rant: Linux authentication is a freaking dog's breakfast

News category: Linux Tips
Source:

This rant is a result of frustrations built from circling around the barn looking for something to replace NIS for relatively small (3 to 30 machine) networks. I haven't found an answer I like so I've kept looking trying to figure out if I've missed something. Feel free to ignore this screed.

I'm coming to the conclusion that the best replacement is AD, and my recent experience with AD says it's a dog's breakfast twice recycled. There's a fundamental mismatch between AD and Linux authentication. I think the reason people try to use it is because it happens to have an LDAP interface that you can kind of twist into working with an LDAP schema on Linux.

If that isn't enough, there is the additional insult of paying rent to Microsoft. From what I can tell, even Canonical has given up on having a Linux-based authentication system, because its latest desktops have built-in Active Directory integration. What the hell, Canonical?!?

Personally, I would stick with NIS except that I need to work with a couple of application-dedicated Red Hat systems and RH is planning on removing NIS from 8.X. FreeIPA looks like a reasonable, if overly complicated, alternative but it only runs on Red Hat systems and I don't want to pay rent to Red Hat any more than I want to pay rent to Microsoft. I would consider using CentOS except Red Hat took CentOS out back behind the barn and shot it, then didn't even have the decency to bury the body. They just left it rotting in the sun.

I'm probably okay with using LDAP. In researching it, I found that I have to wrap all LDAP traffic in SSL because it uses forking clear text passwords just like NIS. Now I need to build a forking CA and maintain certificates, not to mention some Ansible hack to set up and replicate data that isn't handled by LDAP. I am not looking forward to editing LDIF files for account management. The web interfaces I have seen are either built for 10,000 person enterprises or are a web representation of an LDIF file. GaCk!
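Two of the pain points above (hand-editing LDIF for accounts, and passwords that must never sit or travel in the clear) can be taken off the table with a small generator. The following is an added example, not code from the original post or from any of the projects it names; it assumes a constructed suffix `dc=example,dc=com`, a `ou=People` container and a uidNumber range of 10000-59999 for human accounts, and emits a `posixAccount`/`shadowAccount` entry whose `userPassword` is stored as an RFC 2307 style `{SSHA}` hash rather than clear text. It also base64-encodes attribute values that RFC 2849 says cannot be written literally (non-ASCII names, leading spaces), which is exactly the kind of detail that bites when editing LDIF by hand.

```python
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed assumptions for this example (not the author's setup): the
# directory suffix, the People OU and the uidNumber range reserved for humans.
BASE_DN = "dc=example,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN
UID_MIN, UID_MAX = 10000, 59999

# Conservative POSIX username rule: lowercase start, at most 32 chars.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt).

    The directory then never holds the clear-text password. The clear text
    still crosses the wire on a simple bind, which is why the transport has
    to be TLS (ldaps:// or StartTLS) regardless of how it is stored."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value using a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name: str, value: str) -> str:
    """Emit one LDIF attribute line, switching to base64 ('::') when RFC 2849
    does not allow the value to be written literally."""
    needs_b64 = (
        value == ""
        or value[0] in " :<"
        or value[-1] == " "
        or not value.isascii()
        or any(c in value for c in "\r\n\0")
    )
    if needs_b64:
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


@dataclass
class PosixUser:
    username: str
    uid_number: int
    gid_number: int
    full_name: str
    login_shell: str = "/bin/bash"


def posix_user_ldif(user: PosixUser, password: str) -> str:
    """Render an inetOrgPerson + posixAccount + shadowAccount entry that
    nss/pam LDAP clients can consume, validating the inputs first."""
    if not _USERNAME_RE.match(user.username):
        raise ValueError("invalid POSIX username: %r" % user.username)
    if not UID_MIN <= user.uid_number <= UID_MAX:
        raise ValueError("uidNumber %d outside the people range" % user.uid_number)
    if len(password) < 12:
        raise ValueError("password too short")
    surname = user.full_name.split()[-1]
    lines = [
        "dn: uid=%s,%s" % (user.username, PEOPLE_OU),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_attr("uid", user.username),
        ldif_attr("cn", user.full_name),
        ldif_attr("sn", surname),
        "uidNumber: %d" % user.uid_number,
        "gidNumber: %d" % user.gid_number,
        ldif_attr("homeDirectory", "/home/" + user.username),
        ldif_attr("loginShell", user.login_shell),
        ldif_attr("userPassword", ssha_hash(password)),
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Read one LDIF entry back into attribute -> values, undoing the base64
    ('::') encoding, so the output can be checked before it reaches ldapadd."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entry


if __name__ == "__main__":
    # Constructed sample account; pipe the output into ldapadd over a TLS session.
    print(posix_user_ldif(PosixUser("alice", 10001, 10001, "Alice Liddell"),
                          "correct horse battery"))
```

The generator deliberately refuses usernames and uidNumbers outside the agreed ranges, since a stray entry with uidNumber 0 in a shared directory is a far worse day than a rejected script run. `{SSHA}` is used because every common client and server understands it; where the server offers a stronger password scheme, switch the hash function and keep the rest.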

I would use the scripted shove-fractional-password-files-around-by-SSH model except I have to integrate with a TrueNAS Core for storage.

90% plus of my work fits nicely with NIS-level functionality. It's easy to set up, easy to maintain, only causes a little hair loss, and is easily distributed.

I looked at alternatives like JumpCloud, Okta and Keycloak but again, I'm struck by the complexity and the fact that I'm signing up for a lifetime of monthly charges just to give someone a method for logging in.

I know I'm bitching a lot about complexity and paying rent. If there's a reason for complexity, I haven't seen any good justifications. Tony Hoare said "There are two methods in software design. One is to make the program so simple, there are obviously no errors. The other is to make it so complicated, there are no obvious errors."

Linux distributed authentication has no obvious errors...

On the point of paying rent, distributed authentication is so core to everyday systems that it should be built-in. It doesn't have to be enterprise scale but should let you bridge to enterprise scale. I have no problem paying for things like support contracts for OPNsense or Xen Orchestra, but paying for essential services like basic distributed authentication just doesn't sit right.

Unless I can find a better solution shortly, I'm probably going to go for a minimalist LDAP solution. I'll try to define it using cloud-init so other people can reproduce it in different environments and maybe not get as frustrated as I have been.

Rant rant rant rant rant. Thank you. I'm done.

