Best FOSS Active Directory Alternative?
danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
Depends on usage (Score:2, Insightful)
GOsa is worth a mention (Score:2, Insightful)
GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project:) : https://sourceforge.net/projects/wfstt/ [sourceforge.net] .
Do you want to play with it, or have it work? (Score:3, Insightful)
Questions you should be asking yourself:
One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)
--Whizzmo
Single computer? (Score:4, Insightful)
...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server
Whichever system you end up using, I strongly discourage building your network around a single server.
There isn't an alternative. Next question. (Score:5, Insightful)
I've messed with the so-called "Active Directory replacements". They all suck.
The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.
Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.
Did I mention this is a bad idea?
Active Directory is Microsoft's best work (Score:5, Insightful)
I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lovr, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 debian & 15 winbox, likely OpenLDAP, etc.)
You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.
stick with AD (Score:2, Insightful)
Re:Not Samba? (Score:1, Insightful)
Huh? What is a racist slur about Samba?
You must have an over active imagination.
Anyhoo, I fail to see why there is such a hullabaloo in the USA about having a coloured prez.
Re:Not Samba? (Score:5, Insightful)
I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.
The problem is that your scenario gives us very little usable information about Samba...
1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.
2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.
I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.
Re:Do you want to play with it, or have it work? (Score:5, Insightful)
Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.
It's not like your only choice for 24x7 support is Microsoft.
Re:SME Server 8 (Score:3, Insightful)
And did I mention it installs from a single CD?
Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.
Okay, you made a funny. But consider the implications of that single disk:
Full disclosure: I worked two years for the company that built SME Server. But I went to work for them because I liked the product. 6 years later, I'm still installing and using it on customer sites.
(See my other post below [slashdot.org] for a few caveats about AD. Briefly, LDAP is integrated, but not very tightly. You'll still need to install or build an actual AD solution on top of it to provide what the OP is looking for.)
Re:There isn't an alternative. Next question. (Score:3, Insightful)
Re:There isn't an alternative. Next question. (Score:4, Insightful)
I can second this.
The $1,000 cost saving on the license (or possibly less for an educational license) is absolutely NOT worth it. Don't drink the FOSS koolaid, MS Active Directory is stable and scales. I've seen 1 million account domains run fine on a couple of pretty average boxes. Your tiny little education environment will work fine on anything. There are netbooks that could handle the load for a "large" school environment.
If you MUST have a single physical Linux server (why?), then just run up a MS Windows based AD controller in a virtual machine. Your problems are then solved, and you won't be chasing down bizarre compatibility issues at 7pm on a Friday because some MS patch or Samba patch didn't like each other.
Not to mention that with ANY domain technology, single servers are just insane. Patching single-server domains is a nightmare, while you can pretty much arbitrarily turn off AD domain controllers at any time if you have two set up correctly. If physical hardware is too expensive, again, virtual machines are your friend.
Also, as others have pointed out, multiple domains just cause a maintenance headache, and do not add significant security. The access control lists in AD are very fine grained, and allow total lockdown, down to the attribute/object level.
As a case in point, I've built ASP style AD/Exchange solutions where the client companies could see their own users, global address lists, etc... but weren't even aware of any other clients or users. This is well documented and supported. Lots of Exchange email hosting companies do this, or more paranoid organizations, such as education, where you don't want your students sending emails to staff mailing lists, or calling the hot female teacher's mobile phone at 3 am in the morning.
Re:Active Directory is NOT ldap. (Score:2, Insightful)
None. (Score:3, Insightful)
Re:Active Directory is Microsoft's best work (Score:1, Insightful)
see a post above, it's about choice...
once you go to AD, there's no way back, which is not a really good strategy/risk decision
if instead you choose a server/service that can be easily exported/dumped should your new/future requirements need it, then you have the choice and you can pick another one by simply using the standard LDIF and no tweaks
yeah, I know, it's the same old story about Microsoft and lock-in, but it's true
Re:Not Samba? (Score:3, Insightful)
You should really read man smb.conf and search for "lock" to learn a bit about it.
I'm pretty sure that your earlier problem was a locking one.
Samba has not changed a lot regarding this locking issue, but you can tweak it perfectly, it just takes a little time to learn how to do it and what to do.
My experience with samba is that (on a big server of course) it can handle hundreds of connections with some Gbps throughput (we did it under linux with ethernet bonding and heavy kernel tuning of course...)
Re:Not Samba? (Score:5, Insightful)
In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange.
It's not that strange in education, especially with large classes (but perhaps more so at Universities than at schools). What happens is you get lots of people getting to about the same point in a practical class at about the same time, and then they sit there and repeatedly hammer whatever services you've got up to support them until they get through.
Business usage patterns are different to education ones. You can't really use experience with one to predict the other. (Alas. It'd be so much easier if you could...)
Re:No openldap (Score:5, Insightful)
First of all, why use crappy openldap when you can use the Netscape directory server that red hat bought and opensourced [redhat.com].
I have found openLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?
There is a reason why they paid $23 million for it...
And the reasons are?
Then, AD isn't just a LDAP server with usernames and passwords....
Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.
Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...
I mean, in an office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.
Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace AD server with a non MS LDAP based alternative.
Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.
This is otherwise known as vendor lock in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.
Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.
I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius [siriusit.co.uk] the consultancy I recommended have a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS, it really works in the real world.
In my previous post I forgot to mention that OGC [ogc.gov.uk]/Becta [becta.org.uk] are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.
Re:Not Samba? (Score:3, Insightful)
We kept an aging NT4 server for login authentication on Windows. I kept pushing to set up Samba and use LDAP but nobody wanted to guinea pig it.
So a year or so ago they spent over $250,000 on new servers and windows licenses. Dumbasses.
Re:50 people hit same file Re:Not Samba? (Score:3, Insightful)
What ogdenk said [slashdot.org].
Using Access in this manner is crazy and a huge performance issue all on its own, not to mention data integrity.
Good luck.
Re:Mandriva (Score:3, Insightful)
You, my friend are why "Ask Slashdot" exists. Those suggesting Samba meanwhile obviously didn't understand the question.