Slashdot Mirror


How Linux Beats Windows in ID Management Ease

Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."

19 of 286 comments

  1. Nice, but... by mogrify · · Score: 4, Insightful

    I don't really get much from this article. Just that LDAP is out there, and that there are online manuals to help you get started. I figured that much out already. I'm not seeing much of a comparison between LDAP and AD/etc here. Anyone got some in-depth experience to share?

    --
    perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
  2. Where does it explain "how" it beat Windows? by Anonymous Coward · · Score: 1, Insightful

    What a lousy article to post. There is one comment in the article saying that Windows admins hate user identity management, then it goes about with a little blurb about the history of NIS, etc, and then it has a couple of links to LDAP stuff. WTF? What kind of article is this? Are they going to start posting FAQs now? What a useless article!

  3. Re:choir by Martin+Blank · · Score: 3, Insightful

    Exactly. I was expecting to see something like, "In a test implementation using ThisDistro, a complete multi-server LDAP solution using ThatLDAP covered 90% of the functionality of Windows user management, but at a fraction of the cost. You can use ThoseLDAPTools 2.2.8 to administer from Windows or Linux, or if you're willing to allow for a slower client, OtherLDAPUtils 1.0.4 runs in any Sun JVM."

    This is an elegant version of "If you don't like Windows, try LDAP on Linux!" It may well trigger something useful here, though. One can hope.

    --
    You can never go home again... but I guess you can shop there.
  4. Poor article by HyperChicken · · Score: 4, Insightful

    The article just says "Windows ID management is bad. LDAP is better. Why is Windows' ID management bad? I'm not telling. Why is LDAP better? I'm not telling." It does nothing to explain the position the title proposes.

    This isn't to say I disagree but calling this article "news" is like calling the OpenLDAP FAQ news.

    --
    Free of Flash! Free of Flash!
  5. Nonsense, but not for the reason you'd think by mrRay720 · · Score: 5, Insightful

    ID management's biggest problem will never be solved by Linux. Nor will it be solved by Windows.

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.
    In my (amazingly wonderful) opinion, no system deserves the name ID management unless it has a genuinely good chance of doing so. Physical tokens or biometrics (aka built-in physical tokens) are a minimum.

    Well, unless you're after the account ID, but I think admins are normally more concerned about the ID of the person using the account.

    We need to stop barricading the windows when people are walking merrily through the doors.

  6. Re:Feature Request by Anonymous Coward · · Score: 4, Insightful

    Haha :) You know, 90% of the people reading your post will not understand that you're being sarcastic. And not only is AD already there, you can get your Linux boxes to authenticate to the same infrastructure as well since AD is a Kerberos based technology. Not to mention that Kerberos is a lot more secure than the typical LDAP based user authentication implementation.

    I prefer to use Kerberos for Authentication and LDAP for authorisation. It is very secure, easy to administer and universally supported by the commercial vendors. However for some reason, it does not get a lot of press.

  7. Where's the comparison? by oringo · · Score: 3, Insightful

    The title of the story is "How Linux Beats Windows in ID Management." Okay, I read the TFA, and all I read was an introduction to LDAP. Where's the comparison that shows "Linux Beats Windows?" The article is not even about linux; it's about LDAP solutions that can be run on *nix systems. For the love of God please please don't run stupid stories like this again.

  8. Funny because it's true by mnemonic_ · · Score: 3, Insightful
    I run Gentoo, but while hearing all these guys talk about how Linux has advanced on the desktop I have to wonder:
    • Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?
    • Why did I have to spend 3 hours writing bash scripts to make power management work?
    • Why did I have to use fdisk when Mandriva has a graphical partition manager?
    • Why does Gentoo not detect my DVD drive when I use it in my other laptop?
    • Why doesn't my mouse work automatically when I plug it into the USB port?
    • Why do I have to install and configure alsa when Knoppix sets it up automatically?
    Face it folks, linux has a long way to go before it makes desktop inroads. Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But what if the user wants flexibility and ease of use? We want to update device drivers quickly to take advantage of new features, but without reading manpages. We want to change resolutions without fixing a text file. We want plug-and-play devices to perform as described. We want to print to different printers without referring to CUPS docs or learning to set up a Samba server.

    When will linux combine usability with power and flexibility? They're not mutually exclusive.
    1. Re:Funny because it's true by kebes · · Score: 4, Insightful

      Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But if the user want flexibility and ease of use?

      You seem to be implying that there's something Mandriva can't do that all the other "more flexible" linux distros can. I'm not aware of such a thing. I'm not a linux guru... but I run Mandriva on a few machines and there's never been something that I wanted to do that I couldn't (remote administration, webserver, MythTV, etc.). I understand the "fun" of setting up a Gentoo machine... but if you want ease of use combined with power and flexibility, then use Ubuntu, Mandriva, etc. Everything installs easily, and then you can configure and fine-tune to your heart's content.

  9. Re:How's this different? by dsginter · · Score: 5, Insightful

    One is Free, the other is easy to use.

    Funny?

    This is the truth.

  10. Mindshare of a political movement by SgtChaireBourne · · Score: 4, Insightful
    I agree. It's always the *next* version, upgrade, or patch for Windows that's the panacea. After that everything will work as advertised. Until then we just have to cough up enough money / hang on / maintain status quo / install a spare copy / etc. Shoot, we've been hearing about WinFS for what, ten or eleven years? It was supposed to be in Win95.

    One of the really tragic points is that although NDS and eDirectory were, *ten* years ago, already ahead of what MS Active Directory (AD) is now, AD is suddenly what all the MS fanbois talk about to the exclusion of the more mature, secure, flexible, and compatible options like either eDirectory or plain ol' Kerberos + LDAP.

    Actually, most AD articles don't cover many facts or even how to operate in a multi-platform environment. Plus there are a lot of shortcomings *still* in AD like scalability, performance and interoperability with non-MS systems. These are problems that you don't get with eDirectory or plain LDAP/Kerberos.

    I'm sure part of it can be explained by the fanboi mentality where anything and everything from Redmond is great, especially the next version which is just over the horizon, etc. And that MS "valued" partners are more or less forbidden from looking at competing technology. Maybe other parts can be explained by MS' standard marketing methods, like the smear campaign against Novell.

    I guess more of it makes sense if one looks at MS like a marketing company, as other posters have pointed out, rather than a software company. Though to me that's a bit '90s. MS is now heavily into lobbying and is bordering more on a political movement than a technology. Talk of AD is then a way of signaling membership in the movement/ideology. That would be another way of explaining fanbois who ignore LDAP+Kerberos or products like eDirectory, not even doing shoot-outs against these competitors. It doesn't make sense.

    I miss the days when product comparisons actually compared useful tools and brought up the good and bad points of the ones examined rather than going over pre-approved 'talking points'. I guess even Consumer Reports is no longer unaffected.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  11. Re:Feature Request by drsmithy · · Score: 2, Insightful
    How?

    If you just want simple authentication (ie: "is this username and password valid") then use winbind. Use this if you just have a samba server you want to auth back to your AD.

    For something more complex (like specifying unix UIDs, login shells, home directories, etc) you need to look at Microsoft Services for Unix (to extend the AD schema) and optionally pam_ldap/nss_ldap. I say "optionally" because SFU comes with a NIS server that can authenticate unix users - but you might not want to use NIS. Use this if you want your basic unix authentication to be centralised around AD.

    We are in the process of implementing the latter. Since our environment is somewhat more complex than average (multiple Domains) we're having some teething problems, but with just a single domain it's trivial.
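An added configuration example, not from the post above or from PADL: an `/etc/ldap.conf` for nss_ldap/pam_ldap pointing at an AD domain controller whose schema was extended with Services for Unix 3.5, the "latter" setup the post describes. The domain, host names, bind account, group DN and CA path are constructed placeholders; the `msSFU30*` attribute names are those of the SFU 3.5 schema as far as I know them, so verify them against your own directory with an LDAP browser before relying on them.

```conf
# /etc/ldap.conf for PADL nss_ldap + pam_ldap against Active Directory
# extended with the Services for Unix 3.5 schema.
# dc01.example.corp, dc=example,dc=corp, the bind account, the group DN
# and the CA file are constructed placeholders for this example.
uri ldaps://dc01.example.corp/
base dc=example,dc=corp
ldap_version 3
# AD hands out referrals for other partitions; chasing them is slow and
# can leak the bind credentials to a DC you did not intend to talk to.
referrals no

# AD refuses anonymous lookups, so bind as a read-only service account.
# Keep this file mode 0600, root-owned: it holds a domain credential.
binddn cn=nss-reader,ou=Service Accounts,dc=example,dc=corp
bindpw CHANGE-ME

# Always use TLS and verify the DC certificate: pam_ldap sends the user's
# password to the DC on every login, and AD only accepts password changes
# over an encrypted connection anyway.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-corp-root-ca.pem

# Search bases for users, shadow data and groups (subtree scope).
nss_base_passwd dc=example,dc=corp?sub
nss_base_shadow dc=example,dc=corp?sub
nss_base_group  dc=example,dc=corp?sub

# AD does not use the RFC 2307 object classes; map them to AD's own.
nss_map_objectclass posixAccount  User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup    Group

# POSIX attributes as stored by the SFU 3.5 schema extension (assumed).
nss_map_attribute uid           msSFU30Name
nss_map_attribute uidNumber     msSFU30UidNumber
nss_map_attribute gidNumber     msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell    msSFU30LoginShell
nss_map_attribute gecos         name
nss_map_attribute uniqueMember  msSFU30PosixMember

# pam_ldap: which attribute carries the login name, and who may log in.
pam_login_attribute msSFU30Name
pam_filter objectclass=User
# Least privilege: only members of this group get a shell on this host,
# not every account in the domain.
pam_groupdn cn=linux-login,ou=Groups,dc=example,dc=corp
pam_member_attribute member
pam_password ad

# Do not query the DC for local system accounts.
nss_initgroups_ignoreusers root,ldap
```

With `passwd: files ldap` and `group: files ldap` in `/etc/nsswitch.conf`, `getent passwd <aduser>` is the quickest check that the mapping works. To follow the earlier poster's Kerberos-for-authentication, LDAP-for-authorisation split instead, keep this file for nss_ldap and account lookups but put pam_krb5 rather than pam_ldap on the PAM `auth` line, so the password never travels as an LDAP simple bind.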

  12. Re:news? Stuff that matters? by kiltedtaco · · Score: 2, Insightful

    Hear, hear!

    ID management is a problem computer science students like to work on, hence it works well in linux. Actually making an operating system that people find useful and usable is an uninteresting and difficult problem, hence little work is done in that direction.

    Modding a comment down because you disagree is double plus ungood.

  13. Re:Where's the article by HrothgarReborn · · Score: 4, Insightful

    I have to agree with you. I have implemented LDAP systems and it's no piece of cake. How do you get Windows and Linux using the same system? How do you deal with groups (there are many different ways, each with different applications supporting them)? What about tying in web applications? Can you have a seamless sign-on or do users need to reenter their password? What about security on those web apps; are they going to use basic, digest, NTLM? Are we going to synchronize with Active Directory or maybe just expand the AD schema? What about user provisioning and protecting sensitive data in the tree? What about tree structure?

    Basically if all I needed was a place to look up email addresses I could just throw up OpenLDAP on a linux box and be done. If I want identity management I need some real planning and some serious engineering. Even the commercial solutions like Novell is offering using eDirectory on Linux are complicated and resource-intensive implementations in anything but the simplest environments.

    The idea of "it's Linux" so there is no throw away work is foolish.

  14. Re:Actual information by lheal · · Score: 2, Insightful
    There is no similar fundamental difference with GUI vs. CLI.

    Your claim is that the two are isomorphic, that is, that there is a mapping of every function of a GUI to a CLI and that all functions of a CLI are met by the GUI.

    That is clearly false, since while I can quickly issue a command under a Unix shell that will repeat until I kill it, GUIs never (or seldom) provide a checkbox for that. That's just one example. There is a limitless supply of examples, since I can create ad hoc command scripts to extend the functionality of the CLI.

    elitist bullshit

    Noobie mewling.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  15. Linux sucks at this.... by jozeph78 · · Score: 3, Insightful
    This post won't make me many friends here

    WindowsAD(Win2k3) + SQL Server + Exchange + .Net or VBS WMI = Extremely simple administration.

    LDAP is like 5% of what AD provides. Remember that AD offers authentication as well as OS-level authorization. I don't know of anything in the Linux world that offers that just by running through a wizard (ever set up AD?). You don't have to type anything if you don't want to, and for the programming heads, WMI/ADSI can do what isn't in the tools. There are also a lot of 3rd party products that can plug into AD.

    True, they bastardized the Kerberos implementation and you are locked into Windows, but without an enterprise-wide OS-level authentication/authorization Kerberos SSO model available you'll never convince a CIO to go linux with 20,000 desktops. IMO it's the reason that linux fails as a desktop. You simply can't sell it to corporations, even though it's free. Plus Windows does much better to protect your system files than Linux, where any admin could use root to read any file without knowing it was done. In Windows, you own your files and can restrict even domain admins' access, unless they take ownership, but then they can't give it back.

    You can linux vs. Windows all you want, but Windows kicks the sh** out of linux when it comes to managing and administrating large environments. I also feel that Windows has a much better security model and, short of being the #1 target for hackers, has the potential to be much more secure than any Linux I've seen, short of SELinux, which does NOT make administration easier at ALL. In fact I'll say that Windows is too easy to administrate. It still takes thinking like an admin to do it well, but the truth is you could train someone who worked at Jewel's to administrate AD in about two weeks (it happened at my old gig). After using linux (Gentoo) for 6 months now I've determined that linux is the best system to work on and Windows is the best system to work in.

    Flame on.

    --
    Ever done a `man` on `top` ?
  16. Re:My new GNU/Linux Distribution by syates21 · · Score: 2, Insightful
    It is not a product, it's a set of (impossibly arcane) tools with which you can create a product
    Actually, no. LDAP is (strangely enough) a "Lightweight" Directory Access Protocol. It's convenient that it also happens to use the letters LDAP for that, don't you think?

    Lots and lots of different directory-like products can speak LDAP (AD, OpenLDAP, Exchange, Novell Directory, Sun Directory, etc), but LDAP itself is not a tool or product.

    You don't hear anyone saying "man I installed this sweet HTTP that lets me manage all my hypertext documents". For some reason this seems to happen a lot with LDAP (don't mean to pick on the parent post specifically). I'm not sure why, but maybe dumb product names like "OpenLDAP" have something to do with it.
  17. Re:Actual information by lheal · · Score: 2, Insightful
    What prevents a GUI from having just such a checkbox?

    You are so intent on being right that you can't see the plain truth in front of you. It's not that a GUI can't have a checkbox, it's that unless it does, the feature is not available. A CLI tool, on the other hand, needs no check box because the functionality is inherited for all tools.

    What prevents a GUI from having a scripting language?

    The paradigm. GUIs are intended to be easy, and scripting languages are not "easy" in that sense. Writing a script is an operation most users just won't perform. Besides, I thought your point was that with a GUI you don't need a script? Maybe that wasn't your point.

    Just because most of the GUI's you're familiar with don't have such features, doesn't mean that no GUI can have them.
    That is correct. In fact:
    • The GIMP is scriptable.
    • Many times, especially in old school Unix flavors, the vendor would provide both GUI and CLI access. NeXTStep (and probably OSX, but I've never used it), for instance, allowed access to the underlying NetInfo database from the command line and the GUI.
    • Microsoft, in their next-gen scripting language, will apparently allow you to get at the same objects that their GUI tools use.

    What all these share, however, is that the GUI tools allow access to a certain set of operations, and the CLI scripting language allows access to a certain set of operations, and one is a proper subset of the other.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  18. Unrealistic security policies by jesterzog · · Score: 2, Insightful

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.

    I agree. I think a large part of the problem, though, is that people are being given unrealistic demands for digital security wherever they go, that simply ignore everything we know about an ordinary human's cognitive ability. Even if a user can cope with one or two severely complicated passwords, nearly every organisation they deal with is going to require yet another one, whether it's their employer, separate sub-services within the same employer, a bank, or any number of online services. It's no surprise that people write down passwords, ignoring instructions---why should they respect instructions that are crazy and unrealistic?

    Several years ago I was helping to implement a card reading system around the organisation for "extra security". Many of the employees decided to simply leave the cards in the readers continuously, even though they were told they should never do this. When I returned a couple of years later, even the branch that'd dished out the cards now had a compromise of simply storing the card in an unsecured drawer overnight. It was no huge surprise, however, because everyone was already flooded with other people wanting to force them to carry identity cards. There were at least another two, I think, just for independent parts of the same company! (Entering building, opening doors, etc.) There are only so many demands from all directions that people can be expected to submit to.

    Many policies are very hypocritical, especially when compared with something like credit cards. Credit cards usually don't require remembering anything at all -- the "secret" number is written down, and people are encouraged to give it to anyone. Even my cash card only requires me to remember a 4-digit number (practically criminal according to many password policies), although I need the card to activate it.

    Most people probably have more stake in their credit card security than in nearly any password-protected service. One of the differences is that Credit Card companies play a role in watching carefully for things that look like fraud. They have systems to restrict how much damage can be done if it's done (eg. credit limits), and have processes to deal with it after it happens.

    I think passwords have just evolved from an ancient system that used to be more meaningful. Many organisations' policies are based on common beliefs instead of actual researched facts, and they're afraid to do something against the norm. Some users of some services clearly still require effective passwords, but other services demand it from everyone unrealistically. I'm convinced that we're often required to use impossible-to-remember passwords for the same reason we have impossible-to-read EULAs. It's about organisations protecting themselves from legal action so they can blame everything on the other party if something breaks.