
Best FOSS Active Directory Alternative? 409

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
  • Depends on usage (Score:2, Insightful)

    by yoshac ( 603689 ) on Saturday January 17, 2009 @10:44PM (#26502599)
    Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.
  • by Pav ( 4298 ) on Saturday January 17, 2009 @10:57PM (#26502683)

    GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing in-house skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project :) : https://sourceforge.net/projects/wfstt/ [sourceforge.net] .

  • by Whizzmo2 ( 654390 ) on Saturday January 17, 2009 @11:04PM (#26502727)
    Active Directory is mature, well-understood and well-supported. MS will answer the phone at 3:00 am when you call. While FOSS alternatives have come a long way, many are still under heavy active (ha, ha) development.

    Questions you should be asking yourself:
    • Who will maintain this when I'm gone?
    • Does this solution offer 24/7/365 phone support? (If you don't have a phone support contract, MS will usually charge you $250 if the issue is your fault, and $0 if the issue is a bug in their software. (IANA MS rep, YMMV))

    One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)


    --Whizzmo

  • Single computer? (Score:4, Insightful)

    by daybot ( 911557 ) * on Saturday January 17, 2009 @11:27PM (#26502873)

    > ...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server

    Whichever system you end up using, I strongly discourage building your network around a single server.

  • by realmolo ( 574068 ) on Saturday January 17, 2009 @11:31PM (#26502907)

    I've messed with the so-called "Active Directory replacements". They all suck.

    The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

    Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

    Did I mention this is a bad idea?

  • by catmistake ( 814204 ) on Saturday January 17, 2009 @11:33PM (#26502913) Journal

    I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 debian & 15 winbox, likely OpenLDAP, etc.)

    You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.

  • stick with AD (Score:2, Insightful)

    by jdbausch ( 1419981 ) on Saturday January 17, 2009 @11:47PM (#26503023)
    Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of that a smaller organization like yours would move off AD would be to save money on the license, and especially on CALs. But as a school, don't you get them for damn near free anyway?
  • Re:Not Samba? (Score:1, Insightful)

    by flyingfsck ( 986395 ) on Saturday January 17, 2009 @11:58PM (#26503075)

    Huh? What is a racist slur about Samba?

    You must have an overactive imagination.

    Anyhoo, I fail to see why there is such a hullabaloo in the USA about having a coloured prez.

  • Re:Not Samba? (Score:5, Insightful)

    by ushering05401 ( 1086795 ) on Sunday January 18, 2009 @12:11AM (#26503163) Journal

    I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.

    The problem is that your scenario gives us very little usable information about Samba...

    1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.

    2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.

    I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.

  • by morgan_greywolf ( 835522 ) on Sunday January 18, 2009 @12:31AM (#26503253) Homepage Journal

    Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

    It's not like your only choice for 24x7 support is Microsoft.

  • Re:SME Server 8 (Score:3, Insightful)

    by grcumb ( 781340 ) on Sunday January 18, 2009 @12:54AM (#26503359) Homepage Journal

    > And did I mention it installs from a single CD?

    Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

    Okay, you made a funny. But consider the implications of that single disk:

    • It's a simple, nicely pared-down server. Installs and configures in about 20 minutes.
    • It's a purpose-driven server whose entire architecture is aimed at solving the most common scenario in Small and Medium Enterprises (SME - get it?): The ability to run in a predictable, stable and usable way for years on end without requiring IT staff to support it - that's something whose value should never be underestimated.
    • These design principles extend throughout the server's architecture. It's got template-driven config file management, a really useful event model for automating complex tasks and a really elegant developer API. And it still fits on a single CD.
    • It's small and simple and yet still has what you want in a small office server. I've never seen the KISS principle more sanely applied than in the SME Server. Nothing gets added without a reason and most everything works the way a Lazy admin would want it to.

    Full disclosure: I worked two years for the company that built SME Server. But I went to work for them because I liked the product. 6 years later, I'm still installing and using it on customer sites.

    (See my other post below [slashdot.org] for a few caveats about AD. Briefly, LDAP is integrated, but not very tightly. You'll still need to install or build an actual AD solution on top of it to provide what the OP is looking for.)

  • by madclicker ( 827757 ) on Sunday January 18, 2009 @01:00AM (#26503405)
    SBS is wonderful, if you have 5 users on the system. Additional licenses will kill you...., oh yeah, love the Exchange integration and no backup AD controllers. SBS is a crippled pos. One other thing I found to be quite interesting with MS AD servers, how does one manage hundreds of systems being re-prepped or replaced from the AD. I haven't found any good way to manage computers in the AD.
  • by bertok ( 226922 ) on Sunday January 18, 2009 @01:05AM (#26503457)

    I can second this.

    The $1,000 cost saving on the license (or possibly less for an educational license) is absolutely NOT worth it. Don't drink the FOSS koolaid, MS Active Directory is stable and scales. I've seen 1 million-account domains run fine on a couple of pretty average boxes. Your tiny little education environment will work fine on anything. There are netbooks that could handle the load for a "large" school environment.

    If you MUST have a single physical Linux server (why?), then just run up a MS Windows based AD controller in a virtual machine. Your problems are then solved, and you won't be chasing down bizarre compatibility issues at 7pm on a Friday because some MS patch or Samba patch didn't like each other.

    Not to mention that with ANY domain technology, single servers are just insane. Patching single-server domains is a nightmare, while you can pretty much arbitrarily turn off AD domain controllers at any time if you have two set up correctly. If physical hardware is too expensive, again, virtual machines are your friend.

    Also, as others have pointed out, multiple domains just cause a maintenance headache, and do not add significant security. The access control lists in AD are very fine grained, and allow total lockdown, down to the attribute/object level.

    As a case in point, I've built ASP style AD/Exchange solutions where the client companies could see their own users, global address lists, etc... but weren't even aware of any other clients or users. This is well documented and supported. Lots of Exchange email hosting companies do this, or more paranoid organizations, such as education, where you don't want your students sending emails to staff mailing lists, or calling the hot female teacher's mobile phone at 3 am in the morning.

  • by glitch23 ( 557124 ) on Sunday January 18, 2009 @02:22AM (#26503807)
    I agree with your statements regarding what ADS provides and what OpenLDAP does not. The fact that OpenLDAP gives you a backend and nothing else is one reason I did not recommend it to the submitter however your subject for your post is not correct. ADS *is* LDAP. It uses LDAP underneath just as any other directory server does on the market today. Many also can integrate with Kerberos just as ADS does. I hate when people call ADS "Active Directory" and then they refer to Sun's implementation as an "LDAP server" or whatever. The fact is ADS is as much LDAP as any other. MS has just added attributes to the schema to fit a Windows infrastructure but then again so has Sun for Solaris clients. The LDAP schema was meant to be extended and can even be extended by the administrators to add custom attributes and object classes for companies who want to integrate their products with it. MS is no different in what they did. It's their own implementation of it just as Sun has their implementation. If someone wants an unadulterated implementation of a directory server they should go for OpenLDAP but they will be sorry (if only due to lack of management tools).
  • None. (Score:3, Insightful)

    by wasabii ( 693236 ) on Sunday January 18, 2009 @03:41AM (#26504095)
    There is no comparable solution. Choosing anything else is a massive disservice to your users and the people responsible. AD is set up by default to work properly. It requires minimal maintenance. It supports multimaster replication, automatically doing nearly everything required. It uses Kerberos. It does your DNS for you. Windows works perfectly with it. Linux sort of works with it with Samba. Your alternatives in the FOSS space are basically setting up FDS or OpenLDAP by hand. That means making the schema by hand. OpenLDAP does not do multimaster replication. You will have to hand configure kerberos. You will have to manage most maintenance tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you. You will not have an easy interface to 'create users'. You will have interfaces to edit LDAP databases. FDS is a better LDAP server: but it is STILL JUST AN LDAP SERVER. It does not take care of DNS. It does not do Kerberos. Novell's commercial offerings are the closest: but they are woefully hard to get set up compared to AD, and they cost just about the same.
  • by Anonymous Coward on Sunday January 18, 2009 @06:32AM (#26504789)

    see a post above, it's about choice...

    once you go to AD, there's no way back, which is not a really good strategy/risk decision

    if instead you choose a server/service that can be easily exported/dumped should your new/future requirements need it, then you have the choice and you can pick another one by simply using the standard LDIF and no tweaks

    yeah, I know, it's the same old story about Microsoft and lock-in, but it's true
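
To make concrete what "the standard LDIF and no tweaks" amounts to, here is an added example that is not from the thread or from any of the servers named in it: a small RFC 2849 LDIF reader/writer in Python. The sample export below is constructed to look like what `slapcat` or `ldapsearch -LLL` emit (folded lines, base64 values, a comment), the function names are this example's own, and the last function is the check a practitioner would want before carrying a dump from the old box to the new one: entries whose `userPassword` was stored with no `{SCHEME}` prefix, i.e. in the clear.

```python
"""Minimal RFC 2849 LDIF reader/writer.  Added example, not code from the
thread: the sample export below is constructed and the function names are
this example's own."""
import base64
from typing import Dict, List

Record = Dict[str, List[str]]

# Constructed sample in the shape `slapcat` / `ldapsearch -LLL` produce: a folded
# line, two base64 values, a comment, and one password stored with no {SCHEME}.
SAMPLE_LDIF = """\
version: 1
dn: uid=jsmith,ou=staff,dc=school,dc=example
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jsmith
cn: Jane Smith
sn: Smith
userPassword:: e1NTSEF9ZmFrZWhhc2h2YWx1ZQ==
description: a very long description that was folded by the exporter onto
  two physical lines

# comment lines are ignored by importers
dn: uid=pupil01,ou=pupils,dc=school,dc=example
objectClass: inetOrgPerson
uid: pupil01
cn:: UMOpbsOpbG9wZSBEw7xtb250
sn: Dumont
userPassword: letmein1
"""

def parse_ldif(text: str) -> List[Record]:
    """Parse LDIF into records (attribute -> list of values).  Handles folded
    lines, comments, the version line, and base64 values (decoded as UTF-8)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold: drop the single leading space
        else:
            logical.append(raw)
    records: List[Record] = []
    current: Record = {}
    for line in logical:
        if line == "":                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or (line.startswith("version:") and not current):
            continue
        attr, sep, rest = line.partition(":")
        if not sep or not attr:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):            # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):          # attr:< <url>  (not supported here)
            raise ValueError(f"URL-valued attribute not supported: {line!r}")
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records

def _needs_base64(value: str) -> bool:
    """Conservative SAFE-STRING test: printable ASCII, no leading ' ', ':' or '<'."""
    if value and value[0] in " :<":
        return True
    return any(not 32 <= ord(ch) <= 126 for ch in value)

def to_ldif(records: List[Record], width: int = 76) -> str:
    """Serialize records to LDIF, base64-encoding unsafe values and folding
    lines longer than `width` onto continuation lines with one leading space."""
    out: List[str] = []
    for rec in records:
        for attr in ["dn"] + [k for k in rec if k != "dn"]:  # dn comes first
            for value in rec[attr]:
                if _needs_base64(value):
                    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
                    line = f"{attr}:: {b64}"
                else:
                    line = f"{attr}: {value}"
                out.append(line[:width])
                for i in range(width, len(line), width - 1):
                    out.append(" " + line[i:i + width - 1])
        out.append("")                      # record separator
    return "\n".join(out)

def roundtrip(text: str) -> bool:
    """True if parse -> serialize -> parse yields the same records."""
    first = parse_ldif(text)
    return parse_ldif(to_ldif(first)) == first

def cleartext_passwords(records: List[Record]) -> List[str]:
    """DNs whose userPassword has no {SCHEME} prefix, i.e. was stored in the
    clear.  Worth checking before a dump is copied onto a new server."""
    return [rec["dn"][0] for rec in records
            if any(not pw.startswith("{") for pw in rec.get("userPassword", []))]
```

Run `parse_ldif(SAMPLE_LDIF)` to get two records, `to_ldif(...)` to write them back out (the accented `cn` comes out base64-encoded, the long `description` refolded), and `cleartext_passwords(...)` to get `uid=pupil01,...` flagged. What this format does not carry across servers is the schema: the vendor attributes and object classes a given server added have to exist on the target before an import of this text will be accepted, so an LDIF dump buys portability of the data, not of the server-specific extensions.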

  • Re:Not Samba? (Score:3, Insightful)

    by benji fr ( 632243 ) on Sunday January 18, 2009 @06:36AM (#26504811) Homepage
    Jet is often using locks to be sure that no one will overwrite the data you previously edited. Samba 3.0 has some code to manage the buggy Windows sharing protocol locking system.

    You should really read man smb.conf and search for "lock" to learn a bit about it.

    I'm pretty sure that your earlier problem was a locking one.

    Samba has not changed a lot regarding this locking issue, but you can tweak it perfectly, it just takes a little time to learn how to do it and what to do.

    My experience with samba is that (on a big server of course) it can handle hundreds of connections with some Gbps throughput (we did it under linux with ethernet bonding and heavy kernel tuning of course...)
  • Re:Not Samba? (Score:5, Insightful)

    by dkf ( 304284 ) <donal.k.fellows@manchester.ac.uk> on Sunday January 18, 2009 @08:15AM (#26505219) Homepage

    > In any case judging samba performance on the basis of a very odd use-case like 50 users hitting a single file is kind of strange.

    It's not that strange in education, especially with large classes (but perhaps more so at Universities than at schools). What happens is lots of people get to about the same point in a practical class at about the same time, and then they sit there and repeatedly hammer whatever services you've got up to support them until they get through.

    Business usage patterns are different to education ones. You can't really use experience with one to predict the other. (Alas. It'd be so much easier if you could...)

  • Re:No openldap (Score:5, Insightful)

    by stephenpeters ( 576955 ) on Sunday January 18, 2009 @08:47AM (#26505367) Homepage

    > First of all, why use crappy openldap when you can use the Netscape directory server that red hat bought and opensourced [redhat.com].

    I have found openLDAP to be reliable, compatible and easy to use. Can you elaborate on why you think it is crap?

    > There is a reason why they paid $23 million for it...

    And the reasons are?

    > Then, AD isn't just an LDAP server with usernames and passwords....

    Nor is openLDAP just a store for Windows user names and passwords. I use an openLDAP server for Windows services as well as providing user configuration for other services such as sendmail. The great advantage of using FOSS is that you are free from vendor lock in and can consider non-proprietary alternatives in other areas of your network.

    > Which is why many people can only use Windows setups. There's nothing like AD in the FOSS world. To start with, FOSS client apps should be lockdown-able from the server. But you can't do that...

    > I mean, in an office with a linux server and some linux clients, try to lockdown some options on Firefox, the desktop, evolution....surprise, you can't do it. Oh, yeah, there're a lot of workarounds everywhere, but they are different if you use KDE or Gnome or depending on the app you are using. It's a horrible mess.

    Nowhere in the article do I see a desire to use FOSS desktop clients. The submitter simply wants to replace the AD server with a non MS LDAP based alternative.

    > Windows clients and servers, on the other hand, are VERY well coupled. The day someone cares to fix this in the FOSS world, a lot of people will start using Linux in corporate networks.

    This is otherwise known as vendor lock in. Some of us have tried very hard to break free of it to avoid being held to ransom by a vendor.

    > Until then, Windows is pretty much the only realistic option. I can't understand why Red Hat, Suse and Ubuntu don't put more efforts on this, it's one of the biggest showstoppers for Linux adoption.

    I have been running what you consider an unrealistic option for the best part of a decade. I have yet to be fired. Sirius [siriusit.co.uk], the consultancy I recommended, has a client list of blue chip companies, local government and schools. They are all running some form of FOSS backend. You might like to take a fresh look at FOSS; it really works in the real world.

    In my previous post I forgot to mention that OGC [ogc.gov.uk]/Becta [becta.org.uk] are the government agencies responsible for technology in the UK educational environment. It is considerably easier for a UK school to use a Becta accredited supplier than any other supplier. It is an incredible achievement for Sirius to gain that accreditation as no other FOSS consultancy has managed to cut through government red tape thus far.

  • Re:Not Samba? (Score:3, Insightful)

    by kilodelta ( 843627 ) on Sunday January 18, 2009 @01:12PM (#26507115) Homepage
    At one job we used OpenLDAP for many things, like authentication on Plone/Zope, or for email authentication with Qmail.

    We kept an aging NT4 server for login authentication on Windows. I kept pushing to setup Samba and use LDAP but nobody wanted to guinea pig it.

    So a year or so ago they spent over $250,000 on new servers and windows licenses. Dumbasses.
  • What ogdenk said [slashdot.org].

    Using Access in this manner is crazy and a huge performance issue all on its own, not to mention data integrity.

    Good luck.

  • Re:Mandriva (Score:3, Insightful)

    by MikeBabcock ( 65886 ) <mtb-slashdot@mikebabcock.ca> on Sunday January 18, 2009 @06:31PM (#26509933) Homepage Journal

    You, my friend are why "Ask Slashdot" exists. Those suggesting Samba meanwhile obviously didn't understand the question.
