> From: tech-boun...@lists.lopsa.org [mailto:tech-boun...@lists.lopsa.org]
> On Behalf Of Jason Healy
> 
> Apple (about 500 client machines).  On the server side, we're a mix of OS X,
> Linux, and BSDs.
> 
> We currently run Apple's OpenDirectory (OD).  We use it as the central auth
> for wireless (RADIUS), Apple-based logins (AFP, FileMaker), web services
> (Apache LDAP auth), and server and bound-client logins.  Let's assume for
> the moment (lest this thread get out of control) that:
> 
>  - We want to move away from Apple for auth
>  - We do NOT want to move to Windows AD

Unfortunately, I think you're setting your expectations too high, and stepping 
into a world of hurt.  My personal recommendation would be to avoid straying 
terribly far from the beaten path, and try to get AD, which is the most popular 
industry standard solution for many good reasons.  

Here are a few things I know:

Mac clients do well with OD.  But maintaining Apple servers is a stink fest I 
wouldn't wish upon anyone.  Mac clients require some special tricks to work 
well with AD, but it can be done (unless your users don't get admin privilege 
on their laptops - in which case, AD works well straight out of the box.)  In 
my experience, everything else - basically LDAP, as I wouldn't seriously 
consider NIS - works well as long as you never leave the network and have the 
ability to provide bulletproof reliable networks and directory servers, but 
works poorly with *all* of your clients (Macs, Linux laptops, etc.) if you have 
people roaming in and out of your network.

That being said, there are commercial solutions to this problem.  First and 
foremost would of course be AD, but after that...  I can name the following 
products/companies that deserve attention:

Please note, I am not endorsing any of these in particular.  I've had minimal 
exposure to Centrify and LikeWise; they required some work and fiddling to 
craft a solution, but *could* be used to craft a solution, and that's the 
point.  I have not worked with any of them extensively in production, and I've 
never used FreeIPA or Vintela at all - I've only heard of them.

* FreeIPA http://www.freeipa.org
* Centrify http://centrify.com 
* LikeWise (renamed PowerBroker Identity Services) http://www.beyondtrust.com 
* Quest Vintela http://www.quest.com/authentication-services 

_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
