Integrating Microsoft's AD into Apple's OD?
grag asks: "My workplace has started a migration to a unified authentication system using Microsoft's Active Directory, and Apple's Open Directory. We need to know if it is possible to place a Microsoft Active Directory server underneath a master Open Directory server in the hierarchy. The Microsoft server provides services only to our Accounting Department, and it seems to us that it should integrate to the Mac Server since all of our other departments use the Mac Server. Our network consists of fifty Macs connected to an Xserve running Mac OS X Server 10.3.6 Unlimited Client License. In addition, we have on a separate subnet five Windows boxes connected to a Microsoft Windows 2003 Server with a five-client license. Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?"
Re:Translation (Score:4, Funny)
I am far too wimpy to take the karma hit for this flame
Thanks!
Coward
Re:Translation (Score:5, Insightful)
1) drop Open Directory
2) drop AD, or
3) I welcome our new LDAP overlords
But unfortunately, the parent is lame for posting anonymously so flamebait he obviously is. Had he posted under an account, I would have not jumped to conclusions (damn I need to get my 'Jump to conclusions' mat back from the repair shop) that he was trolling. /end-rambling
Re:Translation (Score:2)
4) In Soviet Russia, Directory Opens you!
Re:Translation (Score:1)
Do you require AD for the Windows boxes (Score:3, Informative)
I ask since some software packages depend on and demand you use AD, but if you have none of that then things like e.g. Samba could be possible alternatives, and might be easier to integrate.
I would hope that you wouldn't have to put the MS stuff at the top, since that would be a bad network design, but it wouldn't surprise me if you end up having to do this.
Re:Do you require AD for the Windows boxes (Score:4, Insightful)
So, if you're not using an application on the PCs that demands AD, then not using AD seems to be the answer.
However, I fear that you do really need AD, since otherwise your question is a bit pointless!
Re:Do you require AD for the Windows boxes (Score:3, Informative)
It would be cool if someone built an authentication/policy interface to OD for Windows though, or made some sort of AD-compatible transport and attribute mode for OpenLDAP.
Am I missing something? (Score:4, Informative)
Re:Am I missing something? (Score:3, Insightful)
Now seriously, parent +5? Propose a non-MS solution, get modded up.
Re:Am I missing something? (Score:1)
Now you have a point about database/application backends but don't assume that I'm trying to spread Anti-MS FUD when I'm only thinking logically. BTW, you can still use Open Directory to manage a Windows server... oops, I logically proposed a non-MS solution again... my bad.
Fifty-Five nodes? (Score:3, Informative)
Sorry for that. Use AD - it is more flexible and will have more applications leverage the directory, as you grow.
Populate the AD with the Apple Schema additions, and migrate your Mac info to AD - ditch OD. For fifty users, the headaches and overhead of directory synchronization are not worth the trouble. Not even the education value is worth the complaints that you will endure on the way, if something goes awry.
When you are huge, you can synch directories with MIIS. This is the cheapest Identity Management solution to play nice with all your parties - but still too much for your scale.
Re:Fifty-Five nodes? (Score:3, Insightful)
Re:Fifty-Five nodes? (Score:4, Informative)
Adding Vintela [vintela.com] or Centrify [centrify.com] to the mix allows you to manage not just sign-on authentication, but fine-grained network and client policy with the native AD controls. This is something OD doesn't come close to.
AD is the second best directory in the world - after NDS. NDS doesn't come close to the level of third-party application and tool support, any longer.
Re:Fifty-Five nodes? (Score:5, Informative)
Re:Fifty-Five nodes? (Score:1)
Active Directory and Open Directory can work quite well together. My servers are set up in the exact opposite way of how you are proposing. My users' accounts reside in AD and I use OD to provide the specific MCX data to the desktops that are not supported by the default AD schema.
Here's a word of advice, *do not* modify your AD schema. Sure, it's LDAP and we all know you should be able to modify your directories to meet your environmental needs, but that's n
Uh, the details are in the link (Score:5, Informative)
"The Open Directory architecture makes it easy to integrate Mac OS X client and server systems into your existing network infrastructure. It's compatible with other standards-based LDAP servers, and can even plug into environments that use proprietary services such as Microsoft's Active Directory"
So it looks pretty straightforward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.
I'd start by checking the white papers on that Apple page. Then browse through the Apple knowledge base. Then use groups.google.com to see what other people are saying about it.
Vice Versa [Re:Uh, the details are in the link] (Score:2, Insightful)
Re:Uh, the details are in the link (Score:5, Informative)
So it looks pretty straightforward. If Apple says it can be done, chances are: (1) they've done it, (2) they've got documentation telling you how to do it, (3) it is possible.
I agree with (1) and (3), but (2) is nowhere close. Apple has done it, and it is possible, but the documentation is somewhat lacking. There are several gotchas to worry about (especially if you're doing stuff like roaming profiles on the windows boxes). If you read the Apple documentation, it makes it look like 30 minutes of work. In reality, a full integration like what the poster is looking for is several days of time...
Also, it should be noted that integrating windows with OD can only be done as an NT4-style domain; the OD server can't masquerade as an AD server. I think the submitter understands this, which is why they're trying to integrate a whole AD server into the Mac setup. Running the Mac for everything just won't work if you need true AD (which I assume they do).
Most of the OD/AD integration I've heard of has the OD taking orders from AD. This is mainly due to the fact that AD is proprietary crap that hasn't been reverse-engineered yet, so the easiest way to go is to slave off of it, rather than try to get MS to play nice with your open, standards-compliant system. Of course, this is exactly what MS wants (embrace and extend!), but until the Samba team gets enough donations to hack the AD protocols, that's probably the only option.
Re:Uh, the details are in the link (Score:2)
Don't read only lame M$ bashing (Score:5, Funny)
BOFH style
from the 4th floor
on the car of your boss.
Re:Don't read only lame M$ bashing (Score:1, Flamebait)
Yet so cathartic. Thanks.
twice. (Score:1)
Obvious answer (Score:5, Funny)
Phone up Bill Gates and say "Yeah, Bill? You know all that talk about interoperability? Where is it?"
Check Apple's Docs (Score:5, Informative)
One section says this: "Users whose information can be managed most easily on a server should be defined in the shared LDAP directory of a Mac OS X Server that is an Open Directory master. Some of these users may instead be defined in directory domains on other servers, such as an Active Directory domain on a Windows server."
Re:Check Apple's Docs (Score:2, Funny)
other sources (Score:5, Insightful)
Should I pursue this question or give up and place the Microsoft Server at the top of the hierarchy?
While interesting, I would suggest that you look at Apple centric boards for resolution of this kind of question. How many Slashdotters know or care? Here's some examples:
You might also consider a Server Support agreement [apple.com] from Apple; they can help with this kind of integration. Sure, it costs; but then you didn't think that we'd do your job for you either, right? And I believe that you could get this kind of support for the cheapest plan: $5995, and even have a few more calls left over for the rest of the year.
Re:other sources (Score:3, Informative)
Beyond the Directory integration, you need to build a Kerberos domain for absolutely seamless authentication and 100% verifiable identity. The best thing is, once you have it up and running you have single sign on as well.
Apple, Sun, and Microsoft sell "Integration tools" that do this halfway, but the
Re:other sources (Score:1)
AFP548.com (Score:5, Informative)
Don't ask Slashdot... (Score:5, Informative)
Most likely it can be done but it is a pretty complex request so it *will* come down to money--either paying someone to come in and do it, or paying to train someone in-house to take care of it. Unlike something relatively simple and common, like setting up Apache, when you get this far into things there aren't a lot of tutorials on the web. Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button. Complicated shit like this is... complicated. You'll probably have to pay, one way or another. Start here: http://train.apple.com/
Actually, even better... (Score:1, Insightful)
Re:Don't ask Slashdot... (Score:3, Informative)
Despite what Apple and MS imply, there is no flashing "Click me to integrate everything" button
Funny that you should say that, because apparently in Tiger Server there is [apple.com]:
Home Server Setup -- Anyone Can Do It
Perfect for small offices and home offices, the new Gateway Setup Utility in Tiger Server makes it easy for anyone to set up her own Internet Gateway, Firewall and VPN. Simply connect a network cable from your server to your DSL or cable modem and another cable from your network to your server. Whe
Re:Don't ask Slashdot... (Score:1)
Do ask Slashdot... (Score:2)
because there is more than one way to skin a cat. Plain and simple, the companies have their best interest at heart. That means more sales. They may have a solution that works just so-so or even does not work; yet, they sell you the solution.
By asking here, everybody learns (or at least gets to be modded as funny or troll/flamebait for being asses).
Apple's IT Pro page (Score:5, Informative)
Sort of Apple's equivalent of Microsoft's TechNet page.
I'm not sure if it will help you with your particular issue, but it's bookmark-worthy for any Macintosh network systems administrator.
Re:Apple's IT Pro page (Score:5, Informative)
Re:Apple's IT Pro page (Score:1)
There is a sidebar pointing to another whitepaper:
http://www.afp548.com/filemgmt/viewcat.php?cid=8 [afp548.com]
But it too seems to deal with AD as root: "A detailed overview of how to integrate OS X clients into an Active Directory environment while still retaining the ability to manage the clients with the OS X Server tools."
cross-realm (Score:2, Informative)
http://www.4am-media.com/sso [4am-media.com]
Also find quite a bit of good data here:
http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html [macdevcenter.com]
A good idea is to take Apple's Directory Services class http://train.apple.com/ [train.apple.com]. The author of the above articles taught ours (and wrote part of the class).
OpenDirectory has known show-stopper bugs (Score:5, Interesting)
The irony is that OpenDirectory is awesome! We should be actively porting the architecture to Linux. The problems I've described above are not inherent design flaws, but rather specific Apple implementation bugs on OS X. I know on Linux this stuff would work wonderfully. OpenLDAP forms a key component of this architecture but it's only the authorization component. OpenDirectory provides a unified SASL/Kerberos password store that does authentication in a unified way (and syncs passwords for Samba, MD5, etc.).
Given this discouraging situation, I'd stick to Active Directory if I were you for now.
Re:OpenDirectory has known show-stopper bugs (Score:2)
Re:OpenDirectory has known show-stopper bugs (Score:3, Informative)
So far, sadly, Apple indeed uses open source components and release much of their source, but they are not open in most senses of the word. There are no
Single Sign on Using AD (Score:2, Informative)
http://www.redmondmag.com/columns/article.asp?Edi
This may help someone out there.
Cheers,
Wustoff!
Take the Directory Services course (Score:5, Informative)
http://train.apple.com/static/users/it.html [apple.com]
Re:Take the Directory Services course (Score:2)
I agree, the course is well worth doing and it's the only way of getting good documentation from Apple in this area. There is a section on cross-realm Kerberos authentication which is what you are looking at here.
We run a large AD (~70,000 users and ~20,000 computers) and many of the university's departments have configured X.3 clients to authenticate against the AD.
I've documented how to authenticate a X.3 client against an AD [unimelb.edu.au] as well as how to use an AD for authentication and an OD server to manage [unimelb.edu.au]
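The cross-realm Kerberos setup mentioned in this post and in the "Re:other sources" reply above comes down to each side's KDC knowing about the other realm. Below is an added example of the client-side krb5.conf for that arrangement; it is not from the original thread or from Apple's course material, and the realm names OD.EXAMPLE.COM / AD.EXAMPLE.COM and the host names are assumed placeholders.

```ini
# Added example, not part of the original thread. Realm and host names are
# placeholders: the OD master issues tickets for OD.EXAMPLE.COM, the Windows
# domain controller is the KDC for AD.EXAMPLE.COM.
[libdefaults]
    default_realm = OD.EXAMPLE.COM
    dns_lookup_kdc = true
    forwardable = true

[realms]
    OD.EXAMPLE.COM = {
        kdc = odmaster.example.com
        admin_server = odmaster.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        admin_server = dc1.ad.example.com
    }

# Map host names to realms so a client can tell which KDC owns a service.
[domain_realm]
    .example.com = OD.EXAMPLE.COM
    example.com = OD.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM
    ad.example.com = AD.EXAMPLE.COM

# "." means a direct path: no intermediate realm between the two.
[capaths]
    OD.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
    AD.EXAMPLE.COM = {
        OD.EXAMPLE.COM = .
    }
```

The file only tells clients how to route; the trust itself exists once both KDCs hold the shared cross-realm principals (krbtgt/AD.EXAMPLE.COM@OD.EXAMPLE.COM and krbtgt/OD.EXAMPLE.COM@AD.EXAMPLE.COM) with identical keys, which on the Windows side is created as a realm trust and on the OD side with kadmin. Keep the two realms' clocks in sync and expect failures to show up as clock-skew or "server not found in Kerberos database" errors before anything else.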
start where i did (Score:2)
and AFP548.com [afp548.com] - run by the guy i took OS X server classes from.