How Linux Beats Windows in ID Management Ease

Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."

How's this different?

So how's user management via LDAP on Linux different from using Window's Active Directory?

There's nothing concrete in the article.

Where's the article

[kiltedtaco]

I read the link. It sounded like a good introduction to an interesting article. Then it abruptly stopped. Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?

Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP. As it stands, the article is exceedingly pointless.

Very fluffy article

[fahrvergnugen]

That's a very nice little starting point, but the article has no depth. A little meat, even a mention of connecting Windows 2k/XP desktops to an OpenLDAP system via SAMBA for authentication, rather than relying on an Active Directory, for example, would be welcome.

And for the record: Active Directory design isn't, IMHO, harder than the design of any other well-administered LDAP-based authentication system. Further, I'll say that Microsoft has done a fantastic job of making the administration tools transparent and easy-to-use, and the integration of Exchange mail servers & NIS authentication via Services For Unix into the same tool is icing on the cake. Sure, the per-server licensing fees aren't cheap, but you do get what you pay for in this instance.

LDAP != Identity Management

[flanker]

The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."

This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.

And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.

That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....

Re:Nice, but...

[j00bar]

Yeah. Shitty article. But... We use OpenLDAP for a single signon in house... it was really ridiculously easy... The best part is that you can simply paste additional schemata onto the same leaves... We started using it as the staff directory for our email clients... then we made it also work as the user database for a Jabber server... we then added a VPN server that uses Radius to authenticate off of it using the radiusprofile schema... then we turned it into a Samba3 domain controller using nsswitch by adding the sambaSamAccount and posixAccount schemata... The flexibility has been incredible... How is that better than AD? I don't know -- I've never used AD. AD from what I understand is accessible through LDAP. *shrug* -j00 -jag