Searching for a Directory Service Solution?

kumulan wonders: "I've got the responsibility to set up directory services as well as a messaging/groupware system for my organization of approx. 100 employees spread out over three locations. We are a startup that is merging three existing smaller companies and, given the state of existing IS infrastructure at each of these locations, the decision has already been made that we are better off starting from scratch. It would be great to hear from Slashdot readers concerning which option is 'better' and why."
"For me, the choices are stark and clear:
  1. MS Exchange/Active Directory
  2. A cobbled-together solution based as much as possible on OSS (as no direct equivalent exists).
For (2) we have evaluated, and are strongly considering, the following: Of course, Samba 4 will address some of this 'cobbling', but we can't wait for that."
  • Other options? (Score:5, Interesting)

    by MonoNexo ( 843458 ) * on Monday September 19, 2005 @08:37PM (#13600398)
    Whatever happened to Novell? I used that at the college I attended - web apps, email, directory, remote access, etc. Is this no longer a valid option, or was it just forgotten on the above list?
  • Novell NDS (Score:3, Interesting)

    by kalibyrn ( 699826 ) on Monday September 19, 2005 @08:43PM (#13600443)
    There's also Novell's NDS... That could be your third option perhaps...
  • by LnxAddct ( 679316 ) <sgk25@drexel.edu> on Monday September 19, 2005 @08:44PM (#13600454)
    Use Fedora Directory Server or Red Hat Directory server. It is derived from the acclaimed Netscape Directory Server. It is easy to set up, scalable and *just works*. For groupware just use phpGroupware or something. If all you need is mail access, I recommend Roundcube for the web access, it uses Ajax to give a nice user experience akin to Yahoo or Gmail. Keep an eye on the Hula Project too, it looks like when a release is made it will be real nice.
    Regards,
    Steve
  • Re:Easy. (Score:5, Interesting)

    by XorNand ( 517466 ) * on Monday September 19, 2005 @08:50PM (#13600477)
    Not really--I myself am an MCSE and run my own consulting company where the majority of my clients run Active Directory. I'm quite aware of the costs. MS includes a license for Outlook when you buy a CAL for Exchange, so that extra expense is negated. OpenOffice also might make a viable office suite for this person, but the question was about directory services. Terminal Services is a non-issue in the same regard.

    And it's not as cheap and easy to get quality techies as you might think. Putting your existing staff through a boot camp is only the tip of the iceberg expense-wise, and it's a very inefficient solution.
  • Re:Easy. (Score:5, Interesting)

    by killjoe ( 766577 ) on Monday September 19, 2005 @08:55PM (#13600505)
    Just be sure to include your long term costs when you are evaluating. You should calculate the costs of integration and upgrades too. MS products don't work well with other companies' products and will inevitably cost you hundreds of man hours if you are ever presented with the problem of integrating non standard MS software with software from other vendors.

    As far as admins go, studies have shown that Unix admins on average maintain more servers per admin than Windows admins. You may be able to do with one Unix admin as opposed to two Windows admins.

    Windows machines as a rule run less services per machine than Unix machines do. This means more servers, which means more servers to patch, keep up to date, back up, and admin.

    Finally, the perennial problem of backups and bare metal recovery. This is trivial in Unix but costs thousands if not tens of thousands of dollars for Windows.

    There is a lot to think about. Just saying I have used Windows XP before so I can maintain an Active Directory/Exchange environment is plain old stupid.
  • Why, again? (Score:3, Interesting)

    by Dunkirk ( 238653 ) <david&davidkrider,com> on Monday September 19, 2005 @09:03PM (#13600551) Homepage
    Why are those your "stark and clear" choices? I know, for example, that there are solutions from Novell, SuSE, and Sun, without even thinking about it. Are there more factors involved here than just "we need a directory?" Given a clean sheet of paper, I'd be using eDirectory, since it's completely (according to the marketing papers -- I've never used it) cross-platform.
  • Re:STOP.... (Score:4, Interesting)

    by aaronl ( 43811 ) on Monday September 19, 2005 @09:17PM (#13600628) Homepage
    Novell with NDS does all that AD does, and a lot more. It is an incredibly well designed directory server, and it existed before AD. The big reason to go with AD is because of group policy; I don't know if NDS has an equivalent to it.

    It might still be that W2k3 is the right tool, but please, have your information straight!
  • by mgpeter ( 132079 ) on Monday September 19, 2005 @09:34PM (#13600700) Homepage
    Suse Linux Enterprise Linux 9 should have everything you need. It sets up and stores just about everything in LDAP. It is extremely easy to configure and maintain. Yast's Email Server module will set up Postfix/Cyrus/IMAP for you, hell it even installs Antivirus and Spam filters for you.

    If you need to control Windows Clients simply create custom Policies for Microsoft's System Policy Editor (or use mine at my web site).

    I have currently replaced 5 Windows Servers with SLES9 and have not had a single problem. IMO it is much easier to maintain/use than anything MS has released in the server department.
  • by Penguinshit ( 591885 ) on Monday September 19, 2005 @09:38PM (#13600724) Homepage Journal

    Cost is definitely a major factor here.

    While going the W2K3 route would be easy and very functional, one has to take into account the cost of the eventual [forced] upgrades. A company of 100 folks probably isn't turning a wild profit in terms of real money, and what money there is will undoubtedly get funneled into R&D or advertising or SomethingOtherThanITInfrastructure. This is where the long-term cost savings on a "cobbled" solution will pay off handsomely.

    The decision is best made right now.
  • by Penguinshit ( 591885 ) on Monday September 19, 2005 @09:56PM (#13600811) Homepage Journal

    Troll?

    I dare that coward asshat who modded me troll to come out from under his/her rock and prove the honesty of that mod.

    I guess that person never heard of the "Software Assurance" program from Microsoft that forces upgrades every two years (with the alternative being a highly-inflated upgrade price whenever one is eventually required to upgrade). Everything else I said comes directly from my decades of personal experience in administering Microsoft and Unix/Linux (as well as Mac) networks.

    I've got karma to burn. But leave your bullshit agendas out of the moderation (that goes both ways).
  • Novell? (Score:2, Interesting)

    by sjs132 ( 631745 ) on Monday September 19, 2005 @10:19PM (#13600931) Homepage Journal
    What, Just rule them out? They've been doing Active directory and groupware LONG before Microsoft decided to emulate (steal) the ideal...

    Novell 6.5 is the latest, and I can lock out users based on windows policies, etc.. just like MS active dir... assign various sub admins to rule over their own dept, etc... AND Groupwise (IMHO) is a great email/calendar app... (Groupwise 7 is supposed to be better, but I haven't gotten to play with it yet...)

    AND they are starting to move everything over to Linux via SUSE Linux, so you have the OSS...
    Best of both worlds if you ask me...

    Sure, Novell AND Microsoft cost $$$, you could build your own Linux server and hack it together, but if you're a REAL company and you expect to play REAL Ball, you will PAY to have the proprietary software to compete with everyone else... At least with Novell, you can still play OSS and support linux, etc... even if you have to buy their version...

    OSS Does not equal FREE... That's the problem... too many freeloaders want EVERYTHING for FREE... If that was the case then your company would just give its product away also... oops, now your company is dead... Guess that model won't work.

    I must admit, I do ADMIN a Novell network, and I do like SUSE Linux... Much better than anything MS has to offer...

    Again, just my .02 worth... (climbing into Flame resistant suit)
  • by DorkFest ( 857124 ) on Monday September 19, 2005 @10:26PM (#13600958)
    We implemented Apple Open Directory, serving ~400 users, using four Xserves and two Xserve RAIDs. We're using Apple's mail services, file, web, web log, and VPN service.

    So far, things have gone better than I expected. We are authenticating Mac, Windows and Linux PC's, all of which can access the same home directory. The Open Directory master server also acts as the Windows PDC and serves up roaming profiles for Win XP clients.

    What I've been hounding my Apple rep about is the lack of a real group collaboration suite. The pieces are there; iCal, Address Book, Jabber, Cyrus/Postfix. They need to be brought together in an Exchange/GroupWise sort of fashion. We are still using Steltor Corporate Time (now Oracle Collaboration Suite) for calendaring, task lists, and shared contact lists. I'm watching the Hula project closely. Rumor has it Apple is shopping around for a comprehensive group collaboration system. Hula might be it! Zee dork
  • Anything but Novell (Score:3, Interesting)

    by sameat ( 690266 ) on Monday September 19, 2005 @10:30PM (#13600973)
    I'm afraid I can't help answer the initial question, but I have to caution you strongly regarding all of the suggestions for Novell products.

    I live the Novell dream everyday, and "cobbled together" would be a generous description of their products and services. This is a company with a time honored tradition of rendering promising technologies useless. They handed most of the market to MS on a silver platter.

    Before you consider Novell too seriously, look through the forums at forums.novell.com, be sure to ask about your support options, and try to get a feel for the staffing and training required for a network of your size and scope.

    Stick with your initial instincts, just remember that very few Novell products are actually Open Source.
  • Re:STOP.... (Score:2, Interesting)

    by divisivemind ( 888140 ) on Monday September 19, 2005 @11:39PM (#13601312)
    Though I've never laid eyes on an OSS directory alternative to W2K3, I'd be surprised if it could be any easier to use out of the 'box'. Another thing, if you plan to do some LDAP work, in say perl, modules exist that can add/remove/delete/etc from your AD that are rather painless to use. Automated account addition.... On a side note, for those in higher education, there is a good chance you have a campus-wide MSAD. Where I used to work, we kicked all students out of our domain and instead one way trusted their campus MSAD accounts. Imagine not having to deal with user accounts again =) This still allows you to moderate access to your domain machines (assuming you have the proper OUs set up) and retain administrative (both local and domain) control over your machines. We chose to leave faculty/staff on the old domain for the ease of not changing the entrenched. This was actually a pretty seamless transition. Students still have access to their home directories on the local domain (ala perl automation) and FTP/Terminal Server access. FWIW have fun.
  • Novell is all-in-one (Score:3, Interesting)

    by digidave ( 259925 ) on Tuesday September 20, 2005 @12:08AM (#13601415)
    Their directory far surpasses AD. You can also look into Netscape Directory.

