Slashdot Mirror


How Linux Beats Windows in ID Management Ease

Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."

12 of 286 comments

  1. Novell NSure by michael path · Score: 4, Informative

    Sure, Linux is one way.

    However, I'm very impressed by Novell NSure.

    Do not overlook this product if you're looking for a solid LDAP based Identity Management solution.

  2. eDirectory by malraid · Score: 4, Informative

    There's nothing better in ID management than eDirectory, either running on Linux, NetWare, or yes... even Windows. MS always promises that the *next* Active Directory version will have the features that eDirectory had 15 years ago. True container-based security and delegation, partitioning, replication, all with the greatest of ease. Yes, it's more expensive than OpenLDAP, but WAY better.

    --
    please excuse my apathy

  3. Re:news? Stuff that matters? by Anonymous Coward · Score: 3, Informative

    I just hope they aren't using any of Excel's statistical functions. Or if they are, I hope they don't care about accuracy. There are so many problems with Excel's statistical functions (even the latest-and-greatest version) that it has been repeatedly ruled "unsuitable for serious statistical analysis". That's fine if "a large majority of people in my area need Excel to function"; just be aware of its shortcomings (which are many). Gnumeric (and I think KSpread and StarCalc) is significantly better than Excel in this area (and many others, but I digress).

    Of course, this post, the parent and the parent's parent are all "-1 Off Topic".

  4. Article improperly credits Project Athena for PAM by Otterley · Score: 4, Informative

    The article incorrectly states that PAM (Pluggable Authentication Modules) came out of Project Athena.

    However, it was actually invented by Sun, and was eventually adopted as RFC 86.0 by the Open Software Foundation in 1995.

  5. Re:Mac OS X And LDAP by spiralscratch · Score: 3, Informative

    I know for a fact that OS X 10.3 (Panther) Server included OpenLDAP, not sure if it was there earlier. The whole package, with OpenLDAP, Kerberos, the GUI admin and such, is called Open Directory.

    More info here.

    NetInfo is now pretty much relegated to storing info for the local machine only.

  6. Useful Utility by alistair · Score: 3, Informative

    Since the article didn't really say anything about managing LDAP or playing with OpenLDAP, I thought I would share a useful utility my team has recently started using for LDAP management and administration.

    Have a look at JXplorer (or alternate Sourceforge link).

    It's a really nice open source LDAP administration and management utility that not only lets you do the easy entry editing stuff but a lot of the more complex tree management operations. It also has some really nice search building interfaces. I'm in no way connected with this project but it has replaced a number of free and commercial utilities we used to use.

    It also lets you play with populating an OpenLDAP installation so you can begin to understand some of its real power and tuning potential.

  7. Re:How's this different? by jacksonj04 · Score: 4, Informative

    One is free, but needs a lot of implementation to get it to work.

    One costs, but it's damn easy to use.

    Personally, for mucking around improving skills I'd use the Linux/LDAP but as soon as you hit a corporate environment, Group Policy wins hands down for speed, integration and ease of use.

    --
    How many people can read hex if only you and dead people can read hex?

  8. Re:My new GNU/Linux Distribution by Wylfing · Score: 4, Informative

    Just in case you missed the sarcasm, because you may have never tried to set up LDAP before, this is a reflection of what LDAP is like. It is not a product, it's a set of (impossibly arcane) tools with which you can create a product, over the course of several human lifetimes, that might have the same features as Active Directory. And it's got "Isla de Muerte" documentation -- nobody can understand it unless they already know how it works.

    --
    Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.

  9. Meaningless fluff by glenmark · Score: 3, Informative

    Not only is the article light on content, but it is rather meaningless to argue that LDAP is better than Active Directory, since AD is an implementation of LDAP (featuring Kerberos authentication and the LDAP data stored in a multimaster replicated database).

    Of course, it has taken MS a while to catch up with the features of Novell's NDS directory offerings, but they are finally getting it right with 2003, and it is arguably the easiest-to-manage enterprise-scale LDAP implementation around. It isn't perfect, mind you (we dig up plenty of bugs), but it does seem to be the best thing going. Furthermore, Group Policy Objects are a seriously kick-butt feature. Besides, nothing else can properly issue authorization tokens (SID keychains) for Windows clients.

    Now if only they would fix the huge heaping piles of Exchange integration bugs in Entourage...

    (No, I'm not a MS apologist. They piss me off on a regular basis, both in terms of product quality, or lack thereof in many cases, and in terms of business practices; however, folks are barking up the wrong tree where these criticisms of AD are concerned. In a short time it has matured into a quality product.)

    --
    *** Quantum Mechanics: The Dreams of Which Stuff is Made ***

  10. my experience with this configuration by graham the pet fish · Score: 3, Informative

    I've looked into using Linux with OpenLDAP, SAMBA and Kerberos before, and in its current state it simply isn't going to work as a replacement Windows domain controller.

    All the key components exist, but none of them are well enough integrated to provide a convincing solution. Notably, Windows machines that log onto a domain use a microsofti[sz]ed version of the LDAP standard, CLDAP (Connectionless LDAP), which from my understanding OpenLDAP doesn't want to support because it's non-standard. This makes it unsuitable for a Linux-based domain controller but suitable for most other tasks. Also, SAMBA 3 doesn't support Kerberos as an authentication backend, and so password synchronisation and single sign-on are difficult in a mixed Windows and *nix environment.

    The up-and-coming SAMBA 4 is promising to fix these shortfalls, with an inbuilt implementation of CLDAP, support for Kerberos authentication, etc. Until this happens, SAMBA and LDAP aren't going to meet the requirements of most medium-size businesses as a replacement domain controller.

    The lesson I learnt from my research is that, for anything other than relatively simple implementations, a Windows server currently makes more sense for a Windows environment than a Linux one.

    Graham

  11. Re:Feature Request by schon · Score: 4, Informative

    For something more complex (like specifying Unix UIDs, login shells, home directories, etc.) you need to look at Microsoft Services for Unix (to extend the AD schema).

    Which (in my experience) just tanks your AD server.

    I've tried it twice, and both times it turned my AD server into a doorstop - the AD service locks hard, and there's no way to bring it back, which makes the entire machine useless (as you can't log in without AD running) - a reinstall was required to fix it.

    And apparently I'm not the only one this has happened to.

  12. Re:RDS questions by schon · Score: 4, Informative

    Is that open source?

    Yes

    The page makes it look like it isn't.

    You're correct, RH's page is pretty misleading (maybe because they want you to buy a support contract from them?) - I had to hunt around for quite a while before I found the source.

    Is this the reincarnation of Netscape Directory Server?

    Yes, although it's now known as "Fedora Directory Server"

    They have a wiki for the project here.