Linux.com

Active Directory Alternative

Link to this post 19 Jan 12

Hey Everybody!

I'm brand new to this community but have been using the GNU/Linux Operating System casually for several years now. It's just been more of a novelty than anything else. I am a Windows admin and have spent most of my life learning 'The Microsoft Solution'.

...then I saw the light :)

Now, I'm in the process of having an article published in [...] Magazine that bashes Microsoft's absurd licensing schemes. Microsoft has let me down on so many different levels. I'm now committed to learning 'The Free Software Solution'. I suppose I'll have to replace my dark art of VB scripting and .NET application development with shell scripts and Python - oh well.

Anyway, on to my question! In an attempt to be able to design a network that meets the needs of a hypothetical small business, I'm trying to find an alternative to Microsoft's Active Directory. Despite my animosity towards Microsoft, they do make some pretty powerful products - Active Directory being one such product.

Now, using the GNU/Linux Operating System in a business environment is quite different from making the switch to Linux at my home.

  • How does a Linux domain work, or is there such a thing? (i.e., can I join a computer to a Linux domain like in Windows?)

  • Is there an alternative to Group Policy?

  • Is there a single tool or set of tools to manage LDAP users and groups, DNS, DHCP, RADIUS, IPSec, etc...?

  • What are some resources I can read or interact with to assist in my understanding of managing these topics on the GNU/Linux platform?

Like I said, I'm a Windows admin. I know Windows admins usually catch a lot of flak in the Linux community due to their lack of script-fu in the shell - but let's face it - Windows is a GUI-managed environment. Unless you're running dsquery to gain granular insight into Active Directory, the only reason to script is to automate a repetitive task. You don't need to know almost any command-line applications to manage a Windows box (well, outside of ping and nslookup).

Another thing that concerns me is NFS permissions. I don't know how these work. I know I can look up how they work and how they are evaluated on Wikipedia - but that isn't the information I'm looking for. I'm used to NTFS permissions. I know the metadata that the permissions carry and the alternate streams that exist on an NTFS volume. I'm looking for information from people in the field that know or used to know Windows systems and now manage a GNU/Linux environment. I want to know what they miss from the Windows world and what they don't miss.

I suppose overall I'm looking for selling points for GNU/Linux. I'm no longer sold on Microsoft, but I don't know where to turn now. Could it be here?

Let me know what you think,
-David

Link to this post 20 Jan 12

Linux/Unix domains can be built in a similar way to Windows-based domain services: you can join computers, users and much more data into an LDAP database or a NIS server. Check out http://www.openldap.org/doc/admin24/intro.html for some information on the uses of OpenLDAP. NIS is located at http://www.linux-nis.org/ .

I have played with both, but do not yet have a complete understanding of the uses. Both NIS and LDAP can handle user authentication, but LDAP has many more functions including machine authentication, asset tracking, e-mail address directory, etc...

You can also use an LDAP server to authenticate Windows hosts (http://www.yolinux.com/TUTORIALS/LDAP_Authentication.html) and even use an LDAP machine database to easily direct your Windows hosts to shared servers such as SQL servers for shared information.

As far as I am aware there is no complete Linux based solution like the Group Policies, although the same type of configuration can be handled through the machine config files.

Active Directory is not the same as DNS and DHCP; those are separate services accessed through the same setup screen.
You can use:
Bind for a DNS server - http://www.isc.org/software/bind
DHCPD for a DHCP server - http://www.phystech.com/download/dhcpcd.html
RADIUS - http://freeradius.org/
IPSEC - http://www.ipsec-howto.org/

We should also not forget about using CUPS (http://www.cups.org/) for managing printers; the printer pooling and printer discovery services are what I like most about CUPS.

As for the permissions, NFS and Linux permissions are really pretty easy to set up and the permissions are quite simple; a basic example document is at http://support.attachmate.com/techdocs/1178.html

I have been trained on Windows administration and like some of the concepts of their products, but I find the administrative levels and available options to be insufficient compared to the options and capabilities in their separate Linux counterparts. The thing that you may have noticed most about running Linux or Unix based systems is the stability and also the application dependencies; both are related. The Unix philosophy explains it well: "Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface." This means that the system is made up of many core programs that do one job but do it very well and are not over-complicated; the larger applications are then built on top of these many applications to combine the abilities and make a single stable application.

The other thing that I absolutely love is the fact that the registry does not exist in Linux/Unix based systems. Instead, each service and application generally has a text-based configuration file which is easy to read and comment, so that you can comment out old configuration and note why the changes were made. This allows you to keep all configuration changes easily indexed and reversible in a single location rather than depending on notebooks of changes.

As you experiment with various services, log files and packaging schemes you will learn to love the simple configuration file, and the file, log and package maintenance with text files and the CLI utilities that handle them.

Let's not forget about the benefit of open source applications: if the app does not do what you want you are free to modify it to fit your specific needs, so you are not restricted to the actions that a single vendor is trying to push upon you.
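The permission model mentioned above is the part a Windows admin most often trips over, so here is an added example (not from the thread or from any project linked in it) that evaluates classic Unix mode bits the way the kernel does. The key difference from NTFS is that permissions do not accumulate across the user's groups: exactly one class (owner, group or other) is selected, and only that class's bits count. The users, groups and file modes are constructed sample data.

```sh
#!/bin/sh
# Added example: evaluate a classic Unix permission check (owner/group/other).
# Sample identities and modes below are constructed, not taken from any system.

# triad_allows TRIAD ACTION -> exit 0 if the 3-char triad (e.g. "rw-") grants
# ACTION, which is one of r, w or x. Lowercase s/t mean setuid/setgid/sticky
# combined with execute, so they count as x.
triad_allows() {
    case $2 in
        r) [ "$(printf '%s' "$1" | cut -c1)" = r ] ;;
        w) [ "$(printf '%s' "$1" | cut -c2)" = w ] ;;
        x) case "$(printf '%s' "$1" | cut -c3)" in x|s|t) true ;; *) false ;; esac ;;
        *) echo "triad_allows: unknown action '$2'" >&2; false ;;
    esac
}

# unix_allows MODE OWNER GROUP USER "USERGROUPS" ACTION
# MODE is the 9-character symbolic mode shown by ls -l (e.g. rwxr-x---);
# USERGROUPS is a space-separated list of the user's groups.
# Prints the decision and the class that produced it; exits 0 for allow,
# 1 for deny.
unix_allows() {
    mode=$1 owner=$2 group=$3 user=$4 usergroups=$5 action=$6

    # root (CAP_DAC_OVERRIDE) bypasses read/write bits entirely; execute still
    # requires at least one x bit somewhere in the mode.
    if [ "$user" = root ]; then
        case $action in
            r|w) echo "allow (root bypasses mode bits)"; return 0 ;;
            x) case $mode in
                   *[xst]*) echo "allow (root, some x bit set)"; return 0 ;;
                   *) echo "deny (root, no x bit set)"; return 1 ;;
               esac ;;
        esac
    fi

    # Select exactly one class. An owner match wins even when the group or
    # other bits would have been more permissive.
    if [ "$user" = "$owner" ]; then
        class=owner; triad=$(printf '%s' "$mode" | cut -c1-3)
    elif printf ' %s ' "$usergroups" | grep -qF -- " $group "; then
        class=group; triad=$(printf '%s' "$mode" | cut -c4-6)
    else
        class=other; triad=$(printf '%s' "$mode" | cut -c7-9)
    fi

    if triad_allows "$triad" "$action"; then
        echo "allow ($class bits $triad)"; return 0
    else
        echo "deny ($class bits $triad)"; return 1
    fi
}

# Constructed sample: a report owned by alice, group finance, mode rw-r----- (0640).
demo() {
    printf 'alice reads:  '; unix_allows rw-r----- alice finance alice "staff" r
    printf 'bob   reads:  '; unix_allows rw-r----- alice finance bob "finance staff" r
    printf 'bob   writes: '; unix_allows rw-r----- alice finance bob "finance staff" w
    printf 'carol reads:  '; unix_allows rw-r----- alice finance carol "staff" r
    # The owner-class trap: bob owns this file but its owner triad is ---, so
    # his finance membership does not help him the way an NTFS ACL would.
    printf 'bob (owner, mode ---rw----) reads: '
    unix_allows ---rw---- bob finance bob "finance" r
    return 0
}

demo
```

Over NFS with the traditional AUTH_SYS security flavour, the client sends its numeric uid and gids and the server runs exactly this evaluation against them, which is why a shared account database (LDAP or NIS, as discussed above) matters: uid 1001 must mean the same person on every host. NFS servers also map root to an unprivileged user by default (root_squash), so the root bypass shown here does not carry across the wire.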

Link to this post 20 Jan 12

I almost forgot, if you use a Linux based system you are also getting experience with Unix utilities and methods. You might want to read about the UNIX Philosophy to understand the basic rules and how people explain it: http://en.wikipedia.org/wiki/Unix_philosophy

Link to this post 22 Jan 12

As mfillpot said, you can use either LDAP (OpenLDAP) or NIS for directory/domain services. NIS was an invention of Sun Microsystems (now owned by Oracle) and was widely used on Unix systems for many years. LDAP is more recent, and even Microsoft's Active Directory system is based on it. OpenLDAP is the open source version that Linux uses. This is what I would recommend to current network admins who want to manage large Linux/Unix networks, and/or have them work with Windows networks as well. That last part isn't as "seamless" as we would like, mostly due to Microsoft's predilection for custom "extensions" of open standards such as LDAP, Kerberos, etc...

So, if you have a legacy Unix network, then use NIS. If you have a Linux and/or Linux/Windows network, use OpenLDAP.
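To make the OpenLDAP recommendation concrete, here is an added example (not from the thread or from the OpenLDAP project) showing how a Unix account is represented as a directory entry. It turns /etc/passwd-style lines into RFC 2307 posixAccount LDIF, which is the schema OpenLDAP and Red Hat Directory Server both use for "domain users". The suffix dc=example,dc=com and the accounts in SAMPLE_PASSWD are constructed sample data.

```sh
#!/bin/sh
# Added example: render passwd-style accounts as RFC 2307 posixAccount LDIF.
# The base DN and the sample accounts are constructed for illustration.

# passwd_to_ldif BASE_DN [MIN_UID] < passwd-lines
# Reads colon-separated passwd lines on stdin and writes one LDIF entry per
# account whose UID is >= MIN_UID (default 1000), so system accounts are
# left out of the directory. The password field is ignored on purpose: with
# shadow passwords it only holds "x", and the real hash belongs in a
# shadowAccount entry loaded separately, not in a plain-text LDIF like this.
passwd_to_ldif() {
    base=$1 min_uid=${2:-1000}
    while IFS=: read -r name pw uid gid gecos home shell; do
        # skip blank lines, comments and anything without a numeric UID
        case $name in ''|\#*) continue ;; esac
        [ "$uid" -ge "$min_uid" ] 2>/dev/null || continue
        cat <<EOF
dn: uid=$name,ou=People,$base
objectClass: top
objectClass: account
objectClass: posixAccount
cn: $name
uid: $name
uidNumber: $uid
gidNumber: $gid
homeDirectory: $home
loginShell: ${shell:-/bin/sh}
gecos: ${gecos:-$name}

EOF
    done
}

# Constructed sample input in /etc/passwd format (root is a system account
# and must not end up in the directory).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1001:Bob Example:/home/bob:/bin/sh'

# sample_ldif -> LDIF for the two regular users in SAMPLE_PASSWD.
sample_ldif() {
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif dc=example,dc=com
}

sample_ldif
```

The resulting file is what you would feed to ldapadd (for example `ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f people.ldif`, with the admin DN being whatever you configured), and the posixGroup entries under ou=Group are the counterpart for /etc/group. Client machines then resolve these entries through nss-pam-ldapd or SSSD instead of local files, which is the Linux equivalent of joining the domain; keeping uidNumber and gidNumber identical across all hosts is also what makes NFS permissions behave sensibly.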

Link to this post 22 Jan 12

Not everything is OpenLDAP:

http://www.redhat.com/directory_server/

I use the CentOS version and I'm quite comfortable with it :)

Link to this post 22 Jan 12

Well, the RHEL/CentOS directory server is built upon OpenLDAP (I think), but with a lot more user/admin-friendly features. Not a bad choice if one is running RHEL-based distributions (RHEL, CentOS, Scientific Linux). Thanks marc for bringing it up.
