[jms18]

Could you expand on this?

> LDAP management on non-Windows systems is like stepping back 30 years.

How so? And managing which components -- the directory server or the clients?

> there wasn't even a supported UI for directory operations

What directory operations? add/mod/del? There are quite a few packages that handle that. Or are you talking about operations on the server side?

> typing DN's by hand is for the birds!

I concur. Though, it's pretty rare to type in a DN anywhere. I can't think of many places where a simple RDN or search filter on a unique value (uid, mail, etc.) doesn't suffice.

[Karunamon]

Both. Again, I may be coming from a standpoint of ignorance here, but setting up a Linux client requires manual mucking about with PAM and its associated config files, with different steps required for every major distro.

Same with the server side - there's no good equivalent to the Windows' "Active Directory Users & Computers". Plenty of good command line tools, but I don't think those are that useful when reasoning about a "tree" structure used in LDAP.

[teacup50]

We got hosed by PADL and rfc2307/rfc2307bis.

In short:

We never standardized a viable schema that covered the majority of real-world enterprise use-cases. Active Directory did. We got stuck with the broken rfc2307 (essentially NIS-in-LDAP), and the slightly better but abandoned rfc2307bis.

Without a standardized schema, every management tool out there had to either expose LDAP directly, or provide a limited subset of operations supportable across random schema.

We could solve this issue with a new RFC defining a modern standard server schema, including things like sshPublicKey, but I don't know if there's any UNIX/Linux vendor still alive that would invest in doing so.

[vidarh]

I've never managed an LDAP server from the command line on Linux.

As for PAM, I did a PAM LDAP config once about 8 years ago, and have never needed to make a change since. Since then it's been a matter of a few config files that are part of the standard config we deploy automatically to new systems. It's not exactly particularly much effort.

[jamiesonbecker]

We actually offer a pretty robust LDAP/AD integration on Userify, but I still recommend against it, especially since it's not just painful but adding LDAP/AD decreases overall security. I used to like LDAP in the early 00's, but now I just think it's anything but lightweight.. as well as insecure and obsolete.

[teacup50]

LDAP/AD is neither insecure nor obsolete.

Using a 3rd-party cloud-based service to manage server authentication, SSH keys, et al, seems insanely insecure however -- especially when your alternative is simply running LDAP locally.

[jamiesonbecker]

0. I believe that both LDAP and AD have complex models (well, arguably less complex than Vines/NDS/x.500/etc if you go back that far) and they're certainly more secure than NIS/NIS+ based on historical vulns, but I find it hard to argue that they're 'secure' based on their long and sordid history of vulns ( https://www.cvedetails.com/vulnerability-list/vendor_id-439/... )

0a. and, well, I wouldn't want to connect boxes to LDAP because I prefer to log into my boxes, even when LDAP is unavailable, the VPN is down, etc. but, nscd et al.. caching doesn't work either on an autoscaled box in the cloud, nor would I want to expose my enterprise directory infrastructure to my VPC. I also don't want to introduce a new PAM and NSS configuration on every single box (with separate layering for different boxes into different projects etc) and introduce yet another avenue for mistakes and compromise... was that required, requisite, or optional? Ergo, obsolete. :) (imo)

1. (btw, We don't do server authentication. That is a key difference between a directory and Userify. We only distribute keys. The servers themselves authenticate their own users with Userify just like with the traditional model, whereas with a directory the LDAP/AD server itself performs every authentication.)

2. We also recommend purchasing and running Userify Enterprise locked down locally to your VPC/LAN, and our larger customers tend to prefer that as well (especially when connected to LDAP w/ the same disconnected model we designed into our core product). We also offer a free cloud-based edition for unlimited use because we're nice like that.

3. We're paranoid, just like you: we go through bi-monthly independent penetration tests, we encrypt all data w/ NaCl, we avoid using passwords where possible and has with bcrypt elsewhere, and we're hardened against XSS, CSRF, and any sort of injection. The shim source is available here: https://github.com/userify/shim (see https://userify.com/faq/ for more on the security stuff we do and we're open to more ideas) and, please, find our vulnerabilities. We'll pay you for them. https://support.userify.com/solution/articles/14000036246-fi... Sometimes even our larger partners don't do that unfortunately.. ( https://github.com/aws/aws-codedeploy-agent/issues/30 )

But, seriously, people who are happy with their current solution should probably stick with it. I don't expect to convince you to take another look, and I do agree that there are good arguments to be made that LDAP/AD is neither insecure nor obsolete. I just disagree with (most of) those arguments. ;)

note:

AD/LDAP connectivity in Userify: you can still authenticate natively via LDAP/AD, while Userify provides a user-friendly dashboard for key management for your teams. A particularly cool demo: remove or disable an account in Windows AD and seconds later watch all of the SSH sessions on all of the servers in all of the projects terminate. It's very slick.. and that's another thing that LDAP/AD directory authenticated solutions can't do.

[vidarh]

> but I find it hard to argue that they're 'secure' based on their long and sordid history of vulns

The big difference here is that vs. a third party setup, my LDAP setup is running entirely behind our firewalls and not reachable from outside a suitably encrypted VPN. It's certainly possible to do stupid stuff with it.

