
Best FOSS Active Directory Alternative?

Posted by kdawson
from the war-stories dept.
danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"

  • Not Samba? (Score:5, Interesting)

    by Tubal-Cain (1289912) * on Saturday January 17, 2009 @10:41PM (#26502573) Journal

    The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

    Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

    • Re:Not Samba? (Score:4, Informative)

      by Anonymous Coward on Saturday January 17, 2009 @10:47PM (#26502629)

      And, er, what about OpenLDAP?

      • Re: (Score:3, Funny)

        by Anonymous Coward

        And, er, what about OpenLDAP?

        Because er.. that was mentioned in the 'Ask Slashdot'.

      • Re:Not Samba? (Score:4, Informative)

        by Z00L00K (682162) on Sunday January 18, 2009 @03:59AM (#26504179) Homepage

        As far as I know any AD solution involving Samba is using OpenLDAP as backend, but I may be wrong.

        I am using OpenLDAP in a project and I can just say that it's quirky to say the least and isn't very verbal about configuration errors unless you fiddle with it.

        It's also a bit quirky with symmetrical replication, but it's not impossible to make it work.

        But on the positive side - it's fast and relatively reliable if you manage to configure it right. You just have to be very patient with it.

      • Re:Not Samba? (Score:5, Interesting)

        by stephenpeters (576955) on Sunday January 18, 2009 @05:59AM (#26504647) Homepage

        I think OpenLDAP should be one of the first products the submitter tries. In my experience it is reliable, scalable and free of proprietary cruft. I have used it for years in a commercial network with Samba. OpenLDAP has allowed my company to drastically cut licensing costs, support costs and lengthen hardware lifecycles. As the submitter is UK based I would recommend they contact Sirius [siriusit.co.uk]. Sirius are the consulting company I use and they are the only UK OGC/Becta accredited FOSS specialist. Sirius have considerable experience in the UK education market and in the submitter's position they would be near the top of the list of people to call. Take a look at their client list to see the kind of pedigree they have.

        <disclaimer>

        I have worked closely with Mark Taylor the CEO of Sirius for a long time now. Please consider anything I say about them biased, contact them yourself and make up your own mind about them.

        </disclaimer>

    • Re: (Score:3, Interesting)

      I thought Samba was stopped at compatibility as a domain controller (win 2000 style), and did not offer AD features?
    • Mod Parent Down (Score:4, Informative)

      by Frankie70 (803801) on Sunday January 18, 2009 @03:47AM (#26504139)

      Samba isn't an Active Directory alternative.

    • Re:Not Samba? (Score:4, Informative)

      by Alioth (221270) <no@spam> on Sunday January 18, 2009 @08:54AM (#26505393) Journal

      Samba is an implied component of these things. Samba doesn't do directory services (well, not as of the current stable versions - samba 4, which has been brewing for years and years, will have its own LDAP service). Usually, an AD replacement consists of some directory service, such as OpenLDAP, with Samba handling the job of serving files and sharing printers. The open source services tend to follow the Unix paradigm of making a service - construct a whole out of components, and choose the components that suit you best. For instance, for our development network at work, we use OpenLDAP as the directory service, and Samba to share files from the server. Samba queries OpenLDAP when someone tries to authenticate. As do our little web applications - when you log onto one, it will query the same OpenLDAP server to authenticate/authorize your login.
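Editor's added example, not code from the comment above or from Samba/OpenLDAP: the "web application asks the same OpenLDAP server to authenticate the login" pattern is a simple bind, and the thing that bites people is RFC 4513's unauthenticated bind: a real DN with an empty password is answered with resultCode 0, so an app that only checks the result code will log in anyone who submits a blank password. The block below hand-encodes an LDAPv3 simple bind (RFC 4511 BER), refuses the empty-password case on the client, parses the BindResponse, and only ever sends the bind inside TLS. The host, DN and password strings are constructed placeholders.

```python
"""Hand-rolled LDAPv3 simple bind (RFC 4511 BER encoding) with the
empty-password guard an application authenticating against OpenLDAP needs.
Added example: not code from the post above or from Samba/OpenLDAP; the
host, DN and password values are constructed placeholders."""
import socket
import ssl

INVALID_CREDENTIALS = 49   # LDAP resultCode for a failed simple bind


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER with a minimal two's-complement body (message IDs, version)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return ber_tlv(0x02, body)


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] pw } }.

    RFC 4513 makes a non-empty DN with an empty password an *unauthenticated*
    bind, which servers answer with success (0): an app that only checks the
    result code would log anyone in. Refuse it before it leaves the client.
    """
    if not password:
        raise ValueError("refusing unauthenticated bind: empty password")
    bind = ber_tlv(
        0x60,  # [APPLICATION 0] BindRequest
        ber_int(3)
        + ber_tlv(0x04, dn.encode("utf-8"))          # name: LDAPDN
        + ber_tlv(0x80, password.encode("utf-8")),   # authentication: simple [0]
    )
    return ber_tlv(0x30, ber_int(message_id) + bind)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(response: bytes) -> int:
    """resultCode from LDAPMessage { messageID, BindResponse [APPLICATION 1] }."""
    tag, msg, _ = _read_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)
    tag, bind_resp, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(bind_resp, 0)
    if tag != 0x0A:   # ENUMERATED resultCode
        raise ValueError("malformed BindResponse")
    return int.from_bytes(code, "big")


def ldap_simple_bind(host: str, dn: str, password: str, port: int = 636) -> int:
    """Bind over TLS (ldaps) and return the result code; 0 means success.

    A simple bind carries the password in the clear inside the PDU, so it
    must only cross the wire inside TLS (ldaps, or STARTTLS on port 389).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return bind_result_code(tls.recv(4096))  # a BindResponse is a few dozen bytes


if __name__ == "__main__":
    # Offline demonstration on constructed data (no server needed).
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print("BindRequest:", req.hex())
    ok = bytes.fromhex("300c020101610" "70a010004000400")
    print("resultCode of a constructed success response:", bind_result_code(ok))
```

`ldap_simple_bind` is what the web app or Samba-side check would call; everything else is there so the reader can see exactly what goes on the wire and why the blank-password guard has to live on the client.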

  • Depends on usage (Score:2, Insightful)

    by yoshac (603689)
    Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.
  • by 140Mandak262Jamuna (970587) on Saturday January 17, 2009 @10:44PM (#26502603) Journal
    OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.
  • Mandriva (Score:5, Informative)

    by Anonymous Coward on Saturday January 17, 2009 @10:46PM (#26502623)

    Mandriva Directory Server [mandriva.org] + Pulse 2 [mandriva.org]

    • Re:Mandriva (Score:5, Informative)

      by flydpnkrtn (114575) on Saturday January 17, 2009 @10:56PM (#26502679)

      Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

      "English documentation will soon be available, stay tuned."

      http://pulse2.mandriva.org/wiki/Documentation [mandriva.org]

      • Re: (Score:3, Informative)

        by frenchbedroom (936100)
        I checked out the french docs, and they say that on the client side, you need :
        • an ssh agent, it's the protocol used by Pulse.
        • an inventory agent which will push the software and hardware details of the client to the inventory server

        There's a diagram of the Pulse 2 architecture on page 6 which I'm sure you can understand, the only french words used are actually the same in english (client = client, interface = interface...)

    • by myz24 (256948)

      I've been in the Linux business for a while and I had no idea those two projects existed, thanks

    • Re: (Score:3, Insightful)

      by MikeBabcock (65886)

      You, my friend are why "Ask Slashdot" exists. Those suggesting Samba meanwhile obviously didn't understand the question.

  • SME Server 8 (Score:5, Informative)

    by erroneus (253617) on Saturday January 17, 2009 @10:48PM (#26502639) Homepage

    SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

    SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

    • by Kamokazi (1080091) on Saturday January 17, 2009 @10:53PM (#26502667)

      And did I mention it installs from a single CD?

      Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

      • LOL.... But I remember when installing a full Softlanding Linux distro took about 40 diskettes (or more?)... same for Oracle in SCO.

        • Re: (Score:3, Interesting)

          by Nimey (114278)

          No, but I remember when Debian was only two CDs, and the second wasn't very full.

      • Re: (Score:3, Insightful)

        by grcumb (781340)

        And did I mention it installs from a single CD?

        Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

        Okay, you made a funny. But consider the implications of that single disk:

        • It's a simple, nicely pared-down server. Installs and configures in about 20 minutes.
        • It's a purpose-driven server whose entire architecture is aimed at solving the most common scenario in Small and Medium Enterprises (SME - get it?): The ability to run in a predictable, stable and usable way for years on end without requiring IT staff to support it - that's something whose value should never be underestimated.
        • These design principles
    • Appears to be /.'ed already. :(
    • by Kindaian (577374)

      It had a grave flaw...

      You couldn't install SQL Server on it!

      (at least on the versions i tested)

      • by erroneus (253617)

        SQL Server? It installs with MySQL. What SQL server do you need? Furthermore, it is a server highly integrated and configured for some rather specific purposes. Attempting to use it as a "general purpose linux distribution" would be a mistake... a common one. You have to change the way you think about this particular distro as it is more of an integration of application suite and distro.

        • by Kindaian (577374)

          Microsoft SQL Server...

          SME Server = Windows not Linux... the last time i checked.

          Unless Microsoft now does a Linux distro?

          zZzZzZ

          • "Exceptionally reliable and easy to use, SME Server can be installed and configured in less than 15 minutes - yet it's powered by a secure and open Linux platform that's fully upgradeable and customizable. Simply install it on any standard PC and in minutes you'll have a robust Linux-based server capable of fully replacing those expensive Windows server licenses and providing a full range of services - including e-mail, firewall, file and print-sharing, web hosting, remote access and more. "

            Source: http://w [contribs.org]

        • by Shados (741919)

          Either you're being sarcastic, or you totally missed what SQL Server means in that context. If the latter, I'll give you a hint. The S on Server is a capital letter for a reason.

  • by Pav (4298)

    GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. S

  • Local resources (Score:4, Interesting)

    by James Youngman (3732) <jay.gnu@org> on Saturday January 17, 2009 @10:58PM (#26502689) Homepage

    Try talking to Tim Fletcher at Parrswood.

  • hate to say it... (Score:5, Interesting)

    by johnjones (14274) on Saturday January 17, 2009 @10:58PM (#26502691) Homepage Journal

    but the first thing to do is look at how these have been deployed

    I don't see anyone with production systems on a large domain using anything other than Red Hat Directory or Novell eDirectory

    I see some custom OpenLDAP servers scale really well but thats about it

    so given your choice above I would go for Fedora Directory Server and hack

    if the choice was mine I would spend a little money and get the Novell eDirectory

    regards

    John Jones

    http://www.johnjones.me.uk - email and digital communication [johnjones.me.uk]

    • Re:hate to say it... (Score:5, Informative)

      by Korgan (101803) on Saturday January 17, 2009 @11:26PM (#26502865) Homepage
      I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory make it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.
      • Re:hate to say it... (Score:4, Interesting)

        by Shuntros (1059306) on Sunday January 18, 2009 @04:51AM (#26504389)
        Not even any need for IDM any more... The latest Linux offering, Open Enterprise Server 2 (Support Pack 1) has Domain Services for Windoze. No more Novell Client, no more NCP. The backend is still Linux, NSS and eDirectory, but with full and seamless AD emulation. Administer it with MMC, the lot. The only time you'll realise you're not working on a Windoze server is when you right click on a DC and look at the properties to find it's an OES2 box. Worth looking into...

        Otherwise there are numerous guides on the web as to how one configures Samba to use OpenLDAP as its authentication source, which makes mass admin of users a piece of cake.

        Use the 90 day trial of Novell Identity Manager, plug it into your existing infrastructure and you can even migrate passwords across to your splendid new FOSS solution. Do it right and the lusers won't notice a thing!

        I used to consult on such projects, but eventually gave in, took the money and ascended to management. Kinda miss it sometimes.
    • by jd (1658)

      A "large school near Madchester" (a popular alternative spelling) probably means Manchester Grammar or Stockport Grammar. No college or University would ever lower itself by calling itself a school, Aquinas is small and the comprehensives would never hire anyone smart enough to use Slashdot. I regard the other Grammars with some suspicion as well.

      Manchester Grammar would almost certainly need to use Novell, and Stockport Grammar would be definitely Red Hat territory. Remember, when you get into most of the

  • by dbIII (701233) on Saturday January 17, 2009 @10:58PM (#26502695)
    And there are plenty of other implementations of LDAP around.

    The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain which put it well past the 16bit limit of users - and thus the active directory project started.

  • That depends...... (Score:5, Interesting)

    by ogdenk (712300) on Saturday January 17, 2009 @11:02PM (#26502717)

    I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

    Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

    Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

    In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

    This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

    Students are great at f**king up machines, group policy is almost a must.

    If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

    Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

    • by the_B0fh (208483)

      Didn't Disney pay codeweavers a bunch of money to make photoshop work well under wine?

      • by ogdenk (712300) on Sunday January 18, 2009 @12:21AM (#26503203)

        It works OK for older versions of Photoshop, but if you're going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed every time a new version of Photoshop comes out that uses Win32 calls in a weird fashion.

        A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

        The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

        If you're going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

        Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop is necessary for certain software products, group policy and automated software deployment is a MUST, not a WANT.

        In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

        We HAVE to have Windows desktops. Manageable Group Policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

        If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

      • by tepples (727027)

        Didn't Disney pay codeweavers a bunch of money to make photoshop work well under wine?

        True, Disney funded getting Adobe Photoshop 7 to work in Wine [codeweavers.com] (pdf). But just because PS 7 works doesn't mean later PS works. Besides, Disney also paid U.S. senators a bunch of money to make copyright work well over the human lifespan.

    • Re: (Score:3, Interesting)

      Not to flame at all... but as an administrator, you should be aware that any "group policies" you enforce or enable remotely, such as software installs and restrictions, are pretty easy to get around. Our college's computers were "locked down" pretty hard, using all the official Microsoft-recommended restrictions, yet I (and most people I knew in my computer-related classes) knew of about 4 different ways to install and run software on a school computer pretty much at will. If I needed them for something,
      • Re: (Score:3, Informative)

        Either that college's IT team did not know what they were doing w/ respect to AD + Group Policy, or they had made some concessions (probably due to some software that didn't like running with zero privs). I work at a hospital on the admin team, and we have 3000 users (approx) in AD, and we use Group Policy to control the user experience quite successfully.
  • by Whizzmo2 (654390) on Saturday January 17, 2009 @11:04PM (#26502727)
    Active Directory is mature, well-understood and well-supported. MS will answer the phone at 3:00 am when you call. While FOSS alternatives have come a long way, many are still under heavy active (ha, ha) development.

    Questions you should be asking yourself:
    • Who will maintain this when I'm gone?
    • Does this solution offer 24/7/365 phone support? (If you don't have a phone support contract, MS will usually charge you $250 if the issue is your fault, and $0 if the issue is a bug in their software. (IANA MS rep, YMMV))

    One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)


    --Whizzmo

    • by Kindaian (577374)

      They will answer, if you have a support incident (and incidents do cost $$$$) to use, otherwise you end talking to a wall. ;)

    • DoD uses RHDS (FDS) (Score:4, Interesting)

      by xzvf (924443) on Saturday January 17, 2009 @11:52PM (#26503033)
      I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.
    • Re: (Score:3, Interesting)

      by Zak3056 (69287)

      One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

      In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but relat

      • One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

        In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but related organizations, to do things the "right" way you'd need at least six domain controllers (two for an empty root, then two DCs for each of the production domains.)

        The "empty root" theory was dropped a few years back. It's really not necessary.

        Also, two separate but related organizations need a single domain with two OUs. The ONLY reason to separate into two domains was to have different password policies, and even that reason has gone away with W2K8. You can assign password policies at the group level now.

        So, for any infrastructure that doesn't need DCs at multiple sites, you'd only need two DCs for full local redundancy. You may want to add two more in a separate

        • by Nimey (114278)

          You can assign different password policies (and indeed pretty much any policy) at the OU level with Server 2003. WTF are you talking about?

    • by afabbro (33948)

      Questions you should be asking yourself:

      • Who will maintain this when I'm gone?

      ...which I care about because...?

      • by ozphx (1061292)

        "Yes, Bruce used to work here..."

        "Yup, he was responsible for the 'upgrade'..."

        "Well, no. I'd more describe him as a crazy hippy who tried to save a few thousand bucks by switching all our servers to Linux based on advice he got on some open source message board. Now everything is totally fucked, and we can't find anyone to sort out his mess."

        "Yes, next time we will hire someone who can do their own research."

    • by morgan_greywolf (835522) on Sunday January 18, 2009 @12:31AM (#26503253) Homepage Journal

      Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

      It's not like your only choice for 24x7 support is Microsoft.

  • by wmute (29403) on Saturday January 17, 2009 @11:06PM (#26502741)

    I don't often recommend Sun products with the exception of Solaris but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. Handles multimaster replication between however many nodes flawlessly with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

    Good luck, LDAP is a pain in the ass ;)

  • Samba4 (Score:4, Informative)

    by obi (118631) on Saturday January 17, 2009 @11:16PM (#26502811)
    Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however samba4 includes, among other things:

    * Internal LDAP server, with AD semantics
    * Internal Kerberos server, including PAC support

    You can, but don't have to hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.
  • by La Camiseta (59684) <me@nathanclayton.com> on Saturday January 17, 2009 @11:23PM (#26502847) Homepage Journal

    It may not be opensourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE [sun.com], with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide [sun.com] for synchronizing with AD and there are guides all over the place [linuxjournal.com] regarding authenticating Windows off of LDAP servers.

  • Single computer? (Score:4, Insightful)

    by daybot (911557) * on Saturday January 17, 2009 @11:27PM (#26502873)

    ...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server

    Whichever system you end up using, I strongly discourage building your network around a single server.

    • Seriously. Unless your students only need the computers for unimportant work what are you doing without a backup?

      We have 5 people who use 2 AD servers (Windows 2008). If one goes down the other takes over and starts rebuilding the first. That's not all that expensive. If you have 300 students plus you have teachers who need to grade papers and upload assignments I would hate to see you get fired because you saved $2000 on an extra server.

  • I've run both OpenLDAP and Fedora DS. Both are relatively easy to setup, but I'd give the nod to FedoraDS which is easier to manage and easier to get replication working. FedoraDS also seems to be more compliant, but that was just my impression based on some limited experience with the schemas.

    Getting Windows to authenticate was relatively simple as there are lots of HOWTOs. If you have Linux clients, it's also relatively easy. CentOS/RedHat, for example, just needs a couple changes via system-config-authen

  • by realmolo (574068) on Saturday January 17, 2009 @11:31PM (#26502907)

    I've messed with the so-called "Active Directory replacements". They all suck.

    The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

    Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

    Did I mention this is a bad idea?

    • by Shados (741919) on Saturday January 17, 2009 @11:37PM (#26502951)

      I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

      Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions... so well, to make that work better, they wrote their own "Active Directory" from scratch... it's still running on Windows Server, but it's not an actual Active Directory(tm) kinda thing.

      But yeah, replacing AD for the sake of replacing it is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

      • Re: (Score:3, Insightful)

        by madclicker (827757)
        SBS is wonderful, if you have 5 users on the system. Additional licenses will kill you...., oh yeah, love the Exchange integration and no backup AD controllers. SBS is a crippled pos. One other thing I found to be quite interesting with MS AD servers, how does one manage hundreds of systems being re-prepped or replaced from the AD. I haven't found any good way to manage computers in the AD.
    • by bertok (226922) on Sunday January 18, 2009 @01:05AM (#26503457)

      I can second this.

      The $1,000 cost saving on the license (or possibly less for an educational license) is absolutely NOT worth it. Don't drink the FOSS koolaid, MS Active Directory is stable and scales. I've seen 1 million account domains run fine on a couple of pretty average boxes. Your tiny little education environment will work fine on anything. There are netbooks that could handle the load for a "large" school environment.

      If you MUST have a single physical Linux server (why?), then just run up a MS Windows based AD controller in a virtual machine. Your problems are then solved, and you won't be chasing down bizarre compatibility issues at 7pm on a Friday because some MS patch or Samba patch didn't like each other.

      Not to mention that with ANY domain technology, single servers are just insane. Patching single-server domains is a nightmare, while you can pretty much arbitrarily turn off AD domain controllers at any time if you have two set up correctly. If physical hardware is too expensive, again, virtual machines are your friend.

      Also, as others have pointed out, multiple domains just cause a maintenance headache, and do not add significant security. The access control lists in AD are very fine grained, and allow total lockdown, down to the attribute/object level.

      As a case in point, I've built ASP style AD/Exchange solutions where the client companies could see their own users, global address lists, etc... but weren't even aware of any other clients or users. This is well documented and supported. Lots of Exchange email hosting companies do this, or more paranoid organizations, such as education, where you don't want your students sending emails to staff mailing lists, or calling the hot female teacher's mobile phone at 3 am in the morning.

  • by catmistake (814204) on Saturday January 17, 2009 @11:33PM (#26502913) Journal

    I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 Debian & 15 Winbox, likely OpenLDAP, etc.)

    You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.

  • stick with AD (Score:2, Insightful)

    by jdbausch (1419981)
    Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of for that a smaller organization like yours would move off AD would be to save money on
  • Do you really need AD?

    If you want users to be able to log in to any Windows machine with the same username and password you don't want AD, you want Samba serving as a domain controller. Try not to use LDAP as a backend; it does work, but in small environments it's unneeded hassle.

    If you have applications that require AD it's going to be a lot more work than it's worth faking it. It takes a lot of 30 minute reboots to add up to a solid month or two of getting some other solution to behave right.

    If you have to use

  • Go for Apple's solution and get an OpenLDAP with Samba compatible with AD and it will act both as an LDAP/multi-master KDC and a genuine Windows PDC. It's better than wasting my taxes trying to do it yourself, you'll get support and it can be done in less than half an hour. With EDU discount you get MacOSX Server Unlimited for $499 and you probably have a G4 or G5 somewhere to install it on (that's all it needs), if not get a Mac Mini or an iMac. You could probably drop it in your current installation and m

  • You want to go from 2 servers to 1 server??? AD works and is easy to setup. Add a 3rd newer server to take on whatever demands you think these 2 older servers can't handle. Throw in DFS and you have a reliable fully redundant network that can handle just about anything you want.

    What's the reason for switching? Wanting to get rid of CALs? Problems figuring out AD? I'm just curious because you're talking about investing a TON of salary into redoing the entire network when you possibly don't have to. It would be

  • If this is truly a "large school," basing your network on a single server is such a bad idea it is almost criminal, and implementations like this are what give Windows (and Linux for that matter) a bad name.

    I question why you have separate networks for students and teachers, but that aside, why in the world are you giving your network a single point of failure like this? One of Active Directory's strengths is its ability to use multiple servers to achieve redundancy. Why are you running 2 domains with onl

  • None. (Score:3, Insightful)

    by wasabii (693236) on Sunday January 18, 2009 @03:41AM (#26504095)
    There is no comparable solution. Choosing anything else is a massive disservice to your users and the people responsible. AD is set up by default to work properly. It requires minimal maintenance. It supports multimaster replication, automatically doing nearly everything required. It uses Kerberos. It does your DNS for you. Windows works perfectly with it. Linux sort of works with it with Samba. Your alternatives in the FOSS space are basically setting up FDS or OpenLDAP by hand. That means making the schema by hand. OpenLDAP does not do multimaster replication. You will have to hand configure Kerberos. You will have to manage most maintenance tasks by hand, using tools like some Java LDAP UIs, which expose raw LDAP information to you. You will not have an easy interface to 'create users'. You will have interfaces to edit LDAP databases. FDS is a better LDAP server: but it is STILL JUST AN LDAP SERVER. It does not take care of DNS. It does not do Kerberos. Novell's commercial offerings are the closest: but they are woefully hard to get set up compared to AD, and they cost just about the same.

  • by mritunjai (518932) on Sunday January 18, 2009 @04:51AM (#26504395) Homepage

    1. I hope you understand what you gain and lose by switching.

    2. I have had to endure the pain of selecting from a few LDAP servers a few months back. Just go and download Sun Directory Server Enterprise Edition 6.3 (DSEE). Buy a support contract of whatever level you need. Set it up (takes minutes, the docs are EXCELLENT!) and after that forget it even exists. This baby just works!

  • Big install (Score:4, Informative)

    by nighty5 (615965) on Sunday January 18, 2009 @06:05AM (#26504671)

    I've worked on very large directory deployments.

    10 million user accounts.

    We were using Novell e-Directory for the authority user database and AD downstream via DirXML for compatibility/legacy reasons.

    Remember, Novell basically wrote the book on directory services. Microsoft just copied their implementation.

    You can use ZENworks to store Group Policy objects but it will take much more than a Slashdot article to explain these concepts.

    The beauty of eDirectory is that Novell have agents for basically every platform that is worth a damn, try that natively on Windows.

    When you're dealing with something as critical as a central directory you don't want to mess about. If you have to throw some money at it to ensure some accountability and support then do it. Windows AD works as advertised, but it only works with Windows - you're on your own with anything else.

    There are third-party companies that have written software that bridges the gap to manage UNIX systems, users, applications, policy, which from what I've seen works pretty well.

    At the end of the day it comes down to understanding your environment, budget constraints, support, IT strategy, applications, business/IT partners.

    Oh yeah one more thing, this big install is for an education body.

  • by daveewart (66895) on Sunday January 18, 2009 @07:11AM (#26504961)

    Just to throw what I use into the mix, on a network of ~100 WinXP desktops:

    - Samba - acts as domain controller, triggers login scripts, maps drives etc. System Policy controlled using NTConfig.pol files in the 'netlogon' share, prepared using poledit.exe

    - OpenLDAP - authentication backend for Samba, groups/users for the Samba server (plus many other tasks which are unrelated to desktop usage);

    - WPKG - for software deployment, runs at each boot-up - really nice.

  • by Skrynesaver (994435) on Sunday January 18, 2009 @08:36AM (#26505329) Homepage

    We have implemented a similar project in our local school.

    • Debian server
    • OpenLDAP
    • Samba
    • Edubuntu on the client machines
    • A combination of XP and LTSP to Edubuntu in the computer lab

    OpenLDAP takes a while to configure but it does work eventually. When new students are added to the school DB they are added to the system by a Perl script which generates entries automatically and mails the class tutor with their login details.

    Samba once set up works wonderfully for us.

    Best of luck and hope it works out well for you.

  • We already have this (Score:4, Interesting)

    by jimicus (737525) on Sunday January 18, 2009 @09:30AM (#26505551)

    It can be done, but there are a few things you have to bear in mind:

    1. Lots of existing products (and this is becoming more common as the years go on) expect an AD-backed domain. Samba + (insert name of LDAP server here) currently can only emulate an NT4-type domain. Samba 4 claims to eliminate this issue but the last time I checked it wasn't even in beta. You'd be nuts to implement it in production at this stage. If your employer's been heavily into Windows for some time, don't be too surprised to find you need to replace quite a lot.

    2. Do you have a lot of policies pushed out through AD? (If you're a school, the answer should be "yes". Unless you like making work for yourself...) The closest equivalent is NT4-style policies - which aren't as flexible, don't offer as much, and suitable precooked template files are becoming much harder to find.

    3. Do you use Exchange anywhere? Exchange doesn't have a directory of its own, relying heavily on AD. You'd have to replace it, and while there are lots of projects claiming to replace Exchange, few come anywhere close in the real world. Most of the projects seem to be driven by people who have heard of Exchange and had it described to them, but never actually used it much.

    4. Is your network heavily subnetted? AD doesn't really care about this because it uses DNS to find services it requires (such as the domain controllers). NT-4 type domains use broadcast packets, and can be a dog to get everything working properly where a lot of subnets are involved.

    5. The information stored in AD about who owns and has permissions over which files is stored as unique IDs ("SIDs"). As far as I know, there is no easy pre-cooked way to migrate these SIDs between AD and Samba. So you're going to have to be very careful at replicating this information in your shiny new LDAP-backed system, otherwise who has access to which files is going to be thrown all over the place. If that means one pupil gets read-access to another pupil's work, that's annoying. If that means all the students get write access to a file storing their grades, that goes out annoying and through the other side.

    Basically, if you already have a strong investment in Windows servers and associated licenses, this carries very high risk, will cost an inordinate amount of time and inevitably mean substantial upheaval for your end users. And (assuming you currently have AD running fairly nicely and you do a good job), you'll come out the other side with there being little or no perceivable benefit to anyone else.
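    One way to audit point 5 before cut-over, as an added example that is not part of jimicus's post or of any Samba or AD tool: the script below takes a constructed path/SID dump of the existing file permissions and an LDIF export of the new Samba/LDAP domain, and lists every ACE whose SID the new directory cannot resolve (a SID from another domain, or a RID with no account), which is exactly the case that throws access "all over the place". The dump format, domain SIDs, DNs and paths are all assumptions made up for the example.

```python
# Added example: cross-check the SIDs in a file-permission dump against the
# sambaSID values exported from the new Samba/LDAP domain (formats constructed).
import re

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def domain_prefix(sid: str) -> str:
    return sid.rsplit("-", 1)[0]  # 'S-1-5-21-A-B-C-1104' -> 'S-1-5-21-A-B-C'

def sids_in_ldif(ldif: str) -> dict[str, str]:
    """Map every sambaSID attribute in an LDIF export to its entry's DN."""
    mapping, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("sambaSID: ") and dn:
            mapping[line[10:].strip()] = dn
    return mapping

def check_acl_dump(acl_dump: str, ldif: str, domain_sid: str) -> list[tuple[str, str, str]]:
    """Return (path, sid, reason) for each ACE the new directory cannot resolve."""
    known, problems = sids_in_ldif(ldif), []
    for line in acl_dump.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, sid = line.split("\t")  # constructed path<TAB>SID dump format
        if not SID_RE.fullmatch(sid):
            problems.append((path, sid, "malformed SID"))
        elif domain_prefix(sid) != domain_sid:
            # Well-known SIDs (e.g. S-1-1-0 Everyone) are not accounts: skip them.
            if sid.startswith("S-1-5-21-"):  # a domain SID, but from another domain
                problems.append((path, sid, "SID belongs to another domain"))
        elif sid not in known:
            problems.append((path, sid, "RID has no entry in the directory"))
    return problems

NEW_DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed Samba domain SID
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=Pupils,dc=school,dc=example
sambaSID: S-1-5-21-1111-2222-3333-1104

dn: uid=ajones,ou=Staff,dc=school,dc=example
sambaSID: S-1-5-21-1111-2222-3333-1106
"""
SAMPLE_ACL_DUMP = """\
# path<TAB>SID, one line per ACE (constructed)
/srv/pupils/jsmith\tS-1-5-21-1111-2222-3333-1104
/srv/staff/grades.xls\tS-1-5-21-1111-2222-3333-1106
/srv/staff/grades.xls\tS-1-5-21-4444-5555-6666-1106
/srv/pupils/shared\tS-1-1-0
/srv/pupils/old\tS-1-5-21-1111-2222-3333-1999
"""
```

    Running `check_acl_dump(SAMPLE_ACL_DUMP, SAMPLE_LDIF, NEW_DOMAIN_SID)` flags the stale old-domain ACE on grades.xls and the orphaned RID 1999; the Everyone entry is left alone.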

  • by danboid (300692) on Sunday January 18, 2009 @11:58AM (#26506357)

    Thanks to everyone who has posted ideas, suggestions and comments so far- I've just finished reading them all now- much appreciated and very interesting stuff.

    A few points that I should've mentioned in the original question are that (as most of you correctly assumed being a UK school) nearly all clients are Win XP SP3 with the odd exceptions of a few Vista, Linux and OSX machines. I say migrating to one server but of course that would have a back-up machine- it's just that at the moment we have this crazy configuration of two physically separate networks/domains with their own DCs, switches, ISPs etc- one for students, one for staff. I inherited one helluva crazy mess, indeed! What I mean is that all this is going to be amalgamated into one physical network and one domain, not one server.

    We don't use Exchange so AD/Exchange inter-op isn't a requirement or an issue.

    I was aware of eDirectory but didn't mention that in the question because it's not FOSS- however this has been recommended much more than Sun's solutions and Apache hasn't even had a look in. I don't want to rule Novell out as a possibility as it may just be a better long-term solution than sticking with AD/2003. It would seem FDS/FreeIPA is the only serious FOSS solution available for this right now.

    Of course, AD *should* logically be the easiest one to stick with/'migrate' to but that doesn't necessarily make it the best choice. I think we'd be more than willing to hire a consultant to help transition to an alternative if there were numerous long-term benefits.

    I'm going to have a play with FreeIPA on a small network of test machines or under VirtualBox and see how that goes first I think.
