How Linux beats Windows in ID management ease


Paul Murphy
13 Jul 2005

Pop quiz: What's the hardest thing to do in Windows systems management?

Backups, you say? Yes, well, I wanted something people actually do. So, here's a hint: It goes by a multitude of different names, depending on which Microsoft product generation formed the basis for the speaker's view of it.

If you thought of one of the forms of user identity management, give yourself a gold star -- and if you realized that a Linux conversion may be your ticket away from the daily hassles of managing and licensing domain controllers and related software devices, tell your boss I said it should be made of real gold.

In the beginning, or at least in the mid-eighties, Sun created something called "Yellow Pages," which promptly became Network Identity Services (NIS/NIS+) for copyright reasons. The technology's basic approach to the single sign-on problem was first to assume that the administrative users of other machines could be trusted, and therefore to simply migrate the /usr/passwd entries, along with the user privileges defined on each machine, to all the machines within the locally trusted group. Project Athena at MIT (to part of which the IBM/Carnegie Mellon distributed file system is an open source successor) then generalized that solution across the Internet, inventing a number of now-critical technologies -- including pluggable authentication modules (PAM) and the Kerberos authentication protocol -- in the process.

Things have gotten a little more complicated since, but neither the underlying problem nor the conceptual basis for the solution has really changed, and the old methods still work for a lot of people. Users with simple environments may, for example, need nothing more than the password file-based approach pioneered at Berkeley in 1981 or, in marginally more complex environments, the NIS/NIS+ solutions developed at Sun in the late eighties. For most of us, however, the right place to start is with the Lightweight Directory Access Protocol (LDAP) directory and authentication solution developed at the University of Michigan and popularized in the mid-nineties.

LDAP started out as a protocol, not code. Originally, it specified only the format for the exchange between a mail client looking for an authenticated address and a directory server getting ready to supply it. However, in computing, things get more complicated as more and more people get involved… and LDAP has been no exception. The OpenLDAP project is a worldwide collaborative effort that aims to develop a fully featured, commercial-grade open source LDAP suite of applications and development tools.

In the current context, however, what counts is that the LDAP-compliant tools typically available with your Linux release are the right place to start getting your identity management house in order. Once you've got this up and running, you can take the time to assess other options, knowing that almost all of them take that same LDAP software as their starting point.
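The "you don't throw out what you know, you just add to it" point above is easiest to see at the data level: the same seven passwd fields that NIS pushed around map directly onto an RFC 2307 posixAccount entry in LDAP. The script below is an added example, not code from the article or from any LDAP project; it converts a constructed passwd sample into LDIF, leaves system accounts local, and reports any password hash left in the passwd field instead of shadow rather than copying it into the directory. The base DN and the uid threshold of 1000 are assumptions.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample passwd content (not from any real system). bob's second
# field shows a hash left in passwd instead of shadow, a common legacy mistake.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Example,Room 1:/home/alice:/bin/bash
bob:$6$notarealhash:1002:1002:Bob Example:/home/bob:/bin/zsh
"""

FIELDS = ("name", "pw", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-comment passwd line into its seven colon-separated fields."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        users.append(dict(zip(FIELDS, parts)))
    return users

def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values LDIF cannot carry raw are base64-encoded (::)."""
    unsafe = (not value.isascii()) or value[:1] in (" ", ":", "<") or value.endswith(" ")
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode()).decode()}"
    return f"{name}: {value}"

def passwd_to_ldif(text: str, base_dn: str = "ou=People,dc=example,dc=com",
                   min_uid: int = 1000) -> Tuple[str, List[str]]:
    """Return (LDIF text, warnings): one posixAccount per human user (uid >= min_uid).
    A hash found in the passwd field is reported, not migrated; it belongs in shadow."""
    entries, warnings = [], []
    for u in parse_passwd(text):
        if int(u["uid"]) < min_uid:
            continue  # system accounts stay local, as in NIS-era practice
        if u["pw"] not in ("x", "*", "!", ""):
            warnings.append(f"{u['name']}: password hash in passwd field, not migrated")
        cn = u["gecos"].split(",")[0] or u["name"]  # first GECOS field is the full name
        entries.append("\n".join([
            ldif_attr("dn", f"uid={u['name']},{base_dn}"),
            "objectClass: top", "objectClass: account", "objectClass: posixAccount",
            ldif_attr("uid", u["name"]), ldif_attr("cn", cn),
            ldif_attr("uidNumber", u["uid"]), ldif_attr("gidNumber", u["gid"]),
            ldif_attr("homeDirectory", u["home"]), ldif_attr("loginShell", u["shell"]),
        ]))
    return "\n\n".join(entries) + "\n", warnings
```

The resulting LDIF can be loaded with ldapadd once the directory's schema includes the posixAccount class; passwords are then set separately in the userPassword attribute.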

In the long run, you might -- for example -- want to change the database, centralize your identity server, or even adopt the worldwide identity management protocols proposed and supported by the self-labeled Liberty Alliance. In each case, you'll get the same pleasant surprise: You don't throw out what you know, you just add to it.

None of this stuff is really easy once you get past single-server systems, but there are online LDAP setup manuals that help you get the default system in place. With the default system running, you can see how it works, figure out what your users really need, and go do that with a minimum of trauma.

That's one of the great undersold benefits of Linux, or any other Unix: There are lots of choices, and you can usually run several of them at the same time. You can learn as you do this, and when you discover that most of what you did the first time was wrong, you just change it by building on what you already know, not by throwing everything out and starting over.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry.