How Linux Beats Windows in ID Management Ease
Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."
I remember reading a long time ago (before Panther was released) that Apple was going to transition Mac OS X from NetInfo to LDAP for management purposes. Does anyone know what progress has been made in this transition, especially with the release of Tiger?
So how's user management via LDAP on Linux different from using Windows' Active Directory?
There's nothing concrete in the article.
I read the link. It sounded like a good introduction to an interesting article. Then it abruptly stopped. Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?
Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP. As it stands, the article is exceedingly pointless.
That's a very nice little starting point, but the article has no depth. A little meat, even a mention of connecting Windows 2k/XP desktops to an OpenLDAP system via Samba for authentication, rather than relying on an Active Directory, for example, would be welcome.
And for the record: Active Directory design isn't, IMHO, harder than the design of any other well-administered LDAP-based authentication system. Further, I'll say that Microsoft has done a fantastic job of making the administration tools transparent and easy-to-use, and the integration of Exchange mail servers & NIS authentication via Services For Unix into the same tool is icing on the cake. Sure, the per-server licensing fees aren't cheap, but you do get what you pay for in this instance.
Even Jesus hates listening to Creed.
Pretty thin article - if you were expecting a detailed argument for why OpenLDAP is better/easier to manage than Active Directory, you'll have to look somewhere else.
He basically just summarized the history of NIS and OpenLDAP, then gave us a link to some documentation for setting up OpenLDAP. Have fun editing slapd.conf, kids!
I was expecting that he'd at least mention Red Hat Directory Server, which is the most interesting recent development as far as easy-to-manage Linux identity servers go.
pi = 3.141592653589793helpimtrappedinauniversefactory7
I've tried, and the results were less than spectacular (they were actually more like craptacular.)
There are AD Unix "extensions" that are supposed to make it supply Unix-y stuff like numeric UIDs. But when I installed them, they made the AD server hang whenever a new user gets added. (Which took out the whole machine - as everything goes through AD.)
In the end, I had to reinstall the whole of Win2K (luckily I'm not stupid enough to do something like this on a production system) - it was the only way to make the system usable again.
So yeah - I'd like an explanation of how to do it too.
Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles...
Flame me for this, but Windows is a hell of a lot easier to learn and manipulate for the regular Joe users. In Windows, if you want to change settings, you hit Start, Settings, Control Panel and you just select what you want to play with. In Linux, you actually have to know (very well) what you're doing and how to do it. Now compare this. What will common users choose? Ease of use and user-friendliness, or painful, long and extensive research (read: understanding how it works first, then understanding the 3rd party software to administrate it, then learning how that one works, then learning the command syntax) before typing shit out in a console?
A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."
This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.
And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.
That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....
Left shift 1 for e-mail...
All op-fluff without even coherent editorial never mind subject matter. If /. cannot stop dupes because no one is reading them, it should follow that the articles being linked to aren't being read either.
I wonder how long till someone writes a three paragraph submission linking to goatse and tubgirl and it gets through.
In the meantime, Windows has point-and-click administration and the only people who find it difficult are beginners and people from other platforms. Experienced Win admins don't tend to have a lot of problems.
Thankfully, Linux has more and more GUI apps, and there are some for administering it. Just as hard to use as Windows domain controllers ever were, which means equally easy once you know what Unix systems expect, and hardcore Windows admins, especially the security conscious, have more than a bit of passing familiarity with finer-grained permissions and so forth.
I am not seeing the news or stuff that matters here.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.
Even so, the article was really weak compared with the blurb that they submitted to Slashdot. At 650 words, the article is barely an introduction to the topic. The links were a minor plus, but the article didn't really fulfill the promise of the title, let alone that breathy 50-word blurb.
I would have been perfectly fine with the article if they had submitted it by saying, "LDAP has a neat history, and if you try it, you might learn something. But we won't tell you what or how, and we certainly won't show you how to solve any problems you actually have."
Set up a user for her in your domain, with an Exchange mailbox. Have all email to that box forwarded to her real email address, and not stored locally. That user can then be allowed to view the calendar. Assuming she is using Outlook (probably, if you want her to see the calendar), just have her add another email account to her profile, which connects to your Exchange server, using the username/password combination you created. The downside of this is that your Exchange server will need to be exposed to the internet, which is likely to be the case anyway. Also, she really doesn't have a way to update her password. However, it gets the job done, and provides a contact for her in your address book, which can be added to distribution lists easily.
This assumes that you don't want to go through the trouble of setting up a two way domain trust with the other company.
Necessity is the mother of invention.
Laziness is the father.
Yeah. Shitty article. But... We use OpenLDAP for single sign-on in house... it was really ridiculously easy... The best part is that you can simply paste additional schemata onto the same leaves... We started using it as the staff directory for our email clients... then we made it also work as the user database for a Jabber server... we then added a VPN server that uses RADIUS to authenticate off of it using the radiusprofile schema... then we turned it into a Samba 3 domain controller using nsswitch by adding the sambaSamAccount and posixAccount schemata... The flexibility has been incredible... How is that better than AD? I don't know -- I've never used AD. AD, from what I understand, is accessible through LDAP. *shrug* -j00 -jag
When all you have is a hammer, everybody looks like a Messiah.
Yeah, you're damned right. Microsoft's point-and-click stuff really backfires on them sometimes because you end up with these admins that set up AD systems completely half-assed.
AD works. Sure, Windows 2000 without any service packs sucked, but they've pretty much nailed down most of the functionality bugs by now. And, it's not all that hard to use AD as a directory for all your systems, including Linux and Mac systems.
There are a lot of considerations for AD design, and if you spend some quality time designing the directory and infrastructure with knowledgeable people, you'll get it running well and it will stay running well.
As much as I dislike Microsoft, and as much as I didn't like AD at first, it's not all that bad.
- It's not the Macs I hate. It's Digg users. -