Advice sought: User accounts directory and mail

Our company currently has a few individually managed offices throughout Australia.


We are now planning to implement a single national user accounts directory and single email domain.


Our head office has an OD serving 200 clients, while our other offices don't use any form of directory services at all.



The question is: what kind of Directory and Authentication services should we implement? What are other people doing?





The Desirable Qualities we're looking for are:

  • Stability, directory shouldn't get corrupted every second week.
  • Ability to manage preferences of Mac OS X and Windows clients
  • Open and easy to integrate with other systems incl:
    • RADIUS - in order to use 802.1x
    • PHP for our Intranet site
    • FileMaker database
  • Low TCO
  • Future proof: continued development, still suitable in foreseeable future, scalable.



I have done a little bit of research and currently we have 3 possible candidates:

- OD

- AD

- FreeRADIUS with OpenLDAP



Active Directory

Suitability

  • General agreement is that AD is very stable
  • By far the best system for managing Windows clients
  • AD can be extended to manage Mac OS X clients as well
  • RADIUS integration possible[1]
  • Can integrate with PHP using free and opensource adLDAP[2]
  • Can integrate with FileMaker
  • Relatively future-proof: Been around since 2000 and all indication that there will be Windows and Mac OS X support in foreseeable future. It is very scalable, easily supporting millions of users. Only possible downside is the proprietary nature and reliance on a single vendor – they can jack CAL prices up anytime and we have no negotiating power. They can also make undesirable changes to AD, which may not have 3rd party workarounds.

Cost

$899 / OEM server + $170 / 5-user CAL

2 x Server + 300 CAL = $11998

Future CALs: $55/ea.[3]

Microsoft licensing is onerous. The time taken to manage licensing and maintain compliance should be added to the TCO - many, many hours / year.




Open Directory

Suitability


OD easily gets corrupted – not as stable as AD

Windows group policy management limited

Mac OS X preference management through OD works well

RADIUS: Mac OS X server includes an underlying FreeRADIUS installation for its Airport connections and this might be configurable to work with 802.1x[4]

PHP has some LDAP functions that could work with OpenDirectory[5]

FileMaker can use Open Directory.

Future support less certain than with alternatives. Scalability questionable.


Cost


$80 / server license x 2 = $160



FreeRADIUS and OpenLDAP

Suitability


RADIUS was developed in 1991, freeRADIUS specifically in 1999. It's widely used (at least 100 million users in 2006[6]) and considered very stable.

In itself, freeRADIUS is an authentication, authorisation & account system only and cannot manage preferences or store directory information; however, it can integrate with LDAP[7]

Integration with LDAP should allow us to manage Mac OS X client preferences; unsure about Windows group policies.

The PHP LDAP libraries will allow intranet integration.

Seems like no FileMaker authentication – FileMaker only authenticates with OD and AD[8]


Cost


Free





[1]http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO

[2]http://adldap.sourceforge.net/

[3]http://umart.com.au/newindex2.phtml?bid=5 - click on Software

[4]http://hints.macworld.com/article.php?story=20071130134610850

[5]http://php.net/manual/en/book.ldap.php

[6]http://freeradius.org/press/survey.html

[7]http://wiki.freeradius.org/LDAP

[8]Page 6 of http://help.filemaker.com/ci/fattach/get/24602/





In summary, I don't feel Open Directory is scalable and stable enough (it often gets corrupted resulting in us not being able to delete accounts, etc.).


Active Directory may be the way to go, but my preference is always for open standards rather than proprietary plus I'd like to avoid Microsoft licensing and costs.


FreeRADIUS and OpenLDAP look great, but I haven't heard of many people managing Macs this way. Also, FileMaker can't authenticate to it; although this is desirable, it's not completely vitally essential.



Any thoughts, comments, ideas highly appreciated!


Thanks

Xserve, Mac OS X (10.6.7)

Posted on Aug 4, 2011 1:07 AM
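The post mentions PHP's LDAP functions twice (for Open Directory and for an OpenLDAP back end) as the way to hook the intranet site into whichever directory is chosen. The following is an added example, not code from the original post, showing the shape of a safe intranet login against an LDAP directory with PHP's ext/ldap: it refuses empty passwords (an LDAP simple bind with an empty password is an anonymous bind and succeeds on many servers), escapes the username before putting it in a search filter (`ldap_escape`, available from PHP 5.6), resolves the user's DN, and then binds as that DN so the directory itself checks the password. The server URI, base DN, attribute name and the assumption that the user container allows anonymous search are all placeholders to adjust for your directory.

```php
<?php
// Added example (not from the original post): intranet login against an
// LDAP directory (OpenLDAP or Open Directory) using PHP's ext/ldap.
// Assumed placeholder values: server, base DN and user attribute.
const LDAP_URI      = 'ldaps://ldap.example.internal';    // assumption: LDAPS endpoint
const LDAP_BASE_DN  = 'ou=People,dc=example,dc=internal'; // assumption: user container
const LDAP_UID_ATTR = 'uid';                              // 'sAMAccountName' on AD

/**
 * Authenticate a user by looking up their DN and binding as that DN.
 * Returns the user's DN on success, or null on failure.
 */
function ldapAuthenticate(string $username, string $password): ?string
{
    // Reject empty or whitespace-only passwords before touching the server:
    // a simple bind with an empty password is an anonymous bind and succeeds
    // on many directories, which would log anyone in as any user.
    if (trim($password) === '') {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape the username for use inside a search filter so that characters
    // such as '*', '(', ')' and '\' cannot change the filter's meaning.
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter   = sprintf('(&(objectClass=person)(%s=%s))', LDAP_UID_ATTR, $safeUser);

    // Resolve the DN with a read-only anonymous bind. Assumption: the directory
    // allows anonymous search on the user container; if not, bind here with a
    // dedicated low-privilege service account instead.
    if (!@ldap_bind($conn)) {
        ldap_unbind($conn);
        return null;
    }
    $result = ldap_search($conn, LDAP_BASE_DN, $filter, ['dn']);
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        ldap_unbind($conn);
        return null; // no match, or an ambiguous match
    }
    $entry  = ldap_first_entry($conn, $result);
    $userDn = ldap_get_dn($conn, $entry);

    // Bind as the user's own DN: the directory verifies the password for us.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);

    return $ok ? $userDn : null;
}

// Usage from a login handler (example):
// $dn = ldapAuthenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($dn === null) { /* show login failure */ }
```

The two-step search-then-bind pattern is the same against OpenLDAP, Open Directory or Active Directory; only the URI, base DN and the attribute used as the login name change, which is what makes the intranet side of the decision largely independent of which directory the company settles on.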
