by Daengbo · · Score: 5, Informative

      Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and add the accounts. That's my recommendation.

      It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.

    6. Re:Not Samba? by Vellmont · · Score: 5, Informative

      Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.

      In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.

      --
      AccountKiller
    7. Re:Not Samba? by sumdumass · · Score: 5, Informative

      I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased, to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3Com built-in network cards weren't as good as the PCI variety. I don't know if it was 3Com's problem or the main board manufacturer's issue and personally, at this point I don't care.

      Anyways, I added a spare Intel Pro card and saw an immediate improvement. Like many, I assumed the on-board network adapter would have been sufficient seeing how it was a 3Com 3c905 series on a P4 2.8 system with about 2.5 gig memory (it did more than Samba). I ended up dropping another card into the box and separating the SMB services from another service I was running and it seemed to run circles around its previous performance as well as the NT4 performance. I don't know if yours would have been related but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on-board NICs anymore except for home use and often I will either use a 3Com or Intel Pro NIC, with the Intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more than 3Com and Intel with good cards too, they are just the ones I'm familiar with and sticking with.

    8. Re:Not Samba? by stephenpeters · · Score: 5, Interesting

      I think OpenLDAP should be one of the first products the submitter tries. In my experience it is reliable, scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitter's position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

      <disclaimer>

      I have worked closely with Mark Taylor, the CEO of Sirius, for a long time now. Please consider anything I say about them biased, contact them yourself and make up your own mind about them.

      </disclaimer>

    9. Re:Not Samba? by sandman_eh · · Score: 4, Interesting
      But since you haven't posted anything more we can't be sure.

      What did you investigate? What samba tuning parameters did you try?

      Last year I had a very similar problem, which actually turned out to be a network card driver issue. I upgraded from the stock Debian stable kernel to one from testing and the problem went away.

      My point is a single example without actually knowing what was investigated - is just a worthless anecdote.

      --
      Master of Peng Shui (Ancient oriental art of Penguin Arranging)
    10. Re:Not Samba? by dkf · · Score: 4, Insightful

      In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange.

      It's not that strange in education, especially with large classes (but perhaps more so at universities than at schools). What happens is lots of people get to about the same point in a practical class at about the same time, and then they sit there and repeatedly hammer whatever services you've got up to support them until they get through.

      Business usage patterns are different to education ones. You can't really use experience with one to predict the other. (Alas. It'd be so much easier if you could...)

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
  2. OK your Discount coupon is ready. by 140Mandak262Jamuna · · Score: 5, Funny

    OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Mandriva by Anonymous Coward · · Score: 5, Informative
    1. Re:Mandriva by flydpnkrtn · · Score: 4, Informative

      Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

      "English documentation will soon be available, stay tuned."

      http://pulse2.mandriva.org/wiki/Documentation

  4. SME Server 8 by erroneus · · Score: 5, Informative

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    1. Re:SME Server 8 by Kamokazi · · Score: 5, Funny

      And did I mention it installs from a single CD?

      Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    2. Re:SME Server 8 by grcumb · · Score: 5, Informative

      I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

      I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

      It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

      (I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

      BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

      If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

      To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  5. hate to say it... by johnjones · · Score: 4, Interesting

    but the first thing to do is look at how these have been deployed

    I don't see anyone with production systems on a large domain using anything other than Red Hat Directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but that's about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication

    1. Re:hate to say it... by Korgan · · Score: 5, Informative

      I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory make it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

    2. Re:hate to say it... by Shuntros · · Score: 4, Interesting

      Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

      Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

      Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

      I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.

  6. That depends...... by ogdenk · · Score: 5, Interesting

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

    1. Re:That depends...... by ogdenk · · Score: 4, Interesting

      It works OK for older versions of Photoshop, but if you're going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed every time a new version of Photoshop comes out that uses Win32 calls in a weird fashion.

      A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

      The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

      If you're going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

      Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop is necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

      In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

      We HAVE to have Windows desktops. Manageable group policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

      If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

  7. Sun Java System Directory Server by wmute · · Score: 5, Informative

    I don't often recommend Sun products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

  8. There isn't an alternative. Next question. by realmolo · · Score: 5, Insightful

    I've messed with the so-called "Active Directory replacements". They all suck.

    The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

    Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

    Did I mention this is a bad idea?

    1. Re:There isn't an alternative. Next question. by Shados · · Score: 4, Interesting

      I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

      Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions... so well, to make that work better, they wrote their own "Active Directory" from scratch... it's still running on Windows Server, but it's not an actual Active Directory(tm) kinda thing.

      But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

  9. Active Directory is Microsoft's best work by catmistake · · Score: 4, Insightful

    I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 Debian & 15 Winbox, likely OpenLDAP, etc.)

    You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.

  10. Re:TCO by erroneus · · Score: 4, Interesting

    I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.

    Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?

  11. And not Sambo either by tepples · · Score: 4, Informative

    Do you really want to use software named after a racist slur?

    No, it's not a direct comparison to the GIMP situation. The slur is Sambo; the software is Samba. There's a difference. But is there a racial slur against trolls?

  12. Re:Do you want to play with it, or have it work? by morgan_greywolf · · Score: 5, Insightful

    Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

    It's not like your only choice for 24x7 support is Microsoft.

  13. Re:No openldap by stephenpeters · · Score: 5, Insightful

    First of all, why use crappy openldap when you can use the Netscape directory server that Red Hat bought and open-sourced.

    I have found OpenLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?

    There is a reason why they paid $23 million for it...

    And the reasons are?

    Then, AD isn't just a LDAP server with usernames and passwords....

    Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.

    Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...

    I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.

    Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.

    Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.

    This is otherwise known as vendor lock-in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.

    Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.

    I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius, the consultancy I recommended, have a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS, it really works in the real world.

    In my previous post I forgot to mention that OGC/Becta are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.