Slashdot Mirror

← Back to Stories (view on slashdot.org)

Best FOSS Active Directory Alternative?

Posted by kdawson on from the war-stories dept.

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

18 of 409 comments (clear)

  1. Not Samba? by Tubal-Cain · · Score: 5, Interesting

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    1. Re:Not Samba? by ushering05401 · · Score: 5, Informative

      The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

      Here is an MS quote from back before Jet was deprecated.

      "While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

      So no 24x7 server apps per MS, I wonder what was slowing down the other poster's 50 concurrent connection scenario.

      I could never get Jet to work well > 5 concurrent connections.

    2. Re:Not Samba? by ushering05401 · · Score: 5, Insightful

      I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.

      The problem is that your scenario gives us very little usable information about Samba...

      1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.

      2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.

      I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.

    3. Re:Not Samba? by Daengbo · · Score: 5, Informative

      Samba can act as an AD PDC with the option of using LDAP as a backend. The absolute easiest way to set one of these (with LDAP) up is to use eBox on Ubuntu 8.04. Check the box marked "PDC" and ad the accounts. That's my recommendation.

      It offers multiple nodes, mail, files, Jabber, and a bunch of other stuff.

      --
      Put identity in the browser.
    4. Re:Not Samba? by Vellmont · · Score: 5, Informative

      Well, I don't know much about how well samba performs when 50 people all try to write to the same file, but my experience with samba over a windows server is that samba is much faster.

      In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange. Generally you don't have that many people trying to access a single file. If NT4 is better in this one respect, that's great for you and the other 10 people that are using jet in this crazy manner, but for everyone else it's irrelevant.

      --
      AccountKiller
    5. Re:Not Samba? by sumdumass · · Score: 5, Informative

      I had a similar situation but I wasn't using Jet. Anyways, after pissing around with it for a while, I found the problem was the network card. I noticed this when attempting to run speed tests while data access was gradually being increased in the more to see if I could pinpoint the time of failure. I noticed that I started getting a bunch of resends because packets were getting dropped. This is when I discovered that the 3com built in network cards weren't as good as the PCI variety. I don't know if it was 3com's problem or the main board manufacturer's issue and personally, at this point I don't care.

      Anyways, I added a spare Intel pro card and saw an immediate improvement. Like many, I assumed the on board network adapter would have been sufficient seeing how it was a 3com 3c905 series on a p4 2.8 system with about 2.5 gig memory (it did more the Samba) I ended up dropping another card into the box and separating the SMB services from another service I was running and it seemed to run circles around it's previous performance as well as the NT4 performance. I don't know if yours would have been related but I have known for a while that you need to use good network cards on servers and production machines. I rarely use on board NICs anymore except for home use and often I will either use a 3com or intel pro nic with the intel being the easiest for me to find in my area. All the others seem to shift more of the network job into software using host processes instead of doing it on the device. I'm sure there are more then 3com and Intel with good cards too, they are just the ones I'm familiar with and sticking with.

    6. Re:Not Samba? by stephenpeters · · Score: 5, Interesting

      I think openLDAP should be one of the first products the submitter tries. In my experience it is reliable scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitters position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

      <disclaimer>

      I have worked closely with Mark Taylor the CEO of Sirius for a long time now. Please consider anything I say about them biased, contact them youself and make up your own mind about them.

      </disclaimer>

  2. OK your Discount coupon is ready. by 140Mandak262Jamuna · · Score: 5, Funny

    OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Mandriva by Anonymous Coward · · Score: 5, Informative

    Mandriva Directory Server + Pulse 2

  4. SME Server 8 by erroneus · · Score: 5, Informative

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    1. Re:SME Server 8 by Kamokazi · · Score: 5, Funny

      And did I mention it installs from a single CD?

      Impressive. I'm definately going to use this, as putting in a second disk is just way too much work.

      --
      As our way of thanking you for your positive contributions to Slashdot, you are eligible to disable Slashdot 2.0.
    2. Re:SME Server 8 by grcumb · · Score: 5, Informative

      I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

      I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

      It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

      (I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

      BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

      If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

      To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  5. That depends...... by ogdenk · · Score: 5, Interesting

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, Indesign, etc that the syllabii for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

  6. Sun Java System Directory Server by wmute · · Score: 5, Informative

    I don't often recommend SUN products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe its open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows,Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

  7. Re:hate to say it... by Korgan · · Score: 5, Informative

    I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory make it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

  8. There isn't an alternative. Next question. by realmolo · · Score: 5, Insightful

    I've messed with the so-called "Active Directory replacements". They all suck.

    The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

    Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

    Did I mention this is a bad idea?

  9. Re:Do you want to play with it, or have it work? by morgan_greywolf · · Score: 5, Insightful

    Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

    It's not like your only choice for 24x7 support is Microsoft.

    --
    My blog
  10. Re:No openldap by stephenpeters · · Score: 5, Insightful

    First of all, why use crappy openldap when you can use the Netspace directory server that red hat bought and opensourced.

    I have foung openLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?

    There is a reason why they paid 23$ millions for it...

    And the reasons are?

    Then, AD isn't just a LDAP server with usernames and passwords....

    Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.

    Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...

    I mean, in a office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.

    Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.

    Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.

    This is otherwise known as vendor lock in. Some of use have tried very hard to break free of it to avoid being held to ransom by a vendor.

    Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.

    I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius the consultancy I recommended have a client list of blue chip companines, local govenment and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS, it really works in the real world.

    In my previous post I forgot to mention that OGC/Becta are the government agency's responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.