Active Directory Alternative

ruready511

Hey Everybody!

I'm brand new to this community but have been using the GNU/Linux Operating System casually for several years now. It's just been more of a novelty than anything else. I am a Windows admin and have spent most of my life learning 'The Microsoft Solution'.

...then I saw the light

Now, I'm in the process of having an article published in [...] Magazine that bashes Microsoft's absurd licensing schemes. Microsoft has let me down on so many different levels. I'm now committed to learning 'The Free Software Solution'. I suppose I'll have to replace my dark art of VB scripting and .NET application development with shell scripts and Python - oh well.

Anyway, on to my question! In an attempt to be able to design a network that meets the needs of a hypothetical small business, I'm trying to find an alternative to Microsoft's Active Directory. Despite my animosity towards Microsoft, they do make some pretty powerful products - Active Directory being one such product.

Now, using the GNU/Linux Operating System in a business environment is quite different than me making the switch to Linux at my home.

• How does a Linux domain work, or is there such a thing? (ie: can I join a computer to a Linux domain like in Windows)
  
• Is there an alternative to Group Policy?
  
• Is there a single tool or set of tools to manage LDAP users and groups, DNS, DHCP, RADIUS, IPSec, etc...?
  
• What are some resources I can read or interact with to assist in my understanding of managing these topics on the GNU/Linux platform?
  

Like I said, I'm a Windows admin. I know Windows admins usually catch a lot of flac in the Linux community due to their lack of script-fu in the shell - but lets face it - Windows is a GUI managed environment. Unless your running dsquery to gain granular insight into Active Directory, the only reason to script is to automate a repetitive task. You don't need to know almost any commandline applications to manage a Windows box (well, outside of ping and nslookup).

Another thing that concerns me is NFS permissions. I don't know how these work. I know I can look up how they work and how they are evaluated on Wikipedia - but that isn't the information I'm looking for. I'm used to NTFS permissions. I know the metadata that the permissions carry and the alternate streams that exist on an NTFS volume. I'm looking for information from people in the field that know or used to know Windows systems and now manage a GNU/Linux environment. I want to know what they miss from the Windows world and what they don't miss.

I suppose overall I'm looking for selling points for GNU/Linux. I'm no longer sold on Microsoft, but I don't know where to turn now. Could it be here?

Let me know what you think,

-David

mfillpot

Linux/Unix domains can be developed similar to windows based domain services, you can join computers, users and much more data into an LDAP database or a NIS server. Checkout http://www.openldap.org/doc/admin24/intro.html for some information on the uses of OpenLDAP. NIS is located at http://www.linux-nis.org/ .

I have played with both, but do not yet have a complete understanding of the uses, Both NIS and LDAP can handle user authentication, but LDAP has many more functions including machine authentication, asset tracking, e-mail address directory, etc...

You can also use an LDAP server to authenticate windows hosts (http://www.yolinux.com/TUTORIALS/LDAP_Authentication.html) and even use a LDAP machine database to easily direct your windows hosts to shared servers such as SQL servers for shared information.

As far as I am aware there is no complete Linux based solution like the Group Policies, although the same type of configuration can be handled through the machine config files.

Active Directory is not the same and DNS, DHCP, those are separate services accessed through the same setup screen.
You can use :
Bind for a DNS server - http://www.isc.org/software/bind
DHCPD for a DHCP server - http://www.phystech.com/download/dhcpcd.html
RADIUS - http://freeradius.org/
IPSEC - http://www.ipsec-howto.org/

We should also not forget about using CUPS (http://www.cups.org/) for managing printers, the printer pooling and printer discovery services are what I like most about CUPS.

As for the Permissions, NFS and Linux permissions are really pretty easy to setup and the permissions are quite simple, a basic example document is at http://support.attachmate.com/techdocs/1178.html

I have been trained on windows administration and like some of the concepts of their products, but I find the administrative levels and available options to be insufficient compared the options and capabilities in their separate Linux counterparts. The thing that you may have notice most about running Linux or Unix based systems is the stability and also the application dependencies, both are related. The Unix philosophy explains it well "Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface.", this means that the system is made up of many core programs that do on job but do it very well and are not over complicated, the larger applications are then built on top of these many applications to combine the abilities and make a single stable application.

The other thing that I absolutely love is the fact that the registry does not exist in Linux/Unix based systems, instead each service and application generally has a text based configuration file which is easy to read and comment, so that you can comment out old configuration and note why the changes were made, this allows you to keep all configuration changes easily indexed and reversible in a single location rather than depending on notebooks of changes.

