[Linux Software] Licensing issue for AD Authentication

[bensewell]

Hi,

Running Alfresco with AD authentication. Our machines have device CALS as we have more users than machines. Whenever a user logs into the system from outside as they are logging on using a device that is not covered by our CALS then i've been inofmred by our licensing people the they will need a device CAL. We can't really justifiy converting our licenses into user CALS. Just thought i'd put the question out there for opinions.

Simply puy users login to a website (Alfresco) and login which is authenticated against AD and from there on all there deadlings are with Alfresco and its own internal MySQL database. For this each user who accesses this not using out equipment it needs a license.

Now my other option would be to put something like Open LDAP infront of AD as a kind of chaining mechanism so when a user logs in the request goes to Open LDAP to cache the request and the response so after the first login the users will use the Open LDAP data rather than AD data and the licensing issue would be between our Centos Linux server and AD talking to each other meaning one license required? Got a really good project but the cost of licensing could put the dampeners on things.

[powdarrmonkey]

You either need appropriate CALs or a Windows Server External Connector license. Putting an extra LDAP server in between the two systems gives you the same problems.

[CyberNerd]

The external connector license is the easiest way - but I disagree that syncronising an LDAP server would need CALS. it would be like MS requiring cals for a samba share that is syncronised off a windows share - in both cases it shouldn't need extra CALS.

[dhicks]

Now my other option would be to put something like Open LDAP infront of AD as a kind of chaining mechanism so when a user logs in the request goes to Open LDAP to cache the request and the response so after the first login the users will use the Open LDAP data rather than AD data and the licensing issue would be between our Centos Linux server and AD talking to each other meaning one license required?

I'm with powdarrmonkey on this one - I'd understood that in this kind of scenario you'd need an external connector license. I think that was somewhere under £3,000 as was pretty much a one-off charge that covered the whole school, so probably not too bad really. For the method you describe above, what happens if the user changes their password via AD - shurely the "cached" password kept by OpenLDAP needs to be kept up-to-date?

[bensewell]

I had the official reply from MS about this so thought i'd share with you.

If a linux server talks to AD for authentication then it requires a device cal.

For users who are covered by a device cal in the organisation but access the webserver from a non-organisation device they need a Remote Desktop Services license.

Users who access the system internally are covered by their device licenses.

So a bit clearer but licensing still a bit of a bombsite and looking expenive unless i can get group caching for the Alfresco users.

[KK20]

Incidentally, could you somehow get ISA to perform the authentication/export/lookup? ISA (and and option for SQL) has per processor model therefore would negate the need for CAL monitoring.

Most schools qualify and get the "free grant" in that respect anyway (http://www.microsoft.com/uk/educatio...r-schools.aspx)