New alternatives to the MS Active Directory directory service

According to Microsoft, after September 30 corporate customers from Russia will no longer be able to renew their licenses. As a result, many organizations are now faced with the task of replacing the ubiquitous MS Active Directory with a domestic product.

Of course, there are already Russian-made alternatives on the market, which the K2Tech team and I are actively rolling out for customers: ALD Pro and Alt Domain. Useful material about those two products is easy to find, so today I want to talk about two newer solutions on the market: RED ADM Industrial Edition and Atom.Domain.

Two camps

Microsoft Active Directory has long been the de facto standard for building corporate directory services. Nothing lasts forever, but for a long time Linux-based alternatives were not developed quickly enough to catch up with the leader. Today the situation has changed: demand for analogues has grown many times over, and we already see a number of maturing technologies on the market that can replace AD, if not today, then tomorrow.

Broadly, there are two camps of solutions on the market. The first uses Samba DC (in effect a reimplementation of an AD domain controller for Linux, produced by a community that reverse-engineered the AD protocols), and the second uses FreeIPA, which was created specifically for Linux environments. The advantage of Samba DC is compatibility with AD, although it is not complete. FreeIPA, for its part, is the more mature product, because its development was sponsored by Red Hat. We have been working with Samba DC and FreeIPA for a long time (since before the domestic solutions built on them appeared) and have accumulated solid implementation experience with both.

More recently, two directory services appeared in Russia: ALD Pro, created by the Astra Linux developers on top of FreeIPA, and Alt Domain, developed by Basalt (the developer of the Alt operating systems) on top of Samba DC. Both entered the market in 2022, so I would classify them as relatively young products. Nevertheless, in that time they have gained a strong foothold, acquired production deployments (partly thanks to us) and won a certain popularity among customers.

The "newcomers" to the market, RED ADM and Atom.Domain, are also built on different base technologies (Samba DC and FreeIPA, respectively), which makes the range of products on the market even more diverse.

RED ADM Industrial edition

Let's start with RED ADM. This is a directory service developed by RED SOFT, which also develops its own operating system, RED OS, and other products. Since RED OS is derived from CentOS, the transition to RED OS will be much smoother for those who have already used the corresponding Red Hat family distributions to one degree or another.

As for the RED ADM directory service, its Standard edition, with basic functionality, was released back in 2022, and the more capable Industrial edition was announced in March 2023. But a directory service is not a simple thing, and its development took time, so the market waited quite a while for the finished release to appear. We ourselves started studying the beta version in July of this year.

An undoubted advantage of RED SOFT is the amount of information about its solutions available on the official website, for example about the differences between the Standard and Industrial editions of RED ADM.

Comparison of Standard and Industrial editions of RED ADM

The RED ADM Standard edition is supplied with the OS; the Industrial edition is purchased separately. The system runs on Samba DC, and group policies are implemented with Ansible. It is worth noting that RED ADM is, in fact, a management layer over a directory, specifically over Samba DC, which the RED SOFT developers have substantially improved. For example, they made it compatible with the AD 2012R2 forest functional level, while vanilla Samba DC supported only the 2008R2 level (note: Samba 4.19.0, released on September 4, 2023, added support for the 2016 forest level). There were even rumors that RED SOFT planned to add FreeIPA support to RED ADM as a second managed directory, but we found no confirmation of this in official sources. Samba DC domain controllers managed by RED ADM can be joined to an existing AD domain, which in some cases can significantly simplify migration.

Organizational units

Creating a user

I note that the RED ADM management console is a pleasant, bright web interface. It will especially please those who complained about the dark blue UI of ALD Pro.

Of course, RED ADM has its own nuances. The group policy application scheme needs improvement: at present, policies are applied only when the user logs in, or manually by running the `gpupdate` utility. Functions such as delegating rights over organizational units or adding a new site are not implemented in the RED ADM web interface; to perform these operations you must use the Microsoft consoles (RSAT) from a Windows computer. This makes it harder to abandon Windows completely.

So far, RED ADM has very few subsystems. Ambitious development plans are laid out in the roadmap (a presentation on the "Documentation" page), and I would very much like to see them implemented, but many of the functions administrators need are not there yet. There is a role model, but it applies only to the RED ADM management console itself. And, as mentioned above, delegation of rights at the organizational unit level and site configuration cannot be done without the Windows snap-ins. RED SOFT is currently developing management consoles for these functions.

RED ADM development roadmap

The RED ADM developers also have tools for managing DNS, NTP and file shares, but for now these services must be configured with standard operating system tools, which mostly requires experienced Linux administrators. RED ADM ships with about 100 pre-configured group policy templates, and you can add your own scripts in Ansible and bash. I note that Ansible is certainly much more popular than SaltStack, which is used, for example, in ALD Pro. RED ADM group policies configure RED OS; for other operating systems, group policies can be developed in-house or with the help of an integrator (we have such experience).

It is worth noting that Samba DC, and therefore RED ADM, does not support the AD schema extensions made, for example, by Exchange, Skype for Business and SCCM. To keep those systems running you will need at least one Windows domain controller until you finally retire these Microsoft products. Multi-domain forests are also not supported: for now you will have to be content with a forest consisting of a single domain.
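Before committing to either route, it is worth auditing the existing forest for exactly the blockers described above: forest functional level, number of domains, and schema extensions from Exchange, Skype for Business (Lync) and SCCM. The following PowerShell script is an added example written for this article, not a tool from RED SOFT or any other vendor mentioned here. It uses the ActiveDirectory RSAT module and looks for the well-known schema objects those products create (the `rangeUpper` attribute on `ms-Exch-Schema-Version-Pt` and `ms-RTC-SIP-SchemaVersion`, and the `MS-SMS-Site` class for SCCM); the 2012R2 threshold is taken from the RED ADM compatibility statement above and is an assumption for any other Samba-based product.

```powershell
# Added example (not vendor code): pre-migration audit of an AD forest for the
# limitations discussed above: functional level, multi-domain forest, and
# Exchange / Skype for Business / SCCM schema extensions that Samba DC cannot carry.
Import-Module ActiveDirectory

function Get-AdMigrationBlockers {
    [CmdletBinding()]
    param()

    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $findings = [System.Collections.Generic.List[string]]::new()

    $report = [ordered]@{
        ForestMode  = $forest.ForestMode.ToString()
        DomainMode  = $domain.DomainMode.ToString()
        DomainCount = $forest.Domains.Count
    }

    # 1. Functional level. A Samba DC that tops out at 2012R2 (assumed threshold,
    #    per the RED ADM statement above) cannot be joined to a forest raised above it.
    $maxSupported = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2012R2Forest
    if ($forest.ForestMode -gt $maxSupported) {
        $findings.Add("Forest functional level $($forest.ForestMode) is above 2012R2")
    }

    # 2. Multi-domain forests are not supported by the solutions discussed.
    if ($forest.Domains.Count -gt 1) {
        $findings.Add("Forest contains $($forest.Domains.Count) domains: $($forest.Domains -join ', ')")
    }

    # 3. Schema extensions. Each product creates a well-known schema object; if the
    #    object is absent, the extension was never applied. An LDAP filter search is
    #    used instead of -Identity so a missing object yields $null, not an exception.
    $schemaChecks = @(
        @{ Product = 'Exchange';           Cn = 'ms-Exch-Schema-Version-Pt'; Versioned = $true  }
        @{ Product = 'Skype for Business'; Cn = 'ms-RTC-SIP-SchemaVersion';  Versioned = $true  }
        @{ Product = 'SCCM';               Cn = 'MS-SMS-Site';               Versioned = $false }
    )
    foreach ($check in $schemaChecks) {
        $obj = Get-ADObject -SearchBase $schemaNc -SearchScope OneLevel `
                            -LDAPFilter "(cn=$($check.Cn))" -Properties rangeUpper
        if ($null -ne $obj) {
            $version = if ($check.Versioned) { " (schema version $($obj.rangeUpper))" } else { '' }
            $findings.Add("$($check.Product) schema extension present$version")
            $report[$check.Product] = $true
        } else {
            $report[$check.Product] = $false
        }
    }

    $report['Blockers'] = $findings
    [pscustomobject]$report
}

$result = Get-AdMigrationBlockers
$result | Format-List
if ($result.Blockers.Count -eq 0) {
    Write-Host 'No blockers found: single-domain forest without the checked schema extensions.'
} else {
    Write-Host 'Keep at least one Windows DC until these are addressed:'
    $result.Blockers | ForEach-Object { Write-Host "  - $_" }
}
```

Run it as any domain user from a machine with RSAT installed; the schema partition is readable by authenticated users by default. On the Samba side, `samba-tool domain level show` reports the functional level a Samba DC is actually running at, so the two outputs can be compared directly before a join is attempted.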

It is encouraging that the vendor is actively adding modules that implement functionality users need but that is missing from the open source base. We at K2Tech already have experience piloting RED ADM Industrial edition with customers, and during one of these pilots we identified several defects in the software, which RED SOFT fixed very quickly. So it seems that major RED ADM implementations are not far off.

Atom.Domain

The second "newcomer" on the market is Atom.Domain, a product of Greenatom Simple Solutions. In essence, the solution is a set of software, both proprietary and open source, combined into a single infrastructure product. Greenatom Simple Solutions' own development is the graphical directory management interface, called Dynamic Directory. The open source components are FreeIPA (the directory itself), Puppet (the group policy engine), Foreman (centralized management; there are plans to replace it with the vendor's own tool), Nextcloud (file hosting with a web interface), and the operating system's infrastructure services (DNS, DHCP).

Creating a new user

The main advantage of Atom.Domain is heterogeneity. The directory service supports various operating systems, including open source ones; group policy support has been officially announced for the Russian Astra Linux, RED OS, Alt Linux and ROSA Linux. Other solutions on the market implement group policies only for their own operating system. In practice, however, one organization often runs several different operating systems (on servers this is almost always the case): we have seen distributions based on Red Hat, SUSE, CentOS, Debian and even Mint within a single customer's infrastructure. So Atom.Domain contains group policies for several domestic OSes out of the box, whereas the other Russian directory services support domain authentication for "foreign" OSes but not group policies.

Atom.Domain offers a convenient desktop management interface similar to the Microsoft snap-ins. I will also note that, like Alt Domain, Atom's management interface (Dynamic Directory) includes search, group policy settings and even system organizational units, which closely resemble the system containers in AD. This is undoubtedly convenient and makes it easier for administrators to adapt to the new directory service.

Object management

Group Policy Management

Since Atom.Domain is built on FreeIPA, migration from Active Directory is performed by creating a new domain and transferring objects into it from the AD directory. To migrate workstations from Windows to domestic operating systems, Greenatom Simple Solutions has developed a separate product, Atom.PORT. Be aware, however, that two-way trusts in this directory service come with limitations: FreeIPA has no Global Catalog, so AD users can reach resources in the Atom.Domain realm through the trust, but full consumption of Atom.Domain identities from the MS AD side is not possible.

The system has already been proven in real deployments and has passed the scrutiny of genuinely demanding security and IT specialists in organizations as large as Rosatom, Russian Railways and NRNU MEPhI. Atom.Domain already has a large number of group policies covering many administrative tasks; the vendor states that about 1,500 policy parameters are already implemented.

But remember that Atom.Domain was developed by an integrator. It is assembled from many components, and the Atom.Domain documentation describes how to integrate them.

By comparison, ALD Pro, which also runs on FreeIPA, offers much more in the way of automation. Astra develops functionality independently and patches FreeIPA itself, whereas Greenatom Simple Solutions officially states that it will wait for the next upstream FreeIPA releases and only then bring new features into its product. This approach has its advantages, but also a drawback: it is no secret that open source software has gaps that remain unfixed for years.

Conclusion

To summarize, for each situation we can recommend a different alternative to Microsoft Active Directory. The choice depends on the operating systems in use, security requirements, the migration timeline, and whether Microsoft products can be run in parallel for some time.

In any case, the arrival of Atom.Domain and RED ADM has substantially widened the range of solutions available for building directory services. Today, piloting and implementation projects are under way for all of these solutions, and we are actively working with vendors and customers to make domestic directory services more capable.

All of the vendors mentioned in this article continue to develop their directory services, including building features that simply did not exist in open source before. This makes replacing MS AD with domestic analogues increasingly feasible. If there is interest, I will cover the latest updates and a comparison of all four directory services in the next article.

And if you are interested in receiving more detailed information about directory services, you can send a request to me at DMurunov@k2.tech.
