Slashdot Mirror


How Linux Beats Windows in ID Management Ease

Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."

68 of 286 comments

  1. First LDIF! by Anonymous Coward · · Score: 5, Funny

    dn: uid=anonymous, ou=linux, o=slashdot.org
    changetype: add
    slashComment: First Post!
    slashModLevel: +5 Funny

    1. Re:First LDIF! by michael+path · · Score: 5, Funny

      dn:uid=anonymous, ou=linux, o=slashdot.org
      changetype: modify
      add: objectclass
      objectclass: troll

      take that!

  2. Re:choir by op12 · · Score: 2, Funny

    Welcome to Slashdot, you must be new here.

  3. Re:Gimme a brake -- you're just figuring this out by gstoddart · · Score: 3, Funny
    Gimme a brake

    duh ...

    That would be break

    Duh. =)
    --
    Lost at C:>. Found at C.
  4. Mac OS X And LDAP by Goo.cc · · Score: 2, Interesting

    I remember reading a long time ago (before Panther was released) that Apple was going to transition Mac OS X from NetInfo to LDAP for management purposes. Does anyone know what progress has been made in this transition, especially with the release of Tiger?

    1. Re:Mac OS X And LDAP by spiralscratch · · Score: 3, Informative

      I know for a fact that OS X 10.3 (Panther) Server included OpenLDAP, not sure if it was there earlier. The whole package, with OpenLDAP, Kerberos, the GUI admin and such, is called Open Directory.

      More info here.

      NetInfo is now pretty much relegated to storing info for the local machine only.

    2. Re:Mac OS X And LDAP by larkost · · Score: 2, Informative

      NetInfo is still used for the local accounts, and LDAP is one of the methods available for remote authentication (along with ActiveDirectory, Kerberos, etc...). This is all part of the OpenDirectory system, and there is no real sign that anything major is going to change.

      MacOS X Server uses LDAP as one method to store user information, and also NetInfo (as "local users" that can still be vended out).

      PS... this works very well, and is easy to admin. I don't see any reason to change things.

      PPS... the documentation on how to create NetInfo directory master/client trees has disappeared, and I don't know if this is still possible.

  5. How's this different? by Anonymous Coward · · Score: 5, Interesting

    So how's user management via LDAP on Linux different from using Window's Active Directory?

    There's nothing concrete in the article.

    1. Re:How's this different? by rylin · · Score: 5, Funny

      One is Free, the other is easy to use.

    2. Re:How's this different? by dsginter · · Score: 5, Insightful

      One is Free, the other is easy to use.

      Funny?

      This is the truth.

      --
      More
    3. Re:How's this different? by rylin · · Score: 2, Funny

      When you're on crack, everything's funny!

      Or so I've heard.

    4. Re:How's this different? by jacksonj04 · · Score: 4, Informative

      One is free, but needs a lot of implementation to get it to work.

      One costs, but it's damn easy to use.

      Personally, for mucking around improving skills I'd use the Linux/LDAP but as soon as you hit a corporate environment, Group Policy wins hands down for speed, integration and ease of use.

      --
      How many people can read hex if only you and dead people can read hex?
    5. Re:How's this different? by ocelotbob · · Score: 2, Interesting

      Okay, you're talking about OpenLDAP, which is a pain, but what about the recently open sourced Fedora Directory, based on Netscape's very nice directory service code?

      --

      Marxism is the opiate of dumbasses

  6. Where's the article by kiltedtaco · · Score: 5, Interesting

    I read the link. It sounded like a good introduction to an interesting article. Then it abruptly stopped. Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?

    Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP. As it stands, the article is exceedingly pointless.

    1. Re:Where's the article by Karma_fucker_sucker · · Score: 2, Interesting
      Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP.

      Thank you for saying that - it needed to be said.
      My answer is usually "I don't have time to google for the information and pick through the thousands of advertisements posing as real information."

      Why is it that people have to cover up their own ineptitude by calling someone "stupid"?

      --
      Evil people don't think they're evil. - George Lucas, Making of Ep III
    2. Re:Where's the article by HrothgarReborn · · Score: 4, Insightful

      I have to agree with you. I have implemented LDAP systems and it's no piece of cake. How do you get Windows and Linux using the same system? How do you deal with groups (there are many different ways, each with different applications supporting them)? What about tying in web applications? Can you have a seamless sign-on, or do users need to re-enter their password? What about security on those web apps; are they going to use basic, digest, NTLM? Are we going to synchronize with Active Directory or maybe just expand the AD schema? What about user provisioning and protecting sensitive data in the tree? What about tree structure?

      Basically, if all I needed was a place to look up email addresses I could just throw up OpenLDAP on a Linux box and be done. If I want identity management I need some real planning and some serious engineering. Even the commercial solutions like Novell is offering using eDirectory on Linux are complicated and resource-intensive implementations in anything but the simplest environments.

      The idea of "it's Linux" so there is no throw away work is foolish.

    3. Re:Where's the article by Cylix · · Score: 2, Informative

      A couple different places....

      samba.org has had its guides updated for more modern deployment. There are several places, but one of the better guides is listed with the same people who make the samba-ldap tools.

      Active Directory is a nightmare because a lot of what happens is done for you in a Windows environment. Which is funny... a great deal of what goes on with normal Samba is automated, and you get to feel a whole lot more of that when you go to LDAP. I'm sure someone has made some progress.

      Anyhow, once it's done, you basically get a Samba PDC + LDAP auth source. It integrates nicely with Linux, but be careful of setting up too many accounts on LDAP (because it can of course go offline).

      I've been using OpenLDAP + Samba PDC for several months. It wasn't that bad, and there were a few too many oddities involved, but it works nicely now.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  7. Feature Request by HMC+CS+Major · · Score: 4, Funny

    I wish that Windows NT included some easy interface to LDAP for large corporations to manage all of their workstations ... like a directory. It could be used for logins, privileges, login scripts, mapping drives, controlling group policy, and even integrate with the mail and calendaring system. It would be one big active directory. That would be nice.

    1. Re:Feature Request by Anonymous Coward · · Score: 4, Insightful

      Haha :) You know, 90% of the people reading your post will not understand that you're being sarcastic. And not only is AD already there, you can get your Linux boxes to authenticate to the same infrastructure as well since AD is a Kerberos based technology. Not to mention that Kerberos is a lot more secure than the typical LDAP based user authentication implementation.

      I prefer to use Kerberos for Authentication and LDAP for authorisation. It is very secure, easy to administer and universally supported by the commercial vendors. However for some reason, it does not get a lot of press.

    2. Re:Feature Request by drsmithy · · Score: 2, Insightful
      How?

      If you just want simple authentication (ie: "is this username and password valid") then use winbind. Use this if you just have a samba server you want to auth back to your AD.

      For something more complex (like specifying unix UIDs, login shells, home directories, etc) you need to look at Microsoft Services for Unix (to extend the AD schema) and optionally pam_ldap/nss_ldap. I say "optionally" because SFU comes with a NIS server that can authenticate unix users - but you might not want to use NIS. Use this if you want your basic unix authentication to be centralised around AD.

      We are in the process of implementing the latter. Since our environment is somewhat more complex than average (multiple Domains) we're having some teething problems, but with just a single domain it's trivial.

    3. Re:Feature Request by schon · · Score: 4, Informative

      For something more complex (like specifying unix UIDs, login shells, home directories, etc) you need to look at Microsoft Services for Unix (to extend the AD schema)

      Which (in my experience) just tanks your AD server.

      I've tried it twice, and both times turned my AD server into a doorstop - the AD service locks hard, and there's no way to bring it back.. which makes the entire machine useless (as you can't log in without AD running) - a reinstall was required to fix it.

      And apparently I'm not the only one this has happened to.

    4. Re:Feature Request by afidel · · Score: 2, Funny

      Yes, and as the Windows 2000 Server splashscreen keeps reminding me it's built on NT (new technology) technology!

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  8. Nice, but... by mogrify · · Score: 4, Insightful

    I don't really get much from this article. Just that LDAP is out there, and that there are online manuals to help you get started. I figured that much out already. I'm not seeing much of a comparison between LDAP and AD/etc here. Anyone got some in-depth experience to share?

    --
    perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
    1. Re:Nice, but... by j00bar · · Score: 5, Interesting

      Yeah. Shitty article. But... We use OpenLDAP for a single sign-on in house... it was really ridiculously easy... The best part is that you can simply paste additional schemata onto the same leaves... We started using it as the staff directory for our email clients... then we made it also work as the user database for a Jabber server... we then added a VPN server that uses RADIUS to authenticate off of it using the radiusprofile schema... then we turned it into a Samba3 domain controller using nsswitch by adding the sambaSamAccount and posixAccount schemata... The flexibility has been incredible... How is that better than AD? I don't know -- I've never used AD. AD from what I understand is accessible through LDAP. *shrug* -j00 -jag

      --
      When all you have is a hammer, everybody looks like a Messiah.
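The "paste additional schemata onto the same leaves" idea in j00bar's post, written out as an added LDIF example (this is not code from the thread or from any project): a single entry whose objectClasses span the address-book, Unix account, Samba 3 domain and RADIUS uses described above. The DN, uid, numbers, SID and IP address are constructed placeholders, and the password attributes are deliberately omitted.

```ldif
# Added example, not from the original post. One leaf, several schemata.
# All values are constructed placeholders.
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
objectClass: radiusprofile
# inetOrgPerson: what the mail clients' address book reads
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
# posixAccount: what nss_ldap/pam_ldap need to resolve the Unix account
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
# sambaSamAccount: what the Samba 3 domain controller keys the account on
# (sambaNTPassword/sambaLMPassword left out here; see note below)
sambaSID: S-1-5-21-PLACEHOLDER-1001
# radiusprofile (FreeRADIUS openldap.schema): a reply attribute for the VPN
radiusFramedIPAddress: 10.0.0.50
```

Each objectClass above only works if its schema file is included in slapd.conf (inetorgperson, nis for posixAccount, Samba's samba.schema, and FreeRADIUS's openldap.schema); with those loaded, `ldapadd -x -D "cn=admin,dc=example,dc=com" -W -f jdoe.ldif` adds the entry. One caveat a practitioner should keep in mind when stacking schemata this way: sambaNTPassword is an unsalted NT hash and userPassword is a credential, so the slapd ACLs must restrict read access to those attributes to the account itself and the Samba/RADIUS service DNs, otherwise every application you pointed at the directory for the address book can read the password hashes too.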
  9. My new GNU/Linux Distribution by Anonymous Coward · · Score: 5, Funny

    I am pretty sure I am not the only Linux veteran irritated by the increase in its user-friendliness, and mourning the loss of the good olde Linux, accessible only to those who enjoy kernel debugging. This is why I have decided to launch a new GNU/Linux distribution which requires extensive knowledge of Linux and of the computer system's internals.

    The distribution shall be available in the combination of a floppy and a CD-ROM image. Why not only a CD-ROM image? I thought it would be a little too easy, and know you think that too; the CD-ROM is only accessible if you can read it, and this is why I provide a floppy: it contains an assembler and a linker, all you need to write a CD-ROM file system driver (and a partition driver to install the files). Here, I'll give you a head start: ISO 9660 specification. Don't expect every task to be so simple, I won't be giving the answers each time.

    The distribution is somewhat minimalistic, but can do pretty much everything one demands from a modern computer.

    Obviously, all tasks are accomplished through the command line interface (no GUI is provided).

    A Web browser isn't included (as if you expected one to be anyway), just telnet to port 80 of the Web sites to surf the Internet.

    As for an email client, telnet to port 25 and learn how to use your email server.

    For FTP capabilities, you may telnet to port 21 and use the standard commands.

    As I have demonstrated, this is a very versatile and capable GNU/Linux distribution, meanwhile staying available only to real men who back up to FTP and not to tape (to ensure this, legacy support for tape drives is excluded).

    Since potential users may have varying levels of experience, I am hence providing different versions of the distribution:

    • a version without a TCP/IP stack, because I knew some among you would complain it would be too easy otherwise, so you can write it yourself from the floppy;
    • a boxed set for you novices out there, including the floppy, the CD-ROM, a modified version of telnet supporting Connection: Keep-Alive, and ssh for tinfoil hat-wearers -- and because I'm generous, I've added to the package a printed manual featuring the ISO 9660, HTTP 1.1, HTTPS and FTP specifications.

    Your suggestions are welcome, and I hope you enjoy using my GNU/Linux distribution.

    1. Re:My new GNU/Linux Distribution by Wylfing · · Score: 4, Informative
      Just in case you missed the sarcasm, because you may have never tried to set up LDAP before, this is a reflection of what LDAP is like. It is not a product, it's a set of (impossibly arcane) tools with which you can create a product, over the course of several human lifetimes, that might have the same features as Active Directory. And it's got "Isla de Muerte" documentation -- nobody can understand it unless they already know how it works.

      --
      Our intelligent designer has never created an animal that we couldn't improve by strapping a bomb to it.
    2. Re:My new GNU/Linux Distribution by Linker3000 · · Score: 2, Funny

      It'll be printed as a 30-part article in Byte for you to type in.

      --
      AT&ROFLMAO
    3. Re:My new GNU/Linux Distribution by syates21 · · Score: 2, Insightful
      It is not a product, it's a set of (impossibly arcane) tools with which you can create a product


      Actually, no. LDAP is (strangely enough) a "Lightweight" Directory Access Protocol. It's convenient that it also happens to use the letters LDAP for that, don't you think?

      Lots and lots of different directory-like products can speak LDAP (AD, OpenLDAP, Exchange, Novell Directory, Sun Directory, etc), but LDAP itself is not a tool or product.

      You don't hear anyone saying "man I installed this sweet HTTP that lets me manage all my hypertext documents". For some reason this seems to happen a lot with LDAP (don't mean to pick on the parent post specifically). I'm not sure why, but maybe dumb product names like "OpenLDAP" have something to do with it.
  10. Open Source Identity Management by bheer · · Score: 2, Informative

    ... was an embarrassment because OpenLDAP is a pile of junk compared to the quality of flagship OSS products like the LAMP stack.

    Thankfully, Redhat's new Directory Server (based off iPlanet's) should be much easier to use and deploy.

  11. Very fluffy article by fahrvergnugen · · Score: 5, Interesting

    That's a very nice little starting point, but the article has no depth. A little meat, even a mention of connecting Windows 2k/XP desktops to an OpenLDAP system via SAMBA for authentication, rather than relying on an Active Directory, for example, would be welcome.

    And for the record: Active Directory design isn't, IMHO, harder than the design of any other well-administered LDAP-based authentication system. Further, I'll say that Microsoft has done a fantastic job of making the administration tools transparent and easy-to-use, and the integration of Exchange mail servers & NIS authentication via Services For Unix into the same tool is icing on the cake. Sure, the per-server licensing fees aren't cheap, but you do get what you pay for in this instance.

    --
    Even Jesus hates listening to Creed.
  12. Re:choir by Martin+Blank · · Score: 3, Insightful

    Exactly. I was expecting to see something like, "In a test implementation using ThisDistro, a complete multi-server LDAP solution using ThatLDAP covered 90% of the functionality of Windows user management, but at a fraction of the cost. You can use ThoseLDAPTools 2.2.8 to administer from Windows or Linux, or if you're willing to allow for a slower client, OtherLDAPUtils 1.0.4 runs in any Sun JVM."

    This is an elegant version of "If you don't like Windows, try LDAP on Linux!" It may well trigger something useful here, though. One can hope.

    --
    You can never go home again... but I guess you can shop there.
  13. Poor article by HyperChicken · · Score: 4, Insightful

    The article just says "Windows ID management is bad. LDAP is better. Why is Windows' ID management bad? I'm not telling. Why is LDAP better? I'm not telling." It does nothing to explain the position the title proposes.

    This isn't to say I disagree but calling this article "news" is like calling the OpenLDAP FAQ news.

    --
    Free of Flash! Free of Flash!
  14. Nonsense, but not for the reason you'd think by mrRay720 · · Score: 5, Insightful

    ID management's biggest problem will never be solved by Linux. Nor will it be solved by Windows.

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.
    In my (amazingly wonderful) opinion, no system deserves the name ID management unless it has a genuinely good chance of doing so. Physical tokens or biometrics (aka built-in physical tokens) are a minimum.

    Well, unless you're after the account ID, but I think admins are normally more concerned about the ID of the person using the account.

    We need to stop barricading the windows when people are walking merrily through the doors.

  15. OpenLDAP by glamslam · · Score: 3, Funny

    OpenLDAP is a snap! It's so easy to use, even a 10-year Unix veteran can get it integrated with some systems, assuming everything is set up properly and has been designed for integrating in this manner!

    Thanks SearchEnterpriseLinux.com!

  16. Novell NSure by michael+path · · Score: 4, Informative

    Sure, Linux is one way.

    However, I'm very impressed by Novell NSure.

    Do not overlook this product if you're looking for a solid LDAP based Identity Management solution.

  17. Bad Summary by tunabomber · · Score: 4, Interesting

    Pretty thin article- if you were expecting a detailed argument for why OpenLDAP is better/easier to manage than ActiveDirectory, you'll have to look somewhere else.

    He basically just summarized the history of NIS and OpenLDAP, then gave us a link to some documentation for setting up OpenLDAP. Have fun editing slapd.conf, kids!

    I was expecting that he'd at least mention Redhat Directory Server, which is the most interesting recent development as far as easy-to-manage Linux identity servers go.

    --

    pi = 3.141592653589793helpimtrappedinauniversefactory71 ...
  18. That is true by mrRay720 · · Score: 3, Funny

    I don't even know what Linux is, I just come here for the pretty colours.

  19. eDirectory by malraid · · Score: 4, Informative

    There's nothing better in ID management than eDirectory, either running on Linux, NetWare, or yes.... even Windows. MS always promises that the *next* Active Directory version will have the features that eDirectory had 15 years ago. True container-based security and delegation, partitioning, replication, all with the greatest of ease. Yes, it's more expensive than OpenLDAP, but WAY better.

    --
    please excuse my apathy
  20. Bah -- LDAP is weak authentication by forsetti · · Score: 2, Informative

    LDAP, is a directory service, or database, that also has the ability to verify ID/Pass pairs, which is the most basic form of authentication.

    For stronger authentication, using tickets for further authorization, use Kerberos. With LDAP, you must punch in your password repeatedly. Yes, it is the same password, but it must still be entered multiple times. In a properly Kerberized environment, you enter the PW once, and that's it. And, if desired, you can do some neat P

    And, to head off some arguments -- Kerberos is pretty easy to set up. It is, at least, no harder than OpenLDAP to set up.

    Try Kerberos -- you'll like it.

    --
    10b||~10b -- aah, what a question!
  21. Re:news? Stuff that matters? by Anonymous Coward · · Score: 3, Informative

    I just hope they aren't using any of Excel's statistical functions. Or if they are, I hope they don't care about accuracy. There are so many problems with Excel's statistical functions (even the latest-and-greatest version) that it has been repeatedly ruled "unsuitable for serious statistical analysis". That's fine if "a large majority of people in my area need Excel to function" just be aware of its shortcomings (which are many). Gnumeric (and I think KSpread and StarCalc) is significantly better than Excel in this area (and many others, but I digress).

    Of course, both this post, the parent and the parent's parent are "-1 Off Topic".

  22. Where's the comparison? by oringo · · Score: 3, Insightful

    The title of the story is "How Linux Beats Windows in ID Management." Okay, I read the TFA, and all I read was an introduction to LDAP. Where's the comparison that shows "Linux Beats Windows?" The article is not even about linux; it's about LDAP solutions that can be run on *nix systems. For the love of God please please don't run stupid stories like this again.

  23. Kind of... its called Update Services by MSFanBoi · · Score: 2, Informative

    Currently Windows Update Services is out, which allows for very good, granular control of software updates and management; should more control be needed, there is always SMS2003. No, it's not just for Windows. The newer releases of Update Services update all supported software detected on the system; this will include 3rd party applications as well. If applications follow standard Microsoft development "rules" one would not have to clean up anything, but as usual, people take the shortest and quickest path possible and leave crap all around. Is it perfect? Nope. But it works well when used properly.

  24. Article improperly credits Project Athena for PAM by Otterley · · Score: 4, Informative

    The article incorrectly states that PAM (Pluggable Authentication Modules) came out of Project Athena.

    However, it was actually invented by Sun, and was eventually adopted as RFC 86.0 by the Open Software Foundation in 1995.

  25. Actual information by lheal · · Score: 2, Informative

    Swoosh.

    Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.

    That's because you often have to learn about things in order to do them. With flexibility comes a price, and that price is work. Luckily, they pay you for that, if you do it well enough.

    Or maybe he should have published a GUI along with the article? Sorry for being flippant, but I think you're expecting too much hand-holding.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
    1. Re:Actual information by dubl-u · · Score: 3, Interesting

      Since it isn't possible for one article to explain how to configure identification, authentication, and authorization for all systems, the article contained links to more information.

      Even so, the article was really weak compared with the blurb that they submitted to Slashdot. At 650 words, the article is barely an introduction to the topic. The links were a minor plus, but the article didn't really fulfill the promise of the title, let alone that breathy 50-word blurb.

      I would have been perfectly fine with the article if they had submitted it by saying, "LDAP has a neat history, and if you try it, you might learn something. But we won't tell you what or how, and we certainly won't show you how to solve any problems you actually have."

    2. Re:Actual information by lheal · · Score: 2

      >GUI's are easier to use. This is just true.

      It's true, but it's like saying it's easier to drive a car than fly a helicopter. With a GUI, you can only do what the GUI-writer allows. With a command line, you're free to do what you want.

      GUI is fine for apps. For admin work, give me a CLI any day.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    3. Re:Actual information by lheal · · Score: 2, Insightful
      There is no similar fundamental difference with GUI vs. CLI.

      Your claim is that the two are isomorphic, that is, that there is a mapping of every function of a GUI to a CLI and that all functions of a CLI are met by the GUI.

      That is clearly false, since while I can quickly issue a command under a Unix shell that will repeat until I kill it, GUIs never (or seldom) provide a checkbox for that. That's just one example. There is a limitless supply of examples, since I can create ad hoc command scripts to extend the functionality of the CLI.

      elitist bullshit

      Noobie mewling.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
    4. Re:Actual information by lheal · · Score: 2, Insightful
      What prevents a GUI from having just such a checkbox?

      You are so intent on being right that you can't see the plain truth in front of you. It's not that a GUI can't have a checkbox, it's that unless it does, the feature is not available. A CLI tool, on the other hand, needs no check box because the functionality is inherited for all tools.

      What prevents a GUI from having a scripting language?

      The paradigm. GUIs are intended to be easy, and scripting languages are not "easy" in that sense. Writing a script is an operation most users just won't perform. Besides, I thought your point was that with a GUI you don't need a script? Maybe that wasn't your point.

      Just because most of the GUI's you're familiar with don't have such features, doesn't mean that no GUI can have them.
      That is correct. In fact:
      • The GIMP is scriptable.
      • Many times, especially in old school Unix flavors, the vendor would provide both GUI and CLI access. NeXTStep (and probably OSX, but I've never used it), for instance, allowed access to the underlying NetInfo database from the command line and the GUI.
      • Microsoft, in their next-gen scripting language, will apparently allow you to get at the same objects that their GUI tools use.

      What all these share, however, is that the GUI tools allow access to a certain set of operations, and the CLI scripting language allows access to a certain set of operations, and one is a proper subset of the other.

      --
      Raise your children as if you were teaching them to raise your grandchildren, because you are.
  26. I think not. Here's why. by c0ldfusi0n · · Score: 2, Interesting

    Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles...

    Flame me for this, but Windows is a hell of a lot easier to learn and manipulate for the regular Joe users. In Windows, if you want to change settings, you hit Start, Settings, Control Panel and you just select what you want to play with. In Linux, you actually have to know (very well) what you're doing and how to do it. Now compare this. What will common users choose? Ease of use and user-friendliness, or painful, long and extensive research (read: understanding how it works first, then understanding the 3rd party software to administrate it, then learning how that one works, then learning the command syntax) before typing shit out in a console?

    --
    A computer makes it possible to do, in half an hour, tasks which were completely unnecessary to do before.
  27. LDAP != Identity Management by flanker · · Score: 5, Interesting

    The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."

    This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.

    And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.

    That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....

    --
    Left shift 1 for e-mail...
  28. Funny because it's true by mnemonic_ · · Score: 3, Insightful
    I run Gentoo, but while hearing all these guys talk about how Linux has advanced on the desktop I have to wonder:
    • Why did it take me 2 hours to configure xorg.conf to get my laptop working in 1400x1050 properly when Knoppix did it in 30 seconds?
    • Why did I have to spend 3 hours writing bash scripts to make power management work?
    • Why did I have to use fdisk when Mandriva has graphical partition manager?
    • Why does Gentoo not detect my DVD drive when I use it in my other laptop?
    • Why doesn't my mouse work automatically when I plug it into the USB port?
    • Why do I have to install and configure alsa when Knoppix sets it up automatically?
    Face it folks, Linux has a long way to go before it makes desktop inroads. Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But if the user wants flexibility and ease of use? We want to update device drivers quickly to take advantage of new features, but without reading manpages. We want to change resolutions without fixing a text file. We want plug-and-play devices to perform as described. We want to print to different printers without referring to CUPS docs or learning to set up a Samba server.

    When will linux combine usability with power and flexibility? They're not mutually exclusive.
    1. Re:Funny because it's true by kebes · · Score: 4, Insightful

      Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But if the user want flexibility and ease of use?

      You seem to be implying that there's something Mandriva can't do that all the other "more flexible" linux distros can. I'm not aware of such a thing. I'm not a linux guru... but I run Mandriva on a few machines and there's never been something that I wanted to do that I couldn't (remote administration, webserver, MythTV, etc.). I understand the "fun" of setting up a Gentoo machine... but if you want ease of use combined with power and flexibility, then use Ubuntu, Mandriva, etc. Everything installs easily, and then you can configure and fine-tune to your heart's content.

    2. Re:Funny because it's true by colinrichardday · · Score: 2, Informative

      In SUSE, use Yast2 --> Software --> Online Update.

  29. Useful Utility by alistair · · Score: 3, Informative

    Since the article didn't really say anything about managing LDAP or playing with OpenLDAP, I thought I would share a useful utility my team has recently started using for LDAP management and administration.

    Have a look at JXplorer (or alternate Sourceforge link).

    It's a really nice open source LDAP administration and management utility that not only lets you do the easy entry editing stuff but a lot of the more complex tree management operations. It also has some really nice search building interfaces. I'm in no way connected with this project but it has replaced a number of free and commercial utilities we used to use.

    It also lets you play with populating an OpenLDAP installation so you can begin to understand some of its real power and tuning potential.
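
Search building, which the post praises in JXplorer, is the point where user input gets spliced into an LDAP filter, and that is where RFC 4515 escaping matters. The following is an added example, not code from JXplorer or from this post: an escaper for filter assertion values, an unsafe and a safe filter builder side by side, and a small evaluator for the (&, |, !, attr=value with `*`) filter subset run over a constructed in-memory directory, so the effect of escaping can be seen without a server. The DNs, uids and the `build_user_filter*` names are assumptions made for the example.

```python
"""Build LDAP search filters from user input safely (RFC 4515 escaping).

Constructed example: escaper, unsafe vs. safe filter builder, and a tiny
evaluator for the (&, |, !, attr=value with '*') filter subset.
"""
import re

# Characters that must be hex-escaped inside a filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(uid: str) -> str:
    """Splices raw input into the filter: '*' or ')' change what it matches."""
    return f"(&(objectClass=posixAccount)(uid={uid}))"


def build_user_filter(uid: str) -> str:
    """Escapes the input first, so the filter can only match a literal uid."""
    return f"(&(objectClass=posixAccount)(uid={escape_filter_value(uid)}))"


def _split_value(raw: str) -> list:
    """Split an assertion value on unescaped '*' and decode \\XX hex escapes."""
    pieces, cur, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 2 < len(raw):        # \XX -> literal character
            cur.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":                             # unescaped '*' is a wildcard
            pieces.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    pieces.append("".join(cur))
    return pieces


def _parse(s: str, i: int):
    """Parse one parenthesised filter component at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated filter")
        return (op, children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), _split_value(value)), end + 1


def _match(node, entry: dict) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_match(c, entry) for c in node[1])
    if kind == "|":
        return any(_match(c, entry) for c in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, pieces = node
    pattern = ".*".join(re.escape(p) for p in pieces)  # wildcard pieces -> '.*'
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in entry.get(attr, []))


def search(directory: list, filt: str) -> list:
    """Return the DNs of entries matching filt; attribute names are case-insensitive."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    hits = []
    for entry in directory:
        lowered = {k.lower(): (v if isinstance(v, list) else [v]) for k, v in entry.items()}
        if _match(node, lowered):
            hits.append(entry["dn"])
    return hits


# Constructed in-memory directory standing in for an OpenLDAP tree (not real data).
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "objectClass": ["posixAccount"], "uid": ["alice"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "objectClass": ["posixAccount"], "uid": ["bob"]},
    {"dn": "cn=admins,ou=groups,dc=example,dc=org", "objectClass": ["posixGroup"], "cn": ["admins"]},
]

if __name__ == "__main__":
    print("unsafe, input '*':", search(DIRECTORY, build_user_filter_unsafe("*")))
    print("safe,   input '*':", search(DIRECTORY, build_user_filter("*")))
```

With the raw builder, a user-supplied `*` turns the uid assertion into a presence test and the lookup returns every posixAccount; with the escaped builder the same input becomes `\2a`, a literal asterisk, and matches nothing. The evaluator only covers equality and substring assertions, which is enough to show the difference; a real server also applies per-attribute matching rules.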

  30. Re:Ditto - I've tried.. by |<amikaze · · Score: 2, Informative

    A friend and I tried the same thing and got the same results.

  31. Mindshare of a political movement by SgtChaireBourne · · Score: 4, Insightful
    I agree. It's always the *next* version, upgrade, or patch for Windows that's the panacea. After that everything will work as advertised. Until then we just have to cough up enough money / hang on / maintain status quo / install a spare copy / etc. Shoot, we've been hearing about WinFS for what, ten or eleven years? It was supposed to be in Win95.

    One of the really tragic points is that, although NDS and eDirectory were already *ten* years ago ahead of what MS-Active Directory (AD) is now, AD is suddenly what all the MS fanbois talk about to the exclusion of the more mature, secure, flexible, and compatible options like either eDirectory or plain ol' Kerberos + LDAP.

    Actually, most AD articles don't cover many facts or even how to operate in a multi-platform environment. Plus there are a lot of shortcomings *still* in AD like scalability, performance and interoperability with non-MS systems. These are problems that you don't get with eDirectory or plain LDAP/Kerberos.

    I'm sure part of it can be explained by the fanboi mentality where anything and everything from Redmond is great, especially the next version which is just over the horizon, etc. And that MS "valued" partners are more or less forbidden from looking at competing technology. Maybe other parts can be explained by MS' standard marketing methods, like the smear campaign against Novell.

    I guess more of it makes sense if one looks at MS like a marketing company, as other posters have pointed out, rather than a software company. Though to me that's a bit 90's. MS is now heavily into lobbying and is bordering more on a political movement than a technology. Talk of AD is then a way of signaling membership in the movement/ideology. That would be another way of explaining fanbois who ignore LDAP+Kerberos or products like eDirectory, not even doing shoot-outs against these competitors. It doesn't make sense.

    I miss the days when product comparisons actually compared useful tools and brought up the good and bad points of the ones examined rather than going over pre-approved 'talking points'. I guess even Consumer Reports is no longer unaffected.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
  32. Have you heard of LDAP. by shane2uunet · · Score: 2, Informative

    Ok, I give. LDAP is initially hard to understand (objectclasses, schemas, replicas, DNs), but once you do, it's a snap.

    Here is my real world setup.

    1. RedHat Enterprise server
    2. OpenLDAP
    3. Postfix (SMTP auth, Spamassassin, TLS, Postgrey)
    4. Cyrus Imap Server
    5. Samba File server
    6. Apache WebDav

    Right now I have a master copy of LDAP on the internal file server. Then two other servers (on the DMZ) are replicas. Samba pulls info from LDAP, Cyrus, Postfix, WebDAV as well. Not using Kerberos at this time, but all passwords for logging onto the computer, email, outgoing email, are the same username/password.

    Very nice. Some of the configuration and stuff I have documented on my wiki:
    http://www.spydorweb.com/wiki/

    --
    This space available for rent.
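
When one OpenLDAP master feeds Samba, Postfix, Cyrus and WebDAV with the same username/password, the userPassword attribute is the single secret behind every service, so how it is stored in the directory is worth checking. The following is an added example and not code from this post, from OpenLDAP or from the poster's wiki: a small reader for slapcat-style LDIF (comments, folded continuation lines, base64 `::` values), a check that flags userPassword values stored as cleartext or with an unsalted scheme, plus a make/verify pair for OpenLDAP's `{SSHA}` format. The sample export, its DNs and passwords are constructed for the example; the `{SHA}` string is only an opaque digest value.

```python
"""Audit an OpenLDAP-style LDIF export for password-storage weaknesses.

Constructed example: LDIF reader (RFC 2849 subset), userPassword scheme
classifier, {SSHA} make/verify, and a UID-0 check for posixAccount entries.
"""
import base64
import hashlib
import hmac
import os

SALTED_SCHEMES = {"SSHA", "SMD5", "CRYPT"}   # salt is stored alongside the hash
UNSALTED_SCHEMES = {"SHA", "MD5"}            # same password always gives same hash


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Produce an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a stored {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]      # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text: str) -> list:
    """Parse LDIF into a list of {attribute: [values]} dicts."""
    lines = []                               # unfold: a leading space continues the previous line
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" (encoding, not protection)
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_password(value: str) -> str:
    """Return 'salted', 'unsalted', 'cleartext' or 'unknown' for a userPassword value."""
    if value.startswith("{") and "}" in value:
        scheme = value[1:value.index("}")].upper()
        if scheme in SALTED_SCHEMES:
            return "salted"
        if scheme in UNSALTED_SCHEMES:
            return "unsalted"
        if scheme == "CLEARTEXT":
            return "cleartext"
        return "unknown"
    return "cleartext"                       # no scheme prefix: stored exactly as typed


def audit(entries: list) -> list:
    """List (dn, finding) pairs for weak password storage and uidNumber 0 accounts."""
    findings = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        for pw in entry.get("userPassword", []):
            kind = classify_password(pw)
            if kind != "salted":
                findings.append((dn, f"userPassword is {kind}"))
        if "0" in entry.get("uidNumber", []):
            findings.append((dn, "posixAccount has uidNumber 0"))
    return findings


# Constructed sample export; values are made up for the example.
ALICE_HASH = make_ssha("correct horse", salt=b"s@lt")
SAMPLE_LDIF = (
    "# people subtree (constructed sample)\n"
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "objectClass: posixAccount\n"
    "uid: alice\n"
    "uidNumber: 1001\n"
    "gidNumber: 100\n"
    "homeDirectory: /home/alice\n"
    "description: a folded value continues on the next line when that\n"
    "  line starts with a single space\n"
    "userPassword: " + ALICE_HASH + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "objectClass: posixAccount\n"
    "uid: bob\n"
    "uidNumber: 1002\n"
    "gidNumber: 100\n"
    "homeDirectory: /home/bob\n"
    "userPassword:: c2VjcmV0\n"              # base64 of 'secret': cleartext, not a hash
    "\n"
    "dn: uid=backup,ou=people,dc=example,dc=org\n"
    "objectClass: posixAccount\n"
    "uid: backup\n"
    "uidNumber: 0\n"
    "gidNumber: 0\n"
    "homeDirectory: /root\n"
    "userPassword: {SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
)

if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {finding}")
```

Run against a real `slapcat` export the reader should be the only thing to change; the checks stay the same. The scheme table is deliberately short and anything it does not know is reported as unknown rather than silently accepted.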
  33. Wow, that was one of the most inane posts yet by suitepotato · · Score: 2, Interesting

    All op-fluff without even coherent editorial never mind subject matter. If /. cannot stop dupes because no one is reading them, it should follow that the articles being linked to aren't being read either.

    I wonder how long till someone writes a three paragraph submission linking to goatse and tubgirl and it gets through.

    In the meantime, Windows has point and click administration and the only people who find it difficult are beginners and people from other platforms. Experienced Win admins don't tend to have a lot of problems.

    Thankfully, Linux has more and more GUI apps and there's some for administering it. Just as hard to use as Windows domain controllers ever were, which means equally easy once you know what Unix systems expect and hardcore Windows admins, especially the security conscious, have more than a bit of passing familiarity with finer grain permissions and so forth.

    I am not seeing the news or stuff that matters here.

    --
    If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
  34. Re:ID Management Problems - Cross Company by Sylver+Dragon · · Score: 2, Interesting

    Set up a user for her in your domain, with an Exchange Mailbox. Have all email to that box forwarded to her real email address, and not stored locally. That user can then be allowed to view the calendar. Assuming she is using Outlook (probably, if you want her to see the calendar), just have her add another email account to her profile, which connects to your Exchange server, using the username/password combination you created. The downside of this is that your Exchange Server will need to be exposed to the internet, which is likely to be the case anyway. Also, she really doesn't have a way to update her password. However, it gets the job done, and provides a contact for her in your address book, which can be added to distribution lists easily.
    This assumes that you don't want to go through the trouble of setting up a two way domain trust with the other company.

    --
    Necessity is the mother of invention.
    Laziness is the father.
  35. Re:news? Stuff that matters? by kiltedtaco · · Score: 2, Insightful

    Hear, hear!

    ID management is a problem computer science students like to work on, hence it works well in linux. Actually making an operating system that people find useful and usable is an uninteresting and difficult problem, hence little work is done in that direction.

    Modding a comment down because you disagree is double plus ungood.

  36. So Wrong by WindBourne · · Score: 4, Funny

    First it is not LDAP, but LAPD. Everybody knows that it is the LAPD that beats on others. So now, Paul is having the LAPD help Linux beat Windows. Cool. Can not wait until the lawsuit.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  37. Meaningless fluff by glenmark · · Score: 3, Informative

    Not only is the article light on content, but it is rather meaningless to argue that LDAP is better than Active Directory, since AD is an implementation of LDAP (featuring Kerberos authentication and the LDAP data stored in a multimaster replicated database).

    Of course, it has taken MS a while to catch up with the features of Novell's NDIS directory offerings, but they are finally getting it right with 2003, and it is arguably the easiest-to-manage enterprise-scale LDAP implementation around. It isn't perfect mind you (we dig up plenty of bugs), but does seem to be the best thing going. Furthermore, Group Policy Objects are a seriously kick-butt feature. Besides, nothing else can properly issue authorization tokens (SID keychains) for Windows clients.

    Now if only they would fix the huge heaping piles of Exchange integration bugs in Entourage...

    (No, I'm not a MS apologist. They piss me off on a regular basis, both in terms of product quality, or lack thereof in many cases, and in terms of business practices; however, folks are barking up the wrong tree where these criticisms of AD are concerned. In a short time it has matured into a quality product.)

    --
    *** Quantum Mechanics: The Dreams of Which Stuff is Made ***
  38. my experience with this configuration by graham+the+pet+fish · · Score: 3, Informative

    I've looked into using Linux with OpenLDAP, SAMBA and Kerberos before and in its current state it simply isn't going to work as a replacement Windows domain controller.

    All the key components exist, but none of them are well enough integrated to provide a convincing solution. Notably, Windows machines that log onto a domain use a microsofti[sz]ed version of the LDAP standard, CLDAP (Connectionless LDAP), which from my understanding OpenLDAP doesn't want to support because it's non-standard. This makes it unsuitable for a Linux-based domain controller but suitable for most other tasks. Also, SAMBA 3 doesn't support Kerberos as an authentication backend, and so password synchronisation and single signon is difficult in a mixed windows and *nix environment.

    The up and coming SAMBA 4 is promising to fix these shortfalls, with an inbuilt implementation of CLDAP, support for Kerberos authentication, etc. Until this happens, SAMBA and LDAP aren't going to meet the requirements of most medium size businesses as a replacement domain controller.

    The lesson I learnt from my research is that a Windows server currently makes more sense for a Windows environment for things other than relatively simple implementations than a Linux one.

    Graham

  39. Re:RDS questions by schon · · Score: 4, Informative

    Is that open source?

    Yes

    The page makes it look like it isn't.

    You're correct, RH's page is pretty misleading (maybe because they want you to buy a support contract from them?) - I had to hunt around for quite a while before I found the source.

    Is this the reincarnation of Netscape Directory Server?

    Yes, although it's now known as "Fedora Directory Server"

    They have a wiki for the project here

  40. Linux sucks at this.... by jozeph78 · · Score: 3, Insightful
    This post won't make me many friends here

    WindowsAD(Win2k3) + SQL Server + Exchange + .Net or VBS WMI = Extremely simple administration.

    LDAP is like 5% of what AD provides. Remember that AD offers authentication as well as OS level authorization. I don't know of anything in the Linux world that offers that just by running through a wizard (ever set up AD?). You don't have to type anything if you don't want to, and for the programming heads, WMI/ADSI can do what isn't in the tools. There are also a lot of 3rd party products that can plug into AD.

    True they bastardized the Kerberos implementation and you are locked into windows, but without an enterprise wide OS level authentication/authorization Kerberos SSO model available you'll never convince a CIO to go linux with 20,000 desktops. IMO it's the reason that linux fails as a desktop. You simply can't sell it to corporations, even though it's free. Plus windows does much better to protect your system files than Linux, where any admin could use root to read any file without knowing it was done. In windows, you own your files and can restrict even domain admins' access, unless they take ownership, but then they can't give it back.

    You can linux vs windows all you want but Windows kicks the sh** out of linux when it comes to managing and administrating large environments. I also feel that windows has a much better security model and short of being the #1 target for hackers, has the potential to be much more secure than any Linux I've seen, short of SE Linux which does NOT make administration easier at ALL. In fact I'll say that Windows is too easy to administrate. It still takes thinking like an admin to do it well but the truth is you could train someone who worked at Jewel's to administrate AD in about two weeks (it happened at my old gig). After using linux (Gentoo) for 6 months now I've determined that linux is the best system to work on and Windows is the best system to work in.

    Flame on.

    --
    Ever done a `man` on `top` ?
  41. Winbind by jaseuk · · Score: 2, Informative

    Winbind, part of Samba.

    OR for apache use: auth_kerb_module
    OR for authentication only (manually add dummy users) use pam_krb5.conf

    It's all fairly easy and you don't need to touch the unix services toolkit.

    Jason.

  42. Re:EASIER?!? by cbreaker · · Score: 2, Interesting

    Yea, you're damned right. Microsoft's point-and-click stuff really backfires on them sometimes because you end up with these Admins that set up AD systems completely half-assed.

    AD works. Sure, Windows 2000 without any service packs sucked, but they've pretty much nailed down most of the functionality bugs by now. And, it's not all that hard to use AD as a directory for all your systems, including Linux and Mac systems.

    There are a lot of considerations for AD design and if you spend some quality time designing the directory and infrastructure with knowledgeable people, you'll get it running well and it will stay running well.

    As much as I dislike Microsoft, and as much as I didn't like AD at first, it's not all that bad.

    --
    - It's not the Macs I hate. It's Digg users. -
  43. Unrealistic security policies by jesterzog · · Score: 2, Insightful

    As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.

    I agree. I think a large part of the problem, though, is that people are being given unrealistic demands for digital security wherever they go, that simply ignore everything we know about an ordinary human's cognitive ability. Even if a user can cope with one or two severely complicated passwords, nearly every organisation they deal with is going to require yet another one, whether it's their employer, separate sub-services within the same employer, a bank, or any number of online services. It's no surprise that people write down passwords, ignoring instructions---why should they respect instructions that are crazy and unrealistic?

    Several years ago I was helping to implement a card reading system around the organisation for "extra security". Many of the employees decided to simply leave the cards in the readers continuously, even though they were told they should never do this. When I returned a couple of years later, even the branch that'd dished out the cards now had a compromise of simply storing the card in an unsecured drawer overnight. It was no huge surprise, however, because everyone was already flooded with other people wanting to force them to carry identity cards. There were at least another two, I think, just for independent parts of the same company! (Entering building, opening doors, etc.) There are only so many demands from all directions that people can be expected to submit to.

    Many policies are very hypocritical, especially when compared with something like credit cards. Credit cards usually don't require remembering anything at all -- the "secret" number is written down, and people are encouraged to give it to anyone. Even my cash card only requires me to remember a 4 digit number (practically criminal according to many password policies), although I need the card to activate it.

    Most people probably have more stake in their credit card security than in nearly any password-protected service. One of the differences is that Credit Card companies play a role in watching carefully for things that look like fraud. They have systems to restrict how much damage can be done if it's done (eg. credit limits), and have processes to deal with it after it happens.

    I think passwords have just evolved from an ancient system that used to be more meaningful. Many organisations' policies are based on common beliefs instead of actual researched facts, and they're afraid to do something against the norm. Some users of some services clearly still require effective passwords, but other services demand it from everyone unrealistically. I'm convinced that we're often required to use impossible-to-remember passwords for the same reason we have impossible-to-read EULAs. It's about organisations protecting themselves from legal action so they can blame everything on the other party if something breaks.