As you experiment with various services, log files and packaging schemes you will learn to love the simple configuration file, file, log and package maintenance with text files and the CLI utilities to handle the files.

Lets not forget about the benefit of open source applications, if the app does not do what you want you are free to modify it to fit your specific needs, so you are not restricted to the actions that a single vendor is trying to push upon you.

mfillpot

I almost forgot, if you use Linux based system you are also getting experience with Unix utilities and methods. You might want to read about the UNIX Philosophy to understand the basic rules and how people explain it http://en.wikipedia.org/wiki/Unix_philosophy

woboyle

As mfillpot said, you can use either LDAP (OpenLDAP) or NIS for directory/domain services. NIS was an invention of Sun Microsystems (now owned by Oracle) and was widely used on Unix systems for many years. LDAP is more recent, and even Microsoft's Active Directory system is based on it. OpenLDAP is the open source version that Linux uses. This is what I would recommend to current network admins who want to manage large Linux/Unix networks, and/or have them work with Windows networks as well. That last part isn't so "seamless" as we would like, mostly due to Microsoft's predilection for custom "extensions" of open standards, such as is LDAP, kerberos, etc...

So, if you have a legacy Unix network, then use NIS. If you have a Linux and/or Linux/Windows network, use OpenLDAP.

marc

Not everything is OpenLDAP:

http://www.redhat.com/directory_server/

I use the CentOS version and I'm quite confortable with it

woboyle

Well, the RHEL/CentOS directory server is built upon OpenLDAP (I think), but with a lot more user/admin-friendly features. Not a bad choice if one is running RHEL-based distributions (RHEL, CentOS, Scientific Linux). Thanks marc for bringing it up.

elwarreno

if your a Windows admin i would suggest taking a look at Resara Server. its an open source Active Directory/File server built on Samba4, and really easy to use. http://www.resara.org

mfillpot

elwarreno, thanks for sharing the info about resara, it looks like a good solution for new administrators.

ruready511

Dang, you guys are awesome.

@mfillpot - Thanks for the crucial breakdown. I'm actually kinda stoked to understand the Unix philosophy. However, while I like the basic concept that you outlined - it just seems like, in practice, it leads to very confusing systems.

@elwarreno - Thanks for the link to Resara, it looks like a pretty cool product. I really want to get my hands on it now.


Guys, this is like a whole new world for me. As much as I don't like Microsoft as a company right now, I am still pretty well married to their products (I LOVE my management console). But! I have a whole bunch of links open in my browser now that I have to go research I can't wait to build a little lab with all of this in it!

Actually, I mentioned my management console - which gets me thinking... Does an equivalent exist in the Linux world for Microsoft's (forgive me) AMAZING Management Console product lineup?? (ie: Microsoft System Center Operations Manager, or any other plugin to the MMC framework)

I feel like, from the basic Unix philosophy that mfillpot gave, GNU/Linux and Unix systems are too disseparate with no governing entity to make something like an MMC equivalent possible.

If you guys have been managing *nix for a really long time, you may not know what I'm talking about. Let me give a quick example. Right now, I have a dead simple management console that I made called the "Ultimate Management Console". It's just a bunch of plugins that integrate into a uniform interface that I have open like any other application on my desktop. From this one console (this is a GUI, not a command line console like you may be thinking), I can remote into 24 of my servers, manage AD Domains and Trusts, AD Sites and Services, AD Users and Computers, manage all of my Group Policies, configure my Certification Authority and Online Responders, manage all of my Distributed File System shares (this is just a fancy name for a directory symlink - which I think exists on *nix as well), configure all of my DNS and DHCP servers and scopes, manage all print functions from all my print servers, configure the quotas and reports for all my file servers, and manage the entire local downstream clone of Microsoft's Windows Update service.

The thing that is so impressive about this kind of integration, is that almost any problem that exists on my network or servers can be responded to in a matter of seconds with just a few clicks. For example, lets say that our line of business application gets an update and now cannot send drawings to our large format plotter because it requires a new version of the print driver. No problem, in about 10 clicks and less than 30 seconds I can have the new driver available to both print servers at both of our locations and the clients can pull them immediately. That's what makes it nice.

