How Linux Beats Windows in ID Management Ease
Amy Kucharik writes "Fed up with Windows systems management? A Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices. In this tip, Paul Murphy discusses the evolution of LDAP and how using it, along with Linux, can make an administrator's job easier."
dn: uid=anonymous, ou=linux, o=slashdot.org
changetype: add
slashComment: First Post!
slashModLevel: +5 Funny
So how's user management via LDAP on Linux different from using Window's Active Directory?
There's nothing concrete in the article.
I read the link. It sounded like a good introduction to an interesting article. Then it abruptly stopped. Where, if I may ask, is the actual article describing how one might use LDAP effectively for user management?
Now I know somebody is going to say ARE YOU TOO STUPID TO USE GOOGLE!! No, I'm not. I'm simply saying that the article could have been much better, had they simply put actual information in instead of simply writing an introduction to the history of LDAP. As it stands, the article is exceedingly pointless.
I wish that Windows NT included some easy interface to LDAP for large corporations to manage all of their workstations ... like a directory. It could be used for logins, privileges, login scripts, mapping drives, controlling group policy, and even integrate with the mail and calendaring system. It would be one big active directory. That would be nice.
I don't really get much from this article. Just that LDAP is out there, and that there are online manuals to help you get started. I figured that much out already. I'm not seeing much of a comparison between LDAP and AD/etc here. Anyone got some in-depth experience to share?
perl -e 'foreach(values %SIG){$_="IGNORE";}while(){}'
I am pretty sure I am not the only Linux veteran irritated by the increase in its user-friendliness, and mourning the loss of the good olde Linux, accessible only to those who enjoy kernel debugging. This is why I have decided to launch a new GNU/Linux distribution which requires extensive knowledge of Linux and of the computer system's internals.
The distribution shall be available in the combination of a floppy and a CD-ROM image. Why not only a CD-ROM image? I thought it would be a little too easy, and now you think that too; the CD-ROM is only accessible if you can read it, and this is why I provide a floppy: it contains an assembler and a linker, all you need to write a CD-ROM file system driver (and a partition driver to install the files). Here, I'll give you a head start: ISO 9660 specification. Don't expect every task to be so simple, I won't be giving the answers each time.
The distribution is somewhat minimalistic, but can do pretty much everything one demands from a modern computer.
Obviously, all tasks are accomplished through the command line interface (no GUI is provided).
A Web browser isn't included (as if you expected one to be anyway), just telnet to port 80 of the Web sites to surf the Internet.
As for an email client, telnet to port 25 and learn how to use your email server.
For FTP capabilities, you may telnet to port 21 and use the standard commands.
As I have demonstrated, this is a very versatile and capable GNU/Linux distribution, meanwhile staying available only to real men who back up to FTP and not to tape (to ensure this, legacy support for tape drives is excluded).
Since potential users may have varying levels of experience, I am hence providing different versions of the distribution:
Your suggestions are welcome, and I hope you enjoy using my GNU/Linux distribution.
That's a very nice little starting point, but the article has no depth. A little meat, even a mention of connecting Windows 2k/XP desktops to an OpenLDAP system via SAMBA for authentication, rather than relying on an Active Directory, for example, would be welcome.
And for the record: Active Directory design isn't, IMHO, harder than the design of any other well-administered LDAP-based authentication system. Further, I'll say that Microsoft has done a fantastic job of making the administration tools transparent and easy-to-use, and the integration of Exchange mail servers & NIS authentication via Services For Unix into the same tool is icing on the cake. Sure, the per-server licensing fees aren't cheap, but you do get what you pay for in this instance.
Even Jesus hates listening to Creed.
The article just says "Windows ID management is bad. LDAP is better. Why is Windows' ID management bad? I'm not telling. Why is LDAP better? I'm not telling." It does nothing to explain the position the title proposes.
This isn't to say I disagree but calling this article "news" is like calling the OpenLDAP FAQ news.
Free of Flash! Free of Flash!
ID management's biggest problem will never be solved by Linux. Nor will it be solved by Windows.
As long as we have people putting passwords on post-its attached to their screens, as long as we have people clueless enough to fall for even the most simple of social engineering, there's no real thing as a proper ID on a computer system.
In my (amazingly wonderful) opinion, no system deserves the name ID management unless it has a genuinely good chance of doing so. Physical tokens or biometrics (aka built-in physical tokens) are a minimum.
Well, unless you're after the account ID, but I think admins are normally more concerned about the ID of the person using the account.
We need to stop barricading the windows when people are walking merrily through the doors.
Sure, Linux is one way.
However, I'm very impressed by Novell NSure.