    For groupware, check out Zimbra (http://www.zimbra.com/ [zimbra.com]). The Flash demo is great.
  • Re:STOP.... (Score:2, Interesting)

    by AmigaBen ( 629594 ) on Tuesday September 20, 2005 @12:16AM (#13601445)
    It's eDirectory these days, rather than NDS. And as for group policies and so much more, see ZENWorks.
  • by SparklingClearWit ( 792141 ) on Tuesday September 20, 2005 @01:05AM (#13601669)
    You may be surprised at what you get. Linux and Open Source can save a ton of money and hassle long term, especially when implemented from scratch, but you have to know what you're doing. If you don't know or aren't sure, get help. A company of 100 employees can easily justify having two admins, especially when combined with the savings Linux and OSS are capable of.

    Y'know, I keep seeing this argument on Slashdot, and it's always with the caveat "almost as good" or "the savings that Linux provides".

    I've yet to see somebody come up with a real cost savings - a TCO study - for a small business using a "cobbled together" Linux/OSS solution compared to a Windows-centric solution.

    Firstly: The admins. Linux admins aren't plentiful. They might appear so here, but just because you've installed Gentoo, you're not a real admin. Your users and business owners will dictate to YOU how things will be. You can have influence, and you may steer things, but being a zealot doesn't pay the bills.

    Let's say they hire you, and you implement OpenLDAP, perhaps Linux for Terminal Services on the desktops (you smart guy, you), and a snazzy Windows-like distro for the execs and upper dudes in your 100-seat organization. You've got the desktops all set up great, etc., and new machines go on the network with no problem.

    Now, the company is acquiring another firm - and they use (Oh Noes!) Windows! (oops, sorry - M$ Windoze - did I do it right?) They've got a KillerApp(TM) that your suits decide they Must Have and Use Daily as it will Multiply Productivity!

    So you test. Oops, no OSS equivalent. Damn. Ooops, doesn't work in Crossover Office. Or Wine. Damn again. The company has no plans for an OSS release. Damn again. So ... you can install a couple Windows machines to satisfy the execs, right? Ooops, then they push it company-wide. Oh, sorry boss - you've gotta pony up for 100 seats of Windows XP Professional so we can run this app.

    Second scenario: After this horrible mess, you decide to leave for purer, greener OSS pastures. What does the company do? Did you document all your work? Does *anybody* know what you've done? After all, you can't just 'pick up' Linux - it's not easy, like dumb old Windows! So how does the company hire to replace your knowledge? Oh, they can't? You're indispensable now?

    These thoughts are what percolate through the minds of business owners. They're not uninformed about Linux. They've heard all the zealotry and pitfalls, and the risk to their business is NOT worth it. The cost of upkeep, finding workarounds to compatibility with their partners, vendors and customers, and the inability to just 'buy a program' is the hamstring for mainstream business adoption.
  • by Alioth ( 221270 ) <no@spam> on Tuesday September 20, 2005 @05:05AM (#13602342) Journal
    Additionally - Active Directory et al. isn't as easy as people would lead you to believe ("It's Windows! It has a GUI! Therefore it's easy!")

    We just had Active Directory rolled out here. Our performance problems were so bad we had to hire Microsoft consultants to try and figure it out - and these people from the company that makes the product took over a month to actually come up with a solution that ran only half as quickly as our old Novell system. Admittedly, it's a much bigger system than 100 users (and I'm glad I have absolutely nothing to do with it, it's a nightmare) but Microsoft Active Directory and Windows aren't some sort of ease of use silver bullet. In fact after seeing what trauma they went through, it's not actually any easier than a "cobbled together" OpenLDAP/Samba installation and a great deal more expensive.

  • by The Last Gunslinger ( 827632 ) on Tuesday September 20, 2005 @08:00AM (#13602764)
    - the problem with IBM's directory is that it sits on top of DB2. This abrogates one of the coolest parts about directories - that you don't need a DBA. And a mistuned IBM directory is an ugly, ugly thing.

    But I take issue with this mythology...I work with IBM's Tivoli security solutions, most of which use the LDAP Directory Server under the hood (and, illustrating the beauty of *standards*, also tend to support the use of Novell, Sun, & MSAD). The underlying DB2 engine doesn't require independent tuning, maintenance, or administration in the vast majority of deployments. It isn't until you get into user populations of several hundred thousand that you start tweaking the DB2 parms...and the solution actually includes a detailed LDAP tuning guide that explains how and when you should tweak the DB2 and OS-level parms.

    The notion of needing a DBA just to deploy the IBM LDAP is just silly...any tech capable of RTFM can handle a moderate implementation on his own.

    Here's the kicker: Which would you prefer for performance and scalability? A directory that uses flat or proprietary file structures for data storage, or one that uses a scalable and reliable relational database engine? Seems like a big "duh!" to me.

    And, as you mentioned...it's free. Go download it from IBM [ibm.com] and try it out. If it doesn't work for you, or if you decide you can't do it without a DBA, well...you aren't out any expense. Export it all to an LDIF and bring in the next vendor.
