Ok, this post started off in my Linux Drop-In Replacement for Microsoft Exchange???? post, but I went off on a tangent, one I thought was interesting, so I moved it here…
So this guy at PostPath that I know, he is a pretty bright guy. I know this because where we used to work together he was involved with a team writing some code for UNIX for handling platform agnostic Web Auth software for the company’s intranet. The company is very large and a website could be on Windows (from NT to the bleeding edge beta) or Linux (any version) or on Unix (darn near any version from any vendor, for a start HPUX, Solaris, AIX, IRIX, NEC TeraServer UNIX whatever that is called…) or on mainframe (IBM) or on miniframe (IBM, DEC) or what have you… So just using, say… Windows Integrated Auth, is pretty much worthless and you really don’t want to have all sites using their own Auth when SSO is so very cool….
So he worked on the system that handled all of this web auth. One of the cool pieces that he was involved with writing, and why I dealt with him, was to switch the auth system over from using an iPlanet backend auth source to using Active Directory (HAHAHAHA All you platforms are using Windows to do your auth!). You are saying, big whoop… anyone can do that with 10 minutes, notepad, and vbscript… And I pretty much agree, anyone can do it and many do do it, and they do it very poorly and either end up making it so it works for crap or breaking AD or any combination of those plus more things… This system was different, it was very smart and had things like its own intelligent tuneable caching mechanism, looked at the status of users before authing them to ascertain things about their state (disabled, locked, etc) and when their passwords were scheduled to expire, etc etc etc. But the absolute coolest part of all of it and the part that was really exciting for me…
Well first, someone wants to integrate a UNIX app into AD and they ask the AD Admins what questions???? Come on now, what is the main question asked?
What is the hostname of the directory server???? DRRRRRR
So you “generally”[1] have two ways of handling this…
1. You give them a hostname of one of the DCs. They plug that in, finally get past the fact and bitching that they can’t read the directory anonymously (yeah *NIX is way secure…) then one day they either
a. Drag the DC to the ground because what they do overwhelms the DC because they used objectclass=user everywhere.
b. Completely break when you reboot the DC for a critical hot fix or because it stopped replicating or just because you felt like it because you know that MOST[2] Windows apps don’t care if the DC is there or not and if it isn’t, the app goes and finds another one….
2. Try to explain to them this cool concept of SRV records and how applications should know how to find the resources they are looking for and here is this nice standard way of doing it and then the UNIX person bitches that Microsoft is so proprietary and then you point them at the proper RFCs for SRV records and they still don’t get it because as much as the UNIX admins like to point at the RFCs many still can’t actually read them and understand them so you finally break down and do #1, give them a hostname of one of the DCs.
Well this team actually listened when myself and my good friend Dave explained how Windows locates resources. They thought that was mondo cool and immediately saw the benefit and wrote a SRV Lookup DNS module for the Web Auth Tool. So all they have to do in the config for the app is specify what site the UNIX server is in that is fielding the Web Auth requests from all of the clients (actually Web Servers of multiple platforms) and then it will do the rest by finding the appropriate DCs to use to do the auth work. And yes, I mean DCs, they have the app pick multiple DCs and load balance the requests across them…. BRILLIANT!!!!
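As an added illustration (this is not the PostPath team's module, which the post does not show), the Python below models what such a SRV lookup module has to do: build the site-aware `_msdcs` SRV names that the DC locator queries, order the answers by priority and weight the way RFC 2782 specifies, and walk that list so a rebooted DC gets skipped instead of breaking the app. Hostnames and records are constructed; the live DNS query itself is left out so the block runs offline.

```python
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

@dataclass(frozen=True)
class SrvRecord:
    """One SRV answer: priority, weight, port and the host it points at."""
    priority: int
    weight: int
    port: int
    target: str

def ad_srv_names(domain: str, site: Optional[str] = None, service: str = "_ldap") -> List[str]:
    """Names to query: the site-specific one first so nearby DCs win, then domain-wide as fallback."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names

def order_srv(records: Iterable[SrvRecord], rng=random) -> List[SrvRecord]:
    """Order targets per RFC 2782: lowest priority first, weighted random draw within a priority.
    rng may be the random module, a random.Random, or an int seed (for reproducible runs)."""
    if isinstance(rng, int):
        rng = random.Random(rng)
    records, ordered = list(records), []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            roll = rng.randint(0, sum(r.weight for r in pool))
            acc, chosen = 0, pool[-1]
            for r in pool:  # first record whose running weight sum reaches the roll wins
                acc += r.weight
                if acc >= roll:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def first_reachable(records: Iterable[SrvRecord], probe: Callable[[SrvRecord], bool], rng=random) -> Optional[SrvRecord]:
    """Walk the ordered list and return the first DC that answers the probe; None if all are down."""
    for r in order_srv(records, rng):
        if probe(r):
            return r
    return None

# Constructed sample answer for the site-specific name; these are not real hosts.
SAMPLE = [
    SrvRecord(0, 50, 389, "dc1.boston.example.com"),
    SrvRecord(0, 50, 389, "dc2.boston.example.com"),
    SrvRecord(10, 0, 389, "dc9.hq.example.com"),  # remote backup, used only when site DCs fail
]
```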
I am telling you, this is unusual, most UNIX folks if you told them they could do something like that they would look at you like you had purple hair, a pink nose, and had just appeared in front of them while they were sitting on the toilet reading the latest copy of SysAdmin.
 joe
[1] Yes I know about using hardware load balancers and funky DNS aliases but you know what…. YOU SHOULDN’T HAVE TO, WINDOWS DOESN’T NEED IT!!! I have always successfully fought off anyone who tried to do this…. When someone does this they are trying to force ME to do extra work to crutch THEIR app that doesn’t work well. Oh wait, the response is… *NIX doesn’t need multiple machines, our machines don’t go down!!! So yeah, go support a 250,000 globally distributed desktop base with SSO and full redundancy and fail over and do it with one server. Have a nice day.
[2] Don’t be pulling this trick around my favorite app… Exchange.
SRV records are so old, and I can’t believe that Microsoft is the only group to use them… but they pretty much are. And SRV is soooo simple.
Nod
hi,
unix guys are not necessarily dns experts. Neither are windows guys, by the way. I have yet to meet the first windows admin that actually uses srv records consciously and/or for other uses than what AD does. We use them for our sip server and our kerberos realm, for instance, with bind9. No sweat. I will give you that windows networks use it more than unix networks, but not because the admins are aware of that 😉
As to unix being or not being secure because you can access the directory anonymously: well, it depends on what the anonymous login is allowed to see. If it only sees e-mail addresses, what is the point in logging in? It only adds overhead to an ldap query to find an address. I really do not see the added value in forcing me to specify my user name and password to query an AD if everything is traveling plain text across the wire and it works! what kind of security is that? force me to use ldaps or tls at least, but no, I have to disclose my credentials in order to find an address. So as with everything in life, it’s not white, it’s not black …
Anyway, I came across your blog by coincidence and I am quite enjoying it. keep it up.
Natxo,
I believe your statement about clear text password transmission over the wire is not entirely accurate. MS supports a variety of authentication mechanisms and protocols (GSSAPI, Kerberos, flavors of NTLM etc.) in addition to the clear text option.
Windows clients and server do not transmit clear text passwords unless specifically instructed by applications or policies. The default set of policies favors irreversibly obfuscated passwords over the clear text ones.
The same more or less applies to encryption and integrity protection, with the caveat that the default set of policies, I recall, does not force encryption for most of attributes available through LDAP. Nevertheless, either or both encryption and integrity protection are possible and desirable if the LDAP client queries for sensitive information. It is application developer’s and admin’s responsibility to ensure that proper mechanisms are configured and applied.
I should mention that your statement is pretty much accurate for most of the Unix client -> Win server cases. Most often developers take the simplest route of using the clear text password option. But again, it would be unfair to blame Microsoft for that. They’re guilty of many other things but not this one 🙂
One last comment: SSL/TLS is a viable alternative for a small number of servers. However, proper certificate maintenance becomes costly and resource consuming in geographically distributed deployments with tens of Active Directory domain controllers and global catalogs.