> 0a. and, well, I wouldn't want to connect boxes to LDAP because I prefer to log into my boxes, even when LDAP is unavailable, the VPN is down, etc.

This is only an issue if you don't ensure you have at least one account that is present locally on the box that you can authenticate against.

With what I suggested - LDAP for user info, OpenSSH certificates for authentication and authorisation, any user that can be looked up locally on the box can be logged into (with the caveat that you then need to explicitly revoke keys for those users) even when LDAP is down, giving you an easy out.

But making LDAP quite resilient to outages is easy, by replicating it and specifying more than one server to connect to. For that matter, slapd is lightweight enough that you could run replicas on most servers if this is actually a problem (it's never been for me).

> nor would I want to expose my enterprise directory infrastructure to my VPC.

Why would you need to? Filtering what you replicate is easy enough.

> 1. (btw, We don't do server authentication. That is a key difference between a directory and Userify. We only distribute keys. The servers themselves authenticate their own users with Userify just like with the traditional model, whereas with a directory the LDAP/AD server itself performs every authentication.)

This is only true if you want it to be. It is not true if you use OpenSSH certificates for the authentication.

> A particularly cool demo: remove or disable an account in Windows AD and seconds later watch all of the SSH sessions on all of the servers in all of the projects terminate. It's very slick.. and that's another thing that LDAP/AD directory authenticated solutions can't do.

That's got nothing to do with LDAP, and everything to do whether a specific application supports periodically checking whether or not a user or key is still authorised, or not. LDAP is just a replicated data store.

Some applications do, some don't. For my part it's not generally an issue because their VPN key will get revoked and will immediately stop working, at which point all other connections will fail and time out whether or not individual applications pick up that the keys have been revoked and the user removed.

If you insist on doing this at the level of individual ssh connections, it's not particularly hard to force connections through a command that will periodically check that the key is still authorised.

I don't doubt that you have a slick solution, and I'm sure it'll be great for some. I don't particularly like LDAP. But for me at least, trusting this to a third party - even though it sounds like you're doing a lot of things the right way - is something I'd be extremely reluctant to, while LDAP is proven and despite various warts and problems, it's well understood and well supported by most applications we use.

[Karunamon]

Could you elaborate a bit? I've heard many criticisms leveled at LDAP over the years, but never that it's insecure or obsolete.

[jamiesonbecker]

Thank you for your civility :). The word 'secure' is subjective and thus always a matter of opinion (since obviously nothing is truly secure).

LDAP is insecure: it has a long history of serious problems. (for example, https://www.cvedetails.com/vulnerability-list/vendor_id-439/... ) (389ds and IPA are all based on the slapd OpenLDAP code.)

0) it's enormous: both as an implemented application and as a protocol and specification. Complexity is the enemy of security.

1) it widens your network footprint and isn't hardened against modern attacks (all LDAP directories that I'm aware of also have a regrettable history a la bugtraq/cert). (even without bringing krb5 into the picture)

2) it is complex and allows schema/ACL changes to expose attributes in non-obvious ways

3) no commercially available LDAP implementation natively encrypts all data

4) ouch, LDAP injection (https://www.owasp.org/index.php/LDAP_injection)

5) A centrally managed directory represents a very rich target for the secrets it contains

6) particularly when used as an authentication backend, it also presents a nice DoS target. (I have personal experience from a previous life..) :(

7) An LDAP server exposed to a LAN is rapidly (today) approaching being exposed to the Internet as VPN connections join multiple clouds and formerly internal datacenters, for anything but the tiniest of network footprints.

8) Most of the interlocking services, such as KRB5, have a sordid history of really bad root-level vulns.(https://www.cvedetails.com/vulnerability-list/vendor_id-42/p...)

Obviously many of these concerns can be somewhat mitigated but my strong personal opinion is that the size and complexity of LDAP makes it its own worst enemy. With that said, there's no real replacement for it, right?

With regards to things like SSO and SAML2, oauth (which also has its own share of problems due to the same problems of size and complexity) is beginning to make the need for an enterprise-wide directory moot, but this will obviously take time.

Not to mention - implementation to integrate with something like FreeIPA or similar is just unmitigated pain, both up front (i.e., if you want to run it somewhere like AWS without control over reverse DNS) or on each node (I've written PAM modules before and I still think making PAM changes is a big pain and not without significant risk.)

[Karunamon]

Thanks for the details.

Regarding insecurity: I don't give much credence to a "history of serious problems". Any (and I do mean any) application which deals with arbitrary input and data types has had a history of particularly nasty security holes.

You'd eliminate every major web browser here too. I see a large number of CVEs as a good thing, as that means there are eyes on the code and the exploits are getting found and fixed. The alternative is worse; it means there are bugs and they aren't being found.

Survivor bias :)

Regarding complexity: Security/authentication tools are complex, and they kind of have to be given the number of requirements, ciphers, data types, etc. There is no solution to this problem.

Regarding attack targeting: Any repository used for authentication will be a DoS/hacking target. Again, it's nature of the beast, it's a high value target and always will be.

Regarding SSO/SAML/oauth: Those have to authenticate against something, yes? What is that "something" in this case that makes it a true alternative?