On Sat, 2010-10-02 at 21:40 -0400, Tom H wrote:
> On Sat, Oct 2, 2010 at 9:02 PM, Iain Morris <iain.t.morris at gmail.com> wrote:
> > No one seems to like AD. I actually find it to be fairly manageable compared
> > to stock LDAP/Kerberos. The management tools blow OpenLDAP out of the
> > water. I laugh at myself saying it, but if you want simple management of a
> > big installation, AD is pretty dang tested these days and it's not hard to
> > integrate other systems in that environment if you have admin control of the
> > schema.
>
> As long as we are recommending non-CentOS, non-Linux systems, I'd like
> to mention OS X Server as a good GUI, works-straight-out-of-the-box
> implementation of OpenLDAP...

----

This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management, then you have a lack of imagination.

It is a great disservice to suggest that AD tools 'blow OpenLDAP tools out of the water', or that Apple's GUI implementation of their fork of OpenLDAP from several years ago is actually a reasonable solution. For that matter, you should also have mentioned Fedora-DS, RedHat-DS and FreeIPA, which all use the previous Netscape Directory Server code that Red Hat has worked to open source, because those all share a functional GUI. There are also a number of very functional GUIs such as GoSA and LDAPAdmin if you require such crutches, or, for that matter, a properly configured LDAP & Samba setup allows you to use Microsoft User and Group Management tools anyway.

The reality is that LDAP was designed to be completely flexible for many possible needs, and Microsoft's AD, Apple's OpenDirectory and Fedora-DS (and derivatives) all use a predetermined setup that constrains the usage of LDAP rather than enhancing it. Shared address books? Mail routing? Mail aliases? DNS?

Personally, I use Webmin's LDAP Users & Groups to manage LDAP users and groups, which rather cleverly allows me to create all the custom attributes and objectclasses that I routinely use with LDAP and that I could never get out of the other GUIs, giving me infinitely more flexibility and power.

Craig
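To make the point above concrete (one LDAP entry serving authentication, the shared address book and mail routing at once, plus a DNS record held in the directory), here is an added LDIF example. It is not part of the thread and not Craig's configuration. It assumes an OpenLDAP server with the `cosine.schema` and `misc.schema` files shipped with OpenLDAP loaded (they define `dNSDomain` and `inetLocalMailRecipient` respectively); the suffix `dc=example,dc=org`, the user `jdoe`, the addresses, the host names and the 192.0.2.10 address are all constructed placeholders.

```ldif
# Added example, not from the original thread. Placeholders throughout.
#
# A person entry that stacks one structural class (inetOrgPerson) with
# auxiliary classes, so the same object answers POSIX logins (posixAccount),
# address-book lookups (inetOrgPerson attributes) and MTA routing queries
# (inetLocalMailRecipient from misc.schema).
dn: uid=jdoe,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: inetLocalMailRecipient
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
# posixAccount: what NSS/PAM need for a Unix login
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}REPLACE-WITH-REAL-HASH
# Address-book attributes
mail: jdoe@example.org
telephoneNumber: +1 555 0100
# Mail routing: accepted local addresses and where the MTA should deliver
mailLocalAddress: jane.doe@example.org
mailLocalAddress: jdoe@example.org
mailRoutingAddress: jdoe@mailhost.example.org
mailHost: mailhost.example.org

# A DNS zone entry using the dNSDomain class from cosine.schema, so an
# LDAP-backed DNS server can serve the zone from the same directory.
dn: dc=example,dc=org
objectClass: dNSDomain
dc: example
aRecord: 192.0.2.10
mXRecord: 10 mailhost.example.org
nSRecord: ns1.example.org
```

Loading the file with `ldapadd -x -D "cn=admin,dc=example,dc=org" -W -f entries.ldif` (admin DN assumed) creates both entries; the MTA then looks up `mailLocalAddress` to find `mailRoutingAddress`, while the same `uid=jdoe` entry is what PAM/NSS and the address-book client read, which is the flexibility the reply is describing.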