02.01
I’m not a fan of Active Directory for small businesses. Its feature set is overkill for most companies, it requires a Windows server in each office (technically you can use a VPN to get around that, but VPNs have their own set of problems), and it can quickly get expensive to maintain.
Also, as someone who firmly believes in SaaS and cloud computing, it makes sense to me to push authentication to the cloud as well.
99% of my clients just need a central point of Windows logon authentication for their company that isn’t location dependent.
So, I started my quest for such a solution.
Surprisingly, there isn’t much information out there about this topic, especially for the client side. The server side was fairly obvious – it was going to have to be some flavor of LDAP. However, the software to handle the Windows logon authentication was severely lacking. I kept finding references to a now-defunct “pGINA”, which replaces the standard Windows GINA (Graphical Identification and Authentication), but I wasn’t about to go with a solution that was no longer supported.
Finally I found a company called Comtarsia that specializes in just this sort of thing. They provide a full configurable logon function for Windows (XP through 7) that authenticates against pretty much any LDAP server you can think of. It also allows you to fall back to the local Windows logon and can use cached credentials if you can’t reach the server, so you’ll never get stuck in a situation where you can’t login.
Armed with Comtarsia, now I just needed a quick, easy, and inexpensive way to get my LDAP server up. I found a company called eApps that does Linux VPS hosting for $11/month, and that included one-click installs of OpenLDAP server and phpLDAPAdmin (to edit the directory). I signed up and went to work.
Things were definitely quirky at first. phpLDAPAdmin wasn’t behaving; I even had to edit some code to be able to add users properly (in retrospect it would have been easier to use a Windows LDAP tool, as you will see below). Even finding and setting the admin userid/password wasn’t trivial. In any case, it was a bumpy road, but after a couple of hours I had OpenLDAP running and one test user in the directory.
I installed Comtarsia Logon Client 2006 (the version for XP), and its setup was much simpler. The exercise of dealing with the OpenLDAP server reduced the learning curve for Comtarsia, because I already knew the LDAP naming conventions. One really nice thing about Comtarsia – it has an advanced mode where you can actually tweak the client’s settings from the Windows login prompt (port number, prefixes and postfixes for the directory names, etc.), which is great when you are getting your feet wet with LDAP.
However, I had a problem – it was only letting me authenticate with the user’s CN (common name, which is basically the user’s full name), not the userid. Thus, I was having to enter “Ben Buie” as the userid instead of bcbuie. I was stuck on this issue for hours and almost gave in; after all, it wasn’t a deal-breaker, just cumbersome and annoying.
Finally I downloaded a small LDAP browser/editor called JXplorer – this was something I wish I had earlier in the process. Dealing with this tool was much easier than dealing with phpLDAPAdmin. While playing with this program I noticed it had the ability to change the “naming value” of the LDAP record (the attribute that forms the entry’s RDN, and therefore the first component of its DN). I set the uid field as the naming value, and voilà, I could now log in with the userid instead of the full name.
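Why the logon only worked with the full name, and what the naming-value change does, is easier to see in code. The following is an added example written for this page; it is not code from the original post, from Comtarsia or from OpenLDAP. It models a logon client that sends no search and simply builds the bind DN as “naming attribute = typed name, base DN” (the knobs the post calls the naming value and the DN prefix/postfix; the real Comtarsia option names are not reproduced). It then goes a step beyond the post: it shows the search-then-bind alternative that would have worked without touching the RDN, and the RFC 4514/4515 escaping both approaches need so that a typed name cannot inject extra RDN components or filter wildcards. The directory, the names and the password are constructed. Transport is deliberately out of scope; against a server reachable from the Internet the bind has to go over LDAPS or StartTLS, otherwise the user’s Windows password crosses the wire in the clear.

```python
import hmac
import re

# Constructed sample directory (hypothetical names). DIR_BEFORE is the entry as
# the post first had it, with the cn (full name) as the RDN. DIR_AFTER is the
# same entry after the naming value was switched to uid in JXplorer. The
# password is stored in the clear only to keep the example self-contained;
# OpenLDAP would store a hash.
BASE_DN = "ou=People,dc=example,dc=com"
ENTRY = {"cn": "Ben Buie", "uid": "bcbuie", "userPassword": "correct horse"}
DIR_BEFORE = {"cn=Ben Buie," + BASE_DN: ENTRY}
DIR_AFTER = {"uid=bcbuie," + BASE_DN: ENTRY}


def escape_dn_value(value):
    """Escape one attribute value for use in a DN (RFC 4514, section 2.4).
    Without this a typed name like 'Buie, Ben' splits into two RDNs and the
    client binds as a DN the user never intended."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value):
    """Escape one assertion value for a search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def normalize_dn(dn):
    """Compare DNs the way cn/uid values are matched: case-insensitively and
    ignoring whitespace around unescaped commas."""
    return ",".join(rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn))


def simple_bind(directory, dn, password):
    """Model an LDAP simple bind: find the exact DN, then check the password.
    A real server answers invalidCredentials (49) for an unknown DN and for a
    wrong password alike, so the client cannot tell the two apart."""
    if not password:
        # RFC 4513, 5.1.2: a DN with an empty password is an *unauthenticated*
        # bind, which many servers accept. A logon client that forwarded an
        # empty password would mistake that "success" for a valid login.
        return False
    wanted = normalize_dn(dn)
    for entry_dn, entry in directory.items():
        if normalize_dn(entry_dn) == wanted:
            return hmac.compare_digest(entry["userPassword"].encode(), password.encode())
    return False


def build_bind_dn(login, naming_attr, base_dn=BASE_DN):
    """Client-side DN construction with no search: '<attr>=<login>,<base>'.
    naming_attr and base_dn stand in for the naming value and DN prefix/postfix
    settings the post mentions; they are an assumption about that client."""
    return f"{naming_attr}={escape_dn_value(login)},{base_dn}"


def direct_login(directory, login, password, naming_attr):
    """The post's first setup: the typed name must equal the RDN value."""
    return simple_bind(directory, build_bind_dn(login, naming_attr), password)


def evaluate_filter(entry, flt):
    """Toy server-side evaluation of one '(attr=value)' filter: '\\XX' escapes
    are literal characters, an unescaped '*' is a wildcard."""
    attr, raw = re.fullmatch(r"\((\w+)=(.*)\)", flt).groups()
    literal = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
               for p in raw.split("*")]
    pattern = ".*".join(re.escape(p) for p in literal)
    return re.fullmatch(pattern, entry.get(attr, ""), re.IGNORECASE) is not None


def search_then_bind(directory, login, password, login_attr="uid"):
    """Alternative that leaves the RDN alone: search for the one entry whose
    login_attr equals the typed name, then bind with the DN found. Returns the
    bound DN, or None. More or fewer than one match is refused, not guessed."""
    flt = f"({login_attr}={escape_filter_value(login)})"
    found = [dn for dn, entry in directory.items() if evaluate_filter(entry, flt)]
    if len(found) != 1:
        return None
    return found[0] if simple_bind(directory, found[0], password) else None


if __name__ == "__main__":
    print(direct_login(DIR_BEFORE, "bcbuie", "correct horse", "cn"))    # False
    print(direct_login(DIR_BEFORE, "Ben Buie", "correct horse", "cn"))  # True
    print(direct_login(DIR_AFTER, "bcbuie", "correct horse", "uid"))    # True
    print(search_then_bind(DIR_BEFORE, "bcbuie", "correct horse"))      # cn=Ben Buie,...
```

With the cn as RDN, `direct_login` can only succeed when the user types the full name, which is exactly the behaviour described above; switching the RDN to uid (DIR_AFTER) or switching the client to search-then-bind both fix it. The two escaping helpers matter in either mode: an unescaped `*` in the filter matches every entry, and an unescaped comma in the DN changes which entry the bind targets.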
At the end of the day I had a Windows machine logging on with authentication against an OpenLDAP server hosted on the Internet. Authentication was lightning fast (of course I had one record in the directory) and the experience was unobtrusive to the end user. I was a happy camper.
What’s next?
- I need to set this up in a test environment with several PCs and see if it allows for “domain-like” capabilities (such as domain admin login to any computer).
- I didn’t get pricing on Comtarsia Logon Client yet (I was using the free trial, and no pricing is available on the website that I could see). Pricing has to be fairly inexpensive or it is a deal-breaker.
- I need to test on more platforms as well as do some stability and reliability testing.
In any case, it is a little early to claim this as the perfect alternative to AD, but if nothing else it is a good start.
I’m very interested to read your post. I’ve been trying to find a similar solution but my environment requires authentication against Google Apps (premium) rather than a generic LDAP. I’m going to look into Comtarsia but I’d be very interested if you have thoughts on my issue. Cheers
I believe Google Apps Premium can authenticate against LDAP as well (or sync with LDAP), although I haven’t had a chance to investigate this in detail yet.
Did you ever get a quote for license?
No, I did not. I had to put this experiment on hold for now.