On Sat, 2010-10-02 at 21:52 -0700, Iain Morris wrote:
On Sat, Oct 2, 2010 at 7:29 PM, Craig White <craigwhite@azapple.com> wrote:
---- This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
Not to stray much further off the subject, nor defend AD much further on the CentOS list, but AD does a lot more than user/group auth. In fact it does everything in your list (DNS, mail access lists, etc), and quite a bit more out of the box.
Apple's Open Directory is a nice start, but pretty far behind in the race. In fact if I had a 1000 Mac installation, I'd rather build an AD domain and extend the schema to include the Apple attributes and use WG Manager for the Macs. I honestly believe Apple has put more engineering time into their AD plugin than their OD native interface.
Believe me I'm no Microsoft enthusiast, but AD is a capable and mature product for the job. Obviously for maximum flexibility stock MIT Kerberos and OpenLDAP win, but I think I'd be wasting a lot of time using them bare-bones when administrating a large multi-site organization. Open-source is free, but it's definitely not free once you start spending your evenings combing mailing lists and debugging fringe issues that keep your business from meeting its goals.
---- AD yes, LDAP no
You have to go to different tools for everything...
Mail (routing/aliases) - Exchange
DNS - Their DNS tool
I have no problem using OpenLDAP to set up/configure not only users but also automounts for Linux/Macintosh users, central user/group authentication, and even share the home directories across the board (Linux/Macintosh/Windows users, so regardless of which system they use, they have access to the same files). You aren't going to get that done with Active Directory tools.
Active Directory provides a fairly decent configuration tool set for the unimaginative administrator who wants to do everything the Microsoft way, but try extending AD's LDAP. If I had a large multi-site organization, the last tool I would use is AD.
Craig