
Searching for a Directory Service Solution?

Cliff posted more than 9 years ago | from the active-directory-or.... dept.


kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of app. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why." "For me, the choices are stark and clear:

  1. MS Exchange/Active Directory
  2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
For (2) we have evaluated, and are strongly considering, the following: Of course, Samba 4 will address some of this 'cobbling', but we can't wait for that."


Easy. (4, Insightful)

XorNand (517466) | more than 9 years ago | (#13600374)

So, the question seems to be: OSS vs. Microsoft. Am I right? If so, the answer is easy: Which platform do the people who will be managing the stuff have the most experience with? It may be sacrilege to say it here, but if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hassle to go the OSS route.

I forget who said it but "OSS is free like a puppy is free". You need to have the staff to tend to the care and feeding. In the Detroit area at least, Windows guys are a dime a dozen. Competent Windows guys, while a bit more rare, are still easier to find than experienced Linux admins. (Of course, I'm looking at your question from a business consulting standpoint. If you're looking more for a technical recommendation, there's a lot more people here better qualified than me.)

Re:Easy. (4, Insightful)

ndansmith (582590) | more than 9 years ago | (#13600426)

You may be underestimating just how much it actually costs to get a Microsoft enterprise solution off the ground. You have to pay for the Server 2003 software, Exchange, XP Pro (volume), Office, Terminal Services licenses, and don't forget server CALs. Plus, you have to worry about Microsoft "obsoleting" your software via Vista, Longhorn Server, Blackcomb, and beyond; another round of licensing (and by extension of Vista's hardware requirements: another round of hardware updates / replacements).

Sure, it may require a fine tooth comb and/or training to get some qualified Linux guys on board, but I doubt that compares with the expense of purchasing the Microsoft solution.

Re:Easy. (4, Interesting)

XorNand (517466) | more than 9 years ago | (#13600477)

Not really--I myself am an MCSE and run my own consulting company where the majority of my clients run Active Directory. I'm quite aware of the costs. MS includes a license for Outlook when you buy a CAL for Exchange, so that extra expense is negated. OpenOffice also might make a viable office suite for this person, but the question was about directory services. Terminal Services is a non-issue in the same regard.

And it's not as cheap and easy to get quality techies as you might think. Putting your existing staff through a boot camp is only the tip of the iceberg expense-wise, and it's a very inefficient solution.

Re:Easy. (1)

XorNand (517466) | more than 9 years ago | (#13600527)

For the record, I'm also a CNE and greatly prefer NDS to AD. However, it would be wrong of me to recommend to a client that they actually consider a new installation of Netware just because it's technically superior, or worse, just because I like it more.

A lot of techies forget that technical and business interests sometimes conflict. In such cases, business interests always need to be given a greater priority.

Re:Easy. (0)

Anonymous Coward | more than 9 years ago | (#13600614)

MS includes a license for Outlook when you buy a CAL for Exchange, so that extra expense is negated.

When did they start doing this? I noticed at my school they announced the included license only in the last year (for the first time). So, for at least 2-3 years before that we'd been having patrons pay for the Office Suite product in order to use their paid-for-by-the-month Exchange accounts.

Re:Easy. (5, Insightful)

zulux (112259) | more than 9 years ago | (#13600445)

if you've a crew of MCSEs on staff who've never touched Linux, it's going to be more expensive and a bigger hassle to go the OSS route.

MS's newest/latest/greatest has a large learning curve as well. Your old MCSE who knows Windows Domains will have just as much trouble learning Active Directory as he would have learning Samba 3.

I've trained MCSEs in open source technology - about 50% do just fine. The others were paper MCSEs and sucked at Windows too.

Re:Easy. (2, Insightful)

hagrin (896731) | more than 9 years ago | (#13600627)

MS's newest/latest/greatest has a large learning curve as well. Your old MCSE who knows Windows Domains will have just as much trouble learning Active Directory as he would have learning Samba 3.

I've trained MCSEs in open source technology - about 50% do just fine. The others were paper MCSEs and sucked at Windows too.

Ok, so you're saying techies trying the latest and greatest without any training fail more often than the users who received your training in OSS solutions? So, obviously, the parent still remains correct - whatever you are trained better in should be the solution that is adopted. Otherwise, the cost savings you get from OSS may never be reaped as their company experiences downtime, frustration, inexperience and getting the proper training they need.

I think it's fairly clear that with the proper training and proven, qualified individuals that any solution will work if properly implemented and maintained.

Re:Easy. (4, Insightful)

Tadrith (557354) | more than 9 years ago | (#13600753)

This is definitely true. I've found it much easier, if instead of thinking of people as Windows techs, or Linux techs, you simply think of them as techs.

A good tech should not be afraid of discovering and learning any system he or she might put their hands on, because part of being a good tech is learning how to keep your mind open and troubleshoot a problem. It doesn't matter if the problem is Windows, Linux, or a coffee maker -- you use the tools that you have to do the best job you can.

I am a programmer for a living, but I also do double time as a technician. I am just as comfortable configuring Windows Server 2003 as I am with Novell Netware 6.5, or any flavor of Linux. I don't see it as my job, or my passion, to devote myself to one platform. My job is to help people with computers and give them advice on what solution works best for them. Of course, I have a primary area of expertise, but that doesn't stop me from learning on my own.

Re:Easy. (0)

paulproteus (112149) | more than 9 years ago | (#13600800)

I am a programmer for a living, but I also do double time as a technician.
You no-good double-timin' scoundrel!

Re:Easy. (2, Informative)

Daengbo (523424) | more than 9 years ago | (#13600465)

While I agree with you, the K12OS mailing list that I continually lurk on has quite a few inexperienced Linux folks, and the single sign-on issue has basically been solved by one of them. David Trask has put together a script which automates setting up smb-ldap for a PDC, and it's here: http://web.vcs.u52.k12.me.us/linux/smbldap/ [k12.me.us]

As for a groupware solution, I currently use egroupware ( http://egroupware.org/ [egroupware.org] ), which is fairly mature, can authenticate to ldap, and can be used both over the web and through Kontact as a client.

Re:Easy. (1)

j-cloth (862412) | more than 9 years ago | (#13600553)

But why would you use a patched together system in production when a coherent system already exists? The cost of AD/2K3 is made up pretty quickly with the time lost reading mailing lists to find a work around to allow single sign-on.

Re:Easy. (4, Interesting)

killjoe (766577) | more than 9 years ago | (#13600505)

Just be sure to include your long term costs when you are evaluating. You should calculate the costs of integration and upgrades too. MS products don't work well with other companies' products and will inevitably cost you hundreds of man hours if you are ever presented with the problem of integrating non standard MS software with software from other vendors.

As far as admins go, studies have shown that unix admins on average maintain more servers per admin than windows admins. You may be able to do with one unix admin as opposed to two windows admins.

Windows machines as a rule run fewer services per machine than unix machines do. This means more servers, which means more servers to patch, keep up to date, backup, and admin.

Finally, the perennial problem of backups and bare metal recovery. This is trivial in unix but costs thousands if not tens of thousands of dollars for windows.

There is a lot to think about. Just saying "I have used windows XP before so I can maintain an active directory/exchange environment" is plain old stupid.

Re:Easy. (0)

Anonymous Coward | more than 9 years ago | (#13600630)

Why does it even have to be like that? Sun has an LDAP server product as well.

SHUT THE FUCK UP! SHUT THE FUCK UP! SHUT UP! (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13600687)

Did you hear what I said? SHUT THE FUCK UP!

Re:Easy. (3, Insightful)

TedCheshireAcad (311748) | more than 9 years ago | (#13600695)

Parent has a valid point, setting up and administering your OSS solution will take more work. However, you can tailor it better to your needs.

I worked at Major Software Company in the Bay Area (tm), and their LDAP/Kerberos/Jabber/SMTP infrastructure worked very well, but of course, there were armies of admins to make things run smoothly. It was not without hiccups - but most if not all of the hiccups were minor (failed hard drives, etc.) and remedied within 20 minutes.

My vote is for LDAP. You can do so much with it - authenticating users on your web apps is a cinch, directory lookups are easy, it integrates with every piece of mail client software, and it's free. Just my $.02.

Re:Easy. (5, Informative)

sillypixie (696077) | more than 9 years ago | (#13600725)

I think you are missing more than a few options there.

IBM has directory services.

Sun has directory services.

Novell has directory services.

My thoughts:

- the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.

- the Sun/Netscape/iPlanet/SJSDS-whatever-they-call-it-this-second tends to run well directly out-of-the-box without the need for much in the way of expertise, in smaller environments. I would call this directory the de facto standard (although this statement may now be obsoleted by the advance of AD - hard to say). If you are using other SUN infrastructure, or if you are using the Sun Calendaring/Messaging product (which I would recommend as a very solid alternative to MS exchange), this DS is an excellent choice.

- Novell - well if you are a Novell shop, you will use NDS. You will use everything else Novell has. It is sort of like joining a secret cult.

- OSS - I would consider this an advanced option. My suggestion is, if you know nothing about directory services, that you would be better off with something a little more... packaged. I'm sure many here will rabidly disagree with me, but I certainly would consider that choice as risky. A second issue is that many LDAP-enabled products that you may wish to run on top of your directory layer (provisioning, WSSO, etc) only support commercial directory servers.

- Microsoft - well, you're probably going to have to install this one anyways, in order to get a LAN. Although I'm a unix chick at heart, I must admit that I have seen many well-run AD directories. If you aren't already in the UNIX world for any good reason, AD is probably a logical direction. Many many companies have cut their directory services teeth this way. The disadvantage is that your Enterprise Directory is also your NOS, which can be a pain from a licensing perspective, if you want to store authentication-only users as well.

FWIW, hope that helps...

one caveat (1)

HBI (604924) | more than 9 years ago | (#13600843)

AD does not scale well up into the million object range and beyond.

Just trust me on this one. It's intended for the average case, not the huge-ass case. You find limitations on the number of GPOs. You find problems with everything when you start in with huge numbers.

That said, if all you care about is Windows, AD is the easiest of all the options.

En abyme (3, Funny)

timeToy (643583) | more than 9 years ago | (#13600376)

There is no directory service for directories services ?

Perfect directory service solution (0, Funny)

Anonymous Coward | more than 9 years ago | (#13600377)

1. Install Windows XP SP1

2. leave open without a router

3. never patch, and notice people turn your computer into a fileserver solution

4. Profit!!!!!

You want to save money? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#13600388)

Jump on Macs and OS X. A bunch of Mac minis and an Xserve will save you a ton in the long run. The minis only use up 80 watts per machine. Couple them with some inexpensive LCD monitors (I like Acer) and you have a winning combination of security, stability, and economy.

Re:You want to save money? (2, Funny)

Mr. Underbridge (666784) | more than 9 years ago | (#13600416)

Christ on a motorcycle, it doesn't matter what machine he runs, that doesn't solve his problem. Goddamn, at least keep the evangelism moderately relevant.

3. Mac OS X Server (4, Insightful)

dgatwood (11270) | more than 9 years ago | (#13600389)

Considered Open Directory [apple.com] ?

Re:3. Mac OS X Server (0)

Anonymous Coward | more than 9 years ago | (#13600422)

Open directory is (as I understand it) basically openLDAP [openldap.org] with a config file and a nice GUI. Don't get me wrong, GUIs are useful, but if you want to go OSS, cut out the middleman.

Of course since the questioner didn't mention openLDAP to begin with, he's probably better off with a "managed" solution like MS or Apple.

Re:3. Mac OS X Server (3, Insightful)

Penis_Envy (62993) | more than 9 years ago | (#13600576)

The questioner did mention openldap. The advantage of going to the apple solution would be the integration that it would provide, rather than "cobbling" together the solution themselves (as they said themselves.) It's not just the GUI. Then again, it would be one more thing to manage/maintain.

Re:3. Mac OS X Server (0)

Anonymous Coward | more than 9 years ago | (#13600799)

With http://firstclass.com/ [firstclass.com] for group messaging.

Works for an org I know that manages 1000+ staff members...

Other options? (5, Interesting)

MonoNexo (843458) | more than 9 years ago | (#13600398)

Whatever happened to Novell? I used that at the college I attended - web apps, email, directory, remote access, etc. Is this no longer a valid option, or was it just forgotten on the above list?

Re:Other options? (5, Informative)

killjoe (766577) | more than 9 years ago | (#13600525)

It's all still there, it's still viable, it's still better then what MS offers, it's still cheaper then MS.

Just because something doesn't get a lot of press doesn't mean it's gone.

Re:Other options? (0)

Anonymous Coward | more than 9 years ago | (#13600697)

> better then what MS offers, it's still cheaper then MS

I think you mean better than. "Then" means soon after that or following next.

That's what I thought. (4, Informative)

lsommerer (89441) | more than 9 years ago | (#13600530)

That's what I thought when I read the requirements. Netware (or whatever they are calling it now that it runs on Linux) and Groupwise should be all you need.

I don't know about cost. We have their educational license, and that includes Netware and 3 other products (we use Groupwise, ZENworks and iFolder) for less than $3.50 per student. The license covers as many servers as we care to run those products on.

Don't listen to these fools (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13600411)

Go with the Microsoft solution, Linux is written by communists, BSD is written by suckers.

Re:Don't listen to these fools (0)

Anonymous Coward | more than 9 years ago | (#13600450)

Yea...listen to that little red, horned devil on your shoulder. Or you can listen to the force and shun the dark side and the son of Satan.

If you're open to different hardware... (0)

Anonymous Coward | more than 9 years ago | (#13600412)

...check out Kerio Mailserver on Mac OS X Server.

I'm currently evaluating the combination above to see how good a job it will do replacing Windows and Exchange. Looks promising so far, and it supports MAPI-- so end users can use Outlook.

Look at OpenExchange (4, Informative)

adturner (6453) | more than 9 years ago | (#13600420)

It's a standards based (LDAP) mail/groupware app which supports standard SMTP/IMAP clients as well as Outlook/Palm clients (for an additional fee).

Seems competitively priced to Exchange and there's also a free pure OSS version available (although if you want official support and a nice installer, you need to pay for it).

http://www.openexchange.com/ [openexchange.com]

I haven't personally used it, but I've been looking at it as an Exchange alternative (I really really hate exchange) for the small company where I work.

Re:Look at OpenExchange (0)

Anonymous Coward | more than 9 years ago | (#13600475)

Look at the cybozu solution (www.cybozu.com). I have implemented it on Linux and Windows and it does support Outlook.

There is also a very interesting email solution released by Zimbari (www.zimbari.com) which runs on Linux.

Re:Look at OpenExchange (1)

Doc Ruby (173196) | more than 9 years ago | (#13600488)

Open-Xchange uses OpenLDAP by default, though they claim any (standards-compliant) LDAP server can be plugged into it. And there is documentation of people plugging Samba into it, the way a Windows Domain Controller would plug into Active Directory.

The LDAP datastore is kept separate from the rest of the data (which is in Postgres), and I've heard of some problems with "LDAP clients", like Evolution, which can't write Contacts to the server. Which allows those Contacts to get out of sync with Contacts entered through the Web interface. Though perhaps there is a solution from installing OpenLDAP with Postgres as its datastore, and patching the two Contacts DBs together, but that sounds like LDAP wizardry to me. Outlook seems to work without a hitch, using their OX "driver" (which is $ware).

The OX user community is active and lively, collaborative. And OX is a very exciting groupware platform that's just being born. It could use more commercial deployments and the "non-negotiable" specs that developers there would adapt to.

STOP.... (4, Insightful)

ellem (147712) | more than 9 years ago | (#13600424)

just save yourself the trouble

W2K3.

Just shut up, buy it and be done with it. It'll hook up with whatever you're running and it is fine as long as you take the same precautions any decent Sys Admin would.

Re:STOP.... (0)

Anonymous Coward | more than 9 years ago | (#13600452)

it is fine as long as you take the same precautions any decent Sys Admin would

You mean turn on all the services and connect it directly to intarweb?

Re:STOP.... (0)

Anonymous Coward | more than 9 years ago | (#13600618)

You're a moron. Just as you wouldn't hook a Linux/Unix box destined for life as a server directly to the network, you'd not do that with a Windows server, either. You install, download SP1 off of another machine, and apply the SP. Then you attach it behind a firewall, like any other server.

I'm so fucking sick of this mindset on this site ... time to find a real 'news for nerds' site.

Re:STOP.... (1)

master_meio (834537) | more than 9 years ago | (#13600809)

I'm so fucking sick of this mindset on this site ... time to find a real 'news for nerds' site.

Goodbye, and God speed. [google.com]

Re:STOP.... (2, Insightful)

j-cloth (862412) | more than 9 years ago | (#13600485)

You have to use the right tool for the job. In this case there is no directory server that can touch AD. Any other solution is just trying to replicate it.

Exchange, I'm not so sold on, but it works and is well documented enough that you can do most of the things with it that you will want.

Re:STOP.... (3, Interesting)

aaronl (43811) | more than 9 years ago | (#13600628)

Novell with NDS does all that AD does, and a lot more. It is an incredibly well designed directory server, and it existed before AD. The big reason to go with AD is because of group policy; I don't know if NDS has an equivalent to it.

It might still be that W2k3 is the right tool, but please, have your information straight!

Can't touch this! (1)

ink (4325) | more than 9 years ago | (#13600730)

In this case there is no directory server that can touch AD.

Yes, but don't you want your directory server to interoperate with other systems? Isn't that the whole point? I'm half joking, but half serious as well; one of the main gripes I have with AD is the lack of customization that one can perform with it. It's great when you want to integrate it with Microsoft Remote Access or Microsoft SQL Server or any of a dozen other Microsoft products, but try getting it to authenticate against opensource P2PP/PPP (which easily integrates with other LDAP solutions).

Mod parent hilarious (2, Insightful)

Anonymous Coward | more than 9 years ago | (#13600688)

W2K3 ... is fine as long as you take the same precautions any decent Sys Admin would.

Myself being a decent Sysadmin, I can tell you my first priority is always to banish MS products to the extent possible. It takes time, but if you're starting from scratch this is an excellent opportunity to avoid future problems.

Start by NEVER running anything mission critical under MS - especially a directory service.

Continue by banning Internet Explorer companywide, and finish by

Don't get me wrong; MS Windoze does have its strong spots. It is superb for playing games, hosting virus servers, spam drones, and spyware. If you want East European crime gangs to install packet sniffers, keystroke loggers, and Trojan Horses on your network, there is no platform more ideal than Microsoft Windows. But of course these strengths have nothing to do with running a secure business.

Since you probably will have to run MS Office, do a trial run of MS Office under Mac OS X. You'll be quite impressed: You can have MS Office without all the client problems! Who would have believed such a thing could be possible? You may even find that OpenOffice is far more than sufficient.

Deploy OpenOffice far & wide, but keep a couple spare seats of MS Office (for the Mac) on hand "just in case" some executive starts whining about different software, so you can just install it here or there selectively and shut them up. (That's the main purpose for buying MS Office. To shut people up.)

The executives may question issuing Powerbooks for the traveling employees, but they WILL NOT complain when you show them the respective overhead and MIS support estimate numbers and corporate security differences when viruses and so on are all taken into account. Your company will remain freer of viruses when those traveling notebooks get plugged into the internet at hotels, then subsequently carried back to the office and plugged in again. Windows notebooks are one of the most notorious and uncontrollable computer virus vectors for spyware/crimeware.

Re:Mod parent hilarious (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13600741)

You sound like a real authority ...
on what penguin dick tastes like.

There are Other Options (5, Informative)

Anonymous Coward | more than 9 years ago | (#13600439)

Other Options to Consider:

Novell:
Linux Small Business Suite
http://www.novell.com/products/linuxsmallbiz/ [novell.com]
It includes eDirectory, GroupWise for email, SUSE Enterprise Server, Novell ZENworks Linux Management Client

IBM (Lotus)
http://www.lotus.com/lotus/general.nsf/wdocs/nd7content [lotus.com]
You can use Domino as an LDAP server.
Other IBM Software on Linux:
http://www-306.ibm.com/software/os/linux/software/ [ibm.com]
or
http://www-1.ibm.com/linux/matrix/ [ibm.com]

Re:There are Other Options (1)

spazimodo (97579) | more than 9 years ago | (#13600669)

I would second Domino. Exchange is definitely a lot more popular in the SMB space, but I think a pretty compelling argument can be made for Domino.

I (along with one other admin) support around 9000 mailboxes for a F500 on Domino 6.5 on Linux. We still have plenty of time for other projects. Exchange is easier to set up, but Domino is far easier to keep running. (try manipulating messages in an active mail queue in Exchange.)

The major complaint about Domino is the unappealing client. I happen to like it, but then I'm a Lotus fanboi :) (Though I also think that OWA2003 is a much nicer webmail client, in Internet Explorer at least, than DWA6.5) For multiple sites however Domino replication could be a huge benefit since I think the performance is substantially better over slow connections than the equivalent in Exchange/Outlook.

I also suggest looking at IMP/Horde (http://www.horde.org/ [horde.org] ) as a front end for IMAP. I think IMP is a fantastic mail client, and previously while consulting for small and mid size businesses I found that people loved it.

Re:There are Other Options (1)

Khan (19367) | more than 9 years ago | (#13600752)

I also recommend Domino. I have been running a Domino 5x server for 4500 clients for the last 4 years on 1 server (with a 2nd in failover mode). Running and taking care of the server is cake. The Domino Admin. client blows away the Exchange admin. client by a long shot. Every Exchange admin. that sees what I can do via Domino is in awe. The Notes client has gotten better and for a company of 100, it'll be a breeze to manage. And it runs under Linux so you can save on the cost of a Win2K3 server license.

Re:There are Other Options (1)

darqchild (570580) | more than 9 years ago | (#13600729)

Our company tried lotus. It's awful. Active directory is more reliable.

After our experiences with lotus, upper management told us to roll our own.

Still in the process of doing that. The only thing missing is a decent calendar.

Re:There are Other Options (1)

IgorMrBean (528387) | more than 9 years ago | (#13600801)

I would definitively say Novell eDirectory. They have been doing directory services for so many years, and eDirectory is fully cross-platform, full-replication, etc. Linux Small Business is not suitable here, because it is for less than 50 employees.... But an OpenEnterprise [novell.com] server would be good for them. It can run ZENworks 7, and Groupwise 7 (full linux/windows/mac support)

Novell NDS (3, Interesting)

kalibyrn (699826) | more than 9 years ago | (#13600443)

There's also Novell's NDS... That could be your third option perhaps...

Re:Novell NDS (0)

Anonymous Coward | more than 9 years ago | (#13600660)

Novell's server also has its calendar system well integrated for freely available tools in Linux, UNIX, and MacOS, unlike every other commercial grade server.

Oracle *has* one they bought from Stettor, which bought it from Netscape, which got it from etc., etc., etc. The unfortunate result is that "integrating the software into their new business model" is the only thing they've been able to do for the last 3 years or so, and it's thus woefully out of date and has never properly been streamlined or debugged. Installing Oracle to support is a huge burden not suggested for anyone with only 100 users.

Re:Novell NDS (1)

IgorMrBean (528387) | more than 9 years ago | (#13600820)

Precision: NDS (Novell Directory Services) no longer exists. It was part of Netware, and has been separated from its core to become eDirectory [novell.com]. eDirectory runs on Windows, Linux, Netware, Unix, Solaris

Another Consideration (5, Insightful)

joelleo (900926) | more than 9 years ago | (#13600446)

What exactly is the newly merged company doing? Is it supposed to be geeky-cool? Is it doing something totally unrelated to computers or technology? Is the IT infrastructure just a means to an end - users getting their work done?

If the company is trying to do something geeky-cool, you may be best served by using a "cobbled-together" open source architecture. It'll show your boys' and girls' prowess on the console and could be used as a Hercules-on-a-pedestal showcase for your talents.

On the other hand, in either of the other two cases, you're most likely going to be using MS on the desktop and your people aren't going to care that you've implemented OpenLDAP as long as their Word, Excel and Outlook work. In this situation, as has already been noted, you'd probably be best served by implementing Windows Server 2003 + Active Directory. An additional benefit is the expertise is relatively cheap and available, and may already be in-house with your amalgamated IT staff.

Good luck!

Re:Another Consideration (3, Insightful)

benjamindees (441808) | more than 9 years ago | (#13600583)

may already be in-house with your amalgamated IT staff.

Or there very likely isn't an IT staff, amalgamated or not. Three companies that join to form 100 employees, with poor infrastructure, typically means one company of 50 employees and a "Windows admin/something else" and two companies of 25 employees each that paid somebody to set up their networks five years ago and have since just watched it deteriorate.

It sounds like the inquisitor is about to inherit a huge mess without necessarily the skills or resources to deal with it. If that's the case, I'd suggest taking a long-term approach:

1) Decide who will manage the network (this is a full time job),
    A) if it's you, then
          i) choose what you're most comfortable with, else
    B) if it's not you, then
          i) put an ad in the employment section, outlining your requirements in a non-specific way, contact outsourcing firms, and take applications.

You may be surprised at what you get. Linux and Open Source can save a ton of money and hassle long term, especially when implemented from scratch, but you have to know what you're doing. If you don't know or aren't sure, get help. A company of 100 employees can easily justify having two admins, especially when combined with the savings Linux and OSS are capable of.

Re:Another Consideration (4, Interesting)

Penguinshit (591885) | more than 9 years ago | (#13600724)


Cost is definitely a major factor here.

While going the W2K3 route would be easy and very functional, one has to take into account the cost of the eventual [forced] upgrades. A company of 100 folks probably isn't turning a wild profit in terms of real money, and what money there is will undoubtedly get funneled into R&D or advertising or SomethingOtherThanITInfrastructure. This is where the long-term cost savings on a "cobbled" solution will pay off handsomely.

The decision is best made right now.

Re:Another Consideration (2, Interesting)

Penguinshit (591885) | more than 9 years ago | (#13600811)


Troll?

I dare that coward asshat who modded me troll to come out from under his/her rock and prove the honesty of that mod.

I guess that person never heard of the "Software Assurance" program from Microsoft that forces upgrades every two years (with the alternative being a highly-inflated upgrade price whenever one is eventually required to upgrade). Everything else I said comes directly from my decades of personal experience in administering Microsoft and Unix/Linux (as well as Mac) networks.

I've got karma to burn. But leave your bullshit agendas out of the moderation (that goes both ways).

Fedora Directory Server (4, Interesting)

LnxAddct (679316) | more than 9 years ago | (#13600454)

Use Fedora Directory Server or Red Hat Directory Server. It is derived from the acclaimed Netscape Directory Server. It is easy to set up, scalable and *just works*. For groupware just use phpGroupware or something. If all you need is mail access, I recommend Roundcube for the web access; it uses Ajax to give a nice user experience akin to Yahoo or Gmail. Keep an eye on the Hula Project too, it looks like when a release is made it will be real nice.
Regards,
Steve

Roundcube... holy crap Batman, that's awesome! (1)

DamienMcKenna (181101) | more than 9 years ago | (#13600822)

I'd not seen it before but Roundcube is pretty darn nice! Now if only the Horde team would merge in some of its UI...

Damien

Communigate pro (1)

not_sleepy (887090) | more than 9 years ago | (#13600456)

Stalker.com, and read through all the possibilities! It runs on almost anything.

NDS (2, Informative)

discordja (612393) | more than 9 years ago | (#13600470)

I'm sure some /.ers can give you a better view of the quality of Netscape Directory Server but from the rumblings I've heard it's a complete package and it's pretty damned amazing (not to mention it supposedly scales through the roof).

You can check out the documents here [redhat.com]

Re:NDS (1)

tonyr60 (32153) | more than 9 years ago | (#13600591)

Netscape Directory Server is now Sun One Directory Server and it is pretty damned amazing. Performance leaves AD for dead.

Re:NDS (0)

Anonymous Coward | more than 9 years ago | (#13600652)

Not to mention, you can couple it together with the Sun identity server/identity manager.

I help maintain a Sun ONE Directory Server LDAP deployment that has well over 100,000,000 records at the moment. Our solution is integrated with Sun ONE Messaging Server so we provide POP, IMAP and Webmail for our users, too.

It's not cheap, but once you've learned it and paid for it you can do some amazing things with it and it's such a perfectly complete solution that I wouldn't trade it for anything. I can't even think of how much my job would suck using any other directory product right now.

Re:NDS (1)

Penguinshit (591885) | more than 9 years ago | (#13600748)


I, too, can vouch for the Sun ONE Directory Server. I use it to handle authorization for various websites (which also use the Sun ONE applet server) as well as the email security for a couple of start-ups. Postfix and Courier work very well with it.

I one day hope to test the scalability...
:-)

One vote for... (1)

PooR_IndiaN (876413) | more than 9 years ago | (#13600473)


MS Exchange/Active Directory (Cause I'm a Support Tech for AD!)

Re:One vote for... (1)

PooR_IndiaN (876413) | more than 9 years ago | (#13600518)


forgot to type in (FLAMEBAIT)

Novell (5, Informative)

Anonymous Coward | more than 9 years ago | (#13600492)

I don't know what your selection criteria are, but it seems to me that you have another choice: Novell's products. More specifically:
1. Directory Services: eDirectory. It runs on multiple OS platforms such as Windows, Linux, NetWare, Solaris, etc. It is more robust than AD, particularly across WAN links (viz. replication). And of course it is LDAP v3 compliant, so nearly any LDAP client can use it for authentication and authorization.

2. Open Enterprise Server, Linux and NetWare. For hosting your file and print services. You get the best file system out there - NSS - on either platform. Real ACLs and vastly more refined trustee assignment and inherited rights filtering capabilities than any other filesystem.

3. Groupware/Messaging: I am less experienced in the alternative offerings in this category, but I believe that Novell has a decent product in GroupWise 7, which runs on Windows or Linux or NetWare.

Again I don't know what your selection criteria are, but you may have skipped Novell due to lack of awareness...

Cheers.

I know! I know! (1, Funny)

Anonymous Coward | more than 9 years ago | (#13600498)

Pick out one of the most obscure, underdeveloped Linux distros (I suggest shadbix). You want it to be underdeveloped because you are going to port it to some old routers. Next go to SourceForge and look at all the directory services packages, messaging packages, etc. packages. Pick ones with version numbers less than .0.0.0.2. Once you get it all working, leave the confines of your basement and HIRE SOMEONE WHO KNOWS WHAT THEY ARE DOING. If, out of your hundred plus employees, you don't have an admin capable of this, get rid of one or two and get someone who does.

Re:I know! I know! (2, Insightful)

mabhatter654 (561290) | more than 9 years ago | (#13600733)

The whole point is that he wants to learn to be the expert! If everybody on Slashdot knows so much, why is this such a difficult question? This is where the rubber meets the road, folks... if you want to use Linux and OSS professionally, these are the questions that need to be answered by the community.

XAD (5, Informative)

lukehatpadl (818089) | more than 9 years ago | (#13600499)

Try XAD [padl.com] from PADL.

To Windows clients, it acts as an Active Directory domain controller, so it supports Kerberos authentication, group policies, etc. It also includes RFC 2307 support for seamless integration of Linux/UNIX clients.

Duplicate? (0, Troll)

slashname3 (739398) | more than 9 years ago | (#13600501)

Is this a duplicate post? Or was someone else doing their job by asking /.? Seems like a poor way to get a job done.

Wonder if his boss will read his question on /.? Could be a resume generating event......

Re:Duplicate? (1)

Anonymous Crowhead (577505) | more than 9 years ago | (#13600561)

No, Ask Slashdot gets lots of "how do I do my job" posts, for example from yesterday:
How do I implement EDIS?
http://ask.slashdot.org/article.pl?sid=05/09/16/1616221&threshold=-1&tid=215&tid=4 [slashdot.org]

A summary of the answers:
That's silly.
Don't.
Why?
Leave it to the pros.
Quit your job. Seriously.
Overkill for your situation.
Are you kidding me?
It's hard because it's hard.

Sounds like you answered your own question... (1)

nick13245 (681899) | more than 9 years ago | (#13600511)

1. MS Exchange/Active Directory

2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
The choices are actually:

1. MS Exchange/Active Directory - quick, easy, and cheap.
2. Shell out a lot of money for something else.
3. Have a headache "trying" to set up something similar with OSS.

Re:Sounds like you answered your own question... (1, Informative)

Anonymous Coward | more than 9 years ago | (#13600653)

As has been mentioned throughout this topic, look into Novell. Their directory has better pricing, more flexibility, and is more "mature" than AD. Open Enterprise Server can be run on a good amount of hardware and software. Whether you want to go NetWare, Linux (SuSE Enterprise), or Windows, you can run OES on them. GroupWise runs on NetWare and Linux. There is the Win32 GroupWise client in addition to the cross-platform Java-based (I'm fairly sure it is) client which runs on *nix.

The biggest issues with Novell, from what I've seen actually using it, are the lack of a good directory management tool and that the GroupWise client is lacking in the usability department. The latter is changing, mostly due to the recently released GroupWise 7, which adds many features seen in Outlook and the WebAccess version of Outlook to the related GroupWise counterparts: dragging and dropping in the WebAccess, name completion in the WebAccess, and a customizable view in the Win32 rich client. The backend adds things like global sigs and some other behind-the-scenes stuff.

The other bad part, which also affects other Novell products, is the management tools. ConsoleOne is pretty clunky. As of right now, using NetWare 5.1, I use the old nwadmin tool and ConsoleOne. If I were at NetWare 6.5 or any "OES" build I would have to add iManager into the group. iManager is nice because it's web based and I could technically admin the directory from anywhere as long as I had a web browser. But for frequent admin duties, I could see it being cumbersome.

eDirectory is LDAP compliant, while active directory is just LDAP compatible(and not even guaranteed). I see Novell offering a more flexible framework.

The real big issue, is whether you see Novell as a viable solution down the road. I do, assuming they don't go get themselves sold to Sun who will probably screw their whole product line to hell. Beyond that, I have and will continue to like their offerings.

Re:Sounds like you answered your own question... (-1)

Anonymous Coward | more than 9 years ago | (#13600718)

Congratulations! You fail at life.

More specifically for AD/Exchange you're talking upwards of $3000 easy. So there goes cheap. Admins are a dime a dozen you'd think, but most let users run rampant, don't properly configure their networks and just let things go to hell, so there goes easy. And quick, well, good things come to those who wait.

There are MANY good alternative solutions, starting with the Novell product line that are more robust and intuitive, as well as less expensive. If you don't want to use that you can use any of the products now available based on the Netscape Directory Service(There are several, starting with Red Hat's Offering). Or if you are familiar with the other open source offerings there are a plethora of those as well. Just b/c you're a one trick MS pony doesn't mean the rest of us are.

mod Down (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13600520)

Try Solaris (2, Informative)

tonyr60 (32153) | more than 9 years ago | (#13600536)

Download Solaris for free. It includes LDAP plus Samba etc. It includes fairly easy admin tools (for example webmin). The LDAP is first class and integrated fully with the OS and Samba. You can do it all and nothing is "cobbled together".

Re:Try Solaris (1)

DiogoFerreira (844415) | more than 9 years ago | (#13600797)

Yes, Solaris has proved trustworthy over the last few months. (ironic look)

Netscape Directory Server (1)

andydread (758754) | more than 9 years ago | (#13600538)

We used the original Netscape Directory Server for user authentication of 1700 users worldwide for many years on 2 Sun Netra 333MHz boxes. The Netscape code back then was bulletproof. If that code is now free then all hell has broken loose and it's only a matter of time before OSS has a truly free, truly robust all-purpose directory server.

cobbled-together? (5, Informative)

AstroDrabb (534369) | more than 9 years ago | (#13600539)

2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
Well, it sounds like you are an MS-Only type guy with limited experience outside of the proprietary MS-World. There are some excellent solutions that run under Linux. Have you looked at Novell GroupWise [novell.com] ?
Novell GroupWise is a complete collaboration software solution that provides information workers with e-mail, calendaring, instant messaging, task management, and contact and document management functions. The leading alternative to Microsoft Exchange, GroupWise has long been praised by customers and industry watchers for its security and reliability
GroupWise is cross platform, unlike MS Exchange/AD. GroupWise has plenty of free tools to help you along the way like:
  • GroupWise Migration Utility 2.0.1 for Microsoft Exchange
  • GroupWise PDA Connect 1.0 SP1 Multi Lingual
  • GroupWise Import Utility 2.0 for Microsoft Outlook
  • GroupWise Gateway 2.0 for Async Connections
  • GroupWise Gateway 3.0 for Lotus Notes
Just check out Novell [novell.com] to see some of their products (no, I do not work for Novell, I just like some of their products).

Also, there are some really great LDAP/IMAP type solutions you can put together under Linux for zero cost. Obviously this option requires someone more capable than your typical point-n-click "MS-Admin". It would take one employee with the ability to read a book or some docs. Though, I know your typical point-n-click "MS-Admin" wants to be able to just put in a CD and let AUTO-RUN do all the "hard" work for them.

If I personally owned a small company with ~100 employees, I would rather have one talented admin that could handle *nix/Win than 2-3 point-n-click MS "admins". If you added up the salaries, that one guy would cost you less than the 2-3 less capable point-n-click MS "admins". TIJMO (This is just my opinion).

Fedora Directory Server? (4, Informative)

graphicartist82 (462767) | more than 9 years ago | (#13600548)

I've just started to take a look at Fedora Directory Server [redhat.com] . It is very easy to set up and with the GUI manager, it seems about as easy to manage as Microsoft AD.

Why, again? (2, Interesting)

Dunkirk (238653) | more than 9 years ago | (#13600551)

Why are those your "stark and clear" choices? I know, for example, that there are solutions from Novell, SuSE, and Sun, without even thinking about it. Are there more factors involved here than just "we need a directory?" Given a clean sheet of paper, I'd be using eDirectory, since it's completely (according to the marketing papers -- I've never used it) cross-platform.

Why are you asking this? (0, Flamebait)

BHearsum (325814) | more than 9 years ago | (#13600565)

You are obviously inclined to use Microsoft, so use it. You will only bitch if you use Unix.

Bynari / Samba - Win-win scenario (2, Informative)

Kris2k (676294) | more than 9 years ago | (#13600579)

I do some implementation projects for an IBM reseller who does implementations on the iSeries platform, and they push (and I implement as the consultant, go figure) a lot of Samba + Bynari, to the point that I was actually convinced myself and bought myself a few lics for Bynari.

The nice part about Bynari is that they have great support, they are continuously improving their product, and they use open technologies (OpenLDAP/Cyrus/Postfix) so it's easily hackable. The Outlook IMAP connector rocks, and so far, I think it is the only viable product out there if you're on a trim budget.

I haven't tried it yet, but having Bynari and Samba share the same LDAP schema seems to be my next personal project. Maybe even lobby the concept to them ;)

Mixed technologies (1)

lucm (889690) | more than 9 years ago | (#13600600)

If you have a solid VPN link between your sites you could go with Microsoft Small Business Server. In this edition you get Exchange and Windows Server licensing at once, and the GPOs are ok. Also with SBS you can set up Exchange to download POP3 emails from your ISP, so you can use Exchange locally without having to worry about the web front-end.

If you do not have a reliable VPN then you have to come up with a mixed environment. In this scenario not only will you have to master each component, you will also need to learn how they can interact. Quite a learning curve if you don't have hands-on experience.

Finally if you have the big bucks you can always go with Sun software; they have stuff to cover all your possible needs. The Directory Server, included in the JES, is quite impressive.

Why are those your only two choices? (0)

Anonymous Coward | more than 9 years ago | (#13600603)

What's wrong with Novell or Sun/iPlanet/Netscape?

The only problem I could see with either of those solutions (the Sun LDAP server is superior to everything else out there) is that it may be overkill for 100 users.

Novell (2, Informative)

RabidMonkey (30447) | more than 9 years ago | (#13600640)

There's always eDirectory ... it runs on SLES9 now (as of version 7). All the joy of NDS, but it runs under Linux (and Windows, and NetWare if you want).

I'm going to a ZENworks 7 thingy on Wednesday .. if you want more information about running eDirectory under Linux, email me and I'll pass along what I find out.

It's not just about OSS and Windows .. there are other products there. NDS is far superior to AD, so consider it as well.

How do you get email addresses into a directory? (1)

harlows_monkeys (106428) | more than 9 years ago | (#13600643)

I've looked briefly into this, at a much smaller scale--I just wanted something where I can have a centralized email server that receives my home and work email, and allows me to access that mail from home and work, securely, using regular email clients (no webmail).

What puzzled me was how to get information into the directory. Say I receive an email from bob@sub.genius, and he is not in my directory. All the common email clients seem able to consult a directory, such as an LDAP server, but none seemed to have the ability to add to the directory. It appears that you have to use some other program to add, so in this example, I'd have to run some other program, paste in "bob@sub.genius", and tell that program to update the directory.

I have only looked at open source stuff for this. Is this something an MS solution would make easier?

Or did I just miss how to do this with open source email clients and directories?
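The part of the question that is mechanical, getting a new contact into an LDAP directory, comes down to producing an LDIF "add" record and handing it to the server's add tool. The following is an added example, not code from the poster or from any mail client; it builds that record for an inetOrgPerson entry from an e-mail address, applying the RFC 2849 rule that values with non-ASCII bytes, leading or trailing spaces, or leading ':'/'<' must be base64-encoded, and the RFC 4514 escaping rule for the address used in the DN. The base DN `ou=contacts,dc=example,dc=com` is a constructed assumption.

```python
import base64

# Constructed example base DN for address-book entries (an assumption, not from the thread).
CONTACTS_BASE_DN = "ou=contacts,dc=example,dc=com"


def needs_base64(raw: bytes) -> bool:
    """RFC 2849: a value must be base64-encoded when it starts with SPACE, ':' or '<',
    ends with SPACE, or contains NUL, LF, CR or any non-ASCII byte."""
    if not raw:
        return False
    if raw[0] in b" :<" or raw[-1] in b" ":
        return True
    return any(b > 0x7F or b in (0x00, 0x0A, 0x0D) for b in raw)


def ldif_line(attr: str, value: str) -> str:
    """Render one 'attr: value' line, switching to 'attr:: <base64>' when required."""
    raw = value.encode("utf-8")
    if needs_base64(raw):
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 special characters).
    Without this, a '+' or ',' in an address would be parsed as DN structure."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def contact_ldif(email: str, display_name: str = "",
                 base_dn: str = CONTACTS_BASE_DN) -> str:
    """Build a 'changetype: add' LDIF record for an inetOrgPerson contact.

    The result is what you would pipe into `ldapadd -x -D <admin dn> -W` to create the
    entry. The person object class requires both cn and sn, so they are derived from
    the display name, or from the local part of the address when no name is known."""
    local, at, domain = email.partition("@")
    if not (local and at and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    cn = (display_name or local).strip()
    words = cn.split()
    sn = words[-1] if words else local
    dn = f"mail={escape_rdn_value(email)},{base_dn}"
    pairs = [
        ("dn", dn),
        ("changetype", "add"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),
        ("cn", cn),
        ("sn", sn),
        ("mail", email),
    ]
    # RFC 2849 says long lines SHOULD be folded at 76 columns; ldapadd also accepts
    # unfolded lines, so folding is left out here to keep the output readable.
    return "\n".join(ldif_line(a, v) for a, v in pairs) + "\n"


if __name__ == "__main__":
    print(contact_ldif("bob@sub.genius"))
    print(contact_ldif("zoe@example.org", "Zoë Dobbs"))
```

Whatever front end you put on this (a mail client plugin, a script that watches a mailbox), the account it binds as should have write access only to the contacts subtree, so a malformed or hostile address can at worst create a bad contact and cannot touch user or group entries elsewhere in the tree.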

Scalix + OpenLDAP (1)

ink (4325) | more than 9 years ago | (#13600648)

We use Scalix [scalix.com] which authenticates against OpenLDAP. They are a commercial solution, but their software is very open source friendly and their support is very good (including public forums). We also have Tomcat, Apache, PAM, PPP/CHAP (for Remote Access with L2TP/PPTP), OpenSWAN (ipsec), Samba and custom applications authenticating against LDAP. Our centralized directory system is all home-brew, but this also gives us a lot of flexibility (we have 5 different password hashes for various systems!). It's not the easiest route in the short term, but it pays off in the long term. We have bindings for pretty much any language (including shell script via ldapsearch, etc) which offers tremendous flexibility. OpenLDAP is synchronized with a hot-backup, so we have redundancy built-in.
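The post's "5 different password hashes" is the usual consequence of many systems reading one userPassword attribute: each scheme is identified by a `{PREFIX}` on the stored value, and a consumer has to know the layout behind the prefix. As an added example (not the poster's code and not OpenLDAP's own implementation), here is the layout of the common `{SSHA}` scheme, which is `{SSHA}` followed by base64 of the SHA-1 digest of password||salt with the salt appended, plus a verifier that also accepts the unsalted `{SHA}` form. The 8-byte salt length is a local choice for the example; the format allows any length because the salt is simply everything after the 20-byte digest.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Salt length is an assumption made for this example; the {SSHA} layout itself does
# not fix it, since the salt is whatever follows the 20-byte SHA-1 digest.
SALT_LEN = 8


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """Produce an OpenLDAP-style {SSHA} userPassword value:
    '{SSHA}' + base64( SHA1(password || salt) || salt )."""
    if not salt:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str):
    """Split a {SSHA} value into (digest, salt); return None when it is malformed."""
    if not stored.startswith("{SSHA}"):
        return None
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) <= 20:          # must hold a full digest plus at least one salt byte
        return None
    return blob[:20], blob[20:]


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} or {SHA} value.
    Digests are compared in constant time so a near-miss is not observable by timing;
    any other scheme (including cleartext) is refused rather than guessed at."""
    pw = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        parsed = parse_ssha(stored)
        if parsed is None:
            return False
        digest, salt = parsed
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    if stored.startswith("{SHA}"):
        try:
            digest = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except (binascii.Error, ValueError):
            return False
        return hmac.compare_digest(digest, hashlib.sha1(pw).digest())
    return False


if __name__ == "__main__":
    h = ssha_hash("correct horse battery staple")
    print(h, verify_userpassword("correct horse battery staple", h))
```

Two things a practitioner should take from this: the salt only stops precomputed tables, and a single unsalted or salted SHA-1 is still cheap to brute-force offline, so the directory's userPassword attribute needs tight read ACLs (OpenLDAP's default `auth` access for self is the model), and an `{SHA}` value is strictly weaker than `{SSHA}` and worth migrating at the next password change. Where a Kerberos KDC is already in the picture, as the Dolda2000 post below suggests, letting the directory pass authentication through to it avoids storing a password hash in LDAP at all.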

Directory service/groupware (1)

drwelts (760599) | more than 9 years ago | (#13600675)

Simple: FirstClass Server. Centrinity.com. Cross platform, robust, full of features. Inexpensive. Expandable to voice services.

Do you have Windows desktops ? (4, Insightful)

drsmithy (35869) | more than 9 years ago | (#13600677)

If you do, AD is your only realistic choice. Group Policy alone justifies using it.

Added to that, it's not especially difficult getting Unix machines to talk to AD for authentication and other information (it's just LDAP, after all).

It's a hell of a lot easier to integrate and manage a handful of unix machines in a Windows environment than it is to integrate and manage a hundred Windows desktops in a unix environment. IME, that's typically the scenario (unix servers for mail, fileserving, DB, etc and Windows desktops).

Novell's/Suse's SLES 9 (2, Interesting)

mgpeter (132079) | more than 9 years ago | (#13600700)

SuSE Linux Enterprise Server 9 should have everything you need. It sets up and stores just about everything in LDAP. It is extremely easy to configure and maintain. YaST's Email Server module will set up Postfix/Cyrus/IMAP for you; hell, it even installs antivirus and spam filters for you.

If you need to control Windows Clients simply create custom Policies for Microsoft's System Policy Editor (or use mine at my web site).

I have currently replaced 5 Windows Servers with SLES9 and have not had a single problem. IMO it is much easier to maintain/use than anything MS has released in the server department.

Active Directory and Exchange (4, Insightful)

mrscott (548097) | more than 9 years ago | (#13600711)

Before I write, I should say that I'm in no way opposed to open source and use it where appropriate.

If you want something very well supported, not horribly difficult to administer in a simple environment and tried and true, just go with Active Directory and Exchange, especially if your company's focus is on something other than providing unique technology solutions. (i.e. you sell baskets)

While the open source solution might cost less up front, there is nothing in open source land at present that can touch the Exchange/Outlook combination. Sure, there are products such as OpenExchange, but let's assume that you want the option to easily add other services later on, such as true handheld synchronization (i.e. www.good.com).

I know it can be sacrilege on Slashdot to not promote an open source solution every time, but sometimes, the business side of the house is more important than a cool technology solution.

Centrify or Vintela (0)

Anonymous Coward | more than 9 years ago | (#13600713)

You can use ActiveDirectory and then a solution by Centrify [centrify.com] or Vintela [vintela.com] .

eDirectory (1)

CounterZer0 (199086) | more than 9 years ago | (#13600720)

Those all suck, get eDirectory, which rules.
And it runs on linux.  And it's cheap!

Check out Kerio (1)

jcims (316827) | more than 9 years ago | (#13600722)

We've been struggling with the same question for some time.

We just started using Kerio Mailserver for mail, integrated with Active Directory for authentication, and it's been working out great!

Lots of other options (1)

njcajun (588891) | more than 9 years ago | (#13600781)

You might want to check out Fedora (or Red Hat) Directory Server, which I've had some success with. It's not absolute perfection, but it saved me from dealing with OpenLDAP, which is a bit harder to deal with, especially if you're used to easy-to-use GUIs and the like. Novell's eDirectory is also a great solution, and it runs under Linux as well. Truthfully, I'm not using their stuff, but I eval'd some of it, and their groupwise stuff with eDirectory might be just what you need. There have been lots of other good suggestions here, so I'll just throw a "me too" in there for things like Bynari and OpenXchange.

"Cobbled together" (1)

Dolda2000 (759023) | more than 9 years ago | (#13600817)

I don't see why a solution based on OpenLDAP, MIT/Heimdal Kerberos and (if you really need it) Samba would be "cobbled together". Would you mind expanding on that?

As I see it, each of these programs perfectly implements the standard it was designed for, and the directory service you get by combining them is just that: a directory service. It seems to be fulfilling the intended purpose perfectly.

Is the "cobbled-togetherness" a result of them not being shrink-wrapped together into a product with a single name, as all the "professional" directory services are? I'm not intending to troll, but I just can't see any other way they are "cobbled together".

Just go with Exchange / AD (1)

ajv (4061) | more than 9 years ago | (#13600824)

There are some things OSS is good at, and there are some things that Microsoft is good at. Exchange is one of them.

Ask your business what its objectives for the new system are. Keep these in mind when you select products and design a solution.

Now back to solution mode. You can have a minimal three site AD and Exchange system set up in less than a day from bare metal servers. As long as you have adequate bandwidth (about 64 kbit/s will do for minimal acceptable performance for 100 users), it just works. Just add users.

Win2003 AD is fairly robust if you make mistakes with topology design, but honestly, with such a simple setup, just go political structure in OUs in a single domain, single forest AD, with three sites. Exchange will work it out.

Once you have it working, AD and Exchange are very deep products, and it will pay to learn about the zillions of features. But by default, you can set and forget.

No matter which platform or choice, keep up to date with patches and secure lockdowns.

Andrew

Time to boost Apple? (1)

puregen1us (648116) | more than 9 years ago | (#13600845)

I realise Apple is getting a lot of press at the moment, and there is a certain amount of feeling that Slashdot is a publicity machine, but they tend to receive little support at the server end.

Tiger Server actually performs very well, and admin is a cinch. Given that you are starting from scratch you could easily get some Xserves...

Group messaging: Jabber server, built in.
There is Active Directory and Samba support built in.

In fact, just about everything is built in.

If you don't like that solution, just look at the xserves. They're beautiful.

Just a couple of extra cents thrown into Slashdot's fountain.