Just wondering since I just now am getting into that kind of stuff.
Is there an equivalent of Active Directory in Linux or does Linux use a totally different approach to it?
dkeav
07-13-2003, 12:48 AM
what do you mean by Active Directory? I assume you mean the main directory you will base your work out of, that will roughly be your home directory which is /home/yourusername
you can expand that directory with more directories to make any file structure your mind can think of
nextbillgates
07-13-2003, 12:57 AM
There is no equivalent to Active Directory that I know of. Samba is the closest, but that is more like the NT4 domain structure than Active Directory.
nextbillgates
07-13-2003, 12:58 AM
If you're really desperate, you can string together Kerberos, OpenLDAP, Sendmail, CryptoAPI, and Samba and make something that resembles Active Directory ;)
dkeav
07-13-2003, 01:16 AM
ahh that, what was said above, if you want net access to it, you might look at webDAV too
bazoukas
07-13-2003, 01:33 AM
so would you guys think that windows has an advantage on this one? :(
Am asking because I read in some other forums from people who really like Linux but use windows at work, raving on how good the idea is and so on.
For me with the little that I know on this topic, with Linux you put users in certain groups, allow them access to certain directories/files and that's all you need. I know it's not that simple but in general that's how it works, no?
What does Active Directory do differently? I don't get it.
For real, sorry if my question sounds stupid. I am just really wondering. :confused:
dkeav
07-13-2003, 01:36 AM
I don't think it's a great idea, sounds like a major security risk, and knowing Windows, how many patches have they had to put on it already, and in the future
Suramya
07-13-2003, 02:02 AM
Hi,
The closest equivalent would be LDAP (http://www.openldap.org/), the Lightweight Directory Access Protocol.
In case you're not familiar with LDAP, it is a protocol designed to allow quick, efficient searches of directory services. Built around Internet technologies, LDAP makes it possible to easily update and query directory services over standard TCP/IP connections, and includes a host of powerful features, including security, access control, data replication and support for Unicode. (Quote from Devshed.org -> http://www.devshed.com/Server_Side/PHP/PHPwithLDAP/PHPwithLDAP1/page1.html)
Hope this helps.
- Suramya
nextbillgates
07-13-2003, 02:10 AM
For me with the little that I know on this topic, with Linux you put users in certain groups, allow them access to certain directories/files and that's all you need. I know it's not that simple but in general that's how it works, no?
What does Active Directory do differently? I don't get it.
Active Directory is much more than this.
Some of the things I can do with Active Directory:
Push software (such as Office, Outlook, AutoCAD, etc) to a specific group of users, and have that software automatically uninstall itself should it leave the domain.
Require certain software (service packs, antivirus)
Lock down/grant certain features to a specific set of users
Centralize management of security, such as password length and complexity, security logon warnings, file and folder access etc.
AD isn't nearly as powerful for home users, but it has its advantages. Some of the non-business uses I can think of:
Allowing you to log in with the same profile anywhere in the house.
Streamlining software installation for LAN parties.
dkeav, I don't want to sound rude, but it's quite obvious that you have absolutely no idea what Active Directory actually is. There have been very few security vulnerabilities within Active Directory, which is amazing considering the scale of it. And since it makes heavy use of Kerberos, it's one of the most secure commercial-level directories out there. If you would like me to give you some links explaining what Active Directory is and how it works, I would be glad to.
Alex Cavnar, aka alc6379
07-13-2003, 02:13 AM
Well, you have to look at it from a couple perspectives:
1.) Since Microsoft is in charge of every aspect of the production of the Windows OS, they can more tightly integrate Active Directory into the Windows permissions schema.
2.) Since it's tightly integrated into Windows, Active Directory serves as a framework for probably every user-related function when a machine is part of an Active Directory domain.
As far as I know, there's nothing that is a drop-in replacement in Linux for Microsoft's Active Directory. Linux is pretty fragmented compared to AD, because AD doesn't just deal with users, but it controls all of the resources in a domain, from disk quotas, printer usage, program availability, and file permissions. Much more is available as well.
In Linux, you can use NIS or LDAP to make a distributed user domain scenario. With an NIS master server and NIS-enabled clients in a domain, you can provide user authentication similar to Active Directory. Since NIS and other directory services allow for such authentication, you also have a platform to deploy uniform file permissions across multiple systems.
As for everything else, there are systems that provide the same functionality, like sendmail, etc for mail service, and cups for printing services. If you tied all of these services together, you'd have a pretty reasonable setup.
Linux/*NIX boxen can participate in Active Directory domains. They can act as Domain Controllers and provide authentication with SAMBA, and I've heard they can also use SAMBA to authenticate users into an Active Directory domain.
So, in a nutshell, there's not a single-stop solution in the *NIX world that I've found to replace Active Directory, but it is possible to perform all of the functions of AD with currently existing *NIX tools.
nextbillgates
07-13-2003, 02:15 AM
So, in a nutshell, there's not a single-stop solution in the *NIX world that I've found to replace Active Directory, but it is possible to perform all of the functions of AD with currently existing *NIX tools.
Almost, but not quite. I have yet to find a *NIX equivalent to Group Policy.
Alex Cavnar, aka alc6379
07-13-2003, 02:32 AM
Originally posted by nextbillgates
Almost, but not quite. I have yet to find a *NIX equivalent to Group Policy.
That's probably because there isn't one.
Group policy is something that the *NIX world has been lacking. I mean, most commercial unices are now shipping with Access Control Lists, which aren't quite the same as Group Policy, but at least it takes a step closer to a better permission scheme. With FreeBSD 5 and certain versions of Linux, there is an implementation of ACLs, but sadly, no group policy. :(
That's one thing that I've always complained about with UNIX. Having some sort of permissions scheme is better than nothing, but it could stand to be a little more flexible.
But, I don't think that fully addresses the Group Policy issue. It does control more than file permissions, right? I think it even branches out into Desktop Themes, permission to run certain programs, and many more objects... For that, I don't think there is a direct UNIX equivalent, but I'm not as familiar with the multitude of commercial UNIX systems.
bazoukas
07-13-2003, 03:23 PM
Originally posted by Alex Cavnar, aka alc6379
That's probably because there isn't one.
Group policy is something that the *NIX world has been lacking. I mean, most commercial unices are now shipping with Access Control Lists, which aren't quite the same as Group Policy, but at least it takes a step closer to a better permission scheme. With FreeBSD 5 and certain versions of Linux, there is an implementation of ACLs, but sadly, no group policy. :(
That's one thing that I've always complained about with UNIX. Having some sort of permissions scheme is better than nothing, but it could stand to be a little more flexible.
But, I don't think that fully addresses the Group Policy issue. It does control more than file permissions, right? I think it even branches out into Desktop Themes, permission to run certain programs, and many more objects... For that, I don't think there is a direct UNIX equivalent, but I'm not as familiar with the multitude of commercial UNIX systems.
So you mean, in other words, that when it comes to group policy Unix/Linux needs more refinement?
Alex Cavnar, aka alc6379
07-14-2003, 03:09 AM
Originally posted by bazoukas
So you mean, in other words, that when it comes to group policy Unix/Linux needs more refinement?
Bingo.
At least, that's with the information I've been fed.
Standard UNIX systems don't have ACLs, and there's not anything like role based access control that I'm aware of.
Group file permissions work fine as they are, but they could use some refinement. I mean, if you look at other OSes' file permission schemes, they all allow you to define different permissions for different groups and even specify different permissions for more than one specific user. With the exception of ACL-enabled unices, that is one thing UNIX systems are lacking.
So yeah, you hit the nail on the head with your statement.
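Added illustration, not part of any post in this thread: the access check that ACL-enabled systems perform (the POSIX.1e draft algorithm documented in Linux acl(5)), next to plain owner/group/other mode bits. It shows the per-group and per-user permissions discussed above; all user names, group names and permission strings are constructed.

```python
# Added example: the POSIX.1e draft ACL access check that Linux documents in acl(5).
# Every user, group and permission string below is constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Acl:
    owner: str
    group: str
    user_obj: str                                 # owner permissions, e.g. "rw-"
    group_obj: str                                # owning-group permissions
    other: str                                    # everyone else
    users: dict = field(default_factory=dict)     # named user -> permissions
    groups: dict = field(default_factory=dict)    # named group -> permissions
    mask: Optional[str] = None                    # ceiling for all but owner/other

def _has(perms, want):
    return all(bit in perms for bit in want)

def allowed(acl, user, user_groups, want):
    """True if `user`, a member of `user_groups`, is granted every bit in `want`."""
    def masked(perms):
        return _has(perms, want) and (acl.mask is None or _has(acl.mask, want))
    if user == acl.owner:                         # 1. owner entry, never masked
        return _has(acl.user_obj, want)
    if user in acl.users:                         # 2. named user entry decides alone
        return masked(acl.users[user])
    matching = [acl.group_obj] if acl.group in user_groups else []
    matching += [p for g, p in acl.groups.items() if g in user_groups]
    if matching:                                  # 3. any matching group may grant
        return any(masked(p) for p in matching)
    return _has(acl.other, want)                  # 4. fall through to "other"

# Classic mode bits (rw-r-----): one owner, one group, everyone else.
PLAIN = Acl("alice", "eng", "rw-", "r--", "---")
# The same file with an ACL: two more groups and two named users, each with own rights.
WITH_ACL = Acl("alice", "eng", "rw-", "r--", "---",
               users={"carol": "rw-", "erin": "---"},
               groups={"audit": "r--", "ops": "rw-"}, mask="rw-")

def demo():
    """Collect the decisions that differ between the two schemes."""
    return {
        "ops member writes, mode bits": allowed(PLAIN, "bob", {"ops"}, "w"),
        "ops member writes, ACL": allowed(WITH_ACL, "bob", {"ops"}, "w"),
        "audit member writes, ACL": allowed(WITH_ACL, "dave", {"audit"}, "w"),
        "erin in ops but denied by name": allowed(WITH_ACL, "erin", {"ops"}, "r"),
    }

if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{label}: {decision}")
```

A named user entry is evaluated before any group entry, so an explicit empty entry for one user overrides whatever that user's groups would grant.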
hard candy
07-14-2003, 11:06 PM
Novell is porting their eDirectory to Novell Linux:
Novell (http://www.novell.com/linux/nterprise_linux_services_2.html)
It seems they are starting to support linux a lot more since their customers are starting to support it.
hlrguy
07-14-2003, 11:43 PM
Reading the replies, I get an idea what it is, but I can state that it must not be really needed. I work at a Unix only shop, 4K employees at this campus (and 130K worldwide, all Unix except managers who only seem capable of using Windows...go figure :D ) , and we seem to get along alright without it. I am unsure of the push software to different domains...isn't that the same as allowing an NFS mount while keeping the actual install local, it can't run unless it is on the allowed domain? I am really curious about this because I have heard of AD before and how no one can function without it...I am wondering why.
Magically, we have a central password system, one password across the world, even when I log in overseas, for all different access programs (i.e. the same for payroll, email, workstation login, 401K services, and on and on)
I can also access anyone's home directory, ANYONE's, worldwide by
cd ~/<username>
I have ldap on mozilla and simply start typing names and every employee that matches in a reducing list as I type is listed.
Anytime that I register or change my password, it states that the password can take up to an hour to be available for all services worldwide...I doubt that there is a person pushing it around manually anytime one of us changes it.
All of the above has been this way for my 12 year career...did MS simply bundle all of the individual things together into a system and call it Active Directory?
Bazoukas...thanks for the thread. :)
hlrguy
P.S. I read
http://www.microsoft.com/windows2000/server/evaluation/features/dirlist.asp
and it talks all about Active Directory without actually saying anything useful.
Alex Cavnar, aka alc6379
07-15-2003, 12:27 PM
Originally posted by hard candy
Novell is porting their eDirectory to Novell Linux:
Novell (http://www.novell.com/linux/nterprise_linux_services_2.html)
It seems they are starting to support linux a lot more since their customers are starting to support it.
I think with version 6 of Netware, Novell added Linux support. You could add them into the Netware tree and allow the Linux machine to authenticate itself via a Novell server. I think this is because Novell started to implement LDAP into its directory services scheme.
But to hlrguy: Your shop is a prime example of how you don't need Active Directory. Like I've been saying, you can use NFS mounts for home directories, LDAP/NIS for domain logons, and many other UNIX tools can be used to give you the approximate functionality of an Active Directory domain. There are some things like Group Policy that Active Directory is more flexible with, though. Pushing through software upgrades via NFS still isn't as powerful as the way Active Directory does it, though.
gretchen
07-15-2003, 03:50 PM
Random thought:
Windows: bundle everything into one huge tool - when it breaks replace the whole thing
Unix: small individual tools that do one job and do it well
Sounds like it applies here.
Suramya
07-15-2003, 04:15 PM
Here is a link with some info on Active Directory:
Windows: bundle everything into one huge tool - when it breaks replace the whole thing
Unix: small individual tools that do one job and do it well
Sounds like it applies here.
That's pretty much the case.
Kaligraphic
07-16-2003, 02:14 AM
alc6379 - you say that Linux can act as a domain controller? How? And can it take on operations master roles?
nextbillgates
07-16-2003, 02:31 AM
hlrguy, most of Active Directory's benefits over your UNIX implementation are behind the scenes. If you had to manage such a domain, the difference between Active Directory and what you describe is night and day.
I'm not sure how well it works as a domain controller, but it does work, at least at some basic level. I'd expect it works fairly well, but I've never tried it, so I don't know for sure. Maybe Alex has some better idea(s). Good luck. :)
hlrguy
07-16-2003, 10:29 PM
Originally posted by nextbillgates
hlrguy, most of Active Directory's benefits over your UNIX implementation are behind the scenes. If you had to manage such a domain, the difference between Active Directory and what you describe is night and day.
You might be right, but with the size of my company, I am sure one/all of the IT unix gurus have it to an exact science the way the company needs it.
hlrguy
av8or
07-31-2003, 08:57 AM
Just an FYI, here's a great article detailing how to configure a Linux system to authenticate against Active Directory:
http://www.securityfocus.com/infocus/1563
CoffeeBean
07-31-2003, 10:16 AM
Although I am a *nix noob... I am sort of familiar with x.500 databases; or directory services like Active Directory and NDS/eDirectory. I would suggest checking out the ldap open source movement, or for a "shrink wrapped" product, check out Novell's eDirectory, formerly NDS. It runs on just about any hardware and software platform, including Linux, heck you can even replace AD and run eDirectory on Windows:-)
av8or
07-31-2003, 10:21 AM
CoffeeBean and others are right, Novell's eDirectory is a great "Directory Service" integration product.
From what I've heard, either the next release or one of the subsequent releases of Novell's Netware product will be wrapped around the Linux Kernel. I had a friend that went to Novell's Brainshare a couple months back and they announced it there. I for one sure hope it's true. :-)
justlinux.com