AD?
So why would I want to choose the worst LDAPv3 implementation out there instead of a true LDAP or SSO implementation? Especially when AD crumbles under real world authentication requirements.
Microsoft has expanded the capabilities of its identity and access management infrastructure to allow for single sign-on of a multitude of corporate apps. The upgrades to Windows Azure Active Directory were announced on Sunday, and bring pre-integrated single sign-on for apps from Office 365 to Box.com, Salesforce.com, and …
While Active Directory is not the best LDAP implementation it DOES have the largest installed base by a long margin.
There are a LOT of admins out there with AD skills and CxO's are comfortable with the technology.
Betting against Microsoft tends to be a bad idea in everything but game consoles.
"... and phones, tablets, web servers, embedded OSs, server OSs, to mention a few failed products only??"
Hi Eadon, nice to have you back
Embedded OS fail?
So none of those ATMs, POS, or arcade machines are working then?
Server OSes, yes, because no one ever uses those either.
A bit late to reply, but this post deserves it:
1- I'm not Eadon
2- ATMs/POS: do you mean that the number of ATMs/POS is bigger than the number of home routers, TV set-top boxes, media players, etc? mmm... you surely live in an area with a high concentration of... banks??
3- Arcade machines: last time I checked, Xbox was only winning in the US of A against PS3. Everywhere else it's PS3. Globally, Wii wins, of course. MS has lost the console wars.
"Especially when AD crumbles under real world authentication requirements."
Indeed. Which is why AD is at the core of nearly every medium to large business for their authentication requirements. I've worked at both Oracle and Microsoft and have worked with many, many large companies that use a variety of directory services. If you think AD crumbles in real world deployments you must be an intern that has yet to work in the "real world".
"If you think AD crumbles in real world deployments you must be an intern that has yet to work in the "real world"."
6 years experience, financial sector, worked for a certain bank that has a large presence in America (the continent). One particular system has 10+ million users, supports about 2000 concurrent users in peak hours and is managed by *two* LDAP servers. Real LDAP servers.
In comparison, a 700 user deployment requires no less than 11 AD Domain Controllers just to work, for another not-so-large organization. The same product that copes with the 2000 concurrent users in the other place, shits itself because of AD's weird behavior.
I'd like to note that most, if not all of the big financial institutions actively avoid the MS ecosystem. AD is used only for the in-company PCs, but the business stuff is using either LDAP, some Identity/Access Management stack or RACF. AD is a joke among the application security market and is usually limited to only the MS stack and/or the Windows boxes in the company.
"There are a LOT of admins out there with AD skills and CxO's are comfortable with the technology."
Betting on AD ended up killing our Production Environment for a couple of days at a former job. The CEO actually listened to the "I told you so" crowd and they are now switching platforms. They're not pleased with what they ended up getting with MS.
Not sure what your admin is doing, but you do not need 11 AD servers for 700 users. I'm pretty sure I can match what you are doing with similar hardware and LDAP lookup requirements. You may have had a junior admin putting your system together.
I'll take AD any day over many other 'enterprise ldap' directories.
"I'd like to note that most, if not all of the big financial institutions actively avoid the MS ecosystem."
Just saying something doesn't make it true. I've worked in financial services for over 15 years and every company I've worked for or with has been a heavy Microsoft user for both desktop and server. Just because other systems are used in house doesn't mean that they are avoiding MS. The word you are looking for is heterogeneous.
AD killing your production environment just means that the people who installed, maintained and configured it didn't know what they were doing. I have never heard of AD failing for any reason other than user incompetence, and I've worked with some big, heavily loaded, globally distributed ADs. The largest had over 100k users and ran on at least three continents.
Oh, I've been there when AD failed big time and it wasn't user incompetence.
Only management can screw up this big:
They wouldn't let the admins point to a proper public time server so it was left on its defaults. And the defaults defaulted to the ancient Cisco core switch that they wouldn't pay to upgrade. And for whatever reason the core switch reset itself to the default date in its BIOS. At which point the AD servers reset. And then started tombstoning all the active sessions on the network because the date differential was too big.
But your general point stands: it failed because the wetware responsible for designing and maintaining it failed to follow best practices. And yes, there were several MCSEs with years of experience somewhere in the mix. Of course, the person screaming the loudest about the bad configurations and equipment practices didn't, so he was soundly ignored.
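The outage described in the comment above is a time-hierarchy failure: domain controllers follow whatever their configured time source says, and once a DC's clock drifts more than the Kerberos default of five minutes ("Maximum tolerance for computer clock synchronization") from its peers, authentication fails. The script below is an added example, not code from the thread or from Microsoft; it lists every DC, asks each one where it takes time from (`w32tm /query /source`) and how far its clock is from the machine running the script (`w32tm /stripchart`), and flags DCs that follow their own hardware clock, a PDC emulator that follows anything outside an approved upstream list, or an offset beyond the Kerberos threshold. The host names, the approved upstream server and the sample offsets are constructed for illustration; the live path needs the ActiveDirectory RSAT module and rights to query each DC.

```powershell
# Added example (not from the thread): audit DC time sources and clock offsets.
# 300 s is the Kerberos default clock-skew tolerance; everything named in the sample
# data at the bottom (dc1/dc2/dc3.corp.example, coreswitch, time.nist.gov) is made up.
$MaxSkewSeconds = 300

function Get-W32tmSource {
    param([Parameter(Mandatory)][string]$Computer)
    # Prints one line: a peer such as "pdc01.corp.example" / "time.windows.com,0x9",
    # or "Local CMOS Clock" when the DC is following its own hardware clock.
    (& w32tm /query /source /computer:$Computer 2>&1 | Select-Object -First 1).ToString().Trim()
}

function Get-W32tmOffsetSeconds {
    param([Parameter(Mandatory)][string]$Computer, [int]$Samples = 3)
    # /stripchart /dataonly prints lines like "12:00:01, +00.0012345s" (offset of the
    # target relative to this machine); average the numeric part over a few samples.
    $lines = & w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }
    ($offsets | Measure-Object -Average).Average
}

function Test-DcTimeHealth {
    # Input: objects with Name, IsPdcEmulator, Source, OffsetSeconds.
    # Output: one finding per problem, so an empty result means the hierarchy looks sane.
    param(
        [Parameter(Mandatory)][object[]]$Dcs,
        [string[]]$TrustedUpstream = @(),      # assumed: operator-approved NTP servers for the PDC
        [double]$MaxSkew = $MaxSkewSeconds
    )
    foreach ($dc in $Dcs) {
        $problems = @()
        $peer = ($dc.Source -split ',')[0]     # strip the ",0x8"-style flags from manual peers
        if ($dc.Source -match 'Local CMOS Clock|Free-running System Clock') {
            $problems += "syncs from its own hardware clock ($($dc.Source)); no external reference"
        } elseif ($dc.IsPdcEmulator) {
            if ($TrustedUpstream -notcontains $peer) {
                $problems += "PDC emulator source '$($dc.Source)' is not in the approved upstream list"
            }
        } elseif ($Dcs.Name -notcontains $peer) {
            $problems += "source '$($dc.Source)' is not a DC in this domain; domain hierarchy is not in use"
        }
        if ($null -eq $dc.OffsetSeconds) {
            $problems += "offset could not be measured (w32tm query failed)"
        } elseif ([math]::Abs($dc.OffsetSeconds) -gt $MaxSkew) {
            $problems += ("clock is {0:N1}s off; Kerberos rejects tickets beyond {1}s" -f $dc.OffsetSeconds, $MaxSkew)
        }
        foreach ($p in $problems) { [pscustomobject]@{ DC = $dc.Name; Problem = $p } }
    }
}

function Get-DcTimeReport {
    # Live collection against the current domain (needs the ActiveDirectory module).
    param([string[]]$TrustedUpstream)
    $pdc = (Get-ADDomain).PDCEmulator
    $dcs = Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.HostName
            IsPdcEmulator = ($_.HostName -eq $pdc)
            Source        = Get-W32tmSource -Computer $_.HostName
            OffsetSeconds = Get-W32tmOffsetSeconds -Computer $_.HostName
        }
    }
    Test-DcTimeHealth -Dcs $dcs -TrustedUpstream $TrustedUpstream
}

# Constructed sample mirroring the scenario in the comment: the PDC emulator follows a
# core switch whose clock has reset, dc2 follows the PDC and inherits the bad time, and
# dc3 has been left on its own CMOS clock. Offsets are seconds relative to this machine.
$sample = @(
    [pscustomobject]@{ Name='dc1.corp.example'; IsPdcEmulator=$true;  Source='coreswitch.corp.example,0x8'; OffsetSeconds=-31557600 }
    [pscustomobject]@{ Name='dc2.corp.example'; IsPdcEmulator=$false; Source='dc1.corp.example';            OffsetSeconds=-31557590 }
    [pscustomobject]@{ Name='dc3.corp.example'; IsPdcEmulator=$false; Source='Local CMOS Clock';            OffsetSeconds=0.004     }
)
Test-DcTimeHealth -Dcs $sample -TrustedUpstream @('time.nist.gov') | Format-Table -AutoSize
```

Run `Get-DcTimeReport -TrustedUpstream @('your.ntp.server')` from a domain-joined admin workstation for the live check. Note that the offsets are measured against the machine running the script, so if that machine is itself following a broken hierarchy every DC can look "correct"; measuring from a host synced to an independent external source avoids that blind spot.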
Daniel, you've come out with the same spiel previously and I suspect you probably do so every time the topic of Active Directory comes up. I'll point out what I pointed out last time. LDAP is a protocol. Active Directory provides an infrastructure that makes use of LDAP. You are comparing two completely different things, and as I mentioned last time (and others have mentioned here) if you need 11 domain controllers to support 700 users in terms of performance you are doing something seriously wrong in terms of planning and implementation. That's before pointing out that when customers have several Domain Controllers there are usually other reasons, typically redundancy and/or bandwidth preservation across AD sites. Two 'real' LDAP servers, as you put it, implies a maximum of two sites, so your comparison is incredibly simplistic. Oh and by the way if that's two LDAP servers on one site you need a better DR planner.
Finally in a previous post you pushed the same claim, but that time it was 11 Domain Controllers struggling to support 2000 users. Different customer? Some very heavy layoffs? Or just making stuff up from whole cloth?
eDirectory knock(s/ed) spots off AD years ago, quite literally. AD has always been just about good enough for pretty small setups.
The KCC bollocks annoys me intensely and it doesn't usually work properly without assistance and the speed of convergence is dreadful unless you force it along (yes I do know what I am doing wrt star and fully meshed topologies). It's frankly crap and unnecessary.
I see no evidence of multi in and outbound sync, different speeds for different attributes and a woeful lack of built in object types.
You have to DNS federate everything.
As for the sheer number of naming attributes for a user object - it's arse.
The PDC emulator and the other FSMO things are awful hangovers from the old days. Why the hell do you need a Schema Master thing anyway in this day and age and why the blazes do you have to register a .DLL to even see the bloody thing in a GUI?
I'm bored of this - I can't even be bothered to get excited about whinging about AD any more. Yes, its popular but it's still shit.
Cheers
Jon
Paris - because when I read "AD Admin" writ in bold on a CV that's what I think of the writer ...
"Yes, its popular but it's still shit."
Ah, there lies the total problem with your point of view and of so many people who comment on technology trends. You really think that AD is shit and yet it has gained massive acceptance and popularity from small business to massive enterprise?
eDirectory was a fantastic product, but it had its flaws, as does Microsoft's AD. But if eDirectory was the vastly superior solution, how come its use is in massive decline?
I feel you need to take off those worn out glasses and get a fresh set of lenses through which to view the technology world.
"eDirectory was a fantastic product, but it had its flaws, as does Microsoft's AD. But if eDirectory was the vastly superior solution, how come its use is in massive decline?"
The one LDAP solution that I've seen installed more than AD, and used by the financial sector is Sun's DSEE. And yes, it actually outperforms AD everywhere, and it's used in the financial and telecoms sector. In fact, it is one of the Sun products that actually survived the Oracle acquisition because of this, and its offspring OpenDS was morphed into the Oracle Unified Directory.
IBM also has its own LDAP, and it basically has a shared market with DSEE, especially in places where IBM iron is running. While eDirectory has declined in usage, at least IBM's Tivoli Directory Server, ODSEE/OUD, 389 Directory Server and others have taken its place and are still used a lot. AD is actually the ugly duckling.
Indeed, DSEE is an excellent product and was born in the telecoms sector. It was by far the widest used LDAP server. I had many a conversation about DSEE with the Sun guys when they came into Oracle. But you can't compare AD with DSEE, they are very different solutions. AD may have an LDAP interface which supports LDAP queries. But AD does a lot more than DSEE in terms of functionality.
Oracle will find a way to screw up DSEE though. I used to work at Oracle HQ here in the bay area and if you think the engineering genius is going to continue through ODSEE into the future, think again. If you want a massive performance LDAP solution from Oracle, they want customers to buy OID. Why? Because a nice big fat database resides behind it.
You think IBM and Oracle have been the majority of solutions that have taken the place of eDirectory? Wow, now you really are showing your lack of knowledge in the industry. In the last 6 years (when I spent time at both Oracle and Microsoft in front of their biggest customers) I didn't see a single customer moving from eDirectory to IBM or Oracle. At Oracle even their own sales org would recommend to eDirectory customers to use AD.
Oracle killed OID. It was one of those weird cases where Oracle actually checked out user feedback and installed base; they found out that OID was rarely used at all, while DSEE had the lion's share of the market. That's why they instead retooled OpenDS into Oracle Unified Directory. Source? Actual Oracle employees; in fact many former Sun and Oracle employees are in the IT Security market these days.
On DSEE, yes, I know Ludovic Poitou & friends are no longer at Oracle, but then there's OpenDJ which is OpenDS's fork, maintained by him. Personally I'd prefer OpenDJ, but the corporate world doesn't work like that.
I'm bored of your lack of informed information. Oracle has not killed OID and OID actually has a significant install base. What's the main directory deployed behind millions of Oracle application (eBusiness Suite) deployments? Yip... OID. Rarely used? Bah. Are you still in college?
Nice move of the goal posts here with OpenDJ :D
"You really think that AD is shit and yet has gained massive acceptance and popularity from small business to massive enterprise?"
This happens quite often in all walks of life.
"But if eDirectory was the vast superior solution, how come its use is in massive decline?"
Microsoft are having a big surge in their attempts to lock users into their "ecosystem" at the moment. Basically, same old same old. But it has nothing to do with quality of product.
"You really think that AD is shit and yet has gained massive acceptance and popularity from small business to massive enterprise?"
'Argumentum ad populum' may backfire quite badly here. Its vulgar translation is "zillions of flies can not be wrong, horse manure is the most delicious food on the planet".
What a stupid comparison. People choose to deploy and use AD. We don't choose to have horses shit and then eat it.
It's simple. If there was a superior solution to AD to do what AD does, people would be using it. AD is not perfect, it has faults and its initial incarnations had some terrible faults and problems. But to say that it's shit and doesn't work in the real world is a massively incorrect statement.
AD IS the most pervasive directory technology in use today. Fact. You can't dispute this. You also can't say that quality has nothing to do with popularity. Sure, AD in NT 4.0 and Server 2000 had some really difficult issues. But eDirectory wasn't perfect either. But they both got better, and Microsoft had the massive advantage that they had a very popular client which they also developed and could therefore bring capabilities to both client and server that nobody else could do as quickly or as well integrated.
Microsoft had an advantage, fair or not. They had a wildly successful client OS and they developed a wildly successful server infrastructure which had a significant reliance on a directory-based technology that helped manage the clients. Now what they are doing in the cloud era is looking at the similarities between the on-premise world and the cloud world and building a solution for the cloud.
Is Microsoft trying to get as many customers to move onto its own cloud based directory? Of course they are. Will they leverage their other markets such as Office, Windows and so on? Who wouldn't? Is Microsoft the only company desperately trying to win the "Identity in the cloud" challenge? Nope...
SalesForce, Microsoft, Okta.com, Ping, McAfee, Verizon, Oracle... you name them. Everyone knows that if you can be the main vendor for identities in the cloud, you have a key piece of the future infrastructure for business.
Microsoft with AD became one of, in some instances the only, options for managing identity, devices and authenticating users in companies. It makes only sense they would invest heavily in bringing this to the cloud and finding ways to migrate existing customers over to a newer model.
So many people on this website seem to love to bitch about very specific things without having any real focus of the overall reasons these technologies exist.
"What a stupid comparison. People choose to deploy and use AD. We don't chose to have horses shit and then eat it."
Logical fallacies are already stupid things (assuming they are not used with malicious intent), so a little bit of mockery does not make it any worse.
Of course, it is very hard to avoid fallacies entirely, but it is certainly worth trying. Fallacious argument is like a division by zero, it causes some really nasty bugs in the thought process. Can't think of any truly benign reasons to use them.
Cheers!
> eDirectory knock(s/ed) spots off AD years ago quite literally. AD has always been just about good enough for pretty small set ups.
That is why you set up multiple AD servers and use sites properly.
> The KCC bollocks annoys me intensely and it doesn't usually work properly without assistance and the speed of convergence is dreadful unless you force it along (yes I do know what I am doing wrt star and fully meshed topologies). It's frankly crap and unnecessary.
The hell are you talking about? Active Directory has no concepts of topologies.
> I see no evidence of multi in and outbound sync, different speeds for different attributes and a woeful lack of built in object types
Stop using Server 2000 and join us in the present
> You have to DNS federate everything.
Your point?
> As for the sheer number of naming attributes for a user object - it's arse.
You know you don't have to use them. They are there for the convenience of developers and admins and provide a handy place to keep user info.
>The PDC emulator and the other FSMO things are awful hangovers from the old days.
If you don't use them, they don't do anything. They are there in case you have old systems or Linux boxes that need a PDC. Why are you so opposed to backward compatibility?
> Why the hell do you need a Schema Master thing anyway in this day and age
So you have a server with an 'authoritative' copy of the schema; that's the point of it. Anything that is clustered / distributed requires such a role.
>and why the blazes do you have to register a .DLL to even see the bloody thing in a GUI?
Because you are still using XP; upgrade to an OS that isn't 10 years old.
>I'm bored of this - I can't even be bothered to get excited about whinging about AD any more. Yes, its popular but it's still shit.
Wahhh
None of the players offering this stuff can be trusted. They are, in essence, offering to *maybe* keep your information from third parties of *their* choosing, not yours. Going in, they give themselves access. We know from recent events (well, all of human history, duh) that they can't be trusted to stop the snooping there.
To be reasonably trustworthy, these systems need be encrypted end to end and custody needs to be spread across different data centers in different countries with multiple custodians.
It is very difficult to secure systems. It is impossible if you don't try. Nobody is even trying. Systems need to be designed to be resistant to full on attack by some of the custodians as well as third parties. It is possible to do this. They will not be unbreakable but they will be a *lot* more secure than they are now. There has been zero will to do this on the part of people currently entrusted with control of the Network.
Google, Microsoft, Amazon, facebook, etc do not need nearly the access to our information that they insist on taking. They can all do any legitimate tasks with practically no knowledge of contents or destinations of messages. They could entirely curtail their own knowledge and greatly enhance your control over your information. They choose not to. They are profit making entities whose mission does not include doing the right thing. Unless we oblige them to choose to protect our privacy, they will never do so.
Many things can now be improperly accessed that were never accessible before. This demands legislation to make much of what could be improperly obtained 'fruit of the poison tree'. Where is that legislation? A lot of the snooping going on is because we allow the people spying upon us to use improperly obtained information. We should not incent bad behavior by allowing these people to further their careers by improperly obtaining and using information. Instead, we should create very strong sanctions to punish any individuals or organizations that indulge in this behavior.
The ability to secure communications is proportional to bandwidth. The more bandwidth, the greater the ability to secure messages. Bandwidth is ridiculously and unnecessarily constrained here in Canada at least. It is not a technical problem or a problem of costs. Where is the political drive to radically increase bandwidth across the board?
Addressing on the Internet is an impediment to security when it should be one of its main supports. What is with the lame and unimaginative successor to IPv4? IPv6 should have been so much more. It offers so few sensible advantages that it is still not in wide use even though the address space of IPv4 is now effectively exhausted.
Everywhere I look I see vested interests whose goals are antithetical with the public good given ever more control over the network and increasingly abusing that control.
The current flap over NSA surveillance demonstrates wide ranging breaches of trust on all sides, yet we continue to allow these bad actors to control our increasingly precious global network.
Network Solutions is the last company I would trust. They have been caught in fantastical breaches of trust on more than one occasion, yet we cheerily place them at the root of the chain of trust everywhere. If we place a known, unrepentant bad player like Network Solutions at the center of the web of trust, how can we possibly expect to have a trustworthy network?
Most of the players with authority and control over the network should not even be allowed full rights, let alone control, less still complete control.
What we have now is the most treacherous of treacherous computing and it is getting worse every day. Most people can't be expected to know all the ins and outs of this stuff. However, all of the major players know and have a duty of care to know. We should not excuse their ongoing violation of our trust.
MS has supported SAML federation for a while as an add-on to their base AD product. I think this also included templates for hooking into 3rd party services as well. What is really so different about this new push? Is it the names of the targets (Facebook, etc)? Others have made the case for/against using MS for your base IdM infrastructure, but I don't think that anyone will disagree that the ability to federate is an absolute minimum requirement today. The big problem I've always had with MS has been their refusal to adhere to standards, and even worse their willingness to mutate them in order to facilitate lock-in. If they're steering away from that now it would be good news for all of us. P.S. Well, actually Oracle is moving away from OID. The new kid on the block is OUD - Oracle Unified Directory, a/k/a OpenDS (which was also forked in ForgeRock's OpenDJ).