Slashdot Mirror


How Linux Beats Windows in ID Management Ease

Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."

286 comments

  1. First LDIF! by Anonymous Coward · · Score: 5, Funny

    dn: uid=anonymous, ou=linux, o=slashdot.org
    changetype: add
    slashComment: First Post!
    slashModLevel: +5 Funny

    1. Re:First LDIF! by michael+path · · Score: 5, Funny

      dn: uid=anonymous, ou=linux, o=slashdot.org
      changetype: modify
      add: objectclass
      objectclass: troll

      take that!

    2. Re:First LDIF! by Anonymous Coward · · Score: 0, Troll

      LDAP ERROR 65: Object Class Violation

      you meant

      changetype: modify
      replace: slashModLevel
      slashModLevel: -1 Troll

      My LDAP-Fu is stronger than yours!

      Hey, maybe this is how SlashMemes get started. Maybe there needs to be an LDIF-formatted post in every thread now.

      Except in Soviet Russia, of course, where posts LDIF-format you!

    3. Re:First LDIF! by MyLongNickName · · Score: 1

      Hey, maybe this is how SlashMemes get started. Maybe there needs to be an LDIF-formatted post in every thread now.

      You fail it.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    4. Re:First LDIF! by wowbagger · · Score: 1

      And what is the OID for object class troll?

      In what schema is it defined?

    5. Re:First LDIF! by Anonymous Coward · · Score: 0

      dude, it worked!

    6. Re:First LDIF! by DG · · Score: 0, Redundant

      Heh, I know. Isn't that awesome?

      I'm glad some LDAP-savvy mods had points to play with. It's the +5 funny being modded +5 funny that makes the whole joke work. Props to those that got it! :)

      DG

      --
      Want to learn about race cars? Read my Book
    7. Re:First LDIF! by Master+of+Transhuman · · Score: 1

      1) dn: uid=anonymous, ou=linux, o=slashdot.org
      2) changetype: add
      3) slashComment: First Post!
      4) slashModLevel: +5 Funny
      5) ???
      6) Profit!!!

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  2. choir by mfloy · · Score: 1

    I think this article is really preaching to the choir. I bet 75% of slashdot users already thought so before reading the article.

    1. Re:choir by op12 · · Score: 2, Funny

      Welcome to Slashdot, you must be new here.

    2. Re:choir by mendaliv · · Score: 1

      Though we'll probably get the effect that 95% of them claim so...

      Where do your true loyalties lie?

    3. Re:choir by Anonymous Coward · · Score: 0

      but that's the whole point of slashdot - make everyone using Linux and open source feel good about their decisions. 'drink the punch, drink the punch'

    4. Re:choir by Martin+Blank · · Score: 3, Insightful

      Exactly. I was expecting to see something like, "In a test implementation using ThisDistro, a complete multi-server LDAP solution using ThatLDAP covered 90% of the functionality of Windows user management, but at a fraction of the cost. You can use ThoseLDAPTools 2.2.8 to administer from Windows or Linux, or if you're willing to allow for a slower client, OtherLDAPUtils 1.0.4 runs in any Sun JVM."

      This is an elegant version of "If you don't like Windows, try LDAP on Linux!" It may well trigger something useful here, though. One can hope.

      --
      You can never go home again... but I guess you can shop there.
    5. Re:choir by bedroll · · Score: 1

      What choir? The choir that knows the history of LDAP? This article is just a brief intro to LDAP in *nix with nothing to back up what the title states.

    6. Re:choir by Anonymous Coward · · Score: 0

      I think this article is really preaching to the choir. I bet 75% of slashdot users already thought so before reading the article.

      Yeah...but...M$ 1z ht3 5Ux0rz

  3. Gimme a brake -- you're just figuring this out now by drizst+'n+drat · · Score: 0, Troll

    duh ...

  4. Re:*Fans cheer* by justforaday · · Score: 1

    Gooo Linux!

    Is that the pr0n-viewing Knoppix-based distribution?

    --
    I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
  5. Re:First POst by Anonymous Coward · · Score: 0, Funny

    not sure if you're loose, but you definitely lost.

  6. Re:Gimme a brake -- you're just figuring this out by gstoddart · · Score: 3, Funny
    Gimme a brake

    duh ...

    That would be break

    Duh. =)
    --
    Lost at C:>. Found at C.
  7. Re:Gimme a brake -- you're just figuring this out by Anonymous Coward · · Score: 0


    Gimme a brake..
    here you go

  8. Mac OS X And LDAP by Goo.cc · · Score: 2, Interesting

    I remember reading a long time ago (before Panther was released) that Apple was going to transition Mac OS X from NetInfo to LDAP for management purposes. Does anyone know what progress has been made in this transition, especially with the release of Tiger?

    1. Re:Mac OS X And LDAP by spiralscratch · · Score: 3, Informative

      I know for a fact that OS X 10.3 (Panther) Server included OpenLDAP, not sure if it was there earlier. The whole package, with OpenLDAP, Kerberos, the GUI admin and such, is called Open Directory.

      More info here.

      NetInfo is now pretty much relegated to storing info for the local machine only.

    2. Re:Mac OS X And LDAP by larkost · · Score: 2, Informative

      NetInfo is still used for the local accounts, and LDAP is one of the methods available for remote authentication (along with ActiveDirectory, Kerberos, etc...). This is all part of the OpenDirectory system, and there is no real sign that anything major is going to change.

      MacOS X Server uses LDAP as one method to store user information, and also NetInfo (as "local users" that can still be vended out).

      PS... this works very well, and is easy to admin. I don't see any reason to change things.

      PPS... the documentation on how to create NetInfo directory master/client trees has disappeared, and I don't know if this is still possible.

    3. Re:Mac OS X And LDAP by Anonymous Coward · · Score: 0

      Oh, they did... but it uses some fucked up apple-specific netinfo-in-ldap schema instead of using the RFC account details, unless you take special measures (yes, it's "only" a click or two in the GUI to take those special measures). Now do it for 150 powerbook laptops (MacOSX is immensely popular with physicists because it combines the idiot-proofing of, uh, macos with the power they are used to from unix and thus means they never get stuck with a windows box again).

  9. How's this different? by Anonymous Coward · · Score: 5, Interesting

    So how's user management via LDAP on Linux different from using Windows' Active Directory?

    There's nothing concrete in the article.

    1. Re:How's this different? by Anonymous Coward · · Score: 0
      There's nothing concrete in the article.

      You mean the "tip"? It's not even a full-fledged article...

    2. Re:How's this different? by rylin · · Score: 5, Funny

      One is Free, the other is easy to use.

    3. Re:How's this different? by dsginter · · Score: 5, Insightful

      One is Free, the other is easy to use.

      Funny?

      This is the truth.

      --
      More
    4. Re:How's this different? by rylin · · Score: 2, Funny

      When you're on crack, everything's funny!

      Or so I've heard.

    5. Re:How's this different? by jacksonj04 · · Score: 4, Informative

      One is free, but needs a lot of implementation to get it to work.

      One costs, but it's damn easy to use.

      Personally, for mucking around improving skills I'd use the Linux/LDAP but as soon as you hit a corporate environment, Group Policy wins hands down for speed, integration and ease of use.

      --
      How many people can read hex if only you and dead people can read hex?
    6. Re:How's this different? by Anonymous Coward · · Score: 0

      Funny, I had a hell of a time setting up Subversion and Bugzilla to authenticate against active directory. Finally I convinced my people to let me try running the two on Linux and the authentication just worked.

      I know you were making a different point, but I'm a very bitter man.

    7. Re:How's this different? by Anonymous Coward · · Score: 0

      > So how's user management via LDAP on Linux
      > different from using Windows' Active Directory?

      With LDAP on Linux, you can manage via LDIF, like I do, or create some tools. With Windows Active Directory, the tools are provided and quite easy to use.

    8. Re:How's this different? by ocelotbob · · Score: 2, Interesting

      Okay, you're talking about OpenLDAP, which is a pain, but what about the recently open sourced Fedora Directory, based on Netscape's very nice directory service code?

      --
      Marxism is the opiate of dumbasses

    9. Re:How's this different? by Anonymous Coward · · Score: 1, Informative

      Correction, one is free and not so difficult to set up (openldap), but when that hurdle is behind, man!, you can use it for *anything* and there are enough tools out there to make the task of using it a breeze.

      You need to know very little to use phpldapadmin or jxplorer. It just *works*. I just trained my windows colleague to use jxplorer at work for user management, no sweat. He knows nothing of the theory of how directories work, he just uses it. The same login for windows users, email (postfix), .htaccess directories in the intranet server (management, sysadmins), centralized address book, ..., for over 15 different offices. So we can work on the important stuff :-) (no, reading slashdot happens at home).

    10. Re:How's this different? by Antique+Geekmeister · · Score: 1

      Active Directory is damned easy to use, until you try to actually secure it or put any load on it or interoperate properly with any other services. Then it breaks, badly, and in undocumented ways. The DNS implementation alone in a 1000-machine environment will take a full-time staff person to manage and secure.

      But those costs have to be presented to the management, who are being shown lots of charts and demoware that frankly lie about AD.

    11. Re:How's this different? by Bert64 · · Score: 1

      Active directory requires a lot of other services than just LDAP to run, thus increasing your footprint for potential security holes. Plus an LDAP server on a unix machine can run as an unprivileged user, unlike the ldap implementation of active directory.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re:How's this different? by jacksonj04 · · Score: 1

      As opposed to the Linux LDAP implementation, which magically absorbs the hierarchy structure and names through the ether then configures all the clients to work in sweet harmony whilst replacing the systems admin with a chauffeur called Les?

      AD isn't perfect, I never said it was. But it's a damn sight easier to use and far more integrated than LDAP.

      Use LDAP where appropriate, use AD where appropriate. AD is best suited to corporate situations, and unless the Linux community can come up with some decent standards (Yes! Standards!) for things such as network administration then it's not going to break into big corporate environments.

      --
      How many people can read hex if only you and dead people can read hex?
    13. Re:How's this different? by Kirth · · Score: 1

      We'd go for "easy to use", but we do consider windows-servers as "hard to use", so unless this Active Directory can run on linux and manage unix- and windows-accounts, it has to be considered "not up to the job" or "fringe-solution".

      --
      "The more prohibitions there are, The poorer the people will be" -- Lao Tse
    14. Re:How's this different? by Anonymous Coward · · Score: 0

      As opposed to AD requiring dynamic DNS and doing its DNS incredibly insecurely, so many of your core hostname based access controls are easily hijacked by anyone?

      Oh, yes, that's real appropriate in a high security corporate environment.

  10. Where's the article by kiltedtaco · · Score: 5, Interesting

    I read the link. It sounded like a good introduction to an interesting article. Then it abruptly stopped. Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?

    Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP. As it stands, the article is exceedingly pointless.

    1. Re:Where's the article by Anonymous Coward · · Score: 0

      Are You Too Stupid To Use GOOGLE!!

    2. Re:Where's the article by Anonymous Coward · · Score: 0

      Edit: Are Your To Stupid Too Use GOOGLES!!

    3. Re:Where's the article by Karma_fucker_sucker · · Score: 2, Interesting
      Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP.

      Thank you for saying that - it needed to be said.
      My answer is usually "I don't have time to google for the information and pick through the thousands of advertisements posing as real information."

      Why is it that people have to cover up their own ineptitude by calling someone "stupid"?

      --
      Evil people don't think they're evil. - George Lucas, Making of Ep III
    4. Re:Where's the article by HrothgarReborn · · Score: 4, Insightful

      I have to agree with you. I have implemented LDAP systems and it's no piece of cake. How do you get Windows and Linux using the same system? How do you deal with groups (there are many different ways, each with different applications supporting them)? What about tying in web applications? Can you have a seamless sign-on or do users need to reenter their password? What about security on those web apps; are they going to use basic, digest, NTLM? Are we going to synchronize with Active Directory or maybe just expand the AD schema? What about user provisioning and protecting sensitive data in the tree? What about tree structure?

      Basically if all I needed was a place to look up email addresses I can just throw up OpenLDAP on a linux box and be done. If I want identity management I need some real planning and some serious engineering. Even the commercial solutions like Novell is offering using eDirectory on Linux are complicated and resource intensive implementations in anything but the simplest environments.

      The idea of "it's Linux" so there is no throw away work is foolish.

    5. Re:Where's the article by NatasRevol · · Score: 1

      Frankly, all of your questions can be answered very simply.

      Use Mac OS X Server. I know it can do all those things, via the GUI, because I get paid to do them. And they're pretty damn simple. And cheap to boot: $1000 for the server sw and an older G4 is about all you need.

      For an example, try this.

      --
      There are two types of people in the world: Those who crave closure
    6. Re:Where's the article by alx512 · · Score: 1

      I tend to agree with you. I read the article and thought it was going to tell me how LDAP eases user management. Instead, I got to the end and it tells me "None of this stuff is really easy once you get past single server systems" .... and in linux/unix "there are lots of choices" ...

      So, to me, lots of choices means, it's going to make things more complicated because now I have to go out and figure out what choice I want. The article is titled "how linux beats windows in ID management ease" but it never explains how it does that. Instead it says that in Linux, you have lots of choices. To me, that sounds harder.

    7. Re:Where's the article by Cylix · · Score: 2, Informative

      A couple different places....

      samba.org has had its guides updated for more modern deployment. There are several places, but one of the better guides is listed with the same people who make the samba-ldap tools.

      Active Directory is a nightmare because a lot of what happens is done for you in a windows environment. Which is funny... a great deal of what goes on with normal samba is automated and you get to feel a whole lot more of that when you go to ldap. I'm sure someone has made some progress.

      Anyhow, once it's done, you basically get a samba pdc + ldap auth source. It integrates nicely with linux, but be careful of setting up too many accounts on ldap (because it can of course go offline).

      I've been using openldap + samba pdc for several months. It wasn't that bad and there were a few too many oddities involved, but it works nicely now.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    8. Re:Where's the article by HrothgarReborn · · Score: 1

      Yes, leave it to a Mac zealot to answer rhetorical questions with "Use OS X!"

      There are many answers. I get paid to put them in place as well, although I have not tried OS X for this.

      My point was the brief article did not do a good job of even identifying the questions.

      And no single popped-out-of-the-box solution will answer all the questions either, not even Mac. Take groups for example. You can do groupofnames, uniquegroupofnames, posixgroup, or use some type of memberof attribute on the user object, just to name a few. Different web applications, operating systems, and other systems that all need to authenticate users have different interpretations of this that they understand. So in a truly complex environment it is very difficult to put all of HR in the HR group and expect them to be able to log into their machine and get to all the services HR needs to get to because many of these will use different types of groups.

      It's a confusing mess.

      PS I am also a Mac zealot.
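The group mess described in the post above (groupOfNames, groupOfUniqueNames, posixGroup, memberOf) is concrete enough to audit. Below is an added example, not code from the page or from any directory product: an in-memory stand-in for a small tree, constructed for this illustration, in which one logical "HR" group exists once per convention. Each convention is resolved the way a consumer of that convention would resolve it (DN-valued member/uniqueMember, bare login names in memberUid plus implicit primary-gid membership, and the users' own memberOf attribute), and the audit lists the users the representations disagree on. The entry DNs, uids and gidNumbers are all made up.

```python
# Constructed sample tree (not from the page): one logical "HR" group in three representations,
# plus a memberOf attribute maintained on the users themselves (AD style / memberof overlay).
SAMPLE_ENTRIES = {
    "uid=jdoe,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["jdoe"], "gidNumber": ["5000"],
        "memberOf": ["cn=hr,ou=groups,dc=example,dc=org"]},
    "uid=bsmith,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bsmith"], "gidNumber": ["5001"]},
    "uid=cthomas,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["cthomas"], "gidNumber": ["5000"]},
    "cn=hr,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=jdoe,ou=people,dc=example,dc=org", "UID=bsmith, OU=people, DC=example, DC=org"]},
    "cn=hr,ou=legacy,dc=example,dc=org": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=jdoe,ou=people,dc=example,dc=org"]},
    "cn=hr,ou=posix,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "gidNumber": ["5000"], "memberUid": ["jdoe", "bsmith"]},
}

def norm_dn(dn):
    """Case-fold and trim around commas so 'UID=x, OU=y' equals 'uid=x,ou=y' (no escape handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

class Directory:
    """In-memory stand-in for an LDAP tree; attribute names are matched case-insensitively."""
    def __init__(self, entries):
        self.entries = {norm_dn(dn): {k.lower(): list(v) for k, v in attrs.items()}
                        for dn, attrs in entries.items()}

    def uid_of(self, dn):
        vals = self.entries.get(norm_dn(dn), {}).get("uid")
        return vals[0] if vals else None

    def members(self, group_dn):
        """Resolve one group entry to a set of uids according to whichever objectClass it carries."""
        group = self.entries.get(norm_dn(group_dn), {})
        classes = {c.lower() for c in group.get("objectclass", [])}
        uids = set()
        if "groupofnames" in classes:                 # member: DN values
            uids |= {self.uid_of(dn) for dn in group.get("member", [])}
        if "groupofuniquenames" in classes:           # uniqueMember: DN, optionally '#' + bit string
            uids |= {self.uid_of(v.split("#", 1)[0]) for v in group.get("uniquemember", [])}
        if "posixgroup" in classes:                   # memberUid: bare login names, not DNs ...
            uids |= set(group.get("memberuid", []))
            gid = group.get("gidnumber", [None])[0]   # ... plus everyone whose primary gid is this group
            uids |= {e["uid"][0] for e in self.entries.values()
                     if e.get("uid") and e.get("gidnumber") == [gid]}
        uids.discard(None)                            # dangling DNs resolve to nobody
        return uids

    def member_of_view(self, group_dn):
        """The same question answered from the users' memberOf attribute."""
        target = norm_dn(group_dn)
        return {e["uid"][0] for e in self.entries.values()
                if e.get("uid") and any(norm_dn(g) == target for g in e.get("memberof", []))}

def audit(directory, views, memberof_dn):
    """Compare every representation of one logical group.

    Returns (members per view, {uid: views that list the uid} for users the views disagree on).
    """
    seen = {label: directory.members(dn) for label, dn in views.items()}
    seen["memberOf"] = directory.member_of_view(memberof_dn)
    everyone = set().union(*seen.values())
    disagreements = {uid: sorted(label for label, members in seen.items() if uid in members)
                     for uid in everyone if any(uid not in members for members in seen.values())}
    return seen, disagreements

HR_VIEWS = {
    "groupOfNames": "cn=hr,ou=groups,dc=example,dc=org",
    "groupOfUniqueNames": "cn=hr,ou=legacy,dc=example,dc=org",
    "posixGroup": "cn=hr,ou=posix,dc=example,dc=org",
}

def run_sample():
    return audit(Directory(SAMPLE_ENTRIES), HR_VIEWS, HR_VIEWS["groupOfNames"])

if __name__ == "__main__":
    seen, bad = run_sample()
    for label, members in seen.items():
        print(f"{label:<20} {sorted(members)}")
    for uid, where in sorted(bad.items()):
        print(f"{uid}: listed only by {where}")
```

On the sample, jdoe is consistent everywhere, bsmith is HR to the groupOfNames and posixGroup consumers but not to anything that trusts uniqueMember or memberOf, and cthomas is HR only because the primary gidNumber on his account matches the posixGroup, a membership that no group attribute records at all. That last case is the one worth watching in a real tree: file-server ACLs on POSIX hosts will honour it while every web application that reads member or memberOf will not, and an off-boarding script that only edits group entries will never remove it.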

    9. Re:Where's the article by sld126 · · Score: 1

      A Mac zealot, unabashedly. But only for those who ask.

      At work, I have different web apps (web mail, webDAV), different OSen (W2K, XP, OS 9, OSX), different databases (MySQL, SQLite, Filemaker), different mail apps (postfix, timsieve, mailman) all for different groups of users (HR, Financial, etc)

      OS X builds all of these, except timsieve, and allows those groups to properly access all the necessary functionality.

      Do I care what type of group they're in? No, because in the larger scheme, it doesn't matter. You may have different types of groups, but if you take the big picture and set everything up to work properly in that scenario, then life isn't too hard. Does one member of HR need to be in a groupofnames and another in a posixgroup? Only if you haven't defined your larger picture well.

      --
      You're just jealous because the voices only talk to me.
    10. Re:Where's the article by HrothgarReborn · · Score: 1

      The problem with this is you are assuming _you_ design everything. That simply does not happen in most larger shops. We _buy_ product A from IBM and product B from PeopleSoft and they both have the label "LDAP Compliant!" but have different ideas of what that means. Sure, if I can have total control over what is selected or write it all myself that's fine but in most businesses, especially when you are dealing with an acquisition, this just isn't the case.

  11. Feature Request by HMC+CS+Major · · Score: 4, Funny

    I wish that Windows NT included some easy interface to LDAP for large corporations to manage all of their workstations ... like a directory. It could be used for logins, privileges, login scripts, mapping drives, controlling group policy, and even integrate with the mail and calendaring system. It would be one big active directory. That would be nice.

    1. Re:Feature Request by Anonymous Coward · · Score: 4, Insightful

      Haha :) You know, 90% of the people reading your post will not understand that you're being sarcastic. And not only is AD already there, you can get your Linux boxes to authenticate to the same infrastructure as well since AD is a Kerberos based technology. Not to mention that Kerberos is a lot more secure than the typical LDAP based user authentication implementation.

      I prefer to use Kerberos for Authentication and LDAP for authorisation. It is very secure, easy to administer and universally supported by the commercial vendors. However for some reason, it does not get a lot of press.

    2. Re:Feature Request by jafac · · Score: 1

      And not only is AD already there, you can get your Linux boxes to authenticate to the same infrastructure as well since AD is a Kerberos based technology.

      How?

      (I know how to use google, so a few keywords will be sufficient, rather than a drawn-out explanation).

      --
      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    3. Re:Feature Request by alistair · · Score: 1

      I agree, but rather than add this to Windows NT, which they don't support any more, perhaps they could make it a new feature in, like, Windows 2000 and improve it for Win 2003. If they could add a secure Kerberos authentication service to it and even allow it to be used standalone for applications (giving it a nice nickname like erm, EVE) they might have a real world beater on their hands.

    4. Re:Feature Request by DrEldarion · · Score: 1

      Well, "NT" may just be a catchall term since 2000 and XP are NT-derived.

    5. Re:Feature Request by drsmithy · · Score: 2, Insightful
      How?

      If you just want simple authentication (ie: "is this username and password valid") then use winbind. Use this if you just have a samba server you want to auth back to your AD.

      For something more complex (like specifying unix UIDs, login shells, home directories, etc) you need to look at Microsoft Services for Unix (to extend the AD schema) and optionally pam_ldap/nss_ldap. I say "optionally" because SFU comes with a NIS server that can authenticate unix users - but you might not want to use NIS. Use this if you want your basic unix authentication to be centralised around AD.

      We are in the process of implementing the latter. Since our environment is somewhat more complex than average (multiple Domains) we're having some teething problems, but with just a single domain it's trivial.

    6. Re:Feature Request by Anonymous Coward · · Score: 0

      Kerberos - The Definitive Guide by Jason Garman. O'Reilly books might be a good start.

      Microsoft has several whitepapers describing how to implement this also.

      Not only can Linux/Unix systems use an AD server for authentication, you can also stand up a Kerberos server and allow cross-realm trusts between the Unix Kerberos server and AD. This is sometimes easier to accomplish since it doesnt require having the Unix people on the AD server or the Windows people on the Unix server. However your Unix kerb account will let you login to Windows boxes and your Windows account will let you log in to Unix boxes.

      There are many different ways to implement this, but it is done at many places.

      Also, Vintela makes a commercially supported product to do this also, which fully supports AD on Unix, even all the AD extensions. And it is supported by Microsoft.

    7. Re:Feature Request by mchawi · · Score: 1

      Depends on what you're using. On SuSE Enterprise Server you just go into YAST, click the kerberos module and put in your settings (and lots of directions are found using Google for this, although the only settings it requires are domain, realm and kdc server).

      I'm not as familiar with other distros though - so I'm not sure if it is as straightforward.

    8. Re:Feature Request by schon · · Score: 4, Informative

      For something more complex (like specifying unix UIDs, login shells, home directories, etc) you need to look at Microsoft Services for Unix (to extend the AD schema)

      Which (in my experience) just tanks your AD server.

      I've tried it twice, and both times turned my AD server into a doorstop - the AD service locks hard, and there's no way to bring it back.. which makes the entire machine useless (as you can't log in without AD running) - a reinstall was required to fix it.

      And apparently I'm not the only one this has happened to.

    9. Re:Feature Request by afidel · · Score: 1

      Is the SFU server really just NIS, or is it a NIS+ server? Because if it's simply NIS, that is BAD, craptacular security and no mutual authentication make this sysadmin a sad boy.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    10. Re:Feature Request by afidel · · Score: 2, Funny

      Yes, and as the Windows 2000 Server splashscreen keeps reminding me it's built on NT (new technology) technology!

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    11. Re:Feature Request by BlogPope · · Score: 1
      Because of EMC we're locked into RHEL 3.0. Bastards changed something in their Kerberos setup and the gist is it won't really work with RHEL 3.0.

      Supposedly it's fixed in v.4, but we can't move on it yet. We have downloaded a fix someone posted to the redhat bugzilla system, and it seemed to work, but there's also dire warnings of it breaking other things.

      --
      My other car is a Popemobile
    12. Re:Feature Request by Anonymous Coward · · Score: 0

      And if it's an NIS+ server, then it has great security! So great that NO ONE can log in, frequently as you discover problem after problem after problem with the unwieldy piece of shit that is NIS+

    13. Re:Feature Request by Anonymous Coward · · Score: 0

      ...now if you could only take care of the whole "licensing and managing domain controllers" part, you'd be set!

    14. Re:Feature Request by Vancorps · · Score: 1
      That is what Directory Services Repair mode is for, a reinstall was not required.

      I've never had an issue getting Unix/Linux/OS X to talk to AD. Of course with OS X I have to turn off session signing because for some reason Apple crippled Samba.

      I really think AD is easy to use for 90% of people and installs out there. Naturally it won't work for everybody because some people have truly unique needs.
    15. Re:Feature Request by schon · · Score: 1

      That is what Directory Services Repair mode is for

      Which only works if your AD is still working. If you can't log in as administrator, you can't log in to fix it. A reinstall was the only way to fix it.

      I really think AD is easy to use for 90% of people and installs out there.

      But not for people using Linux or UNIX.

      Naturally it won't work for everybody because some people have truly unique needs.

      If by "truly unique" you mean "following the instructions on a bog-standard install" then yeah, you're right.

    16. Re:Feature Request by drsmithy · · Score: 1
      Which (in my experience) just tanks your AD server.

      I've yet to see this happen on any of our (9) DCs.

    17. Re:Feature Request by Asphixiat · · Score: 1

      Winbind rocks :)

      I also have figured out how to write pam modules for most of my services around the office.

      It is cool - I have one PDC (Windows), and every server, smtp authentication, apache logins, IMAP and anything else that uses pam, can use winbind to see if the username and password are correct, by first checking the windows PDC.

      Central authentication, cheap, quick and easy - oh and my boss can just use the windows server to change passwords, add or remove accounts with her old familiar GUI.

      Winbind is part of samba, and PAM is standard on all Linux machines. You may have to add the Samba server (the winbind server) to the active directory, which is pretty easy - esp. if you use samba 3 that has almost the same syntax as the MS command line tools (like net add blah)

      I seriously recommend this approach over OpenLDAP

    18. Re:Feature Request by drsmithy · · Score: 1
      It is cool - I have one PDC (Windows) [...]

      I /strongly/ advise setting up another DC. Even if you just grab the Windows 2003 eval from the Microsoft website and throw it on some old P2 desktop and reinstall it every 6 months when the eval period expires. I've never actually had to do it, but from what I've heard actually restoring AD from a backup can be a painful experience - best to just keep your "backup" live and online with multiple DCs :).

  12. Nice, but... by mogrify · · Score: 4, Insightful

    I don't really get much from this article. Just that LDAP is out there, and that there are online manuals to help you get started. I figured that much out already. I'm not seeing much of a comparison between LDAP and AD/etc here. Anyone got some in-depth experience to share?

    --
    perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
    1. Re:Nice, but... by j00bar · · Score: 5, Interesting

      Yeah. Shitty article. But... We use OpenLDAP for a single sign-on in house... it was really ridiculously easy... The best part is that you can simply paste additional schemata onto the same leaves... We started using it as the staff directory for our email clients... then we made it also work as the user database for a Jabber server... we then added a VPN server that uses Radius to authenticate off of it using the radiusprofile schema... then we turned it into a Samba3 domain controller using nsswitch by adding the sambaSamAccount and posixAccount schemata... The flexibility has been incredible... How is that better than AD? I don't know -- I've never used AD. AD from what I understand is accessible through LDAP. *shrug* -j00 -jag

      --
      When all you have is a hammer, everybody looks like a Messiah.
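Both the "LDAP ERROR 65" exchange at the top of the thread and j00bar's point about pasting sambaSamAccount and posixAccount onto existing entries come down to one server-side rule: every attribute in an entry must be allowed by the entry's objectClass stack, every MUST attribute of every class must be present, and a change that would break that is rejected as a whole (objectClassViolation, result code 65). The toy applier below is an added illustration, not code from the page or from OpenLDAP: it hard-codes a trimmed, hand-written subset of the standard schema (an assumption, real schemas carry far more attributes), parses a constructed LDIF sample, applies add and modify records to an in-memory store, and validates each result before committing it. It contacts no real directory and leaves out LDIF line folding, base64 values and delete operations.

```python
# Trimmed, hand-written schema subset (assumption): class -> (kind, superior, MUST, MAY), lower-cased.
SCHEMA = {
    "top": ("abstract", None, {"objectclass"}, set()),
    "person": ("structural", "top", {"cn", "sn"}, {"userpassword", "description"}),
    "inetorgperson": ("structural", "person", set(), {"uid", "mail", "displayname"}),
    "posixaccount": ("auxiliary", "top", {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}, {"loginshell", "gecos"}),
    "sambasamaccount": ("auxiliary", "top", {"uid", "sambasid"}, {"sambantpassword", "sambalmpassword"}),
}

class LdapError(Exception):
    """args[0] is the LDAP result code: 2 protocolError, 32 noSuchObject, 65 objectClassViolation, 68 entryAlreadyExists."""

def validate(entry):
    """Raise LdapError(65, ...) unless the entry's attributes fit its objectClass stack."""
    classes = set()
    for oc in (c.lower() for c in entry.get("objectclass", [])):
        while oc is not None:                      # collect the class and every superior up to 'top'
            if oc not in SCHEMA:
                raise LdapError(65, f"objectClass '{oc}' is not defined in the schema")
            classes.add(oc)
            oc = SCHEMA[oc][1]
    if not any(SCHEMA[c][0] == "structural" for c in classes):
        raise LdapError(65, "no structural objectClass provided")
    must = set().union(*(SCHEMA[c][2] for c in classes))
    allowed = set().union(*(SCHEMA[c][2] | SCHEMA[c][3] for c in classes))
    present = {a for a, v in entry.items() if v}
    if (must - present) | (present - allowed):
        raise LdapError(65, f"missing or disallowed attribute(s): {sorted((must - present) | (present - allowed))}")

def parse_ldif(text):
    """Split LDIF into records of (attr, value) pairs; no line folding, '::' base64 or ':<' URLs here."""
    records, current = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line and current:
            records.append(current)
            current = []
        elif line and not line.startswith("#"):
            attr, _, value = line.partition(":")   # a bare "-" separator becomes ("-", "")
            current.append((attr.strip().lower(), value.strip()))
    return records + [current] if current else records

def _modify(entry, body):
    """Apply the add/replace groups of a 'changetype: modify' record (delete is left out of this toy)."""
    target = None
    for attr, value in body:
        if attr == "-":
            target = None
        elif target is None and attr in ("add", "replace"):
            target = value.lower()
            if attr == "replace":                  # replace drops the old values first
                entry.pop(target, None)
        elif attr == target:
            entry.setdefault(attr, []).append(value)
        else:
            raise LdapError(2, f"malformed modify record near '{attr}'")

def apply_ldif(store, text):
    """Apply LDIF records to store (dn -> entry dict); returns [(dn, LDAP result code), ...]."""
    results = []
    for rec in parse_ldif(text):
        dn, body, changetype = rec[0][1], rec[1:], "add"
        if body and body[0][0] == "changetype":
            changetype, body = body[0][1].lower(), body[1:]
        try:
            if (dn in store) != (changetype == "modify"):
                raise LdapError(68 if dn in store else 32, f"cannot {changetype} {dn}")
            entry = {k: list(v) for k, v in store.get(dn, {}).items()}   # copy: commit only if valid
            if changetype == "modify":
                _modify(entry, body)
            else:
                for attr, value in body:
                    entry.setdefault(attr, []).append(value)
            validate(entry)
            store[dn] = entry
            results.append((dn, 0))
        except LdapError as err:
            results.append((dn, err.args[0]))
    return results

# Constructed sample: a real inetOrgPerson+posixAccount entry, the thread's "objectclass: troll"
# modification, then Samba attributes pasted onto the same entry with their MUST attribute.
SAMPLE_LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Jane Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe

dn: uid=jdoe,ou=people,dc=example,dc=org
changetype: modify
add: objectclass
objectclass: troll

dn: uid=jdoe,ou=people,dc=example,dc=org
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: S-1-5-21-1-2-3-1001"""

def run_sample():
    store = {}
    return apply_ldif(store, SAMPLE_LDIF), store
```

Running run_sample() yields result codes 0, 65, 0: the first add passes, the "troll" modification is refused with 65 because the class is not in the schema (and the entry is left untouched, since the change is validated on a copy), and the Samba stacking succeeds only because the record also supplies sambaSID, which the sambaSamAccount class requires. Drop that second operation and the same modification fails with 65 for a missing MUST attribute, which is the usual reason "just add the objectClass" does not work on a live server.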
    2. Re:Nice, but... by mogrify · · Score: 1

      heh, that was better than T entire FA. thanks :)

      --
      perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
    3. Re:Nice, but... by zerocool^ · · Score: 1

      From personal experience with NIS+ and LDAP, as well as implementing windows 2003 servers:

      If you are running any kind of internet service at all, be it FTP, web, mail, dns, proxy, bgp, whatever, then for the love of god, use linux. It's more secure and makes more sense, not to mention being easier to administer.

      HOWEVER, if you're in a situation where you are centrally controlling a large number (10+) of windows desktops with as many or more users, then Microsoft's Active Directory is by far the best thing out there. It's the only thing I will recommend a Microsoft server product for, and I will never recommend a linux-based solution for centralized computer and user management, as long as the desktops are running windows.

      In my opinion, it's one of the only things that Microsoft has really gotten right. And the only reasons to use LDAP in a windows client environment are because 1.) you're a zealot who, rather than using the best tool, would rather use linux, 2.) you're on a restrictive budget (trust me, you're going to spend more than $[windows server 2003] worth of labor setting up an ldap solution), or 3.) you're just a plain ol' glutton for punishment.

      ~Will

      --
      sig?
  13. My new GNU/Linux Distribution by Anonymous Coward · · Score: 5, Funny

    I am pretty sure I am not the only Linux veteran irritated by the increase in its user-friendliness, and mourning the loss of the good olde Linux, accessible only to those who enjoy kernel debugging. This is why I have decided to launch a new GNU/Linux distribution which requires extensive knowledge of Linux and of the computer system's internals.

    The distribution shall be available in the combination of a floppy and a CD-ROM image. Why not only a CD-ROM image? I thought it would be a little too easy, and know you think that too; the CD-ROM is only accessible if you can read it, and this is why I provide a floppy: it contains an assembler and a linker, all you need to write a CD-ROM file system driver (and a partition driver to install the files). Here, I'll give you a head start: ISO 9660 specification. Don't expect every task to be so simple, I won't be giving the answers each time.

    The distribution is somewhat minimalistic, but can do pretty much everything one demands from a modern computer.

    Obviously, all tasks are accomplished through the command line interface (no GUI is provided).

    A Web browser isn't included (as if you expected one to be anyway), just telnet to port 80 of the Web sites to surf the Internet.

    As for an email client, telnet to port 25 and learn how to use your email server.

    For FTP capabilities, you may telnet to port 21 and use the standard commands.

    As I have demonstrated, this is a very versatile and capable GNU/Linux distribution, meanwhile staying available only to real men who back up to FTP and not to tape (to ensure this, legacy support for tape drives is excluded).

    Since potential users may have varying levels of experience, I am hence providing different versions of the distribution:

    • a version without a TCP/IP stack, because I knew some among you would complain it would be too easy otherwise, so you can write it yourself from the floppy;
    • a boxed set for you novices out there, including the floppy, the CD-ROM, a modified version of telnet supporting Connection: Keep-Alive, and ssh for tinfoil hat-wearers -- and because I'm generous, I've added to the package a printed manual featuring the ISO 9660, HTTP 1.1, HTTPS and FTP specifications.

    Your suggestions are welcome, and I hope you enjoy using my GNU/Linux distribution.

    1. Re:My new GNU/Linux Distribution by einstienbc · · Score: 1

      Ok. So: Where do I download. Or can you post a torrent?

      --
      If you die horribly on television, you will not have died in vain. You will have entertained us.

      --Kurt Vonnegut

    2. Re:My new GNU/Linux Distribution by Anonymous Coward · · Score: 0

      I shall later give you my I.P. address which you should be able to connect to through port 79 with finger, and the raw bites for the floppy and CD-ROM images shall be in my .plan file.

    3. Re:My new GNU/Linux Distribution by Goo.cc · · Score: 1

      I have no suggestions, but I do want to thank you for not being one of those jackasses who want to turn a beautiful Unix system into a Windows clone.

    4. Re:My new GNU/Linux Distribution by WarmNoodles · · Score: 1

      I previously got his IP, it is 127.63.24.12. Have a nice day.

    5. Re:My new GNU/Linux Distribution by Anonymous Coward · · Score: 0

      Crap, I'm tired. I did a DNS lookup on a loopback address to check if it wasn't a shock site ...

    6. Re:My new GNU/Linux Distribution by Wylfing · · Score: 4, Informative

      Just in case you missed the sarcasm, because you may have never tried to set up LDAP before, this is a reflection of what LDAP is like. It is not a product, it's a set of (impossibly arcane) tools with which you can create a product, over the course of several human lifetimes, that might have the same features as Active Directory. And it's got "Isla de Muerte" documentation -- nobody can understand it unless they already know how it works.

      --
      Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
    7. Re:My new GNU/Linux Distribution by mchawi · · Score: 1

      If I had any mod points left - you would have gotten all of them. First post in a long time that made me laugh out loud.

    8. Re:My new GNU/Linux Distribution by jinzumkei · · Score: 1

      "This is why I have decided to launch a new GNU/Linux distribution which requires extensive knowledge of Linux and of the computer system's internals." OMG?! How'd you get to be such a cool guy?

    9. Re:My new GNU/Linux Distribution by WarmNoodles · · Score: 1

      rofl, sorry dude hehehehhe lol

    10. Re:My new GNU/Linux Distribution by Linker3000 · · Score: 2, Funny

      It'll be printed as a 30-part article in Byte for you to type in.

      --
      AT&ROFLMAO
    11. Re:My new GNU/Linux Distribution by GrievousMistake · · Score: 1

      Nooo! You ruined it! They were supposed to find that by following the chain of open proxies.
      Now we'll have all the newbies swarming the BBS in no time. Like it wasn't getting hard enough to grab a free line already.

      --
      In a fair world, refrigerators would make electricity.
    12. Re:My new GNU/Linux Distribution by base3 · · Score: 1

      Wouldn't you have been surprised to find out that it was!

      --
      One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    13. Re:My new GNU/Linux Distribution by WarmNoodles · · Score: 1

      I hope this guy gets a firewall some time soon.
      \\127.63.24.12\C$ is wide open, lots of files.

      I'd be surprised if someone doesn't hack this sad linux distro before the end of the day.
      sad.

    14. Re:My new GNU/Linux Distribution by TheDauthi · · Score: 1

      I'm trying it now, and I love it. Well, after I wrote a telnet client to post this.

    15. Re:My new GNU/Linux Distribution by Pollardito · · Score: 1

      i like the idea, but it seems like including a telnet client with it is just a bunch of handholding

    16. Re:My new GNU/Linux Distribution by syates21 · · Score: 2, Insightful

      It is not a product, it's a set of (impossibly arcane) tools with which you can create a product

      Actually, no. LDAP is (strangely enough) a "Lightweight" Directory Access Protocol. It's convenient that it also happens to use the letters LDAP for that, don't you think?

      Lots and lots of different directory-like products can speak LDAP (AD, OpenLDAP, Exchange, Novell Directory, Sun Directory, etc), but LDAP itself is not a tool or product.

      You don't hear anyone saying "man I installed this sweet HTTP that lets me manage all my hypertext documents". For some reason this seems to happen a lot with LDAP (don't mean to pick on the parent post specifically). I'm not sure why, but maybe dumb product names like "OpenLDAP" have something to do with it.
  14. news? Stuff that matters? by grasshoppa · · Score: 0, Troll

    This is neither news nor is it anything that matters. The core of the problem isn't ID management, it never was. It's application support for linux, which is pretty much non-existent in most fields.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  15. Where does it explain "how" it beat Windows? by Anonymous Coward · · Score: 1, Insightful

    What a lousy article to post. There is one comment in the article saying that Windows admins hate user identity management, then it goes about with a little blurb about the history of NIS, etc, and then it has a couple of links to LDAP stuff. WTF? What kind of article is this? Are they going to start posting FAQs now? What a useless article!

    1. Re:Where does it explain "how" it beat Windows? by CaymanIslandCarpedie · · Score: 1

      Yeah, but it had "Linux Beats Windows" in the title. The submission could have been blank with that title and Taco still would have posted it ;-)

      --
      "reality has a well-known liberal bias" - Steven Colbert
  16. It's a joke right by Anonymous Coward · · Score: 0

    Come on, this can't be serious.

  17. Open Source Identity Management by bheer · · Score: 2, Informative

    ... was an embarrassment because OpenLDAP is a pile of junk compared to the quality of flagship OSS products like the LAMP stack.

    Thankfully, Redhat's new Directory Server (based off iPlanet's) should be much easier to use and deploy.

    1. Re:Open Source Identity Management by timeOday · · Score: 1

      Didn't Novell recently open-source a directory product, and can it be used for authentication and authorization?

    2. Re:Open Source Identity Management by bheer · · Score: 1

      I'm familiar with their eDirectory product, which is not free but very, very cheap (and good), but that's not open-source ... have they open-sourced anything else?

    3. Re:Open Source Identity Management by timeOday · · Score: 1

      OK, I was thinking of the Netscape Directory Server, once commercial but now released as the RedHat Directory Server.

  18. Very fluffy article by fahrvergnugen · · Score: 5, Interesting

    That's a very nice little starting point, but the article has no depth. A little meat, even a mention of connecting Windows 2k/XP desktops to an OpenLDAP system via SAMBA for authentication, rather than relying on an Active Directory, for example, would be welcome.

    And for the record: Active Directory design isn't, IMHO, harder than the design of any other well-administered LDAP-based authentication system. Further, I'll say that Microsoft has done a fantastic job of making the administration tools transparent and easy-to-use, and the integration of Exchange mail servers & NIS authentication via Services For Unix into the same tool is icing on the cake. Sure, the per-server licensing fees aren't cheap, but you do get what you pay for in this instance.

    --
    Even Jesus hates listening to Creed.
  19. Poor article by HyperChicken · · Score: 4, Insightful

    The article just says "Windows ID management is bad. LDAP is better. Why is Windows' ID management bad? I'm not telling. Why is LDAP better? I'm not telling." It does nothing to explain the position the title proposes.

    This isn't to say I disagree but calling this article "news" is like calling the OpenLDAP FAQ news.

    --
    Free of Flash! Free of Flash!
  20. Nonsense, but not for the reason you'd think by mrRay720 · · Score: 5, Insightful

    ID management's biggest problem will never be solved by Linux. Nor will it be solved by Windows.

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.
    In my (amazingly wonderful) opinion, no system deserves the name ID management unless it has a genuinely good chance of doing so. Physical tokens or biometrics (aka built-in physical tokens) are a minimum.

    Well, unless you're after the account ID, but I think admins are normally more concerned about the ID of the person using the account.

    We need to stop barricading the windows when people are walking merrily through the doors.

    1. Re:Nonsense, but not for the reason you'd think by A+beautiful+mind · · Score: 1

      Simple rule of thumb:

      In order for authentication to be considered secure, at least TWO of the three ways of authentication need to be used.

      The three ways are of course information, property and biometrics.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    2. Re:Nonsense, but not for the reason you'd think by Leiterfluid · · Score: 1

      It's simpler than that. Biometrics is just another extension of EAP (extensible authentication protocol), the same as Smart Cards, or RSA SecurID key fobs. The concept of multifactor authentication is simple. Combine something that only you have and something that only you know.

    3. Re:Nonsense, but not for the reason you'd think by halber_mensch · · Score: 1

      In my (amazingly wonderful) opinion, no system deserves the name ID management unless it has a genuinely good chance of doing so. Physical tokens or biometrics (aka built-in physical tokens) are a minimum.

      I concur. I think fingerprint ID is the wave of the future, and all crackers should agree with me here because breaking system security is much easier and way more fun when you can chop off a dude's finger rather than dig through his garbage for post-it's!

      --
      perl -e "eval pack(q{H*},join q{},qw{70 72696e74207061636b28717b482a7d2c717b343 637323635363534323533343430617d293b})"
    4. Re:Nonsense, but not for the reason you'd think by A+beautiful+mind · · Score: 1

      Well yeah, we can say that biometrics is a subset of property, but in practice it can be different. First of all, it makes a huge difference in the matter of security level, and usually the area of application is not the same as with non-biological property.

      You might steal someone's secureID but it's not that likely to cut off someone's finger for getting access to John Doe's shitty office computer. Also, it's not really likely that someone can fake an iris authentication even if getting into a military complex, but those kind of biometrical checks are most likely not used at silly places like grandma's office.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    5. Re:Nonsense, but not for the reason you'd think by nonlnear · · Score: 1

      You might steal someone's secureID but it's not that likely to cut off someone's finger for getting access to John Doe's shitty office computer.

      You're right. Sure, someone might cut your finger off to steal your Mercedes S-class, but definitely not for multimillion dollar corporate espionage!

      --
      argumentum ad fallacium: Fallacy of defining a fallacy which allows one to dismiss the argument in question.
    6. Re:Nonsense, but not for the reason you'd think by OrangeGoo · · Score: 1

      The three sources of authentication were put to me like this, in order of increasing reliability:

      1) Something you know - least reliable because someone else can guess what you know, or if you leave it written on a note they can simply read it

      2) Something you have - less reliable because it can be stolen, but more reliable because an attacker probably can't fabricate a duplicate

      3) Something you are - most reliable because it can't be easily duplicated and it is very unlikely to be stolen

      Sure, it was brought up that someone could cut off your finger - that's why "Something You Are" is not a perfect authentication scheme. Anyway, I agree with your point. My ID card is combined with a PIN to get me into the building, my thumb gets me into my computer. In essence, it requires all three pieces to access my computer at work. :P

    7. Re:Nonsense, but not for the reason you'd think by hammeredpeon · · Score: 1

      I used to think that writing a password on a sticky note was the dumbest idea. But then a week ago I almost did it. Where I work, they just updated their password policy, and it has some pretty strange requirements that make things almost impossible to remember:
      • 10-15 characters (not bad)
      • at least 1 lowercase letter, at least one uppercase letter (ok)
      • at least 1 digit (no biggie)
      • can't start or end with a digit (just like a variable, still not rough)
      • no substring can be a dictionary word, where words like "ayu" and "ber" are dictionary words (wtf!?)

      so, of the first five passwords i tried, none of them passed the test because of its absurd dictionary rule. i eventually just came up with a way to count that makes my password fairly easy to guess given the constraints, but also fairly easy to remember. come on, is not allowing the password "ayud4m3p0rf4v0R!" really going to compromise my security?

      i'm starting to think biometrics will be nicer because i doubt they're going to make me change my fingerprint.

      --
      best college pickem site ever: pickem.terrbear.org
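
As an added example (not the poster's), here is a checker for the five rules listed in the post above, with a tiny constructed dictionary standing in for the real word list; it also takes a minimum word length for the substring rule, which is the usual way to keep such a rule from rejecting nearly every candidate. Case-insensitive matching for the dictionary rule is an assumption.

```python
"""Checker for the password policy listed in the post above (added example).

DICTIONARY is a constructed stand-in for the real word list, which evidently
contained fragments such as "ayu" and "ber". Case-insensitive matching for the
substring rule is an assumption.
"""
from __future__ import annotations

DICTIONARY = frozenset({"ayu", "ber", "dam", "port", "favor", "password"})


def policy_violations(password: str, dictionary: frozenset[str] = DICTIONARY,
                      min_word_len: int = 1) -> list[str]:
    """Return every rule the candidate breaks; an empty list means accepted.

    min_word_len lets the substring rule ignore very short "words"; the policy
    as described in the post used no such floor (min_word_len=1)."""
    problems: list[str] = []
    n = len(password)
    if not 10 <= n <= 15:
        problems.append(f"length {n} not in 10..15")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password[:1].isdigit() or password[-1:].isdigit():
        problems.append("starts or ends with a digit")
    # Substring rule: any dictionary word appearing anywhere rejects the candidate.
    lowered = password.lower()
    for word in sorted(dictionary):
        if len(word) >= min_word_len and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def rejection_rate(candidates: list[str], min_word_len: int = 1) -> float:
    """Share of candidates the policy rejects; handy when tuning min_word_len."""
    rejected = sum(1 for p in candidates
                   if policy_violations(p, min_word_len=min_word_len))
    return rejected / len(candidates)


if __name__ == "__main__":
    for pw in ("ayud4m3p0rf4v0R!", "ayud4m3p0rf4v0R"):
        print(pw, policy_violations(pw) or "accepted")
    print("with a 4-letter floor:",
          policy_violations("ayud4m3p0rf4v0R", min_word_len=4) or "accepted")
```
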
    8. Re:Nonsense, but not for the reason you'd think by A+beautiful+mind · · Score: 1

      Most modern and medium up to high quality fingerprint identification devices check for the "aliveness" of the thumb. It can be done electrically, and even by detecting the veins in the thumb. Not sure if that would stop a stupid robber from cutting off someone's finger, but it would most likely stop them from getting access to the resource protected by the fingerprint authentication device.

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    9. Re:Nonsense, but not for the reason you'd think by nzkbuk · · Score: 1

      i'm starting to think biometrics will be nicer because i doubt they're going to make me change my fingerprint.

      I wouldn't be so sure. You've got 10 fingers; from a quick look at my fingers there are 5 distinct fingerprints (it looks like each finger's print is a mirror image of the same finger on the other hand (that may only be on my hands and not typical though)).

      So I can quite easily see how you'd have to change which finger you use on a regular basis, just like you have to change passwords now.

    10. Re:Nonsense, but not for the reason you'd think by dodobh · · Score: 1

      What are your failure scenarios?

      --
      I can throw myself at the ground, and miss.
    11. Re:Nonsense, but not for the reason you'd think by Anonymous Coward · · Score: 0

      ayud4m3p0rf4v0R? That's the same combination I have on my luggage!

  21. Re:news? Stuff that matters? by C0vardeAn0nim0 · · Score: 1

    GNU/Linux is pretty well served in terms of LDAP tools and applications. thanks for asking.

    now, someone please mod parent "-1 troll"

    --
    What ? Me, worry ?
  22. Even better solution... by LandownEyes · · Score: 0, Redundant

    "Just saying screw it and watching television all day may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices." Plus you probably won't have to go back to work tomorrow!!

  23. not true by Anonymous Coward · · Score: 0

    Last time it was reported, slashdot readers were mostly Windows users. Why slashdot doesn't publish a zeitgeist is totally beyond me. An article on OS/browser statistics here would generate thousands and thousands of pageviews (that's dollarinos, Taco) and comments (more dollarinos) but they don't seem interested.

    Go figure.

  24. Re:news? Stuff that matters? by Nytewynd · · Score: 1

    I agree. What good is being able to manage users if they don't have any tools to do their jobs? A large majority of people in my area need Excel to function, and open office is nowhere near as good in that department.

    When linux catches up in terms of commercial software, maybe it can be used in work environments. Then we can easily manage our IDs.

    --
    /. ++
  25. OpenLDAP by glamslam · · Score: 3, Funny

    OpenLDAP is a snap! It's so easy to use, even a 10-year unix veteran can get it integrated with some systems assuming everything is set up properly and has been designed for integrating in this manner!

    Thanks SearchEnterpriseLinux.com!

    1. Re:OpenLDAP by cocotoni · · Score: 1

      Yes, even a five year old with 10 years of experience in *NIX management with emphasis on authentication methods can set it up with relative ease.

    2. Re:OpenLDAP by to_kallon · · Score: 1

      assuming everything is setup properly and has been designed for integrating in this manner

      but even if it's not set up correctly, it's so easy to install you can fix the problem in a jiffy!

      thanks sun!

      --
      The only way to get rid of a temptation is to yield to it.
      -Oscar Wilde
  26. Novell NSure by michael+path · · Score: 4, Informative

    Sure, Linux is one way.

    However, I'm very impressed by Novell NSure.

    Do not overlook this product if you're looking for a solid LDAP based Identity Management solution.

  27. Re:Gimme a brake -- you're just figuring this out by Anonymous Coward · · Score: 0

    Well,
    Maybe he wanted to stop? :)
    You made me laugh though.

  28. Bad Summary by tunabomber · · Score: 4, Interesting

    Pretty thin article- if you were expecting a detailed argument for why OpenLDAP is better/easier to manage than ActiveDirectory, you'll have to look somewhere else.

    He basically just summarized the history of NIS and OpenLDAP, then gave us a link to some documentation for setting up OpenLDAP. Have fun editing slapd.conf, kids!

    I was expecting that he'd at least mention Redhat Directory Server, which is the most interesting recent development as far as easy-to-manage Linux identity servers go.

    --
    pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
  29. Ha. by kryptx · · Score: 1

    I think it's funny that the summary leads the reader to believe that such a switch could be of trivial difficulty.

    If your network is so complex and you have so many domains and related devices that you're "fed up" with Windows to the extent that you're ready to ditch it completely, a switch to Linux, while it would certainly eliminate certain issues, would itself hardly be a walk in the park.

    --
    Mods: Do you disagree with me? Go ahead and mod me down. Meta-mods will sort it out. Good luck!
  30. That is true by mrRay720 · · Score: 3, Funny

    I don't even know what Linux is, I just come here for the pretty colours.

    1. Re:That is true by worf_mo · · Score: 1

      If you find these colors pretty, you will be enraptured by the IT color scheme.

  31. eDirectory by malraid · · Score: 4, Informative

    There's nothing better in ID management than eDirectory, either running on Linux, NetWare, or yes.... even Windows. MS always promises that the *next* Active Directory version will have the features that eDirectory had 15 years ago. True container based security and delegation, partitioning, replication, all with the greatest of ease. Yes, it's more expensive than OpenLDAP, but WAY better.

    --
    please excuse my apathy
  32. Who cares about you!?!? by ShyGuy91284 · · Score: 1

    I'll admit I didn't thoroughly read the article, but really though. You are paid to manage a given system. This /. article says make it easier for an admin, which would make it harder for all other employees/clients to use it (because the rest of the world isn't used to Linux)? Doesn't seem quite right... Even if it is that much easier, it doesn't seem like a legit reason to switch....

    --
    In undeveloped countries, the consumer controls the market. In capitalist America, the market controls you.
  33. Article summary by duffbeer703 · · Score: 1

    Key points in the article:

    -Backups in windows are really hard, but nobody ever wants to do them anyway.

    -Project Athena at MIT invented Kerberos

    -Sun NIS was originally called "Yellow Pages" in the 80's

    -LDAP tools included with linux let you manage users, but you can change them if you want

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
    1. Re:Article summary by Narishma · · Score: 1

      But wait, isn't the article supposed to be more detailed than the summary ?

      --
      Mada mada dane.
  34. Bah -- LDAP is weak authentication by forsetti · · Score: 2, Informative

    LDAP, is a directory service, or database, that also has the ability to verify ID/Pass pairs, which is the most basic form of authentication.

    For stronger authentication, using tickets for further authorization, use Kerberos. With LDAP, you must punch in your password repeatedly. Yes, it is the same password, but it must still be entered multiple times. In a properly Kerberized environment, you enter the PW once, and that's it. And, if desired, you can do some neat P

    And, to head off some arguments -- Kerberos is pretty easy to set up. It is, at least, no harder than OpenLDAP to set up.

    Try Kerberos -- you'll like it.

    --
    10b||~10b -- aah, what a question!
    1. Re:Bah -- LDAP is weak authentication by Anonymous Coward · · Score: 1, Informative

      I don't know about Kerberos (but I will at your suggestion) but as in authentication you are quite right that id and pass it is. However, LDAP is more than authentication and its strength is much more about authorization in that context and in the case of Sunone LDAP the filtered roles can come in handy...or completely screw you if you change departments and the communications from HR to the techies really sucks. But basically LDAP can centralize the account management without turning on and off everything and that is a step in the right direction. Where I am now, I find myself wondering which id and password is going to which backend.

    2. Re:Bah -- LDAP is weak authentication by forsetti · · Score: 1

      Ok -- a few replies came in about LDAP's strengths. LDAP is *very good* for AuthZ (authorization) -- handling roles, managing access, etc. The combo of Kerberos for AuthN (authentication) and LDAP for AuthZ is excellent.

      For a loose collection of notes from the random ramblings of my mind, check out http://web.uconn.edu/dotmatt/SSO/

      --
      10b||~10b -- aah, what a question!
  35. Re:EASIER?!? by Anonymous Coward · · Score: 1, Informative

    He's talking about managing IDs on networked systems. Not standalone.

    I worked at a facility when they implemented Active Directory, and re-implemented Active Directory, and re-re-implemented Active directory, and re-re-re-implemented Active Directory. Eventually some contractors came around to each system that was dorqued and fixed it, sort of. They had to get help from both us contractors, and the local systems guy.

  36. Wow! Thanks! by Anonymous Coward · · Score: 0

    In other news, "Linux" is an alternative to Windows that has been around a while. It started out as a free clone of UNIX, but now it has come into its own and started a lot of other interesting projects. You can find out more about it on the Internet!

  37. Re:news? Stuff that matters? by Anonymous Coward · · Score: 3, Informative

    I just hope they aren't using any of Excel's statistical functions. Or if they are, I hope they don't care about accuracy. There are so many problems with Excel's statistical functions (even the latest-and-greatest version) that it has been repeatedly ruled "unsuitable for serious statistical analysis". That's fine if "a large majority of people in my area need Excel to function" just be aware of its shortcomings (which are many). Gnumeric (and I think KSpread and StarCalc) is significantly better than Excel in this area (and many others, but I digress).

    Of course, both this post, the parent and the parent's parent are "-1 Off Topic".

  38. Live CD? by Anonymous Coward · · Score: 0

    So how about a live cd so we can take a look and have a test? Heck, it could even save data to a USB stick and actually be useable.

  39. Where's the comparison? by oringo · · Score: 3, Insightful

    The title of the story is "How Linux Beats Windows in ID Management." Okay, I read the TFA, and all I read was an introduction to LDAP. Where's the comparison that shows "Linux Beats Windows?" The article is not even about linux; it's about LDAP solutions that can be run on *nix systems. For the love of God please please don't run stupid stories like this again.

    1. Re:Where's the comparison? by Anonymous Coward · · Score: 0

      the TFA ?

      *sigh*

    2. Re:Where's the comparison? by WarmNoodles · · Score: 1

      I read TFA too and modded the author troll.
      I am an experienced ID security professional and the article title does not match its content.
      I don't know how this got on slashdot but whatever you're smoking up there, pass it down here.

      I expected to see an article on server side deployment level activities Ms vs Linux, not some LDAP Noobie articles. This was a joke.

      In my professional opinion the whole thread should be nuked as its premise was a lie.

  40. After reading TFA.. by concept10 · · Score: 1

    - Disclaimer: This could easily be considered as a troll or flamebait, but it's only an observation since I have completely switched to using Linux last year and may be offtopic, but ... I immediately thought about how software/package management and administration is also easier in Linux. Yes, I'm talking about APT. Now before you mod me down, please consider this: Does Windows offer anything that allows you to upgrade ALL installed packages (providing that updates are out there) with one command? Does Windows allow you to make core changes to the installed packages and continue your computing tasks without rebooting? Does Windows allow you to browse, download and install over 15000 free packages at once if that is your choice? (Synaptic - This is the best thing since sliced bread, you can do so much with this application) Don't get me wrong, Linux does suffer with package installation sometimes, but I think MS should investigate how to implement something like APT into Windows. This may be a far stretch, but it is worth a mention. I _used_ to hate trying to clean up my machine, and the files that are on it by digging through the registry, and the rest of that crap. Also some software sometimes refuses to uninstall. This is something that has always annoyed me.

  41. Linux is a guy from Sweden by Anonymous Coward · · Score: 0, Offtopic

    He wrote the Ecmas editor in 1943 and started the Foundations for Getting Softwares for Free. In 1986 he was involved in a six-issue battle with Phil Gates for the ultimate control of the universe plus the Internets. It was a pretty decisive victory for Linux, but Phil got away, swearing revenge.

    1. Re:Linux is a guy from Sweden by bwintx · · Score: 0

      He wrote the Ecmas editor in 1943 and started the Foundations for Getting Softwares for Free. In 1986 he was involved in a six-issue battle with Phil Gates for the ultimate control of the universe plus the Internets. It was a pretty decisive victory for Linux, but Phil got away, swearing revenge.

      However, his proposed lawsuit against the estate of Charles M. Schultz never quite panned out.

      --
      Discussion System prefs link: http://slashdot.org/users.pl?op=editcomm
  42. OT Shuttle scrubbed by Anonymous Coward · · Score: 0

    13:34ET - The low fuel sensor network is failing to respond, triggering a scrub. The sensor would detect an unsafely low fuel level, which could lead to catastrophic failure in the event a booster should run out of fuel at 100% throttle.

    1. Re:OT Shuttle scrubbed by mogrify · · Score: 1

      --
      perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
    2. Re:OT Shuttle scrubbed by Anonymous Coward · · Score: 0

      Yep. It's good to know when the tank is getting empty. Finding diesel fuel is hard enough, but trying to find a gas station which carries rocket fuel is a real pain in the ass.

  43. Your are sew write! by drizst+'n+drat · · Score: 1

    Sorry -- just had to do that. You're right of course ... fingers got ahead of the thought.

  44. ID Management Problems - Cross Company by Anonymous Coward · · Score: 0

    With the explosion of networking, the real ID Management problem is that teams form across administrative zones. Within a company, things are fairly simple, but how do you authorize Mary from a partner company to see your Exchange calendar?

    1. Re:ID Management Problems - Cross Company by Sylver+Dragon · · Score: 2, Interesting

      Set up a user for her in your domain, with an Exchange Mailbox. Have all email to that box forwarded to her real email address, and not stored locally. That user can then be allowed to view the calendar. Assuming she is using Outlook (probably, if you want her to see the calendar), just have her add another email account to her profile, which connects to your Exchange server, using the username/password combination you created. The downside of this is that your Exchange Server will need to be exposed to the internet, which is likely to be the case anyway. Also, she really doesn't have a way to update her password. However, it gets the job done, and provides a contact for her in your address book, which can be added to distribution lists easily.
      This assumes that you don't want to go through the trouble of setting up a two way domain trust with the other company.

      --
      Necessity is the mother of invention.
      Laziness is the father.
    2. Re:ID Management Problems - Cross Company by c_g_hills · · Score: 1

      Microsoft will be soon introducing a tool to do just that, called Microsoft Active Directory Federation Services. Of course, Mary could just publish her free/busy information to an unrestricted part of her company's website.

  45. Get real. by Some+Random+Username · · Score: 0, Flamebait

    If you can configure apache then you can configure openldap; it's very simple and easy to set up. And "LAMP" is an embarrassment: apache is a bug-riddled security nightmare, PHP is an order of magnitude worse, mysql is a wonderful replacement for flat files but is worthless as a database, and linux doesn't really matter in the whole thing; any OS could be used and it would make no difference.

  46. Kind of... its called Update Services by MSFanBoi · · Score: 2, Informative

    Currently Windows Update Services is out, which allows for very good, granular control of software updates and management; should more control be needed, there is always SMS2003. No, it's not just for Windows. The newer releases of Update Services update all supported software detected on the system; this will include 3rd party applications as well. If applications follow standard Microsoft development "rules" one would not have to clean up anything, but as usual, people take the shortest and quickest path possible and leave crap all around. Is it perfect? Nope. But it works well when used properly.

  47. Article improperly credits Project Athena for PAM by Otterley · · Score: 4, Informative

    The article incorrectly states that PAM (Pluggable Authentication Modules) came out of Project Athena.

    However, it was actually invented by Sun, and was eventually adopted as RFC 86.0 by the Open Software Foundation in 1995.

  48. Ditto - I've tried.. by Anonymous Coward · · Score: 1, Interesting

    I've tried, and the results were less than spectacular (they were actually more like craptacular.)

    There are AD Unix "extensions" that are supposed to make it supply Unix-y stuff like numeric UIDs. But when I installed them, they made the AD server hang whenever a new user gets added. (Which took out the whole machine - as everything goes through AD.)

    In the end, I had to reinstall the whole of Win2K (luckily I'm not stupid enough to do something like this on a production system) - it was the only way to make the system usable again.

    So yeah - I'd like an explanation of how to do it too.

    1. Re:Ditto - I've tried.. by |<amikaze · · Score: 2, Informative

      A friend and I tried the same thing and got the same results.

  49. Actual information by lheal · · Score: 2, Informative

    Swoosh.

    Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.

    That's because you often have to learn about things in order to do them. With flexibility comes a price, and that price is work. Luckily, they pay you for that, if you do it well enough.

    Or maybe he should have published a GUI along with the article? Sorry for being flippant, but I think you're expecting too much hand-holding.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:Actual information by dubl-u · · Score: 3, Interesting

      Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.

      Even so, the article was really weak compared with the blurb that they submitted to Slashdot. At 650 words, the article is barely an introduction to the topic. The links were a minor plus, but the article didn't really fulfill the promise of the title, let alone that breathy 50-word blurb.

      I would have been perfectly fine with the article if they had submitted it by saying, "LDAP has a neat history, and if you try it, you might learn something. But we won't tell you what or how, and we certainly won't show you how to solve any problems you actually have."

    2. Re:Actual information by kiltedtaco · · Score: 1

      Thank you for responding more reasonably than the OMG USE GOOGLE respondents I'm used to. I still think that you're essentially saying the same thing as them though.

      The point of an article is to show the readers something new. It's to help them, to teach them something, often on slashdot it's to show new ways of doing things. This article does none of these. It provides a few links, but little that google and wikipedia could not do.

      In your response you mention a GUI, alluding to a GUI vs. console debate. An excellent analogy, I think I'll use it in my riposte:

      GUIs are easier to use. This is just true. I'm sure someone can point out a bad GUI and a good text interface, but a good GUI can almost always beat out a good text interface. I know this is hard for slashdot users to accept, because we feel the need to occult our trade behind the command line which is so impenetrable to "users". Anyone who uses a GUI must not know how to use a command line, and obviously does not know anything. The same way C++ users don't know assembly, and obviously can't program anything. This sort of thinking is nothing but counter-productive elitism.

      Getting back to the subject at hand, this article is very much like the command line. It's difficult, unhelpful, and hard to use. It taught me nothing about LDAP. I suggested that an article more like a GUI (metaphorically) would be better, and you seem to disagree with me, on the grounds that a GUI provides too much hand-holding. Exactly right, I want an article that is informative and easy to use. Do you really think that is a bad thing?

    3. Re:Actual information by lheal · · Score: 2

      >GUIs are easier to use. This is just true.

      It's true, but it's like saying it's easier to drive a car than fly a helicopter. With a GUI, you can only do what the GUI-writer allows. With a command line, you're free to do what you want.

      GUI is fine for apps. For admin work, give me a CLI any day.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    4. Re:Actual information by kiltedtaco · · Score: 1

      It's true, but it's like saying it's easier to drive a car than fly a helicopter.
      Dumb analogy. A helicopter is fundamentally different from a car. A helicopter flies. There is no similar fundamental difference with GUI vs. CLI. There's no reason a GUI can't do everything the CLI can.

      With a GUI, you can only do what the GUI-writer allows. With a command line, you're free to do what you want.
      With a command line, you can only do what the command-line app writers allow you to do.

      GUI is fine for apps. For admin work, give me a CLI any day.
      The graphical admin tools suck for linux, but that's why they need to be improved. It's not an excuse to continue touting the command line as the only interface for Real Admins.

      Once again, the same elitist bullshit.

    5. Re:Actual information by lheal · · Score: 2, Insightful

      There is no similar fundamental difference with GUI vs. CLI.

      Your claim is that the two are isomorphic, that is, that there is a mapping of every function of a GUI to a CLI and that all functions of a CLI are met by the GUI.

      That is clearly false, since while I can quickly issue a command under a Unix shell that will repeat until I kill it, GUIs never (or seldom) provide a checkbox for that. That's just one example. There is a limitless supply of examples, since I can create ad hoc command scripts to extend the functionality of the CLI.

      elitist bullshit

      Noobie mewling.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    6. Re:Actual information by kiltedtaco · · Score: 1


      What prevents a GUI from having just such a checkbox?

      What prevents a GUI from having a scripting language?

      Just because most of the GUIs you're familiar with don't have such features, doesn't mean that no GUI can have them.

    7. Re:Actual information by lheal · · Score: 2, Insightful

      What prevents a GUI from having just such a checkbox?

      You are so intent on being right that you can't see the plain truth in front of you. It's not that a GUI can't have a checkbox, it's that unless it does, the feature is not available. A CLI tool, on the other hand, needs no check box because the functionality is inherited for all tools.

      What prevents a GUI from having a scripting language?

      The paradigm. GUIs are intended to be easy, and scripting languages are not "easy" in that sense. Writing a script is an operation most users just won't perform. Besides, I thought your point was that with a GUI you don't need a script? Maybe that wasn't your point.

      Just because most of the GUIs you're familiar with don't have such features, doesn't mean that no GUI can have them.
      That is correct. In fact:
      • The GIMP is scriptable.
      • Many times, especially in old-school Unix flavors, the vendor would provide both GUI and CLI access. NeXTStep (and probably OSX, but I've never used it), for instance, allowed access to the underlying NetInfo database from the command line and the GUI.
      • Microsoft, in their next-gen scripting language, will apparently allow you to get at the same objects that their GUI tools use.

      What all these share, however, is that the GUI tools allow access to a certain set of operations, and the CLI scripting language allows access to a certain set of operations, and one is a proper subset of the other.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    8. Re:Actual information by kiltedtaco · · Score: 1

      You are so intent on being right that you can't see the plain truth in front of you.

      That's just meaningless and confrontational.

      It's not that a GUI can't have a checkbox, it's that unless it does, the feature is not available.

      I don't know how you can believe that a feature of a GUI is any different than a feature of a CLI. If a command line doesn't have a way to run a program repeatedly, then the command line can't do it either, right? Do you really think there's a difference between adding a checkbox to a GUI and adding a command line switch or job control functions to a shell?

      What all these share, however, is that the GUI tools allow access to a certain set of operations, and the CLI scripting language allows access to a certain set of operations, and one is a proper subset of the other.

      You still haven't pointed out any operations that are only possible with a CLI. You pointed out something that most GUIs don't do, but that doesn't mean no GUI could.

      You also seem to forget about the world of Windows, where it is far easier to use the graphical tools than the terrible command line provided. In Windows, the set of CLI operations is very much a subset of GUI operations.

    9. Re:Actual information by Anonymous Coward · · Score: 0

  50. I think not. Here's why. by c0ldfusi0n · · Score: 2, Interesting

    Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles...

    Flame me for this, but Windows is a hell of a lot easier to learn and manipulate for the regular Joe users. In Windows, if you want to change settings, you hit Start, Settings, Control Panel and you just select what you want to play with. In Linux, you actually have to know (very well) what you're doing and how to do it. Now compare this. What will common users choose? Ease of use and user-friendliness, or painful, long and extensive research (read: understanding how it works first, then understanding the 3rd party software to administrate it, then learning how that one works, then learning the command syntax) before typing shit out in a console?

    --
    A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
    1. Re:I think not. Here's why. by nurhussein · · Score: 1

      Err, directory services aren't easy to setup even with MS solutions. The directory everyone seems to sing praises of is Novell's.

    2. Re:I think not. Here's why. by Anonymous Coward · · Score: 0

      So you're saying you'd like to administer a huge centralized network without even knowing what you're doing?

      May God help you so your boss doesn't read /. today

    3. Re:I think not. Here's why. by drsmithy · · Score: 1

      Err, directory services aren't easy to setup even with MS solutions.

      Say what? Basic AD infrastructure is about half a dozen mouse clicks. Integration into Exchange, for a global address book (the other thing most people seem to want DS for) is, if anything, even easier.

      If anything, DS on Windows is *too easy*.

  51. LDAP != Identity Management by flanker · · Score: 5, Interesting

    The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."

    This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.

    And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.

    That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....

    --
    Left shift 1 for e-mail...
    1. Re:LDAP != Identity Management by HrothgarReborn · · Score: 1

      You hit the nail on the head. I am working on a project installing the Novell identity management system at a very large enterprise that has grown by acquisition. Huge challenges in getting everybody talking to the system.

      Fortunately Novell has done great work in how it approaches it. In a nutshell there is a master repository with everyone's data in it. Data is fed in through standardized XML feeds. Plugins are available for common data sources like PeopleSoft and AD to translate their data to XML. Then this master vault can generate LDAP trees in various formats with various subsets of the data on the fly. Very cool. It also can populate Active Directory trees. So it can keep up a POSIX-compliant LDAP tree for the Unix world and AD for the Wintel servers, all with data being fed into the vault automatically as HR hires people, as new business relations are established in other software, etc.

      The problem is it only takes 6.3 Billion years to get all systems feeding data in properly and authenticating against it.

    2. Re:LDAP != Identity Management by pavera · · Score: 1

      The author also specifically mentions using these things in small setups. No IdM in a large enterprise is easy, simple or straightforward. However, if you've got a 50 seat network, I guarantee you using samba+ldap on a linux server for IdM is much easier to manage, more straightforward to set up, and a whole lot cheaper than Windows Server 2003 Domain Controllers. Oh yeah, also it performs better.

      Anyway, for large multi-site enterprises, nothing is simple (Novell, Windows, Linux, doesn't matter large is hard). For small businesses Active Directory is overkill (in price, features, and scalability). LDAP is a good fit there.

    3. Re:LDAP != Identity Management by GPB · · Score: 1

      Kerberos KDC for authorization and OpenLDAP for authentication

      Isn't this backwards? I always thought Kerberos was for authentication and LDAP was for authorization? I could be wrong, but I am using Kerberos for authentication only.

      -B
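    The post above asks which half of identity management Kerberos and LDAP each cover. What follows is an added example, not code from this thread or from any project it names: a small LDIF (RFC 2849) reader and a posixGroup membership check that keep the two steps apart, treating the Kerberos principal as already verified and consulting the directory only for the authorization decision. The directory contents, the DNs and group names, and the rule that a principal's local part equals the directory uid are all assumptions made for this example.

```python
"""Minimal LDIF (RFC 2849) reader plus a posixGroup authorization check.

Added example, not code from the thread or from any project it names. It
models the split asked about above: Kerberos, assumed to have already run,
says WHO the caller is (a principal like mary@EXAMPLE.ORG); the directory
says WHAT that identity may do. All DNs, users and groups are constructed.
"""
import base64
from typing import Dict, List

Directory = Dict[str, Dict[str, List[str]]]

# Constructed sample directory. It exercises three LDIF features a reader must
# handle: comment lines, base64 values ("::") and folded continuation lines.
SAMPLE_LDIF = """\
dn: uid=mary,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: mary
cn: Mary Example
description: partner contact, calendar
  access only

dn: uid=zoe,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: zoe
cn: Zoe Example
givenName:: Wm/Dqw==

# groups
dn: cn=calendar-readers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: calendar-readers
gidNumber: 20001
memberUid: mary
memberUid: zoe

dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 20000
memberUid: zoe
"""


def parse_ldif(text: str) -> Directory:
    """Return {dn: {attribute name (lowercased): [values, ...]}}."""
    lines: List[str] = []
    for raw in text.splitlines():  # unfold: a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: Directory = {}
    attrs: Dict[str, List[str]] = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                dn_values = attrs.pop("dn", None)
                if not dn_values:
                    raise ValueError("LDIF entry without a dn line")
                entries[dn_values[0]] = attrs
                attrs = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith("<"):
            raise ValueError("URL-valued attributes (':<') are not supported")
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return entries


def uid_from_principal(principal: str) -> str:
    """Map user@REALM to a uid. Assumption for this example: the local part
    equals the uid (real deployments usually store this mapping in the directory)."""
    user, _, realm = principal.partition("@")
    if not user or not realm:
        raise ValueError("principal must look like user@REALM")
    return user.lower()


def group_members(directory: Directory, group_cn: str) -> List[str]:
    """memberUid values of the posixGroup whose cn equals group_cn."""
    for attrs in directory.values():
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        if "posixgroup" in classes and group_cn in attrs.get("cn", []):
            return list(attrs.get("memberuid", []))
    return []


def authorize(directory: Directory, principal: str, group: str) -> bool:
    """Authorization decision for an already-authenticated principal."""
    return uid_from_principal(principal) in group_members(directory, group)


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for who in ("mary@EXAMPLE.ORG", "zoe@EXAMPLE.ORG"):
        print(who, [g for g in ("calendar-readers", "admins") if authorize(d, who, g)])
```

    Run as a script it lists, for each constructed principal, the groups the directory would admit it to. The point of the layout is that nothing in the directory lookup verifies a password or a ticket: that is the authenticator's job, and in a real deployment the principal name would arrive from a Kerberos exchange rather than a string literal, while the principal-to-uid mapping would normally live in the directory itself rather than being derived from the name.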

  52. Fedora Directory Server by QuantumRiff · · Score: 1

    Didn't Red Hat just release the new Fedora Directory Server, based off of Netscape's code?

    --
    What are we going to do tonight Brain?
  53. worse.. by delire · · Score: 1

    The article is on an enterprise Linux related site - there's your converted. The chances of this fabulous, life-saving news reaching Win32 admins is self-defeatingly low.

  54. Funny because it's true by mnemonic_ · · Score: 3, Insightful

    I run Gentoo, but while hearing all these guys talk about how Linux has advanced on the desktop I have to wonder:
    • Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?
    • Why did I have to spend 3 hours writing bash scripts to make power management work?
    • Why did I have to use fdisk when Mandriva has graphical partition manager?
    • Why does Gentoo not detect my DVD drive when I use it in my other laptop?
    • Why doesn't my mouse work automatically when I plug it into the USB port?
    • Why do I have to install and configure alsa when Knoppix sets it up automatically?
    Face it folks, Linux has a long way to go before it makes desktop inroads. Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But if the user wants flexibility and ease of use? We want to update device drivers quickly to take advantage of new features, but without reading manpages. We want to change resolutions without fixing a text file. We want plug-and-play devices to perform as described. We want to print to different printers without referring to CUPS docs or learning to set up a Samba server.

    When will Linux combine usability with power and flexibility? They're not mutually exclusive.
    1. Re:Funny because it's true by shane2uunet · · Score: 1

      Dude, if you don't want to do it yourself from scratch then don't use Gentoo. I use Fedora Core 4 and have none of the problems you suggested. Yes I:
      • Have a DVD burner that works great automatically with K3B
      • Use a wireless USB mouse.
      • Use a USB drive occasionally.
      • Play mp3's etc.
      Takes me about 2 hours to install/setup Fedora.

      --
      This space available for rent.
    2. Re:Funny because it's true by Anonymous Coward · · Score: 0

      Are you trolling? All your examples show a linux distro that can do it already. So what exactly is your point?

    3. Re:Funny because it's true by kebes · · Score: 4, Insightful

      Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But if the user want flexibility and ease of use?

      You seem to be implying that there's something Mandriva can't do that all the other "more flexible" linux distros can. I'm not aware of such a thing. I'm not a linux guru... but I run Mandriva on a few machines and there's never been something that I wanted to do that I couldn't (remote administration, webserver, MythTV, etc.). I understand the "fun" of setting up a Gentoo machine... but if you want ease of use combined with power and flexibility, then use Ubuntu, Mandriva, etc. Everything installs easily, and then you can configure and fine-tune to your heart's content.

    4. Re:Funny because it's true by cloudmaster · · Score: 1

      So, you wanted an easy to use, user-friendly, don't have to know anything Linux distribution. Then you chose Gentoo? Is that the first result that comes up in a Google search for Linux, or what?

      Go to Ubuntulinux.org. Really. One installer CD and an internet connection later, you'll have your nice friendly install. Well, about as friendly as Linux generally gets. You don't even have to use fdisk - it'll do that for you.

    5. Re:Funny because it's true by koreaman · · Score: 1, Troll

      There are 3 types of Linux:

      1) Desktop distros
      2) Server distros
      3) BS distros that don't work

      Gentoo falls firmly into category 3.

    6. Re:Funny because it's true by stoborrobots · · Score: 1

      Hmm... maybe try Suse... I just upgraded to 9.3 (Previously running RH9.0)

      Responding to your main points:

      * laptop working in 1400x1050 properly: Check - automagic.
      * power management works: Check - automagic.
      * graphical partition manager: Check - Yast2
      * plug-n-play DVD drive: Check
      * mouse work automatically: Check
      * alsa set up automatically: Check - aplay and alsamixer Just Work (TM).
      * Printer setup: Check - KDE kprinter "Add Printer" wizard, accessible right from the print dialog.
      * combine usability with power and flexibility: Check - YaST2

      HTH. YMMV. HAND.

    7. Re:Funny because it's true by Neoprofin · · Score: 1

      I was advised by my friend who spends entirely too much time tweaking, because that's what he likes to do, to install gentoo on my laptop.

      Days of minor annoyance later I downloaded the ubuntu CD and 30 minutes later I was ready to go. There are still some things I'm utterly lost on and have to spend an hour reading forums and guides, but all in all it's functional and friendly right out of the box.

    8. Re:Funny because it's true by Neoprofin · · Score: 1

      Ubuntu also did fine in a similar situation.

      But to put it in perspective. I've spent more time in the past month looking up how to get updates and handle new packages in Linux than I've spent in Windows since I got my first computer.

      Linux is getting better by the day, but as long as people need to use a text editor and command line to get more software packages it's still going to be daunting and inaccessible to a large population.

    9. Re:Funny because it's true by Anonymous Coward · · Score: 0

      " * Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?"

      You should have used xf86cfg-gentoo-hi, which would have configured hi-res screen size with only a single command.

      " * Why did I have to spend 3 hours writing bash scripts to make power management work?"

      Check /etc/pwmon. The scripts are already there.

      " * Why did I have to use fdisk when Mandriva has graphical partition manager?"

      The graphical disk partition manager is called genfdisk and runs in the frame buffer, so you can use it during install.

      "* Why does Gentoo not detect my DVD drive when I use it in my other laptop?"

      Because it's still plugged into the first laptop.

      "* Why doesn't my mouse work automatically when I plug it into the USB port?"

      Use ps22usb. It's a daemon that monitors if you unplug the mouse from the ps2 port and plug it into a USB one.

      "* Why do I have to install and configure alsa when Knoppix sets it up automatically?"

      genkernel-alsa will compile the kernel and set up the aconf for your sound cards.

      As you can see, I find Gentoo very easy to use, as I make up solutions for problems with little or no grounding in reality. It's more efficient to use a distro like Fedora for your main work, but create imaginary solutions for Gentoo, as the time spent tracking down the actual problem is vastly reduced.

    10. Re:Funny because it's true by Cerberus7 · · Score: 1

      You don't happen to have a list of distros and which of those categories they each fall into, do you? That'd make for an interesting website...

      --
      I don't know about you, but my servers run on the power of cotton candy and happy thoughts. -Anonymous Coward
    11. Re:Funny because it's true by dtfinch · · Score: 1

      Gentoo isn't the most user friendly distro.

    12. Re:Funny because it's true by Anonymous Coward · · Score: 0

      I run Gentoo, but while hearing all these guys talk about how Linux has advanced on the desktop I have to wonder:

      * Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?
      * Why did I have to spend 3 hours writing bash scripts to make power management work?
      * Why did I have to use fdisk when Mandriva has graphical partition manager?
      * Why does Gentoo not detect my DVD drive when I use it in my other laptop?
      * Why doesn't my mouse work automatically when I plug it into the USB port?
      * Why do I have to install and configure alsa when Knoppix sets it up automatically?
      Because you run Gentoo.
    13. Re:Funny because it's true by Darby · · Score: 1

      Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?

      Because you didn't think to just copy the config over?

    14. Re:Funny because it's true by colinrichardday · · Score: 2, Informative

      In SUSE, use Yast2 --> Software --> Online Update.

    15. Re:Funny because it's true by schnits0r · · Score: 1

      From my perspective:

      1) Desktop distros

      Ubuntu, Mandriva, Knoppix, Red Hat (Tho RPM sucks), Linspire (but Apt-get is fucked on it), Debian (kinda with a little poking around)

      2) Server distros
      >> Slackware, Debian.

      3) BS distros that don't work
      >>Gentoo (Grub would not find my kernel), *BSD (I know it's not linux, and I didn't really do a lot of experimentation on them, so I may be unfairly rating it)

      But that's my opinion from where I stand.

    16. Re:Funny because it's true by Spit · · Score: 1

      When will linux combine usability with power and flexibility?

      Your gripe seems to be with Gentoo; after all Knoppix has a linux kernel and as you say all that shit works.

      Perhaps you should rephrase:

      When will gentoo combine usability with power and flexibility?

      --
      POKE 36879,8
    17. Re:Funny because it's true by Neoprofin · · Score: 1

      In Ubuntu use System > Administration > Synaptic Package Manager.

      I can tell you that now, but I couldn't have then, and I still have no clue what Yast2 is, so I hope that in the context of having SUSE running it's some obvious choice.

      It's easy to hit the right button, once someone points it out to you.

    18. Re:Funny because it's true by colinrichardday · · Score: 1

      In SUSE (and YaST is a SUSE program) click gecko (start) -> system. Also, the boxed version of SUSE includes some serious paper documentation.

  55. Re:Gimme a brake -- you're just figuring this out by Anonymous Coward · · Score: 0

    I bet that the parent did mean brake, as in "Stop the world I want to get off..."

  56. Useful Utility by alistair · · Score: 3, Informative

    Since the article didn't really say anything about managing LDAP or playing with OpenLDAP, I thought I would share a useful utility my team has recently started using for LDAP management and administration.

    Have a look at JXplorer (or alternate Sourceforge link).

    It's a really nice open source LDAP administration and management utility that not only lets you do the easy entry editing stuff but a lot of the more complex tree management operations. It also has some really nice search building interfaces. I'm in no way connected with this project but it has replaced a number of free and commercial utilities we used to use.

    It also lets you play with populating an OpenLDAP installation so you can begin to understand some of its real power and tuning potential.

  57. Re:news? Stuff that matters? by grasshoppa · · Score: 1

    I was referring to actual work applications (in my case, X-ray software, practice management software, etc.), thanks for asking.

    Now, someone please mod parent "-1 Clueless"

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  58. Re:Bah -- LDAP is weak authentication - NOT by DaveCar · · Score: 1

    Er, you can bind to LDAP in multiple ways y'know. Including Kerberos.

  59. Re:news? Stuff that matters? by catman · · Score: 0, Redundant

    Lacking mod points, I think I'll simply repeat your post, since even those that don't read AC posts should see it:

    I just hope they aren't using any of Excel's statistical functions. Or if they are, I hope they don't care about accuracy. There are so many problems with Excel's statistical functions (even the latest-and-greatest version) that it has been repeatedly ruled "unsuitable for serious statistical analysis". That's fine if "a large majority of people in my area need Excel to function" just be aware of its shortcomings (which are many). Gnumeric (and I think KSpread and StarCalc) is significantly better than Excel in this area (and many others, but I digress).

  60. LDAP by a3217055 · · Score: 1

    So we learned what the history of LDAP is and how easy it is on linux. But what about other systems etc...
    Not a good article. Slashdot has reached the prime of its peak and is now in its decline.
    This might be better
    Guy is strapped down into a pack of pressurized tanks and launched into the air.
    It is a Windows Media file, but xine and mplayer under Linux (x86) can open it.

    http://www.lookatentertainment.com/v/v-1169.htm

  61. These self-promoting articles have got to stop. by Anonymous Coward · · Score: 0

    The article has been submitted by someone with a TechTarget email address, for a vapid, puff piece article on a TechTarget website.

    Editors, do your fucking jobs.

  62. Book idea by Anonymous Coward · · Score: 0

    I always wanted to do a TCL interface to LDAP book and call it slapd and TCL("slap-d and tickle"). I hate to steal Theo's model of free code and selling T-shirts but please buy our edible thongs.

  63. Mindshare of a political movement by SgtChaireBourne · · Score: 4, Insightful

    I agree. It's always the *next* version, upgrade, or patch for Windows that's the panacea. After that everything will work as advertised. Until then we just have to cough up enough money / hang on / maintain status quo / install a spare copy / etc. Shoot, we've been hearing about WinFS for what, ten or eleven years? It was supposed to be in Win95.

    One of the really tragic points is that, although NDS and eDirectory were already *ten* years ago ahead of what MS-Active Directory (AD) is now, AD is suddenly what all the MS fanbois talk about to the exclusion of the more mature, secure, flexible, and compatible options like either eDirectory or plain ol' Kerberos + LDAP.

    Actually, most AD articles don't cover many facts or even how to operate in a multi-platform environment. Plus there are a lot of shortcomings *still* in AD like scalability, performance and interoperability with non-MS systems. These are problems that you don't get with eDirectory or plain LDAP/Kerberos.

    I'm sure part of it can be explained by the fanboi mentality where anything and everything from Redmond is great, especially the next version which is just over the horizon, etc. And that MS "valued" partners are more or less forbidden from looking at competing technology. Maybe other parts can be explained by MS' standard marketing methods, like the smear campaign against Novell.

    I guess more of it makes sense if one looks at MS like a marketing company, as other posters have pointed out, rather than a software company. Though to me that's a bit 90's. MS is now heavily into lobbying and is bordering more on a political movement than a technology. Talk of AD is then a way of signaling membership in the movement/ideology. That would be another way of explaining fanbois who ignore LDAP+Kerberos or products like eDirectory, not even doing shoot-outs against these competitors. It doesn't make sense.

    I miss the days when product comparisons actually compared useful tools and brought up the good and bad points of the ones examined rather than going over pre-approved 'talking points'. I guess even Consumer Reports is no longer unaffected.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    1. Re:Mindshare of a political movement by YU+Nicks+NE+Way · · Score: 1

      So help me here, dude. You do realize that AD supports a full implementation of LDAP, don't you? And that it has built-in Kerberos (which, unlike the MIT version, doesn't keep sprouting inconvenient security holes)? So what is there in LDAP/Kerberos that hasn't been in AD for ten years?

      Oh, sorry -- those are facts. And you don't like facts. Never mind...back to your sandboxes.

    2. Re:Mindshare of a political movement by SgtChaireBourne · · Score: 1
      Ok. Here's the help you were looking for: MS has a broken implementation of Kerberos, so it is difficult to get it working as needed in a cross platform environment. The LDAP implementation that AD claims to support is only an add on, AD itself doesn't use LDAP nor do MS-Windows machines that connect to it. They all use an internal proprietary protocol. For normal LDAP you need NDS/eDirectory or plain old OpenLDAP. So far the MIT Kerberos on which AD's non-compliant variant is presumably based has a better track record than AD's variant. So does Heimdal Kerberos.

      So if you're going to run some sort of ID management for a Windows environment, the best choice is probably to put LDAP/Kerberos on an OpenBSD box. If off-the-shelf stuff is a must, then eDirectory is where the proven track record is.

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
    3. Re:Mindshare of a political movement by YU+Nicks+NE+Way · · Score: 1

      Sorry, puppy, but you make three factual claims in your post...and all three of them are wrong.

      (1) The "brokenness" of Microsoft's kerberos implementation is an extension using a field that is designed to support extensions. If you don't need authorization data, just ignore that field. It's standards compliant and everything -- it's the Unix implementations which are broken. Hint: if the standard says "this field is provided for implementation-based extensions. Its contents should be ignored when they are not understood." it's a good idea to follow the standard.

      (2) No, for normal ldap, you need to open the correct port on the AD server. WSS uses a more efficient and expressive wire protocol, so is superior, but, if you want LDAP, it's got LDAP.

      (3) Both MIT Kerberos and Heimdal Kerberos (neither of which is the base for Microsoft's implementation; it's clean room) have had significant remote access bugs in the last year (MIT's in the last week). Microsoft's implementation has *never* had an exploitable bug, even though it's been widely deployed in the field for six years now.

    4. Re:Mindshare of a political movement by SgtChaireBourne · · Score: 1
      1) If it can't connect to a plain vanilla MIT kerberos server, then it's broken.

      2) As I said, LDAP is an add-on in that case. The main protocol is a proprietary one.

      3) Without auditing the source code there's no way to support the claim that it's a "clean room" implementation. The MS variant could well be a derivative of either MIT or Heimdal kerberos. The MIT license seems to even permit that kind of activity. Past behavior indicates that it is probably a derivative. Heimdal and MIT Kerberos get pretty much constant scrutiny.

      However, putting Kerberos on an insecure system defeats the purpose of it and the MS variant can only be installed on MS-Windows. Write back when AD is actually a separate service installable on other platforms and not baked (metastasized?) into the OS like MSIE.

      --
      Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
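
The authorization-data field argued over above is a small DER structure: a Windows KDC puts its PAC in an AD-WIN2K-PAC element (type 128) wrapped in AD-IF-RELEVANT (type 1), and RFC 4120 lets an application server skip elements inside AD-IF-RELEVANT whose type it does not understand. That is also why a plain MIT/GSSAPI consumer sees a much larger ticket than it expects. The following is an added example, not code from any poster, from MIT Kerberos or from Microsoft, of how a non-Windows ticket consumer can walk that structure and decide what to skip. The PAC payload and the type-200 element are constructed dummies, and rejecting unknown elements outside AD-IF-RELEVANT is this example's own conservative policy choice, not something the thread or the RFC text quoted above states.

```python
# Added example: minimal DER encoder/decoder for Kerberos AuthorizationData
# (RFC 4120 sec. 5.2.6):
#   AuthorizationData ::= SEQUENCE OF SEQUENCE {
#       ad-type [0] Int32,
#       ad-data [1] OCTET STRING }
# and a consumer-side walk that extracts a Windows PAC and skips the rest.
import hmac  # unused here; kept out on purpose? no: see note in ssha example
from typing import List, Optional, Tuple

AD_IF_RELEVANT = 1    # RFC 4120: contents may be ignored if not understood
AD_WIN2K_PAC = 128    # MS-PAC: where a Windows KDC puts the PAC


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_authz_data(elements: List[Tuple[int, bytes]]) -> bytes:
    """DER-encode a list of (ad-type, ad-data) pairs as AuthorizationData."""
    out = b""
    for ad_type, ad_data in elements:
        int_body = ad_type.to_bytes(max(1, (ad_type.bit_length() + 8) // 8),
                                    "big", signed=True)
        elem = _tlv(0xA0, _tlv(0x02, int_body)) + _tlv(0xA1, _tlv(0x04, ad_data))
        out += _tlv(0x30, elem)
    return _tlv(0x30, out)


def decode_authz_data(buf: bytes) -> List[Tuple[int, bytes]]:
    """Inverse of encode_authz_data; raises ValueError on a malformed structure."""
    tag, seq, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    elements, pos = [], 0
    while pos < len(seq):
        tag, elem, pos = _read_tlv(seq, pos)
        t0, v0, p = _read_tlv(elem, 0)      # [0] ad-type
        t1, v1, _ = _read_tlv(elem, p)      # [1] ad-data
        if tag != 0x30 or t0 != 0xA0 or t1 != 0xA1:
            raise ValueError("bad AuthorizationData element")
        _, int_bytes, _ = _read_tlv(v0, 0)
        _, data, _ = _read_tlv(v1, 0)
        elements.append((int.from_bytes(int_bytes, "big", signed=True), data))
    return elements


def classify(buf: bytes) -> Tuple[bool, Optional[bytes], List[int]]:
    """Walk the ticket's authorization data as a non-Windows service would.

    Returns (accepted, pac_bytes_or_None, ignored_inner_types). Unknown types
    inside AD-IF-RELEVANT are skipped, which the RFC permits; an unknown type at
    the top level makes this example reject the ticket (a conservative choice
    made here, not mandated by the thread)."""
    pac, ignored = None, []
    for ad_type, ad_data in decode_authz_data(buf):
        if ad_type == AD_IF_RELEVANT:
            for inner_type, inner_data in decode_authz_data(ad_data):
                if inner_type == AD_WIN2K_PAC:
                    pac = inner_data
                else:
                    ignored.append(inner_type)
        elif ad_type == AD_WIN2K_PAC:
            pac = ad_data
        else:
            return False, None, ignored
    return True, pac, ignored


# Constructed sample with the shape a Windows-issued ticket carries: a dummy
# 16-byte "PAC" and a made-up vendor element (type 200), both under IF-RELEVANT.
FAKE_PAC = b"\x00" * 16
SAMPLE = encode_authz_data([
    (AD_IF_RELEVANT, encode_authz_data([(AD_WIN2K_PAC, FAKE_PAC), (200, b"vendor")])),
])

if __name__ == "__main__":
    accepted, pac, skipped = classify(SAMPLE)
    print("accepted:", accepted, "pac bytes:", len(pac), "skipped types:", skipped)
```

Run as a script it reports that the constructed ticket data is accepted, that 16 bytes of PAC were found, and that type 200 was skipped. A consumer that instead treated every unfamiliar ad-type as fatal is the behaviour the thread calls "broken" on the Unix side.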
  64. Saying Nothing Much by gabriel29 · · Score: 1

    It's amazing that an article can go on and on and say absolutely nothing at all. It was a passable history of LDAP, but it didn't address how LDAP was any better or worse than MS AD.

  65. Have you heard of LDAP. by shane2uunet · · Score: 2, Informative

    Ok, I give. LDAP is initially hard to understand (objectclasses, schemas, replicas, DNs), but once you do, it's a snap.

    Here is my real world setup.

    1. RedHat Enterprise server
    2. OpenLDAP
    3. Postfix (SMTP auth, Spamassassin, TLS, Postgrey)
    4. Cyrus Imap Server
    5. Samba File server
    6. Apache WebDav

    Right now I have a master copy of LDAP on the internal file server. Then two other servers (on the DMZ) are replicas. Samba pulls info from LDAP, Cyrus, Postfix, WebDAV as well. Not using Kerberos at this time, but all passwords for Logging onto the computer, email, outgoing email, are same username/password.

    Very nice. Some of the configuration and stuff I have documented on my wiki
    http://www.spydorweb.com/wiki/

    --
    This space available for rent.
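
The single-password setup described above (one uid and one userPassword that Samba, Postfix, Cyrus and the login PAM stack all check against OpenLDAP) comes down to how the password is stored in the directory entry. The following is an added example, not from the post or the wiki it links, that builds such an entry as LDIF with a salted {SSHA} userPassword and verifies a candidate password against the stored value the way slapd does on a simple bind. The base DN, ou=People, the mail domain and the uidNumber are assumptions. Two caveats a practitioner would want: the DMZ replicas carry the same hashes, so their ACLs must keep userPassword unreadable; and Samba cannot derive its NT hash from {SSHA}, so sambaNTPassword is a separate attribute that has to be kept in sync (Samba's "ldap passwd sync" option exists for that).

```python
# Added example: {SSHA} userPassword generation/verification and a matching
# LDIF entry for a shared OpenLDAP account. Stdlib only.
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP's {SSHA}: base64( sha1(password || salt) || salt ).

    A fresh random salt per password means two users with the same password
    get different stored values, which a plain {SHA} would not give you."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """What slapd does on a simple bind: re-hash with the stored salt and compare."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def user_ldif(uid: str, cn: str, uid_number: int, password: str,
              base_dn: str = "dc=example,dc=com") -> str:
    """LDIF for a posixAccount that Samba, Postfix and Cyrus can all resolve by uid.

    base_dn, ou=People and the mail domain are assumptions for illustration.
    inetOrgPerson requires cn and sn; posixAccount requires uid, uidNumber,
    gidNumber and homeDirectory."""
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {cn.split()[-1]}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {uid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"mail: {uid}@example.com",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; the password is a placeholder.
    entry = user_ldif("jdoe", "Jane Doe", 10001, "correct horse battery")
    print(entry)
    stored = entry.split("userPassword: ")[1].strip()
    print("verify good:", ssha_verify("correct horse battery", stored))
    print("verify bad: ", ssha_verify("wrong", stored))
```

The printed LDIF can be fed straight to ldapadd. Nothing in the entry is Samba-specific; adding the sambaSamAccount objectClass and its sambaSID/sambaNTPassword attributes is the extra step Samba needs, and that hash is the one that must never be readable by ordinary binds.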
  66. Wow, that was one of the most inane posts yet by suitepotato · · Score: 2, Interesting

    All op-fluff without even coherent editorial never mind subject matter. If /. cannot stop dupes because no one is reading them, it should follow that the articles being linked to aren't being read either.

    I wonder how long till someone writes a three paragraph submission linking to goatse and tubgirl and it gets through.

    In the meantime, Windows has point and click administration and the only people who find it difficult are beginners and people from other platforms. Experienced Win admins don't tend to have a lot of problems.

    Thankfully, Linux has more and more GUI apps and there's some for administering it. Just as hard to use as Windows domain controllers ever were, which means equally easy once you know what Unix systems expect and hardcore Windows admins, especially the security conscious, have more than a bit of passing familiarity with finer grain permissions and so forth.

    I am not seeing the news or stuff that matters here.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  67. A Book Plug by wsanders · · Score: 1

    The article is a plug for the author's book, "The Unix Guide to Defenestration" so it's part of a larger plot (I'm all for it BTW). Preaching to the PHB who gets bonuses based on the number of password resets and the bloat of his staff rather than overall security and performance. It doesn't seem to be a very technical book, and if you already know why it's good to defenestrate your AD server, then you probably already know how to do all the technical stuff.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  68. worst article ever... by Anonymous Coward · · Score: 0

    Obviously the author has never used Windows 2003 server. AD is a snap, easy to use, and easy to manage a large user base, if a competent person has set it up. After working in an environment running a large number of linux and windows servers, I never want to work with linux in a large scale ever again. Piece of shit compared with 2003 server.

    what a dick. no proof or facts in his article backing up his claim.

    1. Re:worst article ever... by Xjavier · · Score: 1

      If it were left to me, I would not permit Anonymous postings here - that would eliminate most of the flame/garbage from posters like you.

    2. Re:worst article ever... by Anonymous Coward · · Score: 0

      aside from his tone, he's right.. shitty ass story..
      What I find amusing is most people on here claim not to even use windows.. yet you hear a lot of them claiming that AD is hard to setup etc.. Yeah probably for them it is - duh.. fact remains Active Directory has yet to be beaten in terms of ease of use for exactly what it does.. ID management across the enterprise. Article doesn't even get into that at all or prove how LDAP on Linux beats it in any respect. "Switch to LDAP on Linux to ease your management" well if it's a matter of using what you know.. yeah that's going to automatically appeal to the average slashdotter.. but best tool for the job? Still waiting for some bit of detail that proves Active Directory is not the best tool out there for managing LARGE enterprises.

    3. Re:worst article ever... by Pafuna · · Score: 1

      Why, because he actually wrote something disparaging about your precious open-source LDAP crap? Give me a break.

      Active Directory was a godsend to sysadmins. There is absolutely nothing like it from the open source world, period. What few attempts to even come close from oss are extremely bad implementations and are the difference between shooting a bullet and throwing it.

      Man, if it were up to me, posters like you would actually be forced to RTFA over and over. That wouldn't really serve any public good other than annoy you and make me feel better.

  69. LDAP is what it is supposed to be. by Zombie+Ryushu · · Score: 1

    OpenLDAP is what OpenLDAP is supposed to be: a database management service, like MySQL. MySQL is one of the most sought-after DBMS systems in the LAMP combo.

    Now, a couple of things. MySQL's command line tools are no harder to use than LDAP's. It is not LDAP's responsibility to provide you with graphical LDAP management tools. Remember, LDAP is a database architecture. That means it's meant to communicate with other operating facilities like:

    PAM, NSS, MySQL, Apache, Kerberos, Nagios, PHP and the list goes on.

    It's so difficult to configure LDAP to interconnect with all these other systems due to the lack of a unified LDAP management utility. LUMA and phpLDAPAdmin come close but still have a long way to go.

    There was a utility called Directory Administrator, which is now discontinued and obsolete.

    Someone needs to contribute a standardized method of manipulating the LDAP databases and managing slapd.conf (core configuration), slapd.access.conf (ACLs) and ldap.conf (LDAP client).

    I get so sick of listening to how horrible OpenLDAP is because there is not enough inertia to create standardized LDAP configuration utilities in Perl, PHP or C++ to manipulate the LDAP database.

    OpenLDAP is a good, solid implementation of the LDAPv3 protocol with as much flexibility as MySQL, given people's ability to use it correctly and good third-party open source management utilities.

    I have operated LDAP for a number of years with very positive results, my major problem being badly designed or non-existent third-party management applications that lack flexibility.

    I don't blame this on the OpenLDAP staff but rather on the third-party management tool makers like GQ, LUMA and phpLDAPAdmin for making LDAP so unwieldy. A properly configured Linux machine as an LDAP client is completely transparent.

    1. Re:LDAP is what it is supposed to be. by Tezkah · · Score: 1

      I tried reading your post, but all the ACRNYMS blew my mind.

      *blink*

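The ACL file mentioned above (slapd.access.conf, the access directives that slapd.conf includes) is where the "transparent once configured" claim is decided in practice, because it is what keeps the password attributes that clients and DMZ replicas depend on from being readable over LDAP. An added example of such a block, not from the post or from the OpenLDAP project: the DNs under ou=Services are assumptions, and slapd evaluates access directives first-match (first "access to" whose target matches, then the first "by" whose subject matches), so order is significant.

```conf
# Added example slapd ACLs (assumed DNs). Evaluated first-match, top to bottom.

# Password hashes are never readable by ordinary clients. "auth" lets a client
# bind with the value (PAM, Postfix SASL, Cyrus), "write" lets a user change
# their own password, and only the Samba bind DN and the account the replicas
# pull with may read the hashes themselves.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" read
    by dn.exact="cn=replicator,ou=Services,dc=example,dc=com" read
    by self write
    by anonymous auth
    by * none

# Account lookups (nss_ldap/pam_ldap on the DMZ boxes) bind as a proxy DN
# rather than anonymously, so anonymous clients learn nothing about users.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=nssproxy,ou=Services,dc=example,dc=com" read
    by users read
    by * none

access to *
    by * read
```

Checking it is a one-liner per rule: bind as an ordinary user and search for your own userPassword, and the attribute must not come back; bind anonymously against ou=People and the search must return nothing. slapacl (shipped with OpenLDAP) answers the same questions without a live bind.
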
  70. Re:First POst by delGrey · · Score: 1

    Maybe even definitely.

  71. You forgot by Anonymous Coward · · Score: 0

    All the asshats who just scream RTFM whenever you ask a question

  72. Re:news? Stuff that matters? by kiltedtaco · · Score: 2, Insightful

    Hear, hear!

    ID management is a problem computer science students like to work on, hence it works well in linux. Actually making an operating system that people find useful and usable is an uninteresting and difficult problem, hence little work is done in that direction.

    Modding a comment down because you disagree is double plus ungood.

  73. Far from it by Anonymous Coward · · Score: 0

    I would guess that more than half, if not 2/3, of the readers here are Republican Windows users. Many are in support of Windows, and the rest are in support of invading Iraq. Just look at all the comments.

  74. No but... by WindBourne · · Score: 1

    his law suit against Chester Gould did win. So he renamed the area from McHenry to BULL Shit. Of course, the locals were opposed to that so it was renamed again to Bull Valley.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  75. So Wrong by WindBourne · · Score: 4, Funny

    First it is not LDAP, but LAPD. Everybody knows that it is the LAPD that beats on others. So now, Paul is having the LAPD help Linux beat Windows. Cool. Cannot wait until the law suit.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  76. Re: Linux Wins by mpapet · · Score: 1

    I think you have forgotten the time and effort you made when you learned to use windows.

    To use an old analogy:
    Windows is like buying a car with the hood welded shut. Buy a new one when this one breaks.
    Mac and OSX is like buying a luxury car. Lots of status and high-performance for driving to the market.
    Linux is like owning a formula 1 race car. Very high performance, modifiable, and now with very attractive body. It has a hood you can open and modify to do exactly what you want. All at a very attractive price.

    Finally, the oft-referred to "common user" uses what fills their needs. Linux can definitely fill their needs. My wife is quite happy and she is definitely the "common user."

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  77. Meaningless fluff by glenmark · · Score: 3, Informative

    Not only is the article light on content, but it is rather meaningless to argue that LDAP is better than Active Directory, since AD is an implementation of LDAP (featuring Kerberos authentication and the LDAP data stored in a multimaster replicated database).

    Of course, it has taken MS a while to catch up with the features of Novell's NDS directory offerings, but they are finally getting it right with 2003, and it is arguably the easiest-to-manage enterprise-scale LDAP implementation around. It isn't perfect mind you (we dig up plenty of bugs), but does seem to be the best thing going. Furthermore, Group Policy Objects are a seriously kick-butt feature. Besides, nothing else can properly issue authorization tokens (SID keychains) for Windows clients.

    Now if only they would fix the huge heaping piles of Exchange integration bugs in Entourage...

    (No, I'm not a MS apologist. They piss me off on a regular basis, both in terms of product quality, or lack thereof in many cases, and in terms of business practices; however, folks are barking up the wrong tree where these criticisms of AD are concerned. In a short time it has matured into a quality product.)

    --
    *** Quantum Mechanics: The Dreams of Which Stuff is Made ***
  78. my experience with this configuration by graham+the+pet+fish · · Score: 3, Informative

    I've looked into using Linux with OpenLDAP, SAMBA and Kerberos before and in its current state it simply isn't going to work as a replacement Windows domain controller.

    All the key components exist, but none of them are well enough integrated to provide a convincing solution. Notably, Windows machines that log onto a domain use a microsofti[sz]ed version of the LDAP standard, CLDAP (Connectionless LDAP) which from my understanding OpenLDAP doesn't want to support because it's non-standard. This makes it unsuitable for a Linux-based domain controller but suitable for most other tasks. Also, SAMBA 3 doesn't support Kerberos as an authentication backend, and so password synchronisation and single signon is difficult in a mixed windows and *nix environment.

    The up and coming SAMBA 4 is promising to fix these shortfalls, with an inbuilt implementation of CLDAP, support for Kerberos authentication, etc. Until this happens, SAMBA and LDAP aren't going to meet the requirements of most medium size businesses as a replacement domain controller.

    The lesson I learnt from my research is that a Windows server currently makes more sense for a Windows environment for things other than relatively simple implementations than a Linux one.


    Graham

    1. Re:my experience with this configuration by Rutulian · · Score: 1

      Also, SAMBA 3 doesn't support Kerberos as an authentication backend, and so password synchronisation and single signon is difficult in a mixed windows and *nix environment.

      Not sure what you mean by this. I have used both server = domain and server = ADS quite successfully, and both use Kerberos to authenticate against the PDC. The directory stuff, though, I agree is a bit of a problem. However, winbind or nss_ldap+schema extension for Windows PDC are fairly good solutions that can be used while you wait for Samba4.

  79. Better articles can be found here by NullProg · · Score: 1
    --
    It's just the normal noises in here.
  80. Re:EASIER?!? by BinaryCodedDecimal · · Score: 1

    He's talking about managing IDs on networked systems. Not standalone.

    And your point is?

    I worked at a facility when they implemented Active Directory, and re-implemented Active Directory, and re-re-implemented Active directory, and re-re-re-implemented Active Directory. Eventually some contractors came around to each system that was dorqued and fixed it, sort of. They had to get help from both us contractors, and the local systems guy.

    Then it wasn't implemented correctly in the first place. Just because it's Windows (and therefore largely point-and-click) doesn't mean that it's easy to implement a large infrastructure with it. You have to know what you're doing, and clearly whoever implemented yours didn't - otherwise why did they need the external contractors? As for the contractors needing help - they probably didn't know what they were doing either...

    I work at an institution that migrated from a Windows NT4 domain to a Windows 2003 Active Directory last year. We have nearly 30,000 users.

    It worked first time, and it still works.

  81. Posted by a flunky at searchenterpriselinux.com by Anonymous Coward · · Score: 0

    These postings should be vetted first, no self-serving BS allowed. Also, ban these types of losers from posting in the first place, they will never have anything valuable to contribute.

  82. RDS questions by abulafia · · Score: 1
    I was expecting that he'd at least mention Redhat Directory Server, which is the most interesting recent development as far as easy-to-manage Linux identity servers go.

    I'll soon be shopping for a DS manager. I look back fondly on NDS, which I used in 1999. RDS looks interesting, but the RH product pages, as they always seem to be, are pure fluff. So, questions:

    - Is that open source? The page makes it look like it isn't.

    - Is this the reincarnation of Netscape Directory Server?

    - If it isn't, is it similar in use/functionality/stability/scalability?

    Bah, big annoying questions. If anyone has any answers, I'm grateful. Been out of the DS admin scene for a while, other than hand-loading OpenLDAP.

    --
    I forget what 8 was for.
    1. Re:RDS questions by schon · · Score: 4, Informative

      Is that open source?

      Yes

      The page makes it look like it isn't.

      You're correct, RH's page is pretty misleading (maybe because they want you to buy a support contract from them?) - I had to hunt around for quite awhile before I found the source.

      Is this the reincarnation of Netscape Directory Server?

      Yes, although it's now known as "Fedora Directory Server"

      They have a wiki for the project here

    2. Re:RDS questions by abulafia · · Score: 1

      Thanks! I appreciate it.

      --
      I forget what 8 was for.
    3. Re:RDS questions by T-Ranger · · Score: 1

      It isn't clear if you have, but if so: Why have you discounted NDS/eDirectory?

    4. Re:RDS questions by abulafia · · Score: 1

      I haven't. I'm just starting to poke around. (backburner project.) I've heard it is great, and I intend to look when I get there. Just saw a chance to ask a question that was bugging me... I'm familiar with this app from the Netscape days, so my first impulse is to look there - I just don't find directory services all that terribly interesting, and just want something that Just Works.

      --
      I forget what 8 was for.
  83. Re: Linux Wins by c0ldfusi0n · · Score: 1

    To use an old analogy: Windows is like buying a car with the hood welded shut. Buy a new one when this one breaks. Mac and OSX is like buying a luxury car. Lots of status and high-performance for driving to the market. Linux is like owning a formula 1 race car. Very high performance, modifiable, and now with very attractive body. It has a hood you can open and modify to do exactly what you want. All at a very attractive price.

    And how easy is driving a Honda Civic (sorry, I don't know any shut-hood cars) or a Lexus compared to a F1 Ferrari? As for your wife using Linux, she has you (who I assume is quite Linux-knowledgeable) to help her, she doesn't have to read three bibles of howtos and docs to get it to work. She just asks you, and if you want sex you can't tell her to RTFM. So you think every "common user" has a linux guru by their side willing to help them?

    --
    A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
  84. Quick question by UnknowingFool · · Score: 1

    With as many features and extensions that LDAP has added, at what point does it become simply DAP?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
    1. Re:Quick question by afidel · · Score: 1

      The L in LDAP comes from the fact that it was a stripped down version of the full X.500 directory schema. While LDAP is a big hairy beast of a standard it is NOWHERE near as complex to code or admin as a full X.500 implementation would be.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  85. Yeah, right by Anonymous Coward · · Score: 0
    "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices."

    That's more like "Fed up with Dandruff? A head transplant may be your ticket away from the daily hassles of washing and combing your hair."

  86. Linux sucks at this.... by jozeph78 · · Score: 3, Insightful
    This post won't make me many friends here

    WindowsAD(Win2k3) + SQL Server + Exchange + .Net or VBS WMI = Extremely simple administration.

    LDAP is like 5% of what AD provides. Remember that AD offers authentication as well as OS level authorization. I don't know of anything in the Linux world that offers that just by running through a wizard (ever set up AD?). You don't have to type anything if you don't want to, and for the programming heads, WMI/ADSI can do what isn't in the tools. There are also a lot of 3rd party products that can plug into AD.

    True they bastardized the Kerberos implementation and you are locked into windows but without an enterprise wide OS level authentication/authorization Kerberos SSO model available you'll never convince a CIO to go linux with 20,000 desktops. IMO it's the reason that linux fails as a desktop. You simply can't sell it to corporations, even though it's free. Plus windows does much better to protect your system files than Linux, where any admin could use root to read any file without knowing it was done. In windows, you own your files and can restrict even domain admins access, unless they take ownership, but then they can't give it back.

    You can linux vs windows all you want but Windows kicks the sh** out of linux when it comes to managing and administrating large environments. I also feel that windows has a much better security model and short of being the #1 target for hackers, has the potential to be much more secure than any Linux I've seen, short of SE Linux which does NOT make administration easier at ALL. In fact I'll say that Windows is too easy to administrate. It still takes thinking like an admin to do it well but the truth is you could train someone who worked at Jewel's to administrate AD in about two weeks (it happened at my old gig). After using linux(Gentoo) for 6 months now I've determined that linux is the best system to work on and Windows is the best system to work in.

    Flame on.

    --
    Ever done a `man` on `top` ?
    1. Re:Linux sucks at this.... by member57 · · Score: 0

      WindowsAD(Win2k3) + SQL Server + Exchange + .Net or VBS WMI = Thousands of $$$

      M$ Shill
      Try telling a CEO,CIO,COO or whomever of a small (10-50 employees) company that they will need to shell out $5k or more for software and licensing and another $6k for the various "individual" servers that would be required to implement that setup.
      Then I come along and steal your contract because I can implement samba+apache+php+mysql+postfix+ftp+dns+proxy+many others. For a fraction of the cost of a microcrap setup. I can get small companies all day long after a M$ shill talks to them. For large companies, M$ maybe the way to go, I prefer hybrid setups, use *NIX for web related business, use M$ for backend, menial tasks that aren't security related.

      LOL M$ much better security model?? Where have you been M$ shill? 65% of the http servers run apache, around 30% are M$ IIS. How come 30% is 90% of the problem? 200,000 servers infected in a few hours bhaaa ha ha haaa... M$ should stay on the desktop where it belongs, shouldn't be trusted on the internet or holding files you really want to keep. All you M$ shills say the same, "they were not being patched, etc.." I don't blame them, who wants to reboot every time a low level patch or update is released? How much company time is being wasted rebooting once or twice a week on a primary server?

      You claim to have been running Gentoo, I would never use Gentoo in a pruduction environment. A much better solution is running a good and trusted release of Red Hat, Mandriva, Suse, or even Slackware if performance is your cup of tea. (flame suit on)Gentoo is too unstable for production. IMHO. (flame suit off)
      Contrary to popular M$ belief, Linux/*NIX does have its place.

      --
      If Kerry was the answer, it must have been a stupid question.
      The UN - The largest "political" cause of death.
    2. Re:Linux sucks at this.... by Anonymous Coward · · Score: 0

      Oh shut up you idiot!

      Crying "waahhhhh wahhhhh M$ SHILL" at anyone who contradicts your petty, narrow little world view just makes you look like a complete fucking tool.

      I don't think you'd know a pruduction (sic) environment if it bit your pimply ass.

    3. Re:Linux sucks at this.... by jozeph78 · · Score: 1
      Try telling a CEO,CIO,COO or whomever of a small (10-50 employees) company that they will need to shell out $5k or more for software and licensing and another $6k for the various "individual" servers that would be required to implement that setup. Then I come along and steal your contract because I can implement samba+apache+php+mysql+postfix+ftp+dns+proxy+many others. For a fraction of the cost of a microcrap setup.

      For 10-50 people, you could use a single computer with win2k3 sbs and exchange for $3k. That's not a lot of money even for a small business. Not to mention the comfort of having a place to point a finger when things go wrong. Besides, this is an administration thread. Who the hell considers managing 50ppl administration? Let's stick to the point.

      I can implement samba+apache+php+mysql+postfix+ftp+dns+proxy+many others.

      Samba is free on windows too, but why do I need it? Apache is great and can run on windows too, but IIS does AD authentication provided you are using ASP. In .NET you don't even have to write code, only change a configuration file. Php is a maintenance nightmare for enterprise sites and again, no AD integration. MySQL is not enterprise class- the tools suck, performance is nowhere near MSSQL and again, no AD integration. If you are a heavy DB shop you just doubled your administration woes since you can basically run MSSQL through all AD accounts. Postfix is IIS. FTP is IIS. DNS is AD. Proxy can be done through AD. Pathetic. You just installed 8 programs to match what is integrated in the OS for the most part in windows.

      LOL M$ much better security model?? Where have you been M$ shill? 65% of the http servers run apache, around 30% are M$ IIS. How come 30% is 90% of the problem? 200,000 servers infected in a few hours bhaaa ha ha haaa...

      I thought we were talking OS's here. Why are you talking about IIS? Btw, where is the integrated Linux webserver that works with the integrated Kerberos and integrated LDAP? Oh there isn't one.

      I know it's scary, but it's true. Again, I'm not talking about a web server but I'm talking about the OS itself. Linux is primitive in the fact it has no user hierarchy. While root is protected from users, what protects users from root? What's to stop root from reading anything they feel like? In windows, I can own a file and disallow even the enterprise admin from reading it without changing ownership. And you can't change back. Ok, neither of them protect the admin from reading it, but at least in windows you could tell the owner has been changed. If you look objectively at Linux's security model, you'll realize it's primitive which is why there is an emerging market for SE Linux.

      All you M$ shills say the same, "they were not being patched, etc.." I don't blame them, who wants to reboot everytime a low level patch or update is released? How much company time is being wasted rebooting once or twice a week on a primary server?

      Another perk of AD, SUS (system update server). I can make sure your unpatched POS windows box doesn't even connect to my domain without being properly patched. How much time is wasted rebooting the company server at 1am? I think it took me 2 minutes to learn how to write a script and schedule it. How much time is wasted managing countless user repositories because your BI product doesn't support OpenLDAP?

      Contrary to popular M$ belief, Linux/*NIX does have it's place.

      Sure! Academics, embedded systems, and high volume servers. But it has no place in the corporate environment because AD rules whatever 10 product OSS solution you think you can implement better. And that's sad because we are talking 100 of thousands of desktops that could be linux, but it just isn't up to snuff due to lack of a tightly integrated authenticating/authorizing/Kerberos ticket granting user repository supported by every MS product and just about every other product worth its money.

      --
      Ever done a `man` on `top` ?
    4. Re:Linux sucks at this.... by drsmithy · · Score: 1
      True they bastardized the Kerberos implemention [...]

      Why do people say this when Microsoft's Kerberos extensions were done in exactly the way the standard allowed for?

    5. Re:Linux sucks at this.... by Anonymous Coward · · Score: 0

      I know it's scary, but it's true. Again, I'm not talking about a web server but I'm talking about the OS itself. Linux is primitive in the fact it has no user hierarchy. While root is protected from users, what protects users from root? What's to stop root from reading anything they feel like? In windows, I can own a file and disallow even the enterprise admin from reading it without changing ownership. And you can't change back. Ok, neither of them protect the admin from reading it, but at least in windows you could tell the owner has been changed. If you look objectively at Linux's security model, you'll realize it's primitive which is why there is an emerging market for SE Linux.

      You haven't heard of the BackupRead or ImpersonateLoggedOnUser functions, have you?

    6. Re:Linux sucks at this.... by jozeph78 · · Score: 1

      I had a very hard time reading a Kerberos ticket from a Java program. Presumably because they include so much more information than the standard GSSAPI expects when reading it. Maybe bastardized isn't a good word, but it definitely wasn't the same as working with a default MIT Kerberos implementation.

      --
      Ever done a `man` on `top` ?
  87. "Where is the actual article" explanation!! by coolGuyZak · · Score: 1
    Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?

    See, this article is the first in a 2 day series. He posted it here so /. would do his research for him.

  88. Re:news? Stuff that matters? by swv3752 · · Score: 1

    But Gnumeric is as good as Excel if not better.

    --
    Just a Tuna in the Sea of Life
  89. So you want me to install OpenBSD? by Anonymous Coward · · Score: 0

    ... We already have a *nix like that ...

    -GenTimJS

  90. Unix and Windows going to the same backend by Anonymous Coward · · Score: 0

    How do you get Windows and Linux using the same system?

    pGINA: PAM modules for Windows.

  91. Winbind by jaseuk · · Score: 2, Informative

    Winbind, part of Samba.

    OR for apache use: auth_kerb_module
    OR for authentication only (manually add dummy users) use pam_krb5.conf

    It's all fairly easy and you don't need to touch the unix services toolkit.

    Jason.

  92. Wrong - LDAP is *NOT* authentication. by schon · · Score: 1

    LDAP, is a directory service

    Correct.

    that also has the ability to verify ID/Pass pairs, which is the most basic form of authentication

    No. You can *USE* LDAP to store password information, but you are in no way required to, nor is it the only way to authenticate.

    With LDAP, you must punch in your password repeatedly.

    Umm, WHAT!?!?!

    As you mentioned in your first (and only correct) sentence, LDAP is a directory service. What you use that directory for is up to you.

    Comparing Kerberos and LDAP is like comparing apples and Volkswagens. The two are completely different entities (that can be used together, or apart.)

  93. Re:news? Stuff that matters? by grasshoppa · · Score: 1

    Modding a comment down because you disagree is double plus ungood.

    Bleh, I half expected this. Attacking slashdot, however indirectly, always leads to being modded down. Well, almost always.

    Regardless, I don't see why we should get all riled up by stating the obvious. Linux *is* good at ID management, always has been. Windows lags way behind linux in this dept. No one is surprised. It's making it usable to a wide variety of people that has been and will continue to be the problem.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
  94. Re:EASIER?!? by cbreaker · · Score: 2, Interesting

    Yea, you're damned right. Microsoft's point-and-click stuff really backfires on them sometimes because you end up with these admins that set up AD systems completely half-assed.

    AD works. Sure, Windows 2000 without any service packs sucked, but they've pretty much nailed down most of the functionality bugs by now. And, it's not all that hard to use AD as a directory for all your systems, including Linux and Mac systems.

    There's a lot of considerations for AD design and if you spend some quality time designing the directory and infrastructure with knowledgeable people, you'll get it running well and it will stay running well.

    As much as I dislike Microsoft, and as much as I didn't like AD at first, it's not all that bad.

    --
    - It's not the Macs I hate. It's Digg users. -
  95. Unrealistic security policies by jesterzog · · Score: 2, Insightful

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.

    I agree. I think a large part of the problem, though, is that people are being given unrealistic demands for digital security wherever they go, that simply ignore everything we know about an ordinary human's cognitive ability. Even if a user can cope with one or two severely complicated passwords, nearly every organisation they deal with is going to require yet another one, whether it's their employer, separate sub-services within the same employer, a bank, or any number of online services. It's no surprise that people write down passwords, ignoring instructions---why should they respect instructions that are crazy and unrealistic?

    Several years ago I was helping to implement a card reading system around the organisation for "extra security". Many of the employees decided to simply leave the cards in the readers continuously, even though they were told they should never do this. When I returned a couple of years later, even the branch that'd dished out the cards now had a compromise of simply storing the card in an unsecured drawer overnight. It was no huge surprise, however, because everyone was already flooded with other people wanting to force them to carry identity cards. There were at least another two, I think, just for independent parts of the same company! (Entering building, opening doors, etc.) There are only so many demands from all directions that people can be expected to submit to.

    Many policies are very hypocritical, especially when compared with something like credit cards. Credit cards usually don't require remembering anything at all -- the "secret" number is written down, and people are encouraged to give it to anyone. Even my cash card only requires me to remember a 4 digit number (practically criminal according to many password policies), although I need the card to activate it.

    Most people probably have more stake in their credit card security than in nearly any password-protected service. One of the differences is that Credit Card companies play a role in watching carefully for things that look like fraud. They have systems to restrict how much damage can be done if it's done (eg. credit limits), and have processes to deal with it after it happens.

    I think passwords have just evolved from an ancient system that used to be more meaningful. Many organisations' policies are based on common beliefs instead of actual researched facts, and they're afraid to do something against the norm. Some users of some services clearly still require effective passwords, but other services demand it from everyone unrealistically. I'm convinced that we're often required to use impossible-to-remember passwords for the same reason we have impossible-to-read EULAs. It's about organisations protecting themselves from legal action so they can blame everything on the other party if something breaks.

  96. Nice How tos but: by Ruede · · Score: 1

    Well, none of them will bring my LDAP to work or even let me add a user....

    When I add a user:

    testmachine:/etc/ldap# ldapadd -x -D "cn=fakeuser,dc=fakedomain,dc=fakedomain2,dc=tld" -W -f fakeuser.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)
    testmachine:/etc/ldap#

    Can anybody give me some advice on what could have gone wrong? Maybe here, maybe per email? rockor@rambler.ru

  97. Your admins are really stupid to do that. by cbreaker · · Score: 1

    It's the truth. When you force users to conform to absurd password rules, you force them to write the passwords down.

    Some admins believe that you should enforce these crazy long and complicated passwords, and then have everyone change them every month or less.

    I wouldn't blame you for writing that password down on a sticky note, and I'm willing to bet that almost everyone else in the company will do so as well. Not to mention the volume of calls that will be made to Help Desk when the people that DIDN'T write down their passwords forget what they were.

    A strong password policy is fine, as long as it's loose enough for users to remember what they are. Forcing the changing of passwords too often is always bad, however.

    The best solution would be some sort of SecureID type thing - but these hardware key solutions are often very expensive and come with their own set of problems. They aren't for every business. Not yet, at least.

    --
    - It's not the Macs I hate. It's Digg users. -
  98. I have a serious question by toadlife · · Score: 1

    Since when was managing AD difficult?

    I've found AD to be the most useful thing for managing Windows users and machines since sliced bread. I have everything grouped in a nice logical order separated by object type/role, then location. Just about ANYTHING I want to do to any computer or user in my organization, I can do via Active Directory. Software on our computers is deployed via Active Directory. Local machine passwords are changed on a regular basis via Active Directory. User/computer settings are managed via Active Directory. I've even delegated out rights to HR to be able to change certain identity attributes of users, like department, location, job title, etc, and that data is dumped out to a database and used on our website's employee directory.

    It's easy. It's powerful. It's reliable.

    Now, why in the hell would I want to replace that with some half-assed LDAP based implementation?

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  99. LDAP *can provide* weak authentication by forsetti · · Score: 1
    Just to clarify -- the original article is about how to handle "Identity Management", but many of the comments here on /. refer to the AuthN/SSO capabilities of LDAP. My above comment probably could have been better titled "Password Validation via LDAP Simple Bind is Weak Authentication" -- but I was lazy.

    But -- to expand and defend my points:
    • LDAP *does* have the ability to verify ID/Pass pairs, via a "Simple Bind". You don't *have to* use it for this, but it has the ability.
    • If LDAP is your sole source of SSO (as many try to make it), there is no (e.g.) ticketing mechanism to remember your authN'd state -- you must re-authN at each and every application that is using Simple Binds for authN. Kerberos, CoSign, Shibboleth, Passport etc all provide a ticketing mechanism that gives you ISO (Initial Sign On).

    You are absolutely correct in your statement "What you use that directory for is up to you." However, please take my above comment in the context of SSO/AuthN, as is being discussed in many of the /. comments. Kerberos and LDAP *are* apples and Volkswagens -- but many try to hammer LDAP in to do the job that Kerberos was made for. Essentially, my point is that pam_ldap does not a SSO make.
    --
    10b||~10b -- aah, what a question!
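    To make the point of comments 92 and 99 concrete (and to put the "Invalid credentials (49)" in comment 96 in context), here is an added example that is not from the thread or from any of the projects named in it. It encodes an LDAPv3 simple BindRequest exactly as RFC 4511 lays it out in BER, then decodes the same bytes the way anyone on the network path would see them without TLS: the DN and password are plain octet strings, and every application that "does SSO" with pam_ldap-style simple binds repeats that exchange, because there is no ticket to hand on. The DN, password and application names are constructed sample values; the result-code table is the standard one from RFC 4511.

```python
"""Added example: what an LDAPv3 simple bind puts on the wire (RFC 4511 BER framing)."""

# --- minimal BER encoding helpers -------------------------------------------

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (message IDs, protocol version)."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- BindRequest / BindResponse ---------------------------------------------

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = (ber_int(3)
            + tlv(0x04, dn.encode())        # name: LDAPDN as OCTET STRING
            + tlv(0x80, password.encode())) # authentication: simple [0] (context, primitive)
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))

def sniff_simple_bind(packet: bytes) -> dict:
    """Decode a BindRequest as a passive observer would on a non-TLS connection."""
    tag, msg, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, ver, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag, auth, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "dn": name.decode(),
        "auth": "simple" if tag == 0x80 else "sasl",
        "password": auth.decode() if tag == 0x80 else None,  # cleartext when simple
    }

# Result codes from RFC 4511 section 4.1.9 (subset relevant to binding).
RESULT_CODES = {
    0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
    13: "confidentialityRequired", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}

def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    result = (tlv(0x0A, bytes([result_code]))   # ENUMERATED
              + tlv(0x04, b"")                   # matchedDN (empty)
              + tlv(0x04, diagnostic.encode()))  # diagnosticMessage
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def parse_bind_response(packet: bytes) -> tuple:
    """Return (resultCode, name); 49 is the 'Invalid credentials' ldapadd prints."""
    _, msg, _ = read_tlv(packet, 0)
    _, _, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op, 0)
    n = int.from_bytes(code, "big")
    return n, RESULT_CODES.get(n, "other")

def credentials_exposed_by(apps, dn: str, password: str) -> list:
    """Simple-bind 'SSO': each application re-sends the password; there is no ticket to reuse."""
    packets = [bind_request(i + 1, dn, password) for i, _ in enumerate(apps)]
    return [sniff_simple_bind(p)["password"] for p in packets]

if __name__ == "__main__":
    # Constructed sample values, not real directory entries.
    pkt = bind_request(1, "cn=fakeuser,dc=example,dc=test", "hunter2")
    print(pkt.hex())
    print(sniff_simple_bind(pkt))
    print(parse_bind_response(bind_response(1, 49)))
    print(credentials_exposed_by(["mail", "wiki", "vpn"], "cn=fakeuser,dc=example,dc=test", "hunter2"))
```

    The decoder is nothing more than the standard framing, which is the point: a simple bind is only as private as the transport under it, so a directory that validates passwords this way should refuse simple binds that are not wrapped in StartTLS or LDAPS (OpenLDAP's `security simple_bind=128` slapd directive does exactly that), and anything that needs a remembered sign-on state belongs with a ticket-issuing system such as Kerberos rather than with repeated pam_ldap binds.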
  100. Linux reduced management time over windows by rivj0r · · Score: 1

    Now there's a false statement. If this was even slightly true there would be far far less Windows install bases. The ONLY selling point Windows has is ease of management. When, or make that IF, another OS matches or beats it the market share numbers will dramatically change. This article is just another bunch of fluff.

  101. Oh wait, never mind. by Frenchman113 · · Score: 1

    Am I the only one who did a double take with the words: "Linux" and "ease"?

  102. heavily outdated article by layer3switch · · Score: 1

    Recently I ran into a situation where I had to fix Red Hat 8.0 with OpenLDAP server. Mac OS X 10.2.x workstations were authenticating off the Red Hat 8.0 OpenLDAP server with DHCP w/ directory service string in broadcast. Curiously I looked dazed at what the previous sysadmin had to go through to make secure authentication using OpenLDAP, Kerberos5, DHCP, DNS, YP, and nss-lib package.

    Looking at the configuration and service list, anyone could have seen that the previous sysadmin had gone through hell to make it work.

    And from my experience, it wasn't easy either. Working with AD from Win2K and Samba2-TNG with LDAP and Kerberos support isn't something I'm proud of doing. There were many hacks and workarounds done during that project which could have been trivial to do under a Windows AD only environment.

    If I had to do it again, I wouldn't even try to LDIF strip off AD and make a Linux machine act like a Win2K AD server, just for the sake of the "I have done it." bragging factor. I'm only glad that I've learned a lot about Win2k AD schema and authentication and OpenLDAP and nothing more.

    If the intention of the article written was to entice naive Windows admins/Linux novices into migrating Linux into their environment, it's very misleading with capital "READ THE FINE PRINT".

    Saying it's possible is totally different than it's practical and proven.

    --
    "Don't let fools fool you. They are the clever ones."
  103. Re: Linux Wins by paulbiz · · Score: 0

    Except a Formula 1 racecar costs $15 million dollars and takes a world class team of engineers and mechanics to figure it out when something goes wrong.

    Let's see your wife go take an F1 car for a spin and then fix the gearbox when it breaks :)

  104. NIS = "Network Information Services" by justinz · · Score: 1

    NIS stood for "Network Information Services", BTW.

  105. Why does Paul Murphy have a job as a writer? by walterbyrd · · Score: 1

    I'm not kidding. The man is an idiot. Any high-school kid could do a better job.

    I'm not just saying that because of this article. The guy always writes idiotic crap. I think just about anybody familiar with Paul Murphy would agree.

  106. Pretty amusing... by Timex · · Score: 1

    ...is that the submitter works for the same company that the author of the linked article does. ...which happens to be my employer, too. ;)

    Funny, how that works. Still an interesting article.

    --
    When politicians are involved, everyone loses.
    1. Re:Pretty amusing... by Anonymous Coward · · Score: 0

      Paul's a contributor. I'm an editor. I don't write the articles, I just post 'em on SD and get flamed for it. That's my job. Fun! - akucharik@techtarget.com

    2. Re:Pretty amusing... by Timex · · Score: 1

      Don't worry about it... You won't get flamed by ME... I don't wanna get pelted by the penguins surrounding your desk. ;)

      --
      When politicians are involved, everyone loses.
  107. Somebody write a meaty tip on the topic? by Anonymous Coward · · Score: 0

    Hi, as poster of "the worst story ever," I feel a responsibility to make good. If one of you smart SD people could write a tip on AD vs OpenLDAP or Kerberos, I would like to see it and could probably get it published for you. These are good questions that I can't answer, but somebody out there probably can: "How do you get Windows and Linux using the same system? How do you deal with groups (there are many different ways, each with different applications supporting them)? What about tying in web applications? Can you have a seamless sign on or do users need to reenter their password? What about security on those web apps; are they going to use basic, digest, NTLM? Are we going to synchronize with Active Directory or maybe just expand the AD schema? What about user provisioning and protecting sensitive data in the tree? What about tree structure?"
    Cheers,
    akucharik@techtarget.com