[lopsa-tech] Directory Server for Apple and Unix Environment
Jason Healy
2015-03-23 11:39:12 UTC
Hello all,

I’m looking to tap the collective wisdom for product selection advice and also recommendations for professional services for our environment. We’re looking to replace our current authentication system. We’re a K-12 that’s all-Apple (about 500 client machines). On the server side, we’re a mix of OS X, Linux, and BSDs.

We currently run Apple’s OpenDirectory (OD). We use it as the central auth for wireless (RADIUS), Apple-based logins (AFP, FileMaker), web services (Apache LDAP auth), and server and bound-client logins. Let’s assume for the moment (lest this thread get out of control) that:

- We want to move away from Apple for auth
- We do NOT want to move to Windows AD

I’ve re-read the recent discussion from October 2014 about “AD for Linux”, and it sounds like there are some good options out there. I’ve got a short list of:

- Samba 4
- FreeIPA
- Apache DS

I’m looking for:

1) Any other projects I should take a look at for central auth.

2) Recommendations for companies that will consult and help us design, build, deploy, and document a functioning central auth system using one of these technologies.

We love figuring stuff out for ourselves, but I’m behind on some projects and this seems like something that we could get some help on rather than mucking about on our own. I know of a couple open-source consulting firms by reputation, but would love to hear of others. We’re near Hartford CT / Springfield MA if we’re talking about local shops.

Thanks in advance for any advice,

Jason
_______________________________________________
Tech mailing list
***@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
Brad Bendily
2015-03-23 12:16:46 UTC
Resending this because I forgot to use the correct outgoing address.

Not sure of the cost, but maybe look at NetIQ/Novell's eDirectory.
Their directory is solid and easily extensible. It's also
standards-compliant LDAP.
Iain Morris
2015-03-23 13:19:12 UTC
I have found the Mac AD client to actually work better with AD than
Apple's own OD client ever did with their own OD servers. Hard to believe,
but the simple solution here is really AD. Massive install base, huge user
community, and very well documented. I'd take the ms technotes over wading
the samba listers any day if it's my job. But I'd like to see freeIPA grow
more. I'd love to not support 2008r2 and 2012 anymore, but AD has worked
well for me for the most clients the most times.

Iain
--
Iain Morris
***@gmail.com
Edward Ned Harvey (lopser)
2015-03-23 12:05:46 UTC
Post by Jason Healy
- We want to move away from Apple for auth
- We do NOT want to move to Windows AD
Unfortunately, I think you're setting your expectations too high, and stepping into a world of hurt. My personal recommendation would be to avoid straying terribly far from the beaten path, and try to get AD, which is the most popular industry standard solution for many good reasons.

Here are a few things I know:

Mac clients do well with OD. But maintaining Apple servers is a stink fest I wouldn't wish upon anyone. Mac clients require some special tricks to work well with AD, but it can be done (unless your users don't get admin privilege on their laptops - in which case, AD works well straight out of the box.) In my experience, everything else - basically LDAP, as I wouldn't seriously consider NIS - works well as long as you never leave the network and have the ability to provide bulletproof reliable networks and directory servers, but works poorly with *all* of your clients (macs, linux laptops, etc) if you have people roaming in and out of your network.

That being said, there are commercial solutions to this problem. First and foremost would of course be AD, but after that... I can name the following products/companies that deserve attention:

Please note, I am not endorsing any of these in particular. I've had minimal exposure to Centrify and LikeWise; they required some work and fiddling to craft a solution, but *could* be used to craft a solution, and that's the point. I have not worked with any of them extensively in production, and I've never used FreeIPA or Vintela at all - I've only heard of them.

* FreeIPA http://www.freeipa.org
* Centrify http://centrify.com
* LikeWise (renamed PowerBroker Identity Services) http://www.beyondtrust.com
* Quest Vintela http://www.quest.com/authentication-services

Jonathan Billings
2015-03-23 14:28:07 UTC
Post by Jason Healy
I’m looking to tap the collective wisdom for product selection
advice and also recommendations for professional services for our
environment. We’re looking to replace our current authentication
system. We’re a K-12 that’s all-Apple (about 500 client machines).
On the server side, we’re a mix of OS X, Linux, and BSDs.
I'm amused everyone seems to be telling you to set up an AD
infrastructure when you have absolutely no windows clients or
servers.

FreeIPA is a pretty good all-in-one solution. It'll support your
macs, BSD and Linux systems natively. Just Kerberos and LDAP. It has
a comprehensive web interface too. Check out the Demo page:

https://www.freeipa.org/page/Demo
--
Jonathan Billings <***@negate.org>
Gilbert Wilson
2015-03-23 16:35:50 UTC
Post by Jonathan Billings
I'm amused everyone seems to be telling you to set up an AD
infrastructure when you have absolutely no windows clients or
servers.
That’s because AD is a first tier directory server for OS X systems. Arguably, at this point, Apple provides better support for AD than OD. With the release of each version of OS X Apple releases a best practices white paper for integrating with AD. The Yosemite update can be found here:

http://training.apple.com/pdf/wp_integrating_active_directory_yosemite.pdf

Googling should find the previous editions.

However, imho, you should avoid binding end-user Macintosh systems to a directory server and focus on the integration of organizational services (like file servers and web applications). If you do bind OS X systems to a directory server make sure to test-test-and-retest every single OS upgrade before deploying. Apple has a habit of carelessly breaking login authentication against directory servers and requiring undocumented workarounds or fixes. You should budget for enterprise support tickets in such cases since talking to a senior advisor at Apple is probably the only way you’ll find a fix in a timely manner.

But of course, ymmv based on different needs and willingness to fiddle. Good luck!

Gil
Tom Perrine
2015-03-23 18:59:14 UTC
How about Identity as a Service, or cloud based auth? Some of them
seem to offer pretty good onboarding/offboarding which I wish we had
when I was at an EDU.

No idea on costs, as we've not looked in that direction ourselves.

Representative services might be Okta, Duo Security?, Ping Identity, etc.
Jason Healy
2015-03-23 21:49:56 UTC
Post by Gilbert Wilson
Post by Jonathan Billings
I'm amused everyone seems to be telling you to set up an AD
infrastructure when you have absolutely no windows clients or
servers.
That’s because AD is a first tier directory server for OS X systems. Arguably, at this point, Apple provides better support for AD than OD.
I am well aware of AD’s place, and we may well consider it on the merits of it being so popular. However, we literally have no basis for supporting Windows. We have no Windows servers, and only 3 Windows clients (point of sale and building management). Every time I do have to interact with Windows, I’m reminded of why I never want to.

It’s just a huge learning curve because the mental model is so different from unix. I don’t know where to look (no /var/log!), what tools to use (grep? less? perl?), which patches to run, do I need antivirus on a server? Obviously, these are all issues that we can be trained up on, but it’s an awful lot for a single service.

Since AD (the protocol/concept) is so well-supported, we may put Samba at the top of the list. We too tried it out right after 4 was released, but found the documentation lacking. It’s been a couple years, so we can give it another chance…

On that note, any consultants to recommend, or has everyone gone it alone on their installs?

Jason

--
Jason Healy | ***@logn.net | http://www.logn.net/
Jonathan Billings
2015-03-23 22:45:30 UTC
Post by Jason Healy
Since AD (the protocol/concept) is so well-supported, we may put Samba at the top of the list. We too tried it out right after 4 was released, but found the documentation lacking. It’s been a couple years, so we can give it another chance…
The Active Directory "protocol" that you'd be using is just Kerberos, LDAP, and DNS (with some SMB thrown in sometimes). Everything else is windows-specific policy/configuration.

--
Jonathan Billings <***@negate.org>
Adam Tauno Williams
2015-03-23 23:00:43 UTC
Post by Jason Healy
I am well aware of AD’s place, and we may well consider it on the
merits of it being so popular. However, we literally have no basis
for supporting Windows.
All my AD DCs are LINUX boxes; there are no Windows DCs.
Post by Jason Healy
It’s just a huge learning curve because the mental model is so
different from unix.
I don't see how. LDAP, Kerberos, and DNS - the most fundamental parts
of Active Directory - are all of UNIX heritage. Active Directory will
happily host and help manage RFC2307 identity information. I mean -
FINALLY - a solution that uses DNS for auto-configuration, it is about
*#&@*&@$ time, why could UNIX/LINUX never get its act together and do
that?
Post by Jason Healy
Since AD (the protocol/concept) is so well-supported, we may put Samba
at the top of the list. We too tried it out right after 4 was
released, but found the documentation lacking. It’s been a couple
years, so we can give it another chance…
STICK TO THE WIKI! It really is drop-n-go. Do not go surfing around
the web, there is too much crap, and Samba4 is not Samba3, so the search
space is polluted. Google is not your friend.

Yes, early 4.0 had some real thorns.
Post by Jason Healy
On that note, any consultants to recommend, or has everyone gone it
alone on their installs?
I've just done it. I actually spend very little time looking at it - it
just rolls.
--
Adam Tauno Williams <mailto:***@whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
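The DNS auto-configuration Jonathan and Adam refer to above (the "AD protocol" being Kerberos, LDAP and DNS, with SRV records telling clients where the KDCs and LDAP servers live) as an added example that is not part of the thread and not code from Samba or FreeIPA: a pure-Python model of the SRV records an AD-style domain publishes, the RFC 2782 ordering a client applies to the answers, and a check for records a domain fails to publish. The zone contents, host names and the example.school domain are constructed.

```python
# Added example (not from the thread). Zone data is constructed and
# example.school is a placeholder domain.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first
    weight: int    # share of traffic among records of equal priority
    port: int
    target: str

Zone = Dict[str, List[SrvRecord]]

# Constructed sample zone: two primary DCs at priority 0 and a
# disaster-recovery DC at priority 10 that clients use only as a fallback.
SAMPLE_ZONE: Zone = {
    "_kerberos._tcp.example.school.": [
        SrvRecord(0, 100, 88, "dc1.example.school."),
        SrvRecord(0, 50, 88, "dc2.example.school."),
        SrvRecord(10, 100, 88, "dc-dr.example.school."),
    ],
    "_kerberos._udp.example.school.": [
        SrvRecord(0, 100, 88, "dc1.example.school."),
    ],
    "_kpasswd._tcp.example.school.": [
        SrvRecord(0, 100, 464, "dc1.example.school."),
    ],
    "_ldap._tcp.example.school.": [
        SrvRecord(0, 100, 389, "dc1.example.school."),
        SrvRecord(0, 100, 389, "dc2.example.school."),
    ],
}

# Records a Kerberos/LDAP client (macOS, sssd, a Samba member) looks up for a
# realm's DNS domain; a domain missing any of them forces hand-maintained
# krb5.conf / ldap.conf entries on every client.
REQUIRED_SERVICES = (("kerberos", "tcp"), ("kerberos", "udp"),
                     ("kpasswd", "tcp"), ("ldap", "tcp"))

def srv_name(service: str, proto: str, domain: str) -> str:
    """Owner name of an SRV record, e.g. _ldap._tcp.example.school."""
    fqdn = domain if domain.endswith(".") else domain + "."
    return f"_{service}._{proto}.{fqdn}"

def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order answers as RFC 2782 tells clients to: ascending priority, and
    within one priority a weighted random draw where weight-0 records are
    chosen only when nothing else is left."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # Weight-0 entries sit first so only a draw of 0 selects them.
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            pick = rng.randint(0, sum(r.weight for r in group))
            running = 0
            for rec in group:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered

def lookup(service: str, proto: str, domain: str, zone: Zone = SAMPLE_ZONE,
           rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Endpoints for a service in the order a client should try them."""
    records = zone.get(srv_name(service, proto, domain), [])
    return [(r.target, r.port) for r in order_srv(records, rng)]

def missing_records(domain: str, zone: Zone = SAMPLE_ZONE) -> List[str]:
    """SRV names the domain must publish for auto-configuration but lacks."""
    return [srv_name(s, p, domain) for s, p in REQUIRED_SERVICES
            if not zone.get(srv_name(s, p, domain))]
```

Replacing SAMPLE_ZONE with answers from a real resolver (for instance dnspython's `dns.resolver.resolve(name, "SRV")`) turns `missing_records` into a quick pre-deployment check that a new Samba 4 or FreeIPA domain actually publishes what bound clients will ask for.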
Edward Ned Harvey (lopser)
2015-03-23 19:31:31 UTC
Post by Jonathan Billings
I'm amused everyone seems to be telling you to set up an AD
infrastructure when you have absolutely no windows clients or
servers.
That's because AD is so popular and well known as to be (usually) the best solution for directory services (and potentially dns/dhcp), even without any windows clients.

Sure, AD can use group policy to do all sorts of fancy things with windows clients that can't be done with non-windows clients, but ignoring the feature set that's not useful to non-windows clients... If you just think about directory services (and potentially dns/dhcp) then client support for AD is still a highly attractive solution, as far as end user experience is concerned, and supporting end users on their laptops.
Morgan Blackthorne
2015-04-06 21:38:31 UTC
Sometimes the best tool for the job is one that you have to go out and buy.
And after having used AD at Rosetta Stone, I'd say AD is the one reason
that I would even spin up a Windows Server. They just _get_ how to solve
this problem better than others do.

That said, my servers are all on Linode, and true AD was off the table. I
settled on using Zentyal to get around it, as I also didn't want to shift
from Ubuntu back to a RedHat derivative. (I support the goals of CentOS,
but I don't really like how out of date they tend to be, and how often
CentOS has lagged behind in pushing out upstream updates.)

--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we
are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS
Adam Tauno Williams
2015-03-23 15:58:08 UTC
Post by Jason Healy
- We want to move away from Apple for auth
- We do NOT want to move to Windows AD
I’ve re-read the recent discussion from October 2014 about “AD for
Linux”, and it sounds like there are some good options out there.
- Samba 4
+1 Samba4: Works great, easy to set up, lots of tools. And
documentation for Active Directory generally applies 99.44%, so a low
obscurity factor.
--
Adam Tauno Williams <mailto:***@whitemice.org> GPG D95ED383
OpenGroupware Developer <http://www.opengroupware.us/>
Edward Ned Harvey (lopser)
2015-03-23 19:34:43 UTC
Post by Adam Tauno Williams
+1 Samba4: Works great, easy to setup, lots of tools. And
documentation for Active Directory generally applies 99.44% so a low
obscurity factor.
I have not personally had that great an experience with samba4, but my experience was a long time ago when it was new.

I say: +1 for samba4. Given that the OP said "No AD" and AD would be the recommended answer otherwise - I say samba4 is the first thing to try. And if it proves as confusing and difficult to manage as I recall, then back to AD.
Brian J. Atkisson
2015-03-24 00:24:59 UTC
+1 for FreeIPA or Red Hat IdM (if you wanted the supported version).

If you don't want the full blown IPA product with Kerberos and PKI,
you can use the 389 Directory Server. I've found it to have the best
multi-master support of any of the options out there.

Disclaimer: I do work with the 389 DS developers on occasion and
run a large 389/RHDS cluster.

Cheers,
Brian
waz0wski
2015-04-06 21:05:04 UTC
Another +1 for FreeIPA.

It will be very helpful if you're familiar with ssl, ldap, kerberos, osx authentication and account management in the case of needing to troubleshoot.

I've migrated a small office (~100 OSX clients) from OpenDirectory to FreeIPA without too many headaches -- accounts with expired passwords (users ignore the notifications...) and fine-tuning the account lockout and expiration policies were only trouble.

Here are my notes <http://distortion.io/~waz0wski/2014/11/osx-ipa-auth/> -- not much client work since our workstation user accounts were configured as "mobile" accounts with only local data (no sync) and had matching first.last account names between directories. Just a quick reconfig of auth on the workstation, reset user dir permissions, and logout/login.
Brad Bendily
2015-03-23 12:13:06 UTC
Not sure of the cost, but maybe look at NetIQ/Novell's eDirectory. Their directory is solid and easily extensible. It's also standards-compliant LDAP.