[SASAG] OS X and Open Directory versus Windows and Active Directory

Atom Powers atom.powers at gmail.com
Fri May 11 16:20:51 PDT 2007

I can't speak directly to the OD vs AD issue; but it wasn't too long
ago that I was faced with a choice of directory services to implement.
From the ground up.

My boss wanted OpenDirectory, because he likes Macs. We found that
OD's schema is a little odd, instead of using lots of different
attribute types it collects them into one or a few attributes and
somehow parses out the information it needs from that attribute. Very
strange behavior for a directory service, so we looked at other

Microsoft Active Directory was right out, none of us want to be
trapped by the "Microsoft Way" of doing things. Especially since the
Microsoft Way of doing a directory service is only a little bit like
LDAP everywhere else.

The Sun and Red Hat directory services are good options, but they rely
very heavily on Java for their management tools and nobody in my
department knows Java well enough to understand those tools.

So we went with OpenLDAP and created our own schema objects. We run a
samba domain from it and have ldap-auth running on all our linux/bsd
systems. The schema is easy enough to modify that we have been able to
add support for managing user faculty and student accounts, four
different kinds of workstations, software licenses, and a host of
other things. The greatest drawback is that we have to develop our own
management tools.

Regarding OD vs AD; I would recommend staying away from AD unless the
vast majority of your systems are MS Windows or you need to manage
many MS Windows domains or domains in many locations. If you need to
use the directory service for non-MS applications you are better off
with OD, MS just doesn't play well with others.

But regardless of what kind of advice you get you should make sure
that whatever choice you make works for all your applications; it
isn't hard to build test cases and you certainly don't want to migrate
(or not) and then discover that some app you rely on can't read from
your directory service.

On 5/11/07, Berry Sizemore <berry.sizemore at gmail.com> wrote:
> Greetings,
> I recently accepted a position with an application development company fifty
> people large.  It's a very stimulating environment thus far.  We have
> Sun/Solaris, OS X on Apple, virtualized Linux and Windows Server 2000/2003.
> The projects are varied, and include web and non-web applications.  Our IT
> executive has decided to convert the company from OS X's implementation of
> Open Directory (OD) to Windows Active Directory (AD) because in his words
> "It's more mainstream."  He asked the question, "If you could build from the
> ground up, what would you choose?"  He has given us a week to provide "a
> compelling reason" not to.  It's his goal to "develop a consensus among the
> IT department".
> I do not have great depth in my AD knowledge, so am unable to provide a very
> good competitive analysis.  I'm pretty light on my OD knowledge too.  Since
> OD is working very well at this time, I instinctively do not wish to change
> it.  We also have an AD implementation that works just fine as well.  This
> is the result of a recent merger.  One main goal is to implement Sharepoint.
>  I feel integrating the two is the best way to go.  We've already discussed
> our feelings, and now it's time to show an analysis which favors OD or OD/AD
> integration, which compels my manager to not go retool everything to AD.
> I'm very interested in looking at TCO, pro/con and benefits comparison
> analyses, or any other documentation that clarifies why I would stay with OD
> or choose to integrate AD.
> If you find the time to respond, it would be most appreciated.
> Thank you,
> Berry Sizemore
> _______________________________________________
> Members mailing list
> Members at lists.sasag.org
> http://lists.sasag.org/mailman/listinfo/members

Perfection is just a word I use occasionally with mustard.
--Atom Powers--
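Atom's last point, build test cases so you find out before the migration which applications can and cannot read your directory, is the kind of thing a short script settles. The block below is an added example and is not code from the thread or from any of the products mentioned. It takes an LDIF export of user entries (a constructed sample here, standing in for the output of `ldapsearch -LLL -b <base>` against the real server) and checks each entry against what two consumers, a PAM/NSS ldap-auth client and a Samba domain, need from it. The required objectClasses and attributes are my assumptions, drawn from the standard nis.schema and samba.schema; adjust them to whatever your own applications actually look up.

```python
"""Pre-migration check: can every application find what it needs in the directory?

Added example, not from the original thread. The objectClass/attribute
requirements are illustrative assumptions (nis.schema and samba.schema);
the LDIF is constructed sample data, not a real export.
"""

from dataclasses import dataclass

# Constructed LDIF export (not real data): two posixAccount users, one of
# which lacks the Samba attributes a Samba domain member would need.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
cn: Alice Example
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/alice
loginShell: /bin/bash
sambaSID: S-1-5-21-1-2-3-3002
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=people,dc=example,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
cn: Bob Example
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
loginShell: /bin/bash
"""


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line folding) into a list of
    entries; each entry maps a lowercased attribute name to its list of values."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


@dataclass(frozen=True)
class AppRequirement:
    """What one consumer of the directory needs from a user entry."""
    name: str
    object_classes: frozenset
    attributes: frozenset


# Assumed requirements (nis.schema MUST attributes; samba.schema essentials).
REQUIREMENTS = [
    AppRequirement("ldap-auth (PAM/NSS)",
                   frozenset({"posixaccount"}),
                   frozenset({"uid", "uidnumber", "gidnumber", "homedirectory"})),
    AppRequirement("Samba domain",
                   frozenset({"sambasamaccount", "posixaccount"}),
                   frozenset({"uid", "sambasid", "sambantpassword"})),
]


def check_entry(entry, req):
    """Return the problems this app would hit on this entry (empty list if OK)."""
    problems = []
    have_oc = {v.lower() for v in entry.get("objectclass", [])}
    for oc in sorted(req.object_classes - have_oc):
        problems.append(f"missing objectClass {oc}")
    for attr in sorted(req.attributes):
        if not entry.get(attr):
            problems.append(f"missing attribute {attr}")
    return problems


def check_directory(ldif_text, requirements=REQUIREMENTS):
    """Map app name -> {dn: [problems]} for every entry that app cannot use."""
    entries = parse_ldif(ldif_text)
    report = {}
    for req in requirements:
        failures = {}
        for entry in entries:
            dn = entry.get("dn", ["?"])[0]
            problems = check_entry(entry, req)
            if problems:
                failures[dn] = problems
        report[req.name] = failures
    return report


if __name__ == "__main__":
    for app, failures in check_directory(SAMPLE_LDIF).items():
        print(f"{app}: {'OK' if not failures else str(len(failures)) + ' entries fail'}")
        for dn, problems in failures.items():
            print(f"  {dn}: {'; '.join(problems)}")
```

Run it against a real export by replacing SAMPLE_LDIF with the file `ldapsearch` wrote; the parser deliberately stays simple, so use `-LLL` and expect it to choke on base64-encoded (`::`) or folded values, which a real export of binary attributes will contain. The useful output is the per-application failure list: an empty list for every application is the "compelling reason" the migration question asks for, and a non-empty one names the exact entries and attributes to fix before anyone switches directories.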
