
Best FOSS Active Directory Alternative?

kdawson posted more than 5 years ago | from the war-stories dept.

Networking 409

danboid writes "I'm an IT technician at a large school near Manchester, England. We currently have two separate networks (one for pupils, one for staff) each with its own Windows Server 2003 Active Directory box handling authentication and storing users' files. We're planning on restructuring the network soon and we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server running an open source OpenLDAP implementation. The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server; but I've been unable to find meaningful comparisons among the three. I'd like to hear which solution Slashdot readers recommend. What is your experience with ease of implementation / maintenance? Any stories of similar (un)successful migrations? Any other tips for an organization wanting to drop AD for a FOSS equivalent?"


Not Samba? (5, Interesting)

Tubal-Cain (1289912) | more than 5 years ago | (#26502573)

The main contenders for this purpose seem to be Fedora Directory Server, OpenDS, and Apache Directory Server

Seeing as you don't even mention Samba, I assume you are trying to avoid drop-in replacements for AD?

Re:Not Samba? (4, Informative)

Anonymous Coward | more than 5 years ago | (#26502629)

And, er, what about OpenLDAP?

Re:Not Samba? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26502643)

The question I have for Obama is this: Who is stimulating the economy? Me, the guy who has provided 14 people good paying jobs and serves over 200,000 people per year with a flourishing business? Or, the single fat colored mammy sitting at home pregnant with her fourth child waiting for her next welfare check?

And as far as FOSS Active Directory alternatives goes, I'm sure B. Hussein Obama doesn't give a rat's ass. For my part, I give FOSS Active Directory alternatives two thumbs up.

Re:Not Samba? (3, Funny)

Anonymous Coward | more than 5 years ago | (#26503047)

And, er, what about OpenLDAP?

Because er.. that was mentioned in the 'Ask Slashdot'.

Re:Not Samba? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26502633)

Hello, and think about your breathing.

Yes that's right, think about your breathing. Why you might ask? Well it's simple!

Your brain usually takes care of breathing for you, but whenever you remember this, you must manually breathe! If you don't you will die.

There are also many variations of this. For example, think about:

Blinking!

Swallowing saliva!

How your feet feel in your socks!

Your parents having hot sweaty sex!

In conclusion, the think about your breathing troll is simply unbeatable. These 4 words can be thrown randomly into article text trolls, into sigs, into anything, and once seen, will force the victim to take care of his breathing manually! This goes far beyond the simple annoying or insulting trolls of yesteryear.

In fact, by even responding to this troll, you are proving that it has claimed another victim -- You!

Re:Not Samba? (1, Interesting)

timmarhy (659436) | more than 5 years ago | (#26502707)

can samba keep up speed wise these days? a few years back we tried to switch an old NT4 file sharing server over to linux/samba; it was for a simple vb6 application which used jet to connect to access db's. samba appeared to have some kind of bottleneck where once you had more than 50 open connections it slowed right down. we tried everything right up to tweaking kernel settings and it was still slower. it wasn't hardware either; the linux system was significantly better resourced than the old nt4 system.

and no, rewriting the application just to suit linux wasn't an option.

Re:Not Samba? (4, Interesting)

digitalunity (19107) | more than 5 years ago | (#26502819)

How many years ago was this? I'll keep my negative comments about VB6 and Jet to myself, but given that this was on NT4, I would imagine your anecdotal experience is from some time ago.

Samba has made tremendous improvements in the last couple of years in a lot of areas.

Re:Not Samba? (1)

timmarhy (659436) | more than 5 years ago | (#26502955)

this was samba 3.0

Re:Not Samba? (5, Informative)

ushering05401 (1086795) | more than 5 years ago | (#26502959)

The parent is trolling or is apparently unaware that MS specifically told people not to use Jet like this.

Here is an MS quote from back before Jet was deprecated.

"While Microsoft Jet is consciously (and continually) updated with many quality, functional, and performance improvements, it was not intended (or architected)... to be used with high-stress, high-concurrency, 24x7 server applications, such as web, commerce, transactional, messaging servers, and so on" (Source: Microsoft KB article Q222135).

So no 24x7 server apps per MS; I wonder what was slowing down the other poster's 50 concurrent connection scenario.

I could never get Jet to work well > 5 concurrent connections.

Re:Not Samba? (0)

Anonymous Coward | more than 5 years ago | (#26502997)

"The parent is trolling" = GP is trolling I assume.

Re:Not Samba? (3, Informative)

timmarhy (659436) | more than 5 years ago | (#26503057)

it's not a troll if it's true, is it?

that vb jet was a piece of shit isn't in debate here, it's the fact samba wouldn't perform on the same level with beefier hardware. it's a little hard to sell samba over windows as a file sharing solution when it doesn't perform as well, and i was questioning if that's been resolved or not. if you choose to think it's a troll, it's not my problem.

Re:Not Samba? (5, Insightful)

ushering05401 (1086795) | more than 5 years ago | (#26503163)

I troll sometimes too, sir. I'm not saying your experience is invalid either, just that it is not valuable in this scenario and therefore a distraction from the real matter at hand.

The problem is that your scenario gives us very little usable information about Samba...

1. Because the people who configured your environment were probably the same people who chose to use Jet in this manner casting doubt on the other implementations.

2. Because there is an obvious bottleneck in Jet that would need to be resolved before anyone would trust the evaluation of a component interacting with the bottleneck.

I'm not picking a fight, just pointing it out. Feel free to call me a troll whenever ;) It is often true.

Re:Not Samba? (0, Troll)

timmarhy (659436) | more than 5 years ago | (#26503209)

i'd say the bottleneck was in samba not in jet, since it worked fine on nt4?

Re:Not Samba? (2, Interesting)

thePowerOfGrayskull (905905) | more than 5 years ago | (#26502885)

I thought Samba stopped at compatibility as a domain controller (Win 2000 style), and did not offer AD features?

Re:Not Samba? (2, Informative)

Curien (267780) | more than 5 years ago | (#26503315)

A Win2K domain controller *is* AD.

Re:Not Samba? (-1, Troll)

larry bagina (561269) | more than 5 years ago | (#26502949)

Probably because they're not racists. Seriously, this is 2009. We're a couple days away from formally confirming a half-black man as President of the United States. Do you really want to use software named after a racist slur?

Re:Not Samba? (0, Redundant)

Anonymous Coward | more than 5 years ago | (#26503065)

Are you for real? Can't tell the difference between Samba (Brazilian music http://example.com/ [example.com] ) and Sambo (a children's book from 1899 http://en.wikipedia.org/wiki/Little_Black_Sambo [wikipedia.org] )?

Re:Not Samba? (1, Insightful)

flyingfsck (986395) | more than 5 years ago | (#26503075)

Huh? What is a racist slur about Samba?

You must have an over active imagination.

Anyhoo, I fail to see why there is such a hullabaloo in the USA about having a coloured prez.

Re:Not Samba? (0, Redundant)

Anonymous Coward | more than 5 years ago | (#26503093)

SambA not SambO.

Samba is a musical style as well as a convenient way of turning SMB protocol into a pronounceable word.

I explain this because I prefer to believe you are not too bright instead of assuming that you are not too bright AND a troll.

!Slur Re:Not Samba? (2, Informative)

Anonymous Coward | more than 5 years ago | (#26503151)

The racial slur is sambo [wikipedia.org] , ends in the letter 'o'.

Samba (ending with the letter a) is the first word in the unix dictionary that had an s, m, & b [wikipedia.org] in it.

Samba itself is a musical genre [wikipedia.org] .

And not Sambo either (4, Informative)

tepples (727027) | more than 5 years ago | (#26503175)

Do you really want to use software named after a racist slur?

No, it's not a direct comparison to the GIMP situation. The slur is Sambo [wikipedia.org] ; the software is Samba [wikipedia.org] . There's a difference. But is there a racial slur against trolls?

Re:Not Samba? (1)

sammy baby (14909) | more than 5 years ago | (#26503341)

You're kidding, right?

Please tell me you're kidding.

Depends on usage (2, Insightful)

yoshac (603689) | more than 5 years ago | (#26502599)

Depends if you are just using it for windows domain services, or if you need to support things like management, federation etc.

Mod parent up. (1)

khasim (1285) | more than 5 years ago | (#26502649)

A comparison is useless to you unless you know what your specific, minimum requirements are.

OK your Discount coupon is ready. (5, Funny)

140Mandak262Jamuna (970587) | more than 5 years ago | (#26502603)

OK buddy, you have done your job and made enough noises about FOSS. Your $large_discount coupon from MSFT is ready and waiting, mention coupon code EGDI. Coupon good for getting all MSFT software for free. Manufacturers Coupon, Never expires.

Mandriva (5, Informative)

Anonymous Coward | more than 5 years ago | (#26502623)

Mandriva Directory Server [mandriva.org] + Pulse 2 [mandriva.org]

Re:Mandriva (4, Informative)

flydpnkrtn (114575) | more than 5 years ago | (#26502679)

Wow MDS and Pulse look pretty cool... but the documentation for Pulse 2 is lacking. For example, one of my first questions would be "Do the Windows machines need to run an 'agent' first for pushing software installs?"

"English documentation will soon be available, stay tuned."

http://pulse2.mandriva.org/wiki/Documentation [mandriva.org]

Re:Mandriva (1)

myz24 (256948) | more than 5 years ago | (#26503237)

I've been in the Linux business for a while and I had no idea those two projects existed, thanks

SME Server 8 (5, Informative)

erroneus (253617) | more than 5 years ago | (#26502639)

SME Server is, by my observation, the best Windows network server distro I have yet seen. While I don't agree with many of the underlying philosophies, I cannot deny the results. It is STABLE. It is usable. It is very maintainable. Installation is brain dead simple.

SME Server 8 is in beta at the moment but I recommend giving it a once-over. It is quite impressive. And did I mention it installs from a single CD?

Re:SME Server 8 (5, Funny)

Kamokazi (1080091) | more than 5 years ago | (#26502667)

And did I mention it installs from a single CD?

Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

Re:SME Server 8 (1)

DiegoBravo (324012) | more than 5 years ago | (#26503037)

LOL.... But I remember when installing a full Softlanding Linux distro took about 40 diskettes (or more?)... same for Oracle in SCO.

Re:SME Server 8 (2, Interesting)

Nimey (114278) | more than 5 years ago | (#26503327)

No, but I remember when Debian was only two CDs, and the second wasn't very full.

Re:SME Server 8 (2, Insightful)

grcumb (781340) | more than 5 years ago | (#26503359)

And did I mention it installs from a single CD?

Impressive. I'm definitely going to use this, as putting in a second disk is just way too much work.

Okay, you made a funny. But consider the implications of that single disk:

  • It's a simple, nicely pared-down server. Installs and configures in about 20 minutes.
  • It's a purpose-driven server whose entire architecture is aimed at solving the most common scenario in Small and Medium Enterprises (SME - get it?): The ability to run in a predictable, stable and usable way for years on end without requiring IT staff to support it - that's something whose value should never be underestimated.
  • These design principles extend throughout the server's architecture. It's got template-driven config file management, a really useful event model for automating complex tasks and a really elegant developer API. And it still fits on a single CD.
  • It's small and simple and yet still has what you want in a small office server. I've never seen the KISS principle more sanely applied than in the SME Server. Nothing gets added without a reason and most everything works the way a Lazy admin would want it to.

Full disclosure: I worked two years for the company that built SME Server. But I went to work for them because I liked the product. 6 years later, I'm still installing and using it on customer sites.

(See my other post below [slashdot.org] for a few caveats about AD. Briefly, LDAP is integrated, but not very tightly. You'll still need to install or build an actual AD solution on top of it to provide what the OP is looking for.)

Re:SME Server 8 (1)

Penguin Follower (576525) | more than 5 years ago | (#26502685)

Appears to be /.'ed already. :(

Re:SME Server 8 (1)

erroneus (253617) | more than 5 years ago | (#26502733)

go to contribs.org

Re:SME Server 8 (1)

Kindaian (577374) | more than 5 years ago | (#26502693)

It had a grave flaw...

You couldn't install SQL Server on it!

(at least on the versions i tested)

Re:SME Server 8 (1)

erroneus (253617) | more than 5 years ago | (#26502767)

SQL Server? It installs with MySQL. What SQL server do you need? Furthermore, it is a server highly integrated and configured for some rather specific purposes. Attempting to use it as a "general purpose linux distribution" would be a mistake... a common one. You have to change the way you think about this particular distro as it is more of an integration of application suite and distro.

Re:SME Server 8 (1)

Kindaian (577374) | more than 5 years ago | (#26502985)

Microsoft SQL Server...

SME Server = Windows not Linux... the last time i checked.

Unless Microsoft now does a Linux distro?

zZzZzZ

Re:SME Server 8 (1)

Washii (925112) | more than 5 years ago | (#26503119)

SME Server = CentOS = Linux not Windows... the last time i checked (Wikipedia).

Re:SME Server 8 (1)

ushering05401 (1086795) | more than 5 years ago | (#26503121)

"Exceptionally reliable and easy to use, SME Server can be installed and configured in less than 15 minutes - yet it's powered by a secure and open Linux platform that's fully upgradeable and customizable. Simply install it on any standard PC and in minutes you'll have a robust Linux-based server capable of fully replacing those expensive Windows server licenses and providing a full range of services - including e-mail, firewall, file and print-sharing, web hosting, remote access and more. "

Source: http://wiki.contribs.org/SME_Server:About [contribs.org]

Re:SME Server 8 (1)

Shados (741919) | more than 5 years ago | (#26503001)

Either you're being sarcastic, or you totally missed what SQL Server means in that context. If the latter, I'll give you a hint. The S on Server is a capital letter for a reason.

Re:SME Server 8 (1)

Raleel (30913) | more than 5 years ago | (#26503183)

I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

Re:SME Server 8 (5, Informative)

grcumb (781340) | more than 5 years ago | (#26503259)

I can second SME server. I've been using it for this role since it was E-Smith many years ago. It's a fantastic little distro for a lot of different reasons. Definitely good stuff.

I worked for e-smith inc. (later purchased by Mitel Networks) on the team that developed for the SME Server distro.

It's magic for small offices, no doubt. I work in developing countries now, and I find it especially useful in places with no in-house IT capacity. I can get file services, email, web and user management up and running in about 45 minutes.

(I'm not going to link to any particular installations, because, well, slashdot has the capacity to swamp our entire nation's bandwidth.)

BUT! SME Server doesn't have a built-in AD capability. It will act as an excellent small network domain controller. Its user and group management is simplicity done right. But that's not Active Directory per se.

If you want an actual AD roll-out, you'll have to layer it on top of the server's existing capabilities. Note that this is not at all impossible - SME Server can run just about everything CentOS runs with little or no fuss or bother.

To sum up - SME Server would be a great platform for schools to build on - it's low-maintenance, robust and simple enough that even a Windows admin can't complain. But you need to roll part of the solution on your own. Of course, you were going to do that anyway. So definitely look at SME Server. 8^)

Fedora Directory Server.. (1)

prometheon123 (835586) | more than 5 years ago | (#26502657)

..because it's the only one that will allow you to migrate from Active Directory. FDS does Active Directory user and group synchronization. I will say that Active Directory is still a pretty darn good LDAP server. However, switching is a good idea simply because you can use FOSS LDAP user self-service tools like http://lam.sourceforge.net/ [sourceforge.net]

GOsa is worth a mention (2, Insightful)

Pav (4298) | more than 5 years ago | (#26502683)

GOsa is worth a look but in my experience is VERY hard to implement. It's a web based LDAP front end that manages posix accounts, Samba, email/groupware, Asterisk, fax, automatic installation (via FAI), DNS, DHCP and much more. I think the target market is large organisations with existing inhouse skills in the base technologies and plenty of man hours. I tried getting this working as a lone generalist, and I only got as far as getting posix, Samba, SOGo (a groupware solution), DHCP and DNS working. Scripts to get something working on Debian Lenny are on sourceforge (I finally found a use for my sourceforge project:) : https://sourceforge.net/projects/wfstt/ [sourceforge.net] .

Re:GOsa is worth a mention (1)

Pav (4298) | more than 5 years ago | (#26502705)

I should also mention those scripts are really documentation that I could run to verify their correctness.

Local resources (3, Interesting)

James Youngman (3732) | more than 5 years ago | (#26502689)

Try talking to Tim Fletcher at Parrswood.

hate to say it... (4, Interesting)

johnjones (14274) | more than 5 years ago | (#26502691)

but the first thing to do is look at how these have been deployed

I don't see anyone with production systems on a large domain using anything other than Red Hat Directory or Novell eDirectory

I see some custom OpenLDAP servers scale really well but that's about it

so given your choice above I would go for Fedora Directory Server and hack

if the choice was mine I would spend a little money and get the Novell eDirectory

regards

John Jones

http://www.johnjones.me.uk - email and digital communication [johnjones.me.uk]

Re:hate to say it... (5, Informative)

Korgan (101803) | more than 5 years ago | (#26502865)

I agree... I had a similar issue at a school a few years back. Windows + Mac clients on the network. Rather than try to run two directories, we just used Novell eDirectory with (then available) Novell dirXML which allowed all the clients to use a single directory without realising they weren't native Active Directory or OpenDirectory platforms they were talking to. It saved a lot of effort down the line and proved extremely scalable. Also had the benefit of allowing the network to integrate other platforms in the future without much effort if the school wanted to. I'm sure there are plenty of great FOSS solutions out there, but eDirectory made it so much easier and reduced the cost of implementation significantly, even taking into account licensing costs. Sometimes you do just have to weigh up all the angles.

Re:hate to say it... (1)

jd (1658) | more than 5 years ago | (#26503069)

A "large school near Madchester" (a popular alternative spelling) probably means Manchester Grammar or Stockport Grammar. No college or University would ever lower itself by calling itself a school, Aquinas is small and the comprehensives would never hire anyone smart enough to use Slashdot. I regard the other Grammars with some suspicion as well.

Manchester Grammar would almost certainly need to use Novell, and Stockport Grammar would be definitely Red Hat territory. Remember, when you get into most of the high-end F/L/OSS stuff, the functionality is almost identical, so what you use is determined more by the colour of the badge than by the product itself.

WTF? AD is an LDAP alternative (2, Interesting)

dbIII (701233) | more than 5 years ago | (#26502695)

And there are plenty of other implementations of LDAP around.

The story goes around that an infamous Australian telecommunications company wanted to put 80,000 people on a single Windows NT domain which put it well past the 16-bit limit of users - and thus the Active Directory project started.

rethink this (0)

Anonymous Coward | more than 5 years ago | (#26502703)

one server? the whole point is to have at least 2 DCs per domain. sounds like you only have one per domain now. So if you lose a server you lose everything.

really there's no reason to have separate ADs for students and staff. A lot of people who didn't really understand AD did this a few years ago, and it was just never a good idea.

If you plan to build one network, great, but you need at least 2 servers.

Re:rethink this (1)

digitalunity (19107) | more than 5 years ago | (#26502837)

If they're sticking with the same hardware, making the second machine they have now a replication or backup solution may already be part of their plan.

That depends...... (5, Interesting)

ogdenk (712300) | more than 5 years ago | (#26502717)

I'm a network admin for a tech college here in the states. We really use the hell out of group policy. We use an AD server for managing the directory and UNIX (FreeBSD mostly) boxes for handling everything else. The UNIX boxes act as member servers in the domain.

Unfortunately there's nothing that really supports things like group policy and the like for Windows but well..... Windows Server.

Samba4 is supposed to change this but it may be a while before it's ready for widespread use.

In a school environment, you really want the Group Policy and automated software deployment features. Unfortunately, due to the closed nature of Windows, Windows Server is the only product capable of pulling off managing windows desktops well. You can hand-create policy files for machines but it's a pain in the ass and hard to maintain in the long run. Samba3 can act like an NT4 PDC if you wanted to do this though.

This is rapidly changing. If I were you, I'd deploy Linux or BSD for everything BUT the directory servers and then migrate when Samba4 is ready for prime time.

Students are great at f**king up machines, group policy is almost a must.

If you don't need centralized management of the desktops themselves, just the users and groups, etc, then there are several solutions that would work well. In a school though, I really recommend either dumping PC's entirely and go with OSX on the desktop and OSX Server or sticking with AD for directory services.

Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen. OSX happens to be a UNIX with good commercial desktop apps that aren't half-assed and it's semi-open.

Re:That depends...... (0)

Anonymous Coward | more than 5 years ago | (#26502977)

Don't even start with the flames. Linux and BSD are awesome but until you can run Photoshop, InDesign, etc. that the syllabi for certain classes call for in a supported fashion, it's NOT going to happen.

what's NOT going to happen? run an active directory alternative?

Re:That depends...... (1)

ogdenk (712300) | more than 5 years ago | (#26503249)

Either eliminating Active Directory or eliminating Windows on the desktop in a school environment, take your pick.

You need the support for either locking down Winders desktops server-side or running decent commercial apps natively on another OS that can be managed by a server client-side.

This is the reality at the moment.

Samba 4 may help change things and allow people to migrate to other good client-side OS's when feasible.

Re:That depends...... (0)

Anonymous Coward | more than 5 years ago | (#26503297)

You suggest eliminating Windows clients and/or servers and replacing them with OS X because some students may use Photoshop or InDesign; no wonder you are a network admin in a school.

Re:That depends...... (1)

ogdenk (712300) | more than 5 years ago | (#26503343)

No, I'm saying if you want to eliminate Windows right now, the best solution at the MOMENT is to use OSX and OSX Server.

If you are patient, you can wait for Samba4 to become mature.

Re:That depends...... (1)

ogdenk (712300) | more than 5 years ago | (#26503357)

And BTW, I took the admin job at a tech school because I got sick of office politics and crap products being shoved down my throat and I can teach tomorrow's network admins to be competent and learn other solutions instead of "the microsoft way".

Grow up. I had over a decade of REAL IT experience before I started teaching. It wasn't as a grunt tech either.

Re:That depends...... (1)

the_B0fh (208483) | more than 5 years ago | (#26502983)

Didn't Disney pay codeweavers a bunch of money to make photoshop work well under wine?

Re:That depends...... (4, Interesting)

ogdenk (712300) | more than 5 years ago | (#26503203)

It works OK for older versions of Photoshop, but if you're going to go through the effort of running Photoshop in a dodgy reimplementation of the Win32 API, why not just run Windows? You'll get screwed every time a new version of Photoshop comes out that uses Win32 calls in a weird fashion.

A better idea would be a massive campaign to promote a port of Photoshop to GTK or QT. Microsoft will make damn sure that Win32 is a moving target if any massive movement to use WINE is successful.

The mac version of Photoshop is the better version IMHO anyway despite the lack of a true 64-bit port due to Adobe's laziness rewriting using Cocoa instead of Carbon. The MDI interface in the Windows version sucks, especially if you use multiple monitors and want to run other applications at the same time.

If you're going to run non-native apps, it's usually better to just say "screw it" and run those apps in the native environment.

Really, I've gone through this fight trying to ditch Windows in an educational environment. You meet stiff resistance from all angles, including the vendors. I've eliminated it where I can but in the end, to ensure a good bullet-proof computing environment where Windows on the desktop is necessary for certain software products, group policy and automated software deployment are a MUST, not a WANT.

In most corporate environments, I've ditched Windows with good success but in a school, things are a bit different. Especially a tech school where our job is to teach people products to get them a job. Our goal is not to "create the thinkers of tomorrow".

We HAVE to have Windows desktops. Manageable Group Policy and automated deployment are not available in other directory environments. You can't easily lock down Windows desktops centrally with other directory environments.

If you have other solutions, prove me wrong so I can use them as ammo to ditch Windows directory servers here. REAL solutions that are as easy to manage for other less-skilled folks I have dealing with daily problems.

Re:That depends...... (1)

tepples (727027) | more than 5 years ago | (#26503243)

Didn't Disney pay codeweavers a bunch of money to make photoshop work well under wine?

True, Disney funded getting Adobe Photoshop 7 to work in Wine [codeweavers.com] (pdf). But just because PS 7 works doesn't mean later PS works. Besides, Disney also paid U.S. senators a bunch of money to make copyright work well over the human lifespan.

Re:That depends...... (1)

narrowhouse (1949) | more than 5 years ago | (#26503195)

You may want to take a look at the pulse2 link from a little earlier in the thread.

http://pulse2.mandriva.org/ [mandriva.org]

Re:That depends...... (2, Interesting)

Jane Q. Public (1010737) | more than 5 years ago | (#26503325)

Not to flame at all... but as an administrator, you should be aware that any "group policies" you enforce or enable remotely, such as software installs and restrictions, are pretty easy to get around. Our college's computers were "locked down" pretty hard, using all the official Microsoft-recommended restrictions, yet I (and most people I knew in my computer-related classes) knew of about 4 different ways to install and run software on a school computer pretty much at will. If I needed them for something, I could log in using my student ID, and install Dreamweaver complete with DRM or just about any other program, like Open Office, in folders on the desktop, in the 5 minutes before class started. I would just run those programs that were capable of running without elaborate installation directly from my thumbdrive. Despite the fact that installation of ANY software, and running ANY programs not on the "official" list, were strictly prohibited via policies. Microsoft "security" is a joke. I am not trying to flame or troll here, just letting you know, honestly. It might have improved a bit over the last couple of years, but I would not bet my shorts on it.

Do you want to play with it, or have it work? (3, Insightful)

Whizzmo2 (654390) | more than 5 years ago | (#26502727)

Active Directory is mature, well-understood and well-supported. MS will answer the phone at 3:00 am when you call. While FOSS alternatives have come a long way, many are still under heavy active (ha, ha) development.

Questions you should be asking yourself:
  • Who will maintain this when I'm gone?
  • Does this solution offer 24/7/365 phone support? (If you don't have a phone support contract, MS will usually charge you $250 if the issue is your fault, and $0 if the issue is a bug in their software. (IANA MS rep, YMMV))

One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain? (There are many other arrangements here that may better fit your needs.)


--Whizzmo

Re:Do you want to play with it, or have it work? (0, Troll)

cratermoon (765155) | more than 5 years ago | (#26502975)

"MS will answer the phone at 3:00 am when you call." So you're saying being able to get some underpaid call center script-reading non-english-speaking drone (no offense to the person who is just trying to make a living) is worth paying money for?

Re:Do you want to play with it, or have it work? (0)

Anonymous Coward | more than 5 years ago | (#26503141)

have you ever called Microsoft support?

Re:Do you want to play with it, or have it work? (1)

/dev/trash (182850) | more than 5 years ago | (#26503143)

yes

Re:Do you want to play with it, or have it work? (1)

Kindaian (577374) | more than 5 years ago | (#26503007)

They will answer, if you have a support incident (and incidents do cost $$$$) to use; otherwise you end up talking to a wall. ;)

Do you want to pound it, or have it work? (1)

Ostracus (1354233) | more than 5 years ago | (#26503097)

How much for the wall?

DoD uses RHDS (FDS) (3, Interesting)

xzvf (924443) | more than 5 years ago | (#26503033)

I've seen RHDS (paid support version of FDS, but basically the same code) scale to millions of users. I've had a clustered pair running on blades handling 250K records easily. AD doesn't scale as well, requires tons of supporting software and locks you in to a funky LDAP-like format. If you want to move from RHDS to Novell, or OpenLDAP or even AD all you have to do is dump to ldif. Try going from AD to anything else without a great deal of pain.

Re:Do you want to play with it, or have it work? (2, Interesting)

Zak3056 (69287) | more than 5 years ago | (#26503079)

One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but related organizations, to do things the "right" way you'd need at least six domain controllers (two for an empty root, then two DCs for each of the production domains.)

Re:Do you want to play with it, or have it work? (1)

agallagh42 (301559) | more than 5 years ago | (#26503291)

One more question: Why not just combine the two AD forests into one tree, with the student account domain as a child domain of the teachers' domain?

In the summary, the poster mentioned wanting to reduce the number of physical servers from two to one. There's no way to do that with active directory (unless you virtualize) because each DC can only handle a single domain. Personally, I think the server count just for DCs is a big problem with the design of active directory. If you had two separate but related organizations, to do things the "right" way you'd need at least six domain controllers (two for an empty root, then two DCs for each of the production domains.)

The "empty root" theory was dropped a few years back. It's really not necessary.

Also, two separate but related organizations need a single domain with two OUs. The ONLY reason to separate into two domains was to have different password policies, and even that reason has gone away with W2K8. You can assign password policies at the group level now.

So, for any infrastructure that doesn't need DCs at multiple sites, you'd only need two DCs for full local redundancy. You may want to add two more in a separate site if you want remote redundancy as well (or just one in each site if money is tight).

You don't really need to start scaling up to more DCs until you get into tens of thousands of users range.

Re:Do you want to play with it, or have it work? (1)

Nimey (114278) | more than 5 years ago | (#26503339)

You can assign different password policies (and indeed pretty much any policy) at the OU level with Server 2003. WTF are you talking about?

Re:Do you want to play with it, or have it work? (0)

Anonymous Coward | more than 5 years ago | (#26503233)

Active Directory is mature, well-understood and well-supported. MS will answer the phone at 3:00 am when you call.

I had cause to be on the phone to them at around 3am after all of Shell's Active Directory controllers went down in a cascade failure last year. Every time they were rebooted they went down again. MS seemed to try their best to help but it still took over a week to resolve the situation. I believe MS charged around 150,000 euros for support on a bug in their software but that cost was nothing compared to having thousands of staff doing nothing for around a week.

If we had open source authentication we could have fixed it within that time, we had the people to rewrite just about anything.

I found it really odd how management canceled all plans to investigate non AD authentication the day after AD became stable again even though they were told a repeat was entirely possible. They went to great lengths to cover everything up and pretend it never happened.

Re:Do you want to play with it, or have it work? (1)

afabbro (33948) | more than 5 years ago | (#26503235)

Questions you should be asking yourself:

  • Who will maintain this when I'm gone?

...which I care about because...?

Re:Do you want to play with it, or have it work? (1)

ozphx (1061292) | more than 5 years ago | (#26503305)

"Yes, Bruce used to work here..."

"Yup, he was responsible for the 'upgrade'..."

"Well, no. I'd more describe him as a crazy hippy who tried to save a few thousand bucks by switching all our servers to Linux based on advice he got on some open source message board. Now everything is totally fucked, and we can't find anyone to sort out his mess."

"Yes, next time we will hire someone who can do their own research."

Re:Do you want to play with it, or have it work? (5, Insightful)

morgan_greywolf (835522) | more than 5 years ago | (#26503253)

Red Hat offers 24x7 support for Red Hat Enterprise Directory. I'm pretty sure Novell has a similar product for SuSE that they offer 24x7 support on.

It's not like your only choice for 24x7 support is Microsoft.

Sun Java System Directory Server (5, Informative)

wmute (29403) | more than 5 years ago | (#26502741)

I don't often recommend Sun products with the exception of Solaris, but Sun Java System Directory Server Enterprise Edition has actually proven to be a very stable solution. I don't believe it's open source, but I believe it is free. There is also an identity synchronization tool that allows you to sync your LDAP to AD servers if needed. It handles multi-master replication between however many nodes flawlessly, with very good performance in my experience. It'll run on Windows, Linux, or of course Solaris.

Good luck, LDAP is a pain in the ass ;)

Re:Sun Java System Directory Server (1)

CAFED00D (1337179) | more than 5 years ago | (#26502941)

I'll second that. I've used this product in its various incarnations over the last 8 or 9 years. It's stable. It's free. It's easy to install. And it has a nice, shiny web interface.

Re:Sun Java System Directory Server (1)

teaDrunk (849107) | more than 5 years ago | (#26502971)

Seconded. (actually thirded, see post below from La Camiseta, right on spot).
Sun Directory Server is good. But really, only if you really want to lose AD.

Re:Sun Java System Directory Server (1)

morgan_greywolf (835522) | more than 5 years ago | (#26503273)

LDAP is only a pain in the ass when you first set it up. Once you get it going, it's far easier than alternatives such as NIS/NIS+. Note that AD is LDAP-based.

A wise directory architect/administrator will plan his schema out carefully first, taking into account all of the possible current and future requirements, including replication and high-availability requirements in addition to the data elements themselves. Only then, after he has buy-in from both management and the user-base, will he begin to implement.

I speak from personal experience.

Samba4 (3, Informative)

obi (118631) | more than 5 years ago | (#26502811)

Maybe not exactly the answer you're looking for, seeing as Samba4 is not out yet; however, Samba4 includes, among other things:

* Internal LDAP server, with AD semantics
* Internal Kerberos server, including PAC support

You can, but don't have to, hook it up to an external LDAP server. You can use MMC consoles to manage it. They're even building real Outlook-compatible Exchange functionality on top of it (see openchange.org). Not that I'd ever want to run Outlook though.

Sun Java System Directory Server (2, Interesting)

La Camiseta (59684) | more than 5 years ago | (#26502847)

It may not be opensourced yet, but Sun has released almost their entire enterprise stack for free for anyone to use, including their DSEE [sun.com] , with unlimited entries. It can synchronize with AD, and they have a good deployment planning guide [sun.com] for synchronizing with AD and there are guides all over the place [linuxjournal.com] regarding authenticating Windows off of LDAP servers.

Active Directory is NOT ldap. (0)

Anonymous Coward | more than 5 years ago | (#26502869)

Active Directory has the following features:

* LDAP directory services
* Kerberos Authentication
* Integrates natively with Exchange
* Integrates natively with Windows clients
* Provides management user interface.
* Provides ways to manage Windows clients remotely through things like Group policy objects.
* etc etc.

OpenLDAP provides LDAP. Ok... what about that? It provides the fucking _protocol_. No management facilities that are worth talking about, no schemas, etc etc.

So if you were to use OpenLDAP as an 'AD alternative' that means you'd have to create 95% of what AD provides out of the box yourself.

NO windows management.
NO user management
NO exchange compatibility
NO nothing.

Just LDAP. Woohoo. That and $1.50 will buy you a candy bar.

The closest you can get to Active Directory using open source software at the moment is:

Samba4 --- which is beta and still provides no management facilities to speak of. Provides user management, tools to implement GPO, Windows-compatible Kerberos and Windows-compatible LDAP services. It is also compatible with Linux systems (of course).

FreeIPA -- which is the community version of Red Hat's IPA. This provides basic Kerberos/LDAP/etc for people that want to move away from using NIS and don't want to go to Windows. It still provides no compatibility or integration with Windows or other popular items.

In other words there is NO equivalent to Active Directory that you can get in the OSS world. You can get bits and pieces and can get them working together to get close to AD, maybe enough to satisfy business requirements if you're lucky, but you're going to put many weeks into deploying something with less functionality than you can get from Active Directory out of the box.

Single computer? (3, Insightful)

daybot (911557) | more than 5 years ago | (#26502873)

...we'd like to be able to replace the two aging AD servers with a single, more powerful Linux server

Whichever system you end up using, I strongly discourage building your network around a single server.

Re:Single computer? (1)

im_thatoneguy (819432) | more than 5 years ago | (#26503197)

Seriously. Unless your students only need the computers for unimportant work what are you doing without a backup?

We have 5 people who use 2 AD servers (Windows 2008). If one goes down the other takes over and starts rebuilding the first. That's not all that expensive. If you have 300 students plus you have teachers who need to grade papers and upload assignments I would hate to see you get fired because you saved $2000 on an extra server.

Fedora DS (1)

digitalhermit (113459) | more than 5 years ago | (#26502897)

I've run both OpenLDAP and Fedora DS. Both are relatively easy to set up, but I'd give the nod to Fedora DS, which is easier to manage and easier to get replication working. Fedora DS also seems to be more compliant, but that was just my impression based on some limited experience with the schemas.

Getting Windows to authenticate was relatively simple as there are lots of HOWTOs. If you have Linux clients, it's also relatively easy. CentOS/RedHat, for example, just needs a couple changes via system-config-authentication. You'll also need to configure things like posix groups and host/service based authentication.
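Two posts in this thread touch the same migration step: xzvf's point above that moving between RHDS, OpenLDAP, Novell or AD comes down to dumping to LDIF, and digitalhermit's note here that POSIX groups and accounts have to be set up for Linux clients. What a practitioner wants before importing such a dump into the new server is a sanity check on it. The script below is an added example, not code from the thread or from any directory product: a small LDIF parser (folded lines and base64 `::` values handled) plus checks that every posixAccount carries the RFC 2307 attributes a Linux client needs, that uidNumbers are unique, that each primary gidNumber has a posixGroup in the dump, and that no userPassword was exported in cleartext. The LDIF sample is constructed and includes one deliberately broken entry so the checks fire.

```python
"""Sanity-check an LDIF dump of POSIX accounts before importing it into a new
directory server.

Added example, not from the Slashdot thread or from any directory product.
Only the Python standard library is used. The attribute names checked (uid,
uidNumber, gidNumber, homeDirectory, userPassword) are the standard RFC 2307
posixAccount ones; the sample data below is constructed.
"""
import base64
import re

# Constructed sample dump: two users and one group. "bob" is deliberately
# broken (duplicate uidNumber, cleartext password) and has a folded line.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
userPassword: {SSHA}c2FsdHNhbHRzYWx0c2FsdHNhbHQ=

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn:: Qm9iIEV4YW1wbGU=
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/b
 ob
userPassword: hunter2

dn: cn=pupils,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: pupils
gidNumber: 10000
memberUid: alice
memberUid: bob
"""

REQUIRED_POSIX_ACCOUNT = ("uid", "uidnumber", "gidnumber", "homedirectory")
# Password values exported with a hash scheme prefix; anything else is
# treated as cleartext for the purpose of this check.
HASHED_PASSWORD = re.compile(r"^\{(SSHA|SHA|CRYPT|MD5|SMD5)\}", re.IGNORECASE)
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF content into a list of (dn, {attr_lowercase: [values]}).

    Folded lines (a newline followed by one space) are joined, "attr:: value"
    is base64-decoded, and comment lines are skipped. Change records
    (changetype:) are out of scope for this check.
    """
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            m = LDIF_LINE.match(line)
            if not m:
                raise ValueError(f"malformed LDIF line: {line!r}")
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without a dn")
        entries.append((dn, attrs))
    return entries


def check_entries(entries):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    uid_owner = {}
    known_gids = set()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixgroup" in classes:
            known_gids.update(attrs.get("gidnumber", []))
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        for name in REQUIRED_POSIX_ACCOUNT:
            if name not in attrs:
                findings.append(f"{dn}: missing required attribute {name}")
        for n in attrs.get("uidnumber", []):
            if n in uid_owner:
                findings.append(f"{dn}: uidNumber {n} already used by {uid_owner[n]}")
            else:
                uid_owner[n] = dn
        for g in attrs.get("gidnumber", []):
            if g not in known_gids:
                findings.append(f"{dn}: primary gidNumber {g} has no posixGroup in this dump")
        for pw in attrs.get("userpassword", []):
            if not HASHED_PASSWORD.match(pw):
                findings.append(f"{dn}: userPassword is not stored with a hash scheme prefix")
    return findings


if __name__ == "__main__":
    for finding in check_entries(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against a real export (for example the output of an `ldapsearch -LLL` over the People and Group subtrees) by reading the file into `parse_ldif` instead of `SAMPLE_LDIF`; the checks are server-agnostic because they only look at RFC 2307 attributes, which is exactly why the LDIF route works across the products named in the thread.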

There isn't an alternative. Next question. (5, Insightful)

realmolo (574068) | more than 5 years ago | (#26502907)

I've messed with the so-called "Active Directory replacements". They all suck.

The fact is, if you are using Windows clients, Active Directory works, it's simple, and you'd be fucking CRAZY to try to use anything else. Save yourself some pain, and blow $1000 (pounds, whatever) on Server 2003 or 2008.

Seriously. You don't want to do this. It's a fucking nightmare to try to support a Windows domain without a real, genuine Microsoft domain controller.

Did I mention this is a bad idea?

Re:There isn't an alternative. Next question. (4, Interesting)

Shados (741919) | more than 5 years ago | (#26502951)

I love Active Directory, but just a little amusing anecdote... The company I'm working for is a 100% Windows shop across the board, has desktops in the 6 figures, yet does NOT use Active Directory...

Their "forests" connect for business reasons to the domains of all of their clients, which makes the machines/accounts in the domain hit the millions... so, well, to make that work better, they wrote their own "Active Directory" from scratch... it's still running on Windows Server, but it's not an actual Active Directory(tm) kinda thing.

But yeah, replacing AD for the sake of replacing it, is retarded. Windows Server isn't even that expensive, and for smaller companies, you can get Small Business Server, which is really, really cheap for what it provides.

Active Directory is Microsoft's best work (4, Insightful)

catmistake (814204) | more than 5 years ago | (#26502913)

I'm not sure I understand the point... I mean I hate Windows as much as the next *nix-lover, but if your network is a slew of Winboxen... why make a headache for yourself? Active Directory is pretty well received, even as a proprietary LDAP implementation... will a FOSS replacement really be worth the cost savings? If most of the machines to be managed are Windows, I'd use AD for them. If it's a mixed network with mostly something else, then I'd attempt to shoehorn the management of the Winboxes with whatever implementation was easiest for the majority of the machines (i.e. if 200 OS X machines & 40 Winbox, I'd use Open Directory... if 90 Debian & 15 Winbox, likely OpenLDAP, etc.)

You don't hate AD as much as you think you do... do what is easiest... if AD is already deployed, it's probably easiest.

TCO (0)

Anonymous Coward | more than 5 years ago | (#26503019)

There are many, many places, where the TCO for FOSS solutions is better than that of the proprietary systems. Domain management services are not one of them; the license costs for domain controllers are much less than the additional labor you'll spend on the FOSS solutions, for anything but large networks (tens of thousands of machines.)

In other news, the comparison of Active Directory to FOSS "directory servers" is misleading at best; LDAP and fileshares are a tiny piece of AD, and one that Microsoft gives away freely for most OSes of theirs. (The LDAP aspect isn't broadly known - the product in question is AD LDS, formerly ADAM; aside from being a little off LDAP standards, it is as efficient and reliable as anything out there.)

I hate to say it, but there's nothing even close to AD; Microsoft justifiably dominates the market here.

Re:TCO (4, Interesting)

erroneus (253617) | more than 5 years ago | (#26503135)

I have set up four installations of SME Server 7.x in the past 8 months into small businesses. I think I have put a collective 24 man hours into keeping those sites up. They stay up... keep going and going and going... and running Linux, I don't have nearly as much to worry about with critical worms running around and the like. Meanwhile, keeping up with my Microsoft AD network keeps my family fed and me employed full time. I am not complaining, I am just saying: if TCO is largely factored by time/labor, SME Server beats Microsoft hands down so far.

Microsoft does not justifiably dominate the market. It simply dominates the way it does with all other things it does. MSIE is the best web browser, I suppose, as evidenced by its dominance as well..?

stick with AD (2, Insightful)

jdbausch (1419981) | more than 5 years ago | (#26503023)

Hate on Microsoft all you want, I do it all the time myself, but AD (and Exchange as well) get the job done, are well supported by Microsoft, and in my experience, worth it. If you weren't running Windows clients, it would be different, but as many people on here have said, the features of AD are hard to replicate. Perhaps you have philosophical open source / free software motives. But the only reason I could think of for a smaller organization like yours to move off AD would be to save money on the license, and especially on CALs. But as a school, don't you get them for damn near free anyway?

FreeIPA (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26503131)

If you're considering Fedora DS, you also might want to look at FreeIPA.

Depends on what you need (1)

1s44c (552956) | more than 5 years ago | (#26503153)

Do you really need AD?

If you want users to be able to log in to any Windows machine with the same username and password you don't want AD, you want Samba serving as a domain controller. Try not to use LDAP as a backend; it does work, but in small environments it's unneeded hassle.

If you have applications that require AD it's going to be a lot more work than it's worth faking it. It takes a lot of 30 minute reboots to add up to a solid month or two of getting some other solution to behave right.

If you have to use AD make sure you have firewalls, virus scanners, and physical security in place for the controller. Absolutely do not let some joker use it as their personal web browsing station.

not free but opensource (1)

guruevi (827432) | more than 5 years ago | (#26503155)

Go for Apple's solution and get an OpenLDAP with Samba compatible with AD, and it will act both as an LDAP/multi-master KDC and a genuine Windows PDC. It's better than wasting my taxes trying to do it yourself; you'll get support and it can be done in less than half an hour. With EDU discount you get Mac OS X Server Unlimited for $499 and you probably have a G4 or G5 somewhere to install it on (that's all it needs); if not, get a Mac Mini or an iMac. You could probably drop it in your current installation and migrate it with minimal interruptions.

Keep AD and buy a 3rd server (1)

bogie (31020) | more than 5 years ago | (#26503171)

You want to go from 2 servers to 1 server??? AD works and is easy to set up. Add a 3rd newer server to take on whatever demands you think these 2 older servers can't handle. Throw in DFS and you have a reliable, fully redundant network that can handle just about anything you want.

What's the reason for switching? Wanting to get rid of CALs? Problems figuring out AD? I'm just curious because you're talking about investing a TON of salary into redoing the entire network when you possibly don't have to. It would be one thing if you or someone on staff had a lot of experience with AD alternatives, but that really doesn't seem to be the case. You're just hoping to find out what might be a good alternative and going to just "figure it out as you go along". That is not a recipe for success. Sorry if I sound harsh, but I've been there and done that, and you don't want to spend 6 months struggling with something you have zero experience with when you can spend a month on something you already know.

If the AD install is truly fucked then I guess keep researching if you want. But otherwise, if you have 2 working, reliable networks, you're making a really big mistake redoing the whole thing just to go FOSS. This goes double if you're 100% Windows on the client side. And trust me, this is coming from someone who has been pushing OSS on the server front for 10 years.

Hire someone that knows what they are doing... (1)

BigDish (636009) | more than 5 years ago | (#26503267)

If this is truly a "large school," basing your network on a single server is such a bad idea it is almost criminal, and implementations like this are what give Windows (and Linux for that matter) a bad name.

I question why you have separate networks for students and teachers, but that aside, why in the world are you giving your network a single point of failure like this? One of Active Directory's strengths is its ability to use multiple servers to achieve redundancy. Why are you running 2 domains with only one DC, and why would you design a new implementation with a single DC/LDAP server/whatever? What happens when that machine has a catastrophic software/hardware problem?

Also, change for the sake of change is a poor idea. If you have a legitimate reason to say that $FOSS_LDAP_SERVER is a better fit for your environment, that's one thing, but by not even considering that AD *MIGHT* be the best fit for your environment, you are doing your employer and clients a disservice.

Hire a consultant or someone that knows what they are doing - regardless of which platform is picked. From the question, it sounds like you don't.
