
Best FOSS Active Directory Alternative?

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"
  • Not Samba? (Score:5, Interesting)

    by Tubal-Cain ( 1289912 ) * on Saturday January 17, 2009 @10:41PM (#26502573) Journal

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

  • Local resources (Score:4, Interesting)

    by James Youngman ( 3732 ) <jay&gnu,org> on Saturday January 17, 2009 @10:58PM (#26502689) Homepage

    Try talking to Tim Fletcher at Parrswood.

  • hate to say it... (Score:5, Interesting)

    by johnjones ( 14274 ) on Saturday January 17, 2009 @10:58PM (#26502691) Homepage Journal

    but the first thing to do is look at how these have been deployed

    I don't see anyone with production systems on a large domain using anything other than redhat directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but that's about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication [johnjones.me.uk]

  • by dbIII ( 701233 ) on Saturday January 17, 2009 @10:58PM (#26502695)
    And there are plenty of other implementations of LDAP around.

    The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain which put it well past the 16bit limit of users - and thus the active directory project started.

  • Re:Not Samba? (Score:1, Interesting)

    by timmarhy ( 659436 ) on Saturday January 17, 2009 @11:01PM (#26502707)
    Can samba keep up speed-wise these days? A few years back we tried to switch an old NT4 file sharing server over to linux/samba; it was for a simple vb6 application which was using jet to connect to access db's. Samba appeared to have some kind of bottleneck where once you had more than 50 open connections it slowed right down. We tried everything right up to tweaking kernel settings and it was still slower. It wasn't hardware either; the linux system was significantly better resourced than the old nt4 system.

    And no, rewriting the application just to suit linux wasn't an option.

  • That depends...... (Score:5, Interesting)

    by ogdenk ( 712300 ) on Saturday January 17, 2009 @11:02PM (#26502717)

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

  • Re:Not Samba? (Score:5, Interesting)

    by digitalunity ( 19107 ) <digitalunityNO@SPAMyahoo.com> on Saturday January 17, 2009 @11:18PM (#26502819) Homepage

    How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but given that this was on NT4, I would imagine your anecdotal experience is from some time ago.

    Samba has made tremendous improvements in the last couple of years in a lot of areas.

  • by La Camiseta ( 59684 ) <me@nathanclayton.com> on Saturday January 17, 2009 @11:23PM (#26502847) Homepage Journal

    It may not be opensourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE [sun.com], with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide [sun.com] for synchronizing with AD and there are guides all over the place [linuxjournal.com] regarding authenticating Windows off of LDAP servers.

  • Re:Not Samba? (Score:3, Interesting)

    by thePowerOfGrayskull ( 905905 ) <marc...paradise@@@gmail...com> on Saturday January 17, 2009 @11:28PM (#26502885) Homepage Journal
    I thought Samba was stopped at compatibility as a domain controller (win 2000 style), and did not offer AD features?
  • by Shados ( 741919 ) on Saturday January 17, 2009 @11:37PM (#26502951)

    I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

    Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions... so well, to make that work better, they wrote their own "Active Directory" from scratch... it's still running on Windows server, but it's not an actual Active Directory(tm) kinda thing.

    But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

  • DoD uses RHDS (FDS) (Score:4, Interesting)

    by xzvf ( 924443 ) on Saturday January 17, 2009 @11:52PM (#26503033)
    I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.
  • by Zak3056 ( 69287 ) on Saturday January 17, 2009 @11:58PM (#26503079) Journal

    One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

    In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but related organizations, to do things the "right" way you'd need at least six domain controllers (two for an empty root, then two DCs for each of the production domains.)

  • FreeIPA (Score:1, Interesting)

    by Anonymous Coward on Sunday January 18, 2009 @12:05AM (#26503131)

    If you're considering Fedora DS, you also might want to look at FreeIPA.

  • Re:TCO (Score:5, Interesting)

    by erroneus ( 253617 ) on Sunday January 18, 2009 @12:06AM (#26503135) Homepage

    I have set up four installations of SMEserver 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying if TCO is largely factored by time/labor? SME server beats Microsoft hands down so far.

    Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?

  • by ogdenk ( 712300 ) on Sunday January 18, 2009 @12:21AM (#26503203)

    It works OK for older versions of Photoshop, but if you're going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed every time a new version of Photoshop comes out that uses Win32 calls in a weird fashion.

    A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

    The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

    If you're going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

    Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop is necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

    In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

    We HAVE to have Windows desktops. Manageable group policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

    If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

  • by Jane Q. Public ( 1010737 ) on Sunday January 18, 2009 @12:47AM (#26503325)
    Not to flame at all... but as an administrator, you should be aware that any "group policies" you enforce or enable remotely, such as software installs and restrictions, are pretty easy to get around. Our college's computers were "locked down" pretty hard, using all the official Microsoft-recommended restrictions, yet I (and most people I knew in my computer-related classes) knew of about 4 different ways to install and run software on a school computer pretty much at will. If I needed them for something, I could log in using my student ID, and install Dreamweaver complete with DRM or just about any other program, like Open Office, in folders on the desktop, in the 5 minutes before class started. I would just run those programs that were capable of running without elaborate installation directly from my thumbdrive. Despite the fact that installation of ANY software, and running ANY programs not on the "official" list, were strictly prohibited via policies. Microsoft "security" is a joke. I am not trying to flame or troll here, just letting you know, honestly. It might have improved a bit over the last couple of years, but I would not bet my shorts on it.
  • Re:SME Server 8 (Score:3, Interesting)

    by Nimey ( 114278 ) on Sunday January 18, 2009 @12:47AM (#26503327) Homepage Journal

    No, but I remember when Debian was only two CDs, and the second wasn't very full.

  • by SportyGeek ( 694769 ) on Sunday January 18, 2009 @12:55AM (#26503371)
    There's a nasty little caveat to using linux clients to authenticate securely to Sun's LDAP server: if you're using a proxy account for authentication, you need to place a plaintext file (ldap.conf, I believe) so that it can be read (cannot use a hash). I've still yet to figure out a workaround to prevent the need to place the password in plaintext where the only thing I can do is chmod 400 the file.

    I would love to be demonstrated otherwise, if someone knows :)
  • by Fyzzler ( 1058716 ) on Sunday January 18, 2009 @02:03AM (#26503727)
    That account only has to have read-only search access to the directory. You can set up ACIs to prevent it being able to do anything but return authentication search results.

    Anonymous search is common for both AD and LDAP directories. If you set things up correctly, all you can see with this account/password is the same as you could see on a linux/unix box by doing a "getent {passwd,group,host...}" command.
  • by Anonymous Coward on Sunday January 18, 2009 @02:50AM (#26503923)

    I recently worked with a guy who had this same mantra "I have someone to call who will help me, that's why we use Microsoft.".

    This guy never bothered to learn anything from Microsoft because he could just pick up the phone and burn company money on an incident report and get hand held through fixing whatever it was he fucked up that day.

    I'm not saying that you 'never' have problems with things other than Microsoft, but when you do you've got more immediate options available such as (1) googling for error messages (2) looking at the source (3) scouring the forums for the project.

    Personally for every product I managed to switch from Microsoft to something open source I never had to be woken up at 3am for anything, I'm sure it's possible that would happen but if it did I, or anyone with a web browser, a little unix experience and 2 ounces of brains could solve it too.

    Microsoft being available to fix their broken stuff isn't the answer, making resilient software in the first place is. For lack of resilient software from them, I go elsewhere.

    And, for the record, I don't care about Microsoft vs. OSS or any of that stuff, I've paid for plenty of great software over the years, if Microsoft makes a good product I've got no qualms about going with them.

    However, with terrible piles of crap like Exchange and Vista, the answer isn't who do you call at 3am, it's who do you call at 9am to replace it.

    As far as 'who will maintain this when I'm gone?' who gives a fuck? If I get fired, fuck you and the horse you rode in on. If I leave, I'll happily produce documentation that any future employee with a little unix experience could understand.

    Plus, fuck you for charging me $250 if it's my fault. I make mistakes just like everyone else, if I'm doing something terribly wrong, fine, but if I made a little mistake or MS didn't document it.. fuck you double?

    There's plenty of sharp guys out there who'd chomp at the bit for the opportunity to be woken up @ 3am for $250 to say 'Oh, you need to push the changes out to the cluster.'. That's not a reason to go with microsoft.

    It's a reason MANAGERS will go with Microsoft. But, with the recent economic blood-letting of idiots from tech companies you might not be hearing 'Nobody ever got fired for buying Microsoft..' much anymore.

  • by SportyGeek ( 694769 ) on Sunday January 18, 2009 @03:14AM (#26504011)
    Thanks for the reply, Fyzzler. I have looked at anonymous querying, but for DDoS purposes, it does not seem prudent. However, I'll read up on configuring ACI's, but it would still be nice to eventually not have to rely on a plain-text password, anywhere.
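The client-side exposure discussed in this exchange can at least be checked mechanically. The following is an added example, not part of either poster's comments: a Python audit of an nss_ldap/pam_ldap-style client config that reports a plaintext proxy password, who can read the file, and whether the bind would travel unencrypted. The sample file contents, DN, hostname and finding names are constructed for illustration; `uri`, `binddn`, `bindpw` and `ssl start_tls` are the directive names used by that style of `ldap.conf`.

```python
import os
import stat
import tempfile

# Constructed sample of an nss_ldap/pam_ldap-style client config.
# The DN, host and password are placeholders, not values from the thread.
SAMPLE_CONF = """\
# constructed example
uri ldaps://ldap.example.org/
base dc=example,dc=org
binddn cn=proxyagent,ou=profile,dc=example,dc=org
bindpw NotARealPassword
"""


def parse_ldap_conf(text):
    """Return {directive: value} for 'key value' lines, skipping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Directive names are treated case-insensitively.
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(path):
    """Return a sorted list of finding codes for the client config at path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        settings = parse_ldap_conf(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = set()

    has_password = bool(settings.get("bindpw"))
    if has_password:
        # The proxy credential is stored in the clear, as described above.
        findings.add("plaintext-bindpw")
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            # Any local account in the group, or any account at all, can read it.
            findings.add("bindpw-readable-by-non-owner")

    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A non-owner could repoint the client at a different server.
        findings.add("config-writable-by-non-owner")

    # A bind over plain ldap:// without StartTLS sends the password unencrypted.
    uris = settings.get("uri", "").split()
    uses_plain_ldap = any(u.lower().startswith("ldap://") for u in uris)
    start_tls = settings.get("ssl", "").lower() == "start_tls"
    if has_password and uses_plain_ldap and not start_tls:
        findings.add("bind-over-cleartext")

    return sorted(findings)


if __name__ == "__main__":
    # Write the constructed sample to a temporary file and audit it at two modes.
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "ldap.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        for file_mode in (0o644, 0o400):
            os.chmod(conf, file_mode)
            print(oct(file_mode), audit_ldap_conf(conf))
```

Even at mode 0400 the `plaintext-bindpw` finding remains, which is why restricting what the proxy account can read on the server side matters as much as the file permissions.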
  • Re:Not Samba? (Score:3, Interesting)

    by kitgerrits ( 1034262 ) * on Sunday January 18, 2009 @04:49AM (#26504381)

    I'm afraid I disagree with you there.

    I have set up several domains based on XP clients with a Samba Server as Domain Controller.
    It will handle user authentication, profiles, user shares, group shares and domain trusts.
    (even security policy through ntconfig.pol [microsoft.com] )
    Using LDAP as authentication backend also gives you a Directory Service (as in Address Book)

    From what I have heard, recent versions of Samba (less than 3 years old) can serve up a full AD implementation, but you need a Windows Workstation to administer the domain.

  • Re:hate to say it... (Score:4, Interesting)

    by Shuntros ( 1059306 ) on Sunday January 18, 2009 @04:51AM (#26504389)
    Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

    Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

    Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

    I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.
  • Re:Not Samba? (Score:5, Interesting)

    by stephenpeters ( 576955 ) on Sunday January 18, 2009 @05:59AM (#26504647) Homepage

    I think OpenLDAP should be one of the first products the submitter tries. In my experience it is reliable, scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius [siriusit.co.uk]. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitter's position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

    <disclaimer>

    I have worked closely with Mark Taylor, the CEO of Sirius, for a long time now. Please consider anything I say about them biased, contact them yourself and make up your own mind about them.

    </disclaimer>

  • Re:Not Samba? (Score:4, Interesting)

    by sandman_eh ( 620148 ) on Sunday January 18, 2009 @07:11AM (#26504965) Homepage
    But since you haven't posted anything more we can't be sure.

    What did you investigate? What samba tuning parameters did you try?

    Last year I had a very similar problem, which actually turned out to be a network card driver issue. I upgraded from the stock debian stable kernel to one from testing and the problem went away.

    My point is a single example, without actually knowing what was investigated, is just a worthless anecdote.

  • by Skrynesaver ( 994435 ) on Sunday January 18, 2009 @08:36AM (#26505329) Homepage

    We have implemented a similar project in our local school.

    • Debian server
    • OpenLDAP
    • Samba
    • Edubuntu on the client machines
    • A combination of XP and LTSP to Edubuntu in the computer lab

    OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.

    Samba once set up works wonderfully for us.

    Best of luck and hope it works out well for you.

  • We already have this (Score:4, Interesting)

    by jimicus ( 737525 ) on Sunday January 18, 2009 @09:30AM (#26505551)

    It can be done, but there's a few things you have to bear in mind:

    1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.

    2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4-style policies - which aren't as flexible, don't offer as much and suitable precooked template files are becoming much harder to find.

    3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.

    4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.

    5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDs"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read-access to another pupil's work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.

    Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.

  • Re:Not Samba? (Score:3, Interesting)

    by chadruva ( 613658 ) on Sunday January 18, 2009 @11:52AM (#26506307) Homepage

    I think Samba is an excellent replacement for windows server for simple filesharing, is usually easy to setup and some distros even drop in powerful GUI configuration tools.

    I have used samba in a small office (around 10-15 office workers), with a few shared folders (around 5 GB of documents), at first the company didn't trust our use of Linux, they had a windows 2000 server which was badly managed (and filled with virus/malware and being used as spam relay), we gave them a 1 month complete guarantee that the system will keep up without any problems or we give their money back and install w2k server back.

    They are quite happy now as once properly configured you don't need to mess with it, we even added virus scanning (via clamav and hourly cron, samba clamav plugin took a noticeable performance hit and was not straightforward to configure) and reporting via email (plus the email system running on the same server).

  • Re:Not Samba? (Score:3, Interesting)

    by kimvette ( 919543 ) on Sunday January 18, 2009 @12:25PM (#26506623) Homepage Journal

    I have found that samba performs better than Windows on equivalent hardware; vastly superior transfer speeds. However, it is a beast to set up and the documentation is grossly inadequate, even for folks who are seasoned in both Linux and Windows/Craptive Directory. How can a F/OSS supporter promote Linux as an AD/SMB solution for benefits like less downtime, live maintenance tasks, FULL automation of things like backups and so forth, FREE antivirus, etc. when the up-front cost for setup takes many times longer? One can have an active directory for a small-to-medium sized company implemented in under three hours (if using multiple servers for Exchange), including file shares, login scripts, email accounts, and backups, or under an hour with SBS (Small Business Server) because the GUI makes the work so quick.

    In case you're going to suggest SWAT: I've worked with SWAT and it sucks. I've achieved working results by hand-editing the config files using nano and vi, and every time I've worked with SWAT it has fudged things up.

    I suggest Linux to clients whenever it makes sense, however for a PDC for anything but a small (2 to 10) user environment it doesn't make much sense going with a 100% free distro because the GUI sucks and requires too much manual intervention -- despite the long-term TCO being much, much cheaper.

    In the face of a beastly config process and SBS making point-and-click configuration of AD, accounts, email accounts, mail routing, backups, and DNS so quick, the cost of per-user licensing is a net savings compared to the cost of setting up a 100% free Linux distro. Now, when it comes to commercial distros (Red Hat, SLES, etc.) the tables are turned, but the cost savings are not as advantageous as one would want to turn people to Linux when they have only previously heard of Windows and Macintosh (Macintosh is a standalone OS only, right? Sadly, that is still the public perception. Apple ought to market Mac OS X Server Unlimited a hell of a lot more aggressively than they do - and open it up to clones so I can run it on SuperMicro hardware. I could sell that like mad!)

    Now, if there are much better SMB docs available, and if swat has matured in the last year to the point where it's usable and reliable, I would LOVE to hear about it because I'd love to punt Microsoft Windows as a first suggestion for small businesses, and even for medium-sized environments.

    However, Samba is indeed fast. I've found it to be 100% to 200% faster on equivalent hardware, and I've built Samba servers on outdated Pentium III 1U rack mount servers that outperform Windows on Xeon servers with an equivalent number of users and file sizes - with on-access ClamAV scanning. Not having all of the overhead of Windows and the requirement of Windows antivirus software results in a dramatic performance improvement (for some reason even ClamAV on Windows is much slower than on-access scanning on Linux).

  • Re:No openldap (Score:1, Interesting)

    by Anonymous Coward on Sunday January 18, 2009 @12:44PM (#26506833)

    OpenLDAP is a top notch LDAP implementation. It's only about 60% of a directory solution though. The management and configuration tools are where the difference is.

    Now setting up openLDAP isn't that difficult but it's a stretch for a lot of MSCE type IT folks. I'm also going to go ahead and assert that maybe 20% of AD users or LDAP users actually have any idea how the LDAP tree is structured, they basically want a GUI where they can reset passwords and grant access, how the rest of it works they could care less. You've got a fairly steep hill to climb if you want to run OpenLDAP and simply don't care about LDAP.

    All that being said, there have been a lot of startups that try to polish some opensource and sell it, Directory Server in a box built on top of OpenLDAP seems like a slam dunk, it's really an exercise in building a UI and writing documentation.

  • Re:Thin clients (Score:2, Interesting)

    by ogdenk ( 712300 ) on Sunday January 18, 2009 @01:55PM (#26507499)

    If I had originally built the network where I'm at, believe me, I would have gone with thin clients for a majority of the labs. Would have cut our TCO dramatically. No moving parts, no HD's to fail and they are easily managed.

    Thin clients are awesome in an environment like this if you can convince mgmt that you need a killer server. The thin clients themselves are cheap but you want something pretty beefy server-side.

    Moving to thin clients at a previous employer for most things cut the number of helpdesk calls by at least half and failure rates weren't even 25% of what they were with PC's on their desk. There's some gotchas here and there but I didn't regret it one bit.

  • Re:Not Samba? (Score:2, Interesting)

    by Giloo ( 1008735 ) on Sunday January 18, 2009 @03:40PM (#26508515) Homepage Journal

    I actually thought about that, and couldn't find any nice interface to be able to manage Samba/LDAP users & configuration. The furthest I could go was going for an OpenLDAP GUI, which is not enough for a "manager" to work on such an environment..

    I'd be interested in any FOSS opportunities to manage that using a GUI (may it be web based or not..., but then has to be able to run on Windows :p), without having to go through the hassle of writing it myself (or have it written by someone from scratch).

    So, if anybody went through something that might fit here, I'd be really interested! Even if it's alpha, pre alpha, only brain work.. Even if it's not free as in free beer..

  • Re:No openldap (Score:2, Interesting)

    by rainsford ( 803085 ) on Sunday January 18, 2009 @04:35PM (#26508999)
    Just because it has some good uses doesn't mean it's not vendor lock-in, and it doesn't mean the vendor won't effectively be holding your IT operations for ransom. You may think this is an OK trade-off for having systems that work very well together and allow you a great deal of control over clients, but not everyone would agree. You are basically putting yourself in a situation where Microsoft could raise their price 1,000% per seat and you would be forced to pay. They also can, and do, force you to upgrade, even if you don't see a need to. Now it might be that this loss of control is worth being able to push out and enforce client side Windows Update parameters...but it's definitely not as clear cut a case as you're trying to make it.
  • Re:Not Samba? (Score:4, Interesting)

    by s4m7 ( 519684 ) on Sunday January 18, 2009 @04:53PM (#26509115) Homepage
    Anecdotally, I know of a company that is currently switching their file servers over to ZFS and samba because of how seriously it outperforms NTFS and windows on the same hardware. Their new array is a 100TB array, and they have single files that exceed 1TB. It seems more likely that the performance issue you ran into has more to do with configuration than raw performance of samba.