Do not overlook this product if you're looking for a solid LDAP based Identity Management solution.
Pretty thin article - if you were expecting a detailed argument for why OpenLDAP is better/easier to manage than Active Directory, you'll have to look somewhere else.
He basically just summarized the history of NIS and OpenLDAP, then gave us a link to some documentation for setting up OpenLDAP. Have fun editing slapd.conf, kids!
I was expecting that he'd at least mention Redhat Directory Server, which is the most interesting recent development as far as easy-to-manage Linux identity servers go.
pi = 3.141592653589793helpimtrappedinauniversefactory7
There's nothing better in ID management than eDirectory, either running on Linux, NetWare, or yes.... even Windows. MS always promises that the *next* Active Directory version will have the features that eDirectory had 15 years ago. True container based security and delegation, partitioning, replication, all with the greatest of ease. Yes, it's more expensive than OpenLDAP, but WAY better.
please excuse my apathy
The article incorrectly states that PAM (Pluggable Authentication Modules) came out of Project Athena.
However, it was actually invented by Sun, and was eventually adopted as RFC 86.0 by the Open Software Foundation in 1995.
The author obviously has never dealt with any real IdM issues at a large company. With mergers and divestitures constantly happening, you end up with a patchwork of HR systems, facilities management systems, access request systems, application data stores and authentication systems. Saying "use OpenLDAP for IdM" is like saying "this paper airplane flies well - if you throw it hard enough, you can get it to the moon."
This is not to say it couldn't be part of the solution, but the end state is going to have a bunch of different components.
And MS's out-of-the-box tools (e.g. AD Users & Computers) are deeply pathetic for anything other than casual directory browsing. Third party tools are needed for the variety of different tasks involved in managing an AD-based NOS.
That being said, some of the cool new work being done with Samba taken with a Kerberos KDC for authorization and OpenLDAP for authentication could be a good place to start in building out an IdM system. Unfortunately, you would really need to be starting from scratch to have this be feasible....
Left shift 1 for e-mail...
One of the really tragic points is that although NDS and eDirectory were already *ten* years ago ahead of what MS Active Directory (AD) is now, AD is suddenly what all the MS fanbois talk about to the exclusion of the more mature, secure, flexible, and compatible options like either eDirectory or plain ol' Kerberos + LDAP.
Actually, most AD articles don't cover many facts or even how to operate in a multi-platform environment. Plus there are a lot of shortcomings *still* in AD like scalability, performance and interoperability with non-MS systems. These are problems that you don't get with eDirectory or plain LDAP/Kerberos.
I'm sure part of it can be explained by the fanboi mentality where anything and everything from Redmond is great, especially the next version which is just over the horizon, etc. And that MS "valued" partners are more or less forbidden from looking at competing technology. Maybe other parts can be explained by MS' standard marketing methods, like the smear campaign against Novell.
I guess more of it makes sense if one looks at MS like a marketing company, as other posters have pointed out, rather than a software company. Though to me that's a bit 90's. MS is now heavily into lobbying and is bordering more on a political movement than a technology. Talk of AD is then a way of signaling membership in the movement/ideology. That would be another way of explaining fanbois who ignore LDAP+Kerberos or products like eDirectory, not even doing shoot-outs against these competitors. It doesn't make sense.
I miss the days when product comparisons actually compared useful tools and brought up the good and bad points of the ones examined rather than going over pre-approved 'talking points'. I guess even Consumer Reports is no longer unaffected.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Sure you can put Mandriva on a PC and it'll work fine forever for office stuff, listening to music etc. But what if the user wants flexibility and ease of use?
You seem to be implying that there's something Mandriva can't do that all the other "more flexible" linux distros can. I'm not aware of such a thing. I'm not a linux guru... but I run Mandriva on a few machines and there's never been something that I wanted to do that I couldn't (remote administration, webserver, MythTV, etc.). I understand the "fun" of setting up a Gentoo machine... but if you want ease of use combined with power and flexibility, then use Ubuntu, Mandriva, etc. Everything installs easily, and then you can configure and fine-tune to your heart's content.
First it is not LDAP, but LAPD. Everybody knows that it is the LAPD that beats on others. So now, Paul is having the LAPD help Linux beat Windows. Cool. Can not wait until the lawsuit.
I prefer the "u" in honour as it seems to be missing these days.
Is that open source?
Yes
The page makes it look like it isn't.
You're correct, RH's page is pretty misleading (maybe because they want you to buy a support contract from them?) - I had to hunt around for quite awhile before I found the source.
Is this the reincarnation of Netscape Directory Server?
Yes, although it's now known as "Fedora Directory Server"
They have a wiki for the project here