top | item 12043416


jms18 | 9 years ago

Could you expand on this?

> LDAP management on non-Windows systems is like stepping back 30 years.

How so? And managing which components -- the directory server or the clients?

> there wasn't even a supported UI for directory operations

What directory operations? add/mod/del? There are quite a few packages that handle that. Or are you talking about operations on the server side?

> typing DN's by hand is for the birds!

I concur. Though, it's pretty rare to type in a DN anywhere. I can't think of many places where a simple RDN or search filter on a unique value (uid, mail, etc.) doesn't suffice.

Karunamon | 9 years ago

Both. Again, I may be coming from a standpoint of ignorance here, but setting up a Linux client requires manual mucking about with PAM and its associated config files, with different steps required for every major distro.

Same with the server side - there's no good equivalent to Windows' "Active Directory Users & Computers". Plenty of good command line tools, but I don't think those are that useful when reasoning about the "tree" structure used in LDAP.

teacup50 | 9 years ago

We got hosed by PADL and rfc2307/rfc2307bis.

In short:

We never standardized a viable schema that covered the majority of real-world enterprise use-cases. Active Directory did. We got stuck with the broken rfc2307 (essentially NIS-in-LDAP), and the slightly better but abandoned rfc2307bis.

Without a standardized schema, every management tool out there had to either expose LDAP directly, or provide a limited subset of operations supportable across random schema.

We could solve this issue with a new RFC defining a modern standard server schema, including things like sshPublicKey, but I don't know if there's any UNIX/Linux vendor still alive that would invest in doing so.
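Added example, not code from this thread or from any project named in it: a short Python script that ties together jms18's point above (a search filter on a unique attribute such as uid or mail is normally all you need, rather than a hand-typed DN) and teacup50's remarks about the rfc2307 schema. It escapes filter values per RFC 4515 so a caller-supplied uid or mail cannot inject filter syntax, parses a constructed LDIF fragment, checks the attributes RFC 2307 marks as required on posixAccount, and carries an sshPublicKey attribute from the third-party openssh-lpk schema (which, as teacup50 notes, is not an RFC). The entries, names and key material are constructed placeholders; nothing here talks to a real directory.

```python
"""Safe lookup of an RFC 2307 posixAccount by uid or mail (added example)."""
import base64
from typing import Dict, List, Optional

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attributes RFC 2307 lists as MUST on the posixAccount object class.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

# Constructed sample data. The ssh key material is a placeholder, not a real key.
SAMPLE_LDIF = """
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
cn: Alice Example
sn: Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
mail: alice@example.com
sshPublicKey: ssh-ed25519 AAAAPLACEHOLDERKEYMATERIALNOTAREALKEY alice@laptop

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
cn: Bob Broken
uid: bob
uidNumber: 10002
"""


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_lookup_filter(uid: Optional[str] = None, mail: Optional[str] = None) -> str:
    """Build the filter you would hand to a real server: one unique attribute, escaped."""
    if (uid is None) == (mail is None):
        raise ValueError("supply exactly one of uid or mail")
    attr, value = ("uid", uid) if uid is not None else ("mail", mail)
    return f"(&(objectClass=posixAccount)({attr}={escape_filter_value(value)}))"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF (RFC 2849) reader: folding, comments, '::' base64 values.

    Attribute names are case-insensitive in LDAP, so keys are lower-cased.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_posix_attrs(entry: Dict[str, List[str]]) -> List[str]:
    """Return the RFC 2307 MUST attributes absent from a posixAccount entry."""
    return [a for a in POSIX_ACCOUNT_MUST if not entry.get(a.lower())]


def lookup_account(entries, uid: Optional[str] = None, mail: Optional[str] = None):
    """Exact match on uid or mail among posixAccount entries; None unless exactly one hit."""
    attr, value = ("uid", uid) if uid is not None else ("mail", mail)
    hits = [e for e in entries
            if "posixaccount" in (o.lower() for o in e.get("objectclass", []))
            and value in e.get(attr, [])]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    print(build_lookup_filter(uid="*)(uid=*"))        # injection attempt, rendered inert
    for acct in accounts:
        print(acct["dn"][0], "missing:", missing_posix_attrs(acct))
    print(lookup_account(accounts, mail="alice@example.com")["sshpublickey"])
```

The escaping is the part that matters for security: without it, a uid of `*)(uid=*` turns a single-user lookup into a match on every account. The in-memory `lookup_account` is only there so the script runs offline; against a real server you would send the string from `build_lookup_filter` and expect exactly one result.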

vidarh | 9 years ago

I've never managed an LDAP server from the command line on Linux.

As for PAM, I did a PAM LDAP config once about 8 years ago, and have never needed to make a change since. Since then it's been a matter of a few config files that are part of the standard config we deploy automatically to new systems. It's not particularly much effort.

jamiesonbecker | 9 years ago

We actually offer a pretty robust LDAP/AD integration on Userify, but I still recommend against it, especially since it's not just painful but adding LDAP/AD decreases overall security. I used to like LDAP in the early 00's, but now I just think it's anything but lightweight, as well as insecure and obsolete.

teacup50 | 9 years ago

LDAP/AD is neither insecure nor obsolete.

Using a 3rd-party cloud-based service to manage server authentication, SSH keys, et al, seems insanely insecure however -- especially when your alternative is simply running LDAP locally.

Karunamon | 9 years ago

Could you elaborate a bit? I've heard many criticisms leveled at LDAP over the years, but never that it's insecure or obsolete.