top | item 47060635

zokier | 12 days ago

I feel this is one of the weaknesses of the Linux/unix ecosystem. The freeipa/sssd/nss/pam/krb/ldap/dns (+keycloak/samba/...) etc. stack is just incredibly byzantine. I'm sure it is technically very capable in the right hands, but to me it feels like an intractable mountain of things, and worst of all the failure modes are pretty bad: you can accidentally leave security holes or alternatively lock yourself out.

evanjrowley|12 days ago

Microsoft is pushing everyone onto Entra. There are so many exploits for AD but few for Entra.

Tenable has been pushing an internal initiative to eliminate all AD use. This action speaks volumes considering they acquired an AD security company and sell a product specifically designed to secure AD.

The consequences of a compromised AD domain are drastic. We should not try to build the same vulnerabilities into Linux environments, but it’s undeniable there is value in leveraging FreeIPA et al. to interoperate with legacy environments.

elcritch|11 days ago

The byzantine and overly complex nature of FreeIPA is a feature not a bug. It lends itself to consulting money for RedHat et al in those legacy markets. Sure, the server might be free but good luck getting it running.

ipython|12 days ago

Yes. And Microsoft Active Directory has integrated this stack with an easy to use graphical interface for almost 30 years now.

bzzzt|12 days ago

Active Directory is dying along with local computer networks. Microsoft is pushing customers to Entra (formerly Azure Active Directory). Modern, hybrid AD is not easy to use and is difficult to manage.

ElectricalUnion|12 days ago

Ideally you want to run all those trusted (read: security critical, if compromised entire system is no longer trustworthy) processes on separated and audited machines, but instead busy people end up running them all together because they happen to be packaged together (like FreeIPA or Active Directory), and that makes it even harder to secure them correctly.

StopDisinfo910|12 days ago

It's always been awful. OpenLDAP by itself is already atrocious and a pain to make work.

I have always been convinced it was on purpose. It's the point where you were supposed to decide paying Redhat is actually a good idea, and nowadays it pushes towards a cloud-based authentication solution you can integrate.

Realistically, who has any interest in fixing the mess?

xorcist|12 days ago

> you were supposed to decide paying Redhat

Fwiw, all Red Hat LDAP products are based on 389DS because they thought OpenLDAP had too many pain points or something.

doctorpangloss|12 days ago

> Realistically, who has any interest in fixing the mess?

Okta is a multi billion dollar company, there is a lot of venture opportunity in this space.

nimbius|12 days ago

There used to be a time in history when a system administrator had to know all this shit in order to keep their job. I guess nowadays devops just means dev as we furiously pump tokens into the AI Wurlitzer whenever we don't know how to do something and hope it doesn't gaslight us into deleting prod.

- FreeIPA is Linux AD; it includes DNS, Dogtag, and OpenLDAP.

- SSSD is how Linux machines authenticate with a central directory. This includes AD.

- NSS is the order of operations in which the system attempts lookups against various directories for services.

- PAM is the subsystem of authentication in Linux.

- Kerberos is a ticket-based authentication system started by MIT and popularized by Microsoft.

- LDAP is a directory for information and authentication data.

- DNS should not need an explanation.

Active Directory is the exact same byzantine architecture; the only reason you don't complain about it is that Microsoft has hidden nearly every meaningful internal from you with fun buttons and dropdowns like a child's toy.

Make no mistake, when it breaks it is much more cataclysmic in its complexity. Major multinational corporations can spend weeks with external consultants and even Microsoft themselves trying to debug it. Most failure modes result in rebuilding the entire directory from scratch out of the sheer futility of trying to recover anything. Things as simple as an OS update can cause the complete failure of the directory, replication, the Kerberos key subsystem, or even the ADUC tool you use to interface with any of this. Most of the time your only solution is to wait for MS to release a fix.

FreeIPA isn't complete. It doesn't include things like group policies or account expiration, but it's infinitely easier to debug. Its individual components are well documented and offer standalone debug and trace features. Most of its components have existed longer than their competitive Microsoft offerings, or at the very least vastly outscale and outperform them.

Kubernetes is just as complex, but cloud providers will happily bill you by the nanosecond for the gentle equivalent of Microsoft's buttons and dropdowns. Microsoft will gladly bill you for "cloud" based AD. You can just as easily deploy local users in Ansible.
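
The list above says what each layer does; the part that bites in practice is PAM's own order of operations, where the control word on each line decides whether one module's failure locks everyone out or whether one module's success lets everything after it be skipped. What follows is an added example, not code from this thread or from Linux-PAM: a small Python simulation of the four keyword controls as pam.conf(5) defines them, run over constructed auth stacks. The module outcomes are assumptions (pam_sss "fails" because sssd is unreachable; pam_env is treated as a set-up module that does not decide the result). It reproduces both failure modes zokier mentions at the top of the thread: a stack that locks local users out when sssd is down, and a "temporary" pam_permit.so line left in while debugging that becomes an authentication bypass.

```python
"""Simulate how Linux-PAM combines module results under the four keyword
controls (required, requisite, sufficient, optional) per pam.conf(5).
Added illustration only: the stacks and module outcomes below are constructed,
and the bracketed [value=action] syntax, include and substack are deliberately
rejected rather than half-modelled."""
from __future__ import annotations

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"
CONTROLS = {"required", "requisite", "sufficient", "optional"}


def parse_stack(text: str, mtype: str) -> list[tuple[str, str]]:
    """Return (control, module) pairs for one management type (e.g. 'auth')."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed line: {raw!r}")
        typ, control, module = fields[0].lstrip("-"), fields[1], fields[2]
        if typ != mtype:
            continue
        if control not in CONTROLS:
            raise ValueError(f"control {control!r} not simulated (only keyword controls)")
        stack.append((control, module))
    return stack


def evaluate(stack: list[tuple[str, str]], outcomes: dict[str, str]) -> str:
    """Walk the stack the way pam.conf(5) describes the keyword controls.

    required   - failure is remembered, remaining modules still run, stack fails
    requisite  - failure returns immediately
    sufficient - success with no earlier required failure returns immediately;
                 failure is ignored
    optional   - only matters if nothing else decided the stack
    A stack where no module produced a definite result is denied: Linux-PAM's
    fail-closed sanity check, so a missing pam_deny.so is not by itself a hole.
    """
    required_failed = False
    positive = False
    for control, module in stack:
        result = outcomes[module]                    # assumed return of this module
        if result == IGNORE:
            continue
        ok = result == SUCCESS
        if control == "required":
            if ok:
                positive = True
            else:
                required_failed = True
        elif control == "requisite":
            if not ok:
                return FAIL
            positive = True
        elif control == "sufficient":
            if ok and not required_failed:
                return SUCCESS                       # short-circuit: later lines never run
        elif control == "optional":
            if ok:
                positive = True
    if required_failed:
        return FAIL
    return SUCCESS if positive else FAIL


# Constructed stacks (not a distribution's real defaults).
SANE = """
auth  required    pam_env.so
auth  sufficient  pam_unix.so  try_first_pass
auth  sufficient  pam_sss.so   use_first_pass
auth  required    pam_deny.so
"""
# Every auth line 'required': if sssd is down, pam_sss fails and nothing can save the login.
LOCKOUT = """
auth  required    pam_env.so
auth  required    pam_sss.so
auth  required    pam_unix.so
"""
# SANE with a 'temporary' debugging line left in: pam_permit always succeeds.
HOLE = SANE.replace("auth  sufficient  pam_unix.so", "auth  sufficient  pam_permit.so\nauth  sufficient  pam_unix.so", 1)


def outcomes(unix: str, sss: str) -> dict[str, str]:
    """Fixed behaviour for pam_permit/pam_deny, assumed for pam_env; scenario-specific for the rest."""
    return {"pam_env.so": IGNORE, "pam_permit.so": SUCCESS, "pam_deny.so": FAIL,
            "pam_unix.so": unix, "pam_sss.so": sss}


def run_scenarios() -> dict[str, str]:
    return {
        "sane_local_ok":            evaluate(parse_stack(SANE, "auth"),    outcomes(SUCCESS, FAIL)),
        "sane_wrong_password":      evaluate(parse_stack(SANE, "auth"),    outcomes(FAIL, FAIL)),
        "lockout_sssd_down_local_ok": evaluate(parse_stack(LOCKOUT, "auth"), outcomes(SUCCESS, FAIL)),
        "hole_wrong_password":      evaluate(parse_stack(HOLE, "auth"),    outcomes(FAIL, FAIL)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} -> {verdict}")
```

The two instructive rows are the last two: with sssd unreachable, LOCKOUT denies a local user who typed the right password, while SANE lets pam_unix decide first; and HOLE grants access on a wrong password because the `sufficient pam_permit.so` line short-circuits the rest of the stack. Real stacks on current distributions mostly use the bracketed `[success=1 default=ignore]` form, which this simulation refuses to parse; when auditing one, read `pam_dispatch` semantics for that syntax rather than mapping it back onto the four keywords by eye.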

p_ing|12 days ago

Dang, your failure modes certainly are extreme. What companies actually performed a from-scratch rebuild because they failed to take a backup or thought "today's Thursday, it's too complicated to restore!"?

If an "OS upgrade" nukes your directory, that means you're running a single DC. The question is... why would you do that?

linksnapzz|12 days ago

> There used to be a time in history when a system administrator had to know all this shit in order to keep their job. I guess nowadays devops just means dev as we furiously pump tokens into the AI Wurlitzer whenever we don't know how to do something and hope it doesn't gaslight us into deleting prod.

Thanks, that sentence made my day.

Nextgrid|12 days ago

It's also a ton of security-sensitive code that parses untrusted data in a memory-unsafe language.

Smar|12 days ago

LDAP + Kerberos 5 + SSSD is pretty easy to configure and more or less maintenance-free for a small set of servers and users, in my personal experience.

The costs usually come from complexity: every new user needs their credentials, guidance to services and help in error situations. New services need to be integrated into existing systems. But those won't go away, whatever the system is.