Alternatives to Open Directory and Active Directory

gskibum
Contributor III

I have always used Open Directory when Active Directory isn't available.

However, for the first time I had an Open Directory go bad as a result of a major OS upgrade. I was going from Yosemite to El Capitan. A little command line work successfully restored the OD from a Time Machine backup. For years I've heard of Open Directory being fragile, but honestly this is the first time I've been stung by a broken OD. Things that easily break are things I want to avoid.

I generally have sites dominated by Mac OS clients, with a few Windows clients here and there. Also Mac servers, and services & devices that support LDAP. The JSS for one. Some things will bind to Open Directory LDAP, some don't. Authenticating network printers would be nice.

I've been quite successful with pGina for authenticating Windows systems, but it is a rather clunky solution and leaves out things like printers. A hosted directory service seems appealing, at least from what little I know about it. OneLogin seems rather expensive to me however. Virtual machines are on the table.

Anyway, I've heard mention of other directory services. OneLogin is one that stuck in my mind but at around $8.00 per month per user, that seems quite expensive. Are there others? What are your experiences with Open Directory and Active Directory alternatives?

2 ACCEPTED SOLUTIONS

jonnydford
Contributor II

We use Okta in addition to AD.

It depends entirely on what you want to do, and on what you're willing to have be different, as to what you can settle for.

Okta's directory (or really most IdP providers) is very good for what it is, but you can't bind your Macs to an IdP. In reality binding doesn't do anything other than a single username and password for people to remember, but if you can train your staff to have 1 computer password and 1 everything else password you could easily go this route.

Coming with 9.93 there will be SAML2 JSS authentication so Okta or the like will take care of that for you.

Most enterprise apps these days will offer an option for SAML2 or OAuth, and to be honest those that don't you should probably steer clear of if they haven't got any plans for it.

OD - yes, very fragile and pretty much steer clear of if possible.

What you might also take a look at is Office 365 and the many varieties of authentication available through it. Azure AD Domain Services + their IdP like Azure AD Access Panel.

Personally, if I could choose what we did at our company I would make all apps we use SAML2 and on Okta, and not bind any of our Macs to AD.

You could also consider using AD and KerbMinder or the like to manage user Kerberos SSO.


psliequ
Contributor III

Have a look at Jumpcloud. It's not exactly cheap but can provide everything you need without the need to set up any hardware infrastructure at all.


3 REPLIES

wangl2
Contributor

Hi Guys,
We have been running Windows infrastructure with iMacs bound to AD. I always wanted to provide the ability for a cached login when the DC is not available straight away, just to reduce the login time. However, I heard this can only be achieved by putting an Open Directory in. Also, I have a problem where users have to log in at the proxy prompts on first login before they can access the internet. It seems like the AD-bound iMacs are not able to pass the login credentials on to Safari. Can you guys recommend a solution to get around this problem?
Thanks!