Active Directory Alternative
Hey Everybody!
I'm brand new to this community but have been using the GNU/Linux Operating System casually for several years now. It's just been more of a novelty than anything else. I am a Windows admin and have spent most of my life learning 'The Microsoft Solution'.
...then I saw the light
Now, I'm in the process of having an article published in [...] Magazine that bashes Microsoft's absurd licensing schemes. Microsoft has let me down on so many different levels. I'm now committed to learning 'The Free Software Solution'. I suppose I'll have to replace my dark art of VB scripting and .NET application development with shell scripts and Python - oh well.
Anyway, on to my question! In an attempt to be able to design a network that meets the needs of a hypothetical small business, I'm trying to find an alternative to Microsoft's Active Directory. Despite my animosity towards Microsoft, they do make some pretty powerful products - Active Directory being one such product.
Now, using the GNU/Linux Operating System in a business environment is quite different from me making the switch to Linux at my home.
- How does a Linux domain work, or is there such a thing? (ie: can I join a computer to a Linux domain like in Windows)
- Is there an alternative to Group Policy?
- Is there a single tool or set of tools to manage LDAP users and groups, DNS, DHCP, RADIUS, IPSec, etc...?
- What are some resources I can read or interact with to assist in my understanding of managing these topics on the GNU/Linux platform?
Like I said, I'm a Windows admin. I know Windows admins usually catch a lot of flak in the Linux community due to their lack of script-fu in the shell - but let's face it - Windows is a GUI-managed environment. Unless you're running dsquery to gain granular insight into Active Directory, the only reason to script is to automate a repetitive task. You don't need to know almost any command-line applications to manage a Windows box (well, outside of ping and nslookup).
Another thing that concerns me is NFS permissions. I don't know how these work. I know I can look up how they work and how they are evaluated on Wikipedia - but that isn't the information I'm looking for. I'm used to NTFS permissions. I know the metadata that the permissions carry and the alternate streams that exist on an NTFS volume. I'm looking for information from people in the field that know or used to know Windows systems and now manage a GNU/Linux environment. I want to know what they miss from the Windows world and what they don't miss.
I suppose overall I'm looking for selling points for GNU/Linux. I'm no longer sold on Microsoft, but I don't know where to turn now. Could it be here?
Let me know what you think,
-David
Comments
-
Linux/Unix domains can be built similarly to Windows-based domain services: you can join computers, users and much more data into an LDAP database or a NIS server. Check out http://www.openldap.org/doc/admin24/intro.html for some information on the uses of OpenLDAP. NIS is located at http://www.linux-nis.org/ .
I have played with both, but do not yet have a complete understanding of their uses. Both NIS and LDAP can handle user authentication, but LDAP has many more functions including machine authentication, asset tracking, e-mail address directory, etc...
You can also use an LDAP server to authenticate Windows hosts (http://www.yolinux.com/TUTORIALS/LDAP_Authentication.html) and even use an LDAP machine database to easily direct your Windows hosts to shared servers such as SQL servers for shared information.
As far as I am aware there is no complete Linux-based solution like Group Policy, although the same type of configuration can be handled through the machine config files.
Active Directory is not the same as DNS and DHCP; those are separate services accessed through the same setup screen.
You can use :
Bind for a DNS server - http://www.isc.org/software/bind
DHCPD for a DHCP server - http://www.phystech.com/download/dhcpcd.html
RADIUS - http://freeradius.org/
IPSEC - http://www.ipsec-howto.org/
We should also not forget about using CUPS (http://www.cups.org/) for managing printers, the printer pooling and printer discovery services are what I like most about CUPS.
As for the permissions, NFS and Linux permissions are really pretty easy to set up and the permissions are quite simple; a basic example document is at http://support.attachmate.com/techdocs/1178.html
I have been trained on Windows administration and like some of the concepts of their products, but I find the administrative levels and available options to be insufficient compared to the options and capabilities in their separate Linux counterparts. The thing that you may have noticed most about running Linux or Unix-based systems is the stability and also the application dependencies; both are related. The Unix philosophy explains it well: "Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface." This means that the system is made up of many core programs that each do one job but do it very well and are not over-complicated; the larger applications are then built on top of these many programs to combine their abilities and make a single stable application.
The other thing that I absolutely love is the fact that the registry does not exist in Linux/Unix-based systems; instead each service and application generally has a text-based configuration file which is easy to read and comment, so that you can comment out old configuration and note why the changes were made. This allows you to keep all configuration changes easily indexed and reversible in a single location rather than depending on notebooks of changes.
As you experiment with various services, log files and packaging schemes you will learn to love simple configuration-file, log and package maintenance with text files and the CLI utilities that handle them.
Let's not forget about the benefit of open-source applications: if the app does not do what you want you are free to modify it to fit your specific needs, so you are not restricted to the actions that a single vendor is trying to push upon you.
-
I almost forgot, if you use a Linux-based system you are also getting experience with Unix utilities and methods. You might want to read about the UNIX Philosophy to understand the basic rules and how people explain it: http://en.wikipedia.org/wiki/Unix_philosophy
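David asked above how NFS permissions are evaluated, and mfillpot's answer is that they are simple. The following is an added example, not code from the thread, from the Linux kernel or from any NFS implementation. It models what an NFS server checks for the default sec=sys (AUTH_SYS) security flavour: the client sends the caller's uid, gid and supplementary gids, the server rewrites that identity according to export options such as root_squash or all_squash, and then applies ordinary owner/group/other mode bits. The security point a Windows admin should take from it is that with sec=sys the uid is whatever the client claims, so NFS access control is only as strong as your control over the machines allowed to mount the export. The uids, gids, export options and file below are constructed for illustration; the 16-gid limit comes from the AUTH_SYS wire format.

```python
"""Miniature model of an NFS server's sec=sys (AUTH_SYS) access decision.

Added example; not code from the forum thread or from any NFS implementation.
All uids, gids, export options and the file below are constructed inputs.
"""
from dataclasses import dataclass

R, W, X = 4, 2, 1               # permission bits a caller can request
NOBODY = 65534                  # Linux default for anonuid/anongid
AUTH_SYS_MAX_GIDS = 16          # AUTH_SYS credentials carry at most 16 supplementary gids


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    groups: tuple = ()          # supplementary gids exactly as the client sent them


@dataclass(frozen=True)
class Export:
    root_squash: bool = True    # exportfs default; no_root_squash turns it off
    all_squash: bool = False    # map every client uid to the anonymous identity
    read_only: bool = False     # the "ro" export option
    anonuid: int = NOBODY
    anongid: int = NOBODY


@dataclass(frozen=True)
class RegularFile:
    owner: int
    group: int
    mode: int                   # permission bits only, e.g. 0o640


def squash(creds, export):
    """Return the identity the server actually checks, after export-option mapping."""
    if export.all_squash or (export.root_squash and creds.uid == 0):
        return Creds(export.anonuid, export.anongid, ())
    # A client in more than 16 groups silently loses the rest on the wire,
    # so membership in a group past the 16th buys nothing on the server.
    return Creds(creds.uid, creds.gid, tuple(creds.groups[:AUTH_SYS_MAX_GIDS]))


def allowed(creds, export, f, want):
    """True if the server grants the bits in `want` (a mask of R, W, X) on regular file `f`."""
    if want & W and export.read_only:
        return False                     # "ro" export: writes fail before mode bits are consulted
    eff = squash(creds, export)
    if eff.uid == 0:
        # Unsquashed root (no_root_squash) bypasses mode bits like local root does,
        # except that executing a regular file still needs at least one x bit set.
        return not (want & X) or bool(f.mode & 0o111)
    if eff.uid == f.owner:
        bits = (f.mode >> 6) & 7
    elif eff.gid == f.group or f.group in eff.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want


if __name__ == "__main__":
    f = RegularFile(owner=1000, group=100, mode=0o640)
    for label, creds, export in [
        ("owner, default export", Creds(1000, 1000), Export()),
        ("root, root_squash", Creds(0, 0), Export()),
        ("root, no_root_squash", Creds(0, 0), Export(root_squash=False)),
        ("group member, ro export", Creds(2000, 100), Export(read_only=True)),
    ]:
        print("%-28s read=%s write=%s" % (label, allowed(creds, export, f, R), allowed(creds, export, f, W)))
```

The two surprises this reproduces are the ones that catch people coming from NTFS: a root login on a client is "nobody" on the server unless the export says no_root_squash, and a user who is in the right group on the client can still be denied because that group was the 17th in their list.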
-
As mfillpot said, you can use either LDAP (OpenLDAP) or NIS for directory/domain services. NIS was an invention of Sun Microsystems (now owned by Oracle) and was widely used on Unix systems for many years. LDAP is more recent, and even Microsoft's Active Directory system is based on it. OpenLDAP is the open-source version that Linux uses. This is what I would recommend to current network admins who want to manage large Linux/Unix networks, and/or have them work with Windows networks as well. That last part isn't as "seamless" as we would like, mostly due to Microsoft's predilection for custom "extensions" of open standards such as LDAP, Kerberos, etc...
So, if you have a legacy Unix network, then use NIS. If you have a Linux and/or Linux/Windows network, use OpenLDAP.
-
Not everything is OpenLDAP:
http://www.redhat.com/directory_server/
I use the CentOS version and I'm quite comfortable with it.
-
Well, the RHEL/CentOS directory server is built upon OpenLDAP (I think), but with a lot more user/admin-friendly features. Not a bad choice if one is running RHEL-based distributions (RHEL, CentOS, Scientific Linux). Thanks Marc for bringing it up.
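The posts above recommend OpenLDAP or Red Hat Directory Server as the "domain" a Linux host joins. What joining actually means is that a name-service module (nss_ldap or sssd) reads RFC 2307 posixAccount and posixGroup entries from the directory and hands them to the host as the same passwd(5) and group(5) records a stand-alone machine keeps in /etc. The example below is added here and is not code from the thread, from OpenLDAP or from Red Hat Directory Server; it parses a small LDIF, produces those records, and runs the two checks a directory admin should run before any host trusts the tree: an entry with uidNumber 0 is root on every joined machine, and two entries sharing a uidNumber are one Unix user. The LDIF, the suffix dc=example,dc=com and all uid/gid numbers are constructed for illustration, and the parser covers only the plain "attr: value" subset the sample uses (no base64 "::" values, no folded lines).

```python
"""Translate RFC 2307 LDAP entries into passwd/group records and audit them.

Added example; not code from the forum thread, from OpenLDAP or from Red Hat
Directory Server. The LDIF and every uid/gid number in it are constructed.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
cn: Alice Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {SSHA}redacted

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 10002
gidNumber: 10001
homeDirectory: /home/bob
loginShell: /bin/bash

dn: uid=mallory,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: mallory
cn: Mallory
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10001
memberUid: alice
memberUid: bob
"""


def parse_ldif(text):
    """Return a list of entries; each entry maps an attribute name to the list of its values."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():            # a blank line ends the entry
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def _has_class(entry, cls):
    return cls in entry.get("objectClass", [])


def passwd_lines(entries):
    """posixAccount entries as passwd(5) lines. The password field is 'x': the hash
    stays in the directory and is verified there by PAM; it is never copied to the host."""
    return [
        "{}:x:{}:{}:{}:{}:{}".format(e["uid"][0], e["uidNumber"][0], e["gidNumber"][0],
                                     e["cn"][0], e["homeDirectory"][0], e["loginShell"][0])
        for e in entries if _has_class(e, "posixAccount")
    ]


def group_lines(entries):
    """posixGroup entries as group(5) lines, members taken from memberUid."""
    return [
        "{}:x:{}:{}".format(e["cn"][0], e["gidNumber"][0], ",".join(e.get("memberUid", [])))
        for e in entries if _has_class(e, "posixGroup")
    ]


def audit(entries):
    """Findings a directory admin wants before hosts trust the tree."""
    findings, seen = [], {}
    for e in entries:
        if not _has_class(e, "posixAccount"):
            continue
        name, uidn = e["uid"][0], int(e["uidNumber"][0])
        if uidn == 0:
            findings.append("{}: uidNumber 0 is root on every host using this directory".format(name))
        if uidn in seen:
            findings.append("{}: uidNumber {} already belongs to {}".format(name, uidn, seen[uidn]))
        else:
            seen[uidn] = name
    return findings


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print("\n".join(passwd_lines(entries) + group_lines(entries)))
    for finding in audit(entries):
        print("WARNING:", finding)
```

On a real deployment the same checks are worth running from an ldapsearch dump whenever the people allowed to write under ou=People change, because whoever can add a posixAccount there can add a uid 0 account on every machine that trusts the directory.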
-
If you're a Windows admin I would suggest taking a look at Resara Server. It's an open-source Active Directory/file server built on Samba 4, and really easy to use. http://www.resara.org
-
elwarreno, thanks for sharing the info about Resara, it looks like a good solution for new administrators.
-
Dang, you guys are awesome.
@mfillpot - Thanks for the crucial breakdown. I'm actually kinda stoked to understand the Unix philosophy. However, while I like the basic concept that you outlined - it just seems like, in practice, it leads to very confusing systems.
@elwarreno - Thanks for the link to Resara, it looks like a pretty cool product. I really want to get my hands on it now.
Guys, this is like a whole new world for me. As much as I don't like Microsoft as a company right now, I am still pretty well married to their products (I LOVE my management console). But! I have a whole bunch of links open in my browser now that I have to go research. I can't wait to build a little lab with all of this in it!
Actually, I mentioned my management console - which gets me thinking... Does an equivalent exist in the Linux world for Microsoft's (forgive me) AMAZING Management Console product lineup?? (ie: Microsoft System Center Operations Manager, or any other plugin to the MMC framework)
I feel like, from the basic Unix philosophy that mfillpot gave, GNU/Linux and Unix systems are too disparate with no governing entity to make something like an MMC equivalent possible.
If you guys have been managing *nix for a really long time, you may not know what I'm talking about. Let me give a quick example. Right now, I have a dead simple management console that I made called the "Ultimate Management Console". It's just a bunch of plugins that integrate into a uniform interface that I have open like any other application on my desktop. From this one console (this is a GUI, not a command line console like you may be thinking), I can remote into 24 of my servers, manage AD Domains and Trusts, AD Sites and Services, AD Users and Computers, manage all of my Group Policies, configure my Certification Authority and Online Responders, manage all of my Distributed File System shares (this is just a fancy name for a directory symlink - which I think exists on *nix as well), configure all of my DNS and DHCP servers and scopes, manage all print functions from all my print servers, configure the quotas and reports for all my file servers, and manage the entire local downstream clone of Microsoft's Windows Update service.
The thing that is so impressive about this kind of integration is that almost any problem that exists on my network or servers can be responded to in a matter of seconds with just a few clicks. For example, let's say that our line-of-business application gets an update and now cannot send drawings to our large-format plotter because it requires a new version of the print driver. No problem, in about 10 clicks and less than 30 seconds I can have the new driver available to both print servers at both of our locations and the clients can pull them immediately. That's what makes it nice.
I've seen some stuff called gadmin-... in the repositories before, but when I tried to check out the homepage it appears to be down. I don't know if this is/was an alternative or possible alternative to MMC, but it looks like it isn't maintained anymore (unless Google's cache is lagging...)
Anyway, let me know what you think,
-David
-
Actually the Unix philosophy works well when trying to find replacements for management tools for various applications: because the many base components are stable, backward compatible and include scriptable or API libraries, it is easier for others to develop management tools to consolidate the administration. One good example you might want to look at is webmin (http://webmin.com/), which is a web-based management tool that has loadable modules for pretty much every management task. You can find many other tools that do similar tasks, but in my experience webmin has the most comprehensive module library.
-
Have a look at http://spacewalk.redhat.com/
-
-
Marc Deop wrote: Not everything is OpenLDAP:
http://www.redhat.com/directory_server/
I use the CentOS version and I'm quite comfortable with it
Friend, I need to install a domain controller with CentOS and Samba 4, integrating an existing LDAP server. Can you help me? Because I tried some installations with Red Hat, CentOS and Ubuntu, but that's not OK.
Please help me.
-
Important:
The Resara project is dead.
The website still exists, but all download links return a 404 error (not found).
-
mcgiwer wrote: Important:
Resara is dead
The website still exists, but all download links return a 404 error (not found).
Resara downloads are here: http://sourceforge.net/projects/resaraserver/files/
Not updated, but available.
-
Install OpenLDAP. That is an AD-compatible directory manager. Here is a link to their web site: http://www.openldap.org/
-
Alderin wrote: Resara downloads are here: http://sourceforge.net/projects/resaraserver/files/
Even if it's on SourceForge, on the website the links haven't been corrected.
Alderin wrote: Not updated, but available.
That's why I corrected my post, and it now says that the Resara project is dead.
-
ruready511 wrote: [...]
You may please try either the Samba 4 Active Directory Domain Controller or Zentyal as a distro, which is a small business server like the Microsoft product.