I've seen some stuff called gadmin-... in the repositories before, but when I tried to check out the homepage it appears down. I don't know if this is/was an alternative or possible alternative to MMC, but it looks like it isn't maintained anymore (unless Google's cache is lagging...)

Anyway, let me know what you think,
-David

mfillpot

Actually the Unix philosophy works well when trying to find replacements for management tools for various applications, because the many base components are stable, backward compatible and include scriptable or API libraries it is easier for others to develop management tools to consolidate the administration. One good example you might want to look at is webmin (http://webmin.com/), which is a web-based management tool that has loadable modules for pretty much every management task. You can find many other tools that do similar tasks, but in my experiences webmin has the most comprehensive module library.

marc

Have a loot at http://spacewalk.redhat.com/

max8a

Marc Deop wrote:

Not everything is OpenLDAP:

http://www.redhat.com/directory_server/

I use the CentOS version and I'm quite confortable with it

Friend i need install a domain Controller whit centos with samba 4 and integrating a existing ldap server, can you help Me, because i try some installations with red Hat, centos and ubuntu, but that's not ok.

Please help Me

mcgiwer

Important:

Resara project is dead

the website still exist, but all download links return the 404 error (not found)

Alderin

mcgiwer wrote:

Important:

Resara is dead

the website still exist, but all download links return the 404 error (not found)

Resara downloads are here: http://sourceforge.net/projects/resaraserver/files/

Not updated, but available.

woboyle

Install OpenLDAP. That is an AD compatible directory manager. Here is a link to their web site: http://www.openldap.org/

mcgiwer

Alderin wrote:

Resara downloads are here: http://sourceforge.net/projects/resaraserver/files/

Even if it's on sourceforge, on the website the links haven't been corrected

Alderin wrote:

Not updated, but available.

That why I had corrected my post and it's now that Resara project is dead

rookielearning

ruready511 wrote:

Dang, you guys are awesome.

@mfillpot - Thanks for the crucial breakdown. I'm actually kinda stoked to understand the Unix philosophy. However, while I like the basic concept that you outlined - it just seems like, in practice, it leads to very confusing systems.

@elwarreno - Thanks for the link to Resara, it looks like a pretty cool product. I really want to get my hands on it now.


Guys, this is like a whole new world for me. As much as I don't like Microsoft as a company right now, I am still pretty well married to their products (I LOVE my management console). But! I have a whole bunch of links open in my browser now that I have to go research I can't wait to build a little lab with all of this in it!

Actually, I mentioned my management console - which gets me thinking... Does an equivalent exist in the Linux world for Microsoft's (forgive me) AMAZING Management Console product lineup?? (ie: Microsoft System Center Operations Manager, or any other plugin to the MMC framework)

I feel like, from the basic Unix philosophy that mfillpot gave, GNU/Linux and Unix systems are too disseparate with no governing entity to make something like an MMC equivalent possible.

If you guys have been managing *nix for a really long time, you may not know what I'm talking about. Let me give a quick example. Right now, I have a dead simple management console that I made called the "Ultimate Management Console". It's just a bunch of plugins that integrate into a uniform interface that I have open like any other application on my desktop. From this one console (this is a GUI, not a command line console like you may be thinking), I can remote into 24 of my servers, manage AD Domains and Trusts, AD Sites and Services, AD Users and Computers, manage all of my Group Policies, configure my Certification Authority and Online Responders, manage all of my Distributed File System shares (this is just a fancy name for a directory symlink - which I think exists on *nix as well), configure all of my DNS and DHCP servers and scopes, manage all print functions from all my print servers, configure the quotas and reports for all my file servers, and manage the entire local downstream clone of Microsoft's Windows Update service.

The thing that is so impressive about this kind of integration, is that almost any problem that exists on my network or servers can be responded to in a matter of seconds with just a few clicks. For example, lets say that our line of business application gets an update and now cannot send drawings to our large format plotter because it requires a new version of the print driver. No problem, in about 10 clicks and less than 30 seconds I can have the new driver available to both print servers at both of our locations and the clients can pull them immediately. That's what makes it nice.

I've seen some stuff called gadmin-... in the repositories before, but when I tried to check out the homepage it appears down. I don't know if this is/was an alternative or possible alternative to MMC, but it looks like it isn't maintained anymore (unless Google's cache is lagging...)

Anyway, let me know what you think,
-David

You may please try either Samba 4 Active Directory Domain Controller or Zentyal as a distro, which is a small business server as that of Microsoft product.