Solution 1:

Stick with the open-source, if I'm reading your question correctly:

  • You don't care about Exchange
  • You don't have a huge need for minute control of XP settings - I love group policy primarily to save the admin/sales staff from themselves, the developers mostly need me to stay out of their hair
  • You're more comfortable with *nix than windows

AD is great at managing windows to a fine degree, but if you don't need that, you're buying yourself a learning curve that won't likely bring a great deal of benefit.

2 caveats:

  • If you've got the time/interest to push yourself more on the MS side of things, this is a good way to provide that.
  • WSUS is a good way to control workstation/server patches. If you can't just flip the "automatic" switch on all machines, this might push the balance over to SBS (if SBS does WSUS?)

Solution 2:

You're going to get a lot of nice features from Active Directory that you're not getting with OpenLDAP. Chief among them being both single-sign on (i.e. one user account that works on all client and server computers), and Group Policy.

I love open source software, but until Samba 4 matures, Active Directory provides the very best administrative experience with Windows 2000 and newer client computers.

Without using third-party software there is no standards-based LDAP authentication with Windows XP clients. Read my answer here re: Kerberos integration with Windows XP-- the experience using OpenLDAP will be very similar (except that you will need third-party software like pGINA up front to make LDAP authentication work): How to get windows xp to authenticate against kerberos or heimdal

Whether or not to go with Windows Small Business Server depends on what you want to spend (initial cost and cost of client access licenses for SBS is more than "plain vanilla" Windows) and whether or not you will get value out of the additional "features". I prefer to think of Windows SBS as an inexpensive Windows and Exchange bundle (with an overly complicated setup and cruddy admin tools that I never use.) I tend to administer Windows SBS like a "normal" Windows and Exchange Server machine, and it works very well as such.

A Windows Server with Active Directory, Microsoft DHCP/DNS, WSUS (to provide updates to client computers), and some Group Policy objects to handle configuring user / computer environments and installing software will lighten your administrative load tremendously and make adding future computers easy. Exchange isn't that difficult to get up and running (the biggest problems being related to getting your mail to flow to it from the Internet-- so many people don't seem to understand how DNS and SMTP work together).

Assuming your install is performed by someone who knows what they're doing, and that you treat everything well after-the-fact, it will run fine for you w/o a lot of administrative headache. I write off people who bemoan the unreliability of Windows and Exchange, because typically they are having problems because they either (a) used inferior hardware and are paying the price in the long run, or (b) are not competent to administer the software. I have Windows SBS installations going all the way back to the version 4.0 time-frame that are running fine years after the installation-- you can have one, too.

If you don't have any experience with these products, I'd recommend working with a reputable consultant to perform the install and get you started with being self-sufficient on administration. I'd recommend a good book if I knew one, but I've been fairly displeased with nearly all of them that I've read (they all seem to be lacking in real-life examples and case studies, typically).

There are plenty of consultants that can get you off the ground inexpensively (the setup you're talking about, assuming that you're going to do the "bulk" work yourself, feels like about a day and a half to two days for a basic Windows and Exchange install, to me) and can help you "learn the ropes". The majority of labor is going to go into migrating your existing user environments (migrating their existing documents and profiles into their new AD account's roaming user profile and redirected "My Documents" folders, etc) if you choose to do that. (I would, just because it will make the users happier and more productive in the long-run.)

You should plan on some kind of backup device and backup management software, a server computer with redundant disks (minimum RAID-1), and some kind of power protection (UPS). I would expect, with a low-end server, licensing costs, and the power protection hardware that you could get in the door w/ Windows SBS for roughly $3500.00 - $4000.00. Personally, I'd spec you roughly 10 - 20 hours of setup labor, depending on how familiar you are with your needs and how much of the work you want to be taught to do, versus having the installer do it.

Here's a high-level list of the typical kinds of installation tasks I see in a deployment like yours:

  • Physically setup server computer, UPS, etc.
  • Install Windows, Exchange, WSUS, infrastructure services, service packs, backup management software, UPS management software, etc.
  • Discuss file sharing (permissions, shared file locations, directory hierarchy).
  • Create user accounts (roaming profile folders, "My Documents" folders, etc), security groups, distribution groups, basic GPO's.
  • Discuss migration of existing email data and formulate strategy, changes to DNS to bring email directly to Exchange.
  • Discuss migration of user environments to new AD accounts. Develop procedure for migration if training to perform migration is desired.
  • Perform pilot migration(s) of client computers and user profiles into domain.
  • Discuss day-to-day sysadmin tasks (password resets, changing user group memberships, reviewing backup success/failure notifications, monitoring WSUS and update installation), discuss common issues, troubleshooting, and resolution, conduct Q&A session.
  • Make recommendations for future activities (automating software installations, VPN connectivity, etc)

Solution 3:

OpenLDAP can be used for checking passwords but it is mostly a centralized way to manage identities. AD integrates ldap, kerberos, DNS, and DHCP. It is a much more comprehensive system than just OpenLDAP by itself.

From a management perspective, you could simply install AD on a pair of win2k3 servers and point all the unix systems at it and use the AD servers only for password checking. It is super trivial to make a unix system with pam use kerberos for password checking and local password files for authorization. It isn't quite as good as full AD integration but is also trivial to implement.

pros and cons of AD linux integration

using AD as a kerberos server to authenticate local accounts
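
The setup Solution 3 describes (AD's domain controllers as Kerberos KDCs for password checking, local password files for authorization), as an added example that is not part of the answer: a POSIX shell script that emits the krb5.conf and PAM stack for a Linux host. The realm EXAMPLE.COM and the dc1/dc2 host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer above): emit the two files that make a
# Linux host check passwords against AD's Kerberos KDCs while authorization
# still comes from the local /etc/passwd. Realm and host names are assumptions.
set -eu

REALM="EXAMPLE.COM"                      # AD domain in upper case (assumed)
KDCS="dc1.example.com dc2.example.com"   # domain controllers act as KDCs (assumed)

# krb5.conf: the AD realm is the DNS domain name in upper case; every DC is a KDC.
krb5_conf() {
  printf '[libdefaults]\n'
  printf '    default_realm = %s\n' "$REALM"
  printf '    dns_lookup_kdc = true\n'   # also locate KDCs via AD's _kerberos SRV records
  printf '    clockskew = 300\n\n'       # tickets are rejected if clocks drift > 5 min
  printf '[realms]\n    %s = {\n' "$REALM"
  for kdc in $KDCS; do printf '        kdc = %s\n' "$kdc"; done
  printf '        admin_server = %s\n    }\n' "${KDCS%% *}"
}

# PAM stack: pam_krb5 verifies the password with the KDC and is "sufficient";
# uids below 1000 (root, service accounts) and any failure fall through to the
# local shadow file. Authorization stays local: the "account" line is pam_unix
# only, so the user must still exist in /etc/passwd with a uid, shell and home.
pam_auth_stack() {
  cat <<'EOF'
auth     sufficient  pam_krb5.so minimum_uid=1000 try_first_pass
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
EOF
}

# Keep a host keytab at /etc/krb5.keytab (from "net ads join" or ktpass) so
# pam_krb5 can verify the TGT it obtains against the host key; without one a
# rogue KDC answering on the network could pass the password check.
print_config() {
  echo "# ---- /etc/krb5.conf ----"; krb5_conf
  echo "# ---- /etc/pam.d/common-auth (Debian) or system-auth (RHEL) ----"; pam_auth_stack
}

print_config
```

Redirect the two sections into the files named in the headers and then test with `kinit user@EXAMPLE.COM` before touching the login stack, so a broken KDC setting cannot lock you out.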

Solution 4:

You should also have a look at Fedora directory server (which apparently is now officially "389 directory server"), based on the Netscape LDAP codebase. It's sold by RedHat under their brand, and so is actively maintained. I've heard it's nicer than OpenLDAP in some respects, although I've never used it myself. It's probably closer to AD in functionality than OpenLdap by itself, which is really only the core of a fully fledged directory system.

There is also Apache Directory Server, which is pure Java and also looks like it's actively developed.