> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Jason Healy
>
> Apple (about 500 client machines). On the server side, we're a mix of OS X,
> Linux, and BSDs.
>
> We currently run Apple's OpenDirectory (OD). We use it as the central auth
> for wireless (RADIUS), Apple-based logins (AFP, FileMaker), web services
> (Apache LDAP auth), and server and bound-client logins. Let's assume for
> the moment (lest this thread get out of control) that:
>
> - We want to move away from Apple for auth
> - We do NOT want to move to Windows AD

Unfortunately, I think you're setting your expectations too high, and stepping into a world of hurt. My personal recommendation would be to avoid straying terribly far from the beaten path, and try to get AD, which is the most popular industry standard solution for many good reasons.

Here are a few things I know:

Mac clients do well with OD. But maintaining Apple servers is a stink fest I wouldn't wish upon anyone.

Mac clients require some special tricks to work well with AD, but it can be done (unless your users don't get admin privilege on their laptops - in which case, AD works well straight out of the box.)

In my experience, everything else - basically LDAP, as I wouldn't seriously consider NIS - works well as long as you never leave the network and have the ability to provide bulletproof reliable networks and directory servers, but works poorly with *all* of your clients (Macs, Linux laptops, etc.) if you have people roaming in and out of your network.

That being said, there are commercial solutions to this problem. First and foremost would of course be AD, but after that... I can name the following products/companies that deserve attention:

Please note, I am not endorsing any of these in particular. I've had minimal exposure to Centrify and LikeWise; they required some work and fiddling to craft a solution, but *could* be used to craft a solution, and that's the point. I have not worked with any of them extensively in production, and I've never used FreeIPA or Vintela at all - I've only heard of them.

* FreeIPA http://www.freeipa.org
* Centrify http://centrify.com
* LikeWise (renamed PowerBroker Identity Services) http://www.beyondtrust.com
* Quest Vintela http://www.quest.com/authentication-services