Startup Infrastructure: Where Linux Fails

Category:WikiProject Cryptography participants
Image via Wikipedia

It is no secret that I’m an open source evangelist and so when it was time to set up internal infrastructure at work, naturally the first order of business was to evaluate the various OSS projects out there — everything from wikis, bug trackers, source control, code review and project management. Running Ubuntu LTS (10.04) on all of our servers was a no-brainer and there were plenty of excellent options for most everything else as well (a follow-up post on our final choices later). The Linux ecosystem is fabulous for most of the infrastructure needs of a startup, but I learnt the hard way that there are still some areas where Linux needs a lot of work before it can become competitive with proprietary, non-Linux solutions.

Authentication

Centralized account management (users and groups) and authentication is critical component in any IT deployment, no matter the size. Even for a small startup, creating users/groups repeatedly for each new server, separate authentication mechanisms for each new service is simply not scalable. That is precisely why Active Directory is so ubiquitous at enterprises.

LDAP was the obvious solution in Linux-land and I figured it would be trivial to setup an OpenLDAP server that can manage user/group information for us. It would also be the single authentication source for all servers and services. I was so wrong.

After struggling with OpenLDAP for several painful hours, I gave up — the documentation is fragmented, Google doesn’t help much and personally I think the LDAP creators had never heard of “usability” when designing it. The seemingly simple task of creating some new users and groups involved several black-magic incantations of the LDAP command line tools. Getting servers to authenticate against the resulting directory was even harder.

Just as I was about to throw in the towel and setup an AD instance in-house, I stumbled upon the 389 Directory Server (now known as the Fedora Directory Server). With a new found hope, I set about installing it on Ubuntu and hit another roadblock — there are no up-to-date packages of FDS for Ubuntu. Reluctantly, I setup a Fedora instance (the only one so far) and installed FDS. Thankfully, Red Hat has put together really comprehensive documentation and guides for the Directory Server, which was invaluable.

From there on, it was mostly downhill (only a few minor hiccups). Finally we have a nice GUI to manage users and groups, and all servers/services authenticate against a single Directory Server. But the journey was unnecessarily painful. Here’s what I’d like to see:

  • Up-to-date packages of FDS for Ubuntu. Sane defaults and functionality out-of-the-box
  • Ready to consume documentation on how to integrate LDAP with various web applications, Linux distros etc (I’ll put together some of this soon)
  • More awareness — I should have found FDS a lot sooner than I did, but it is certainly not very well marketed
  • Single sign on: This is a whole different beast

Remote Access

At my previous company, we had a Cisco VPN solution. There were plenty of Cisco compatible VPN clients on Windows and Mac. In fairness, it was relatively easy to get vpnc working on Ubuntu as well. In fact, with Network Manager, you can manage your VPN connections using a simple and intuitive UI.┬áBut the setup was not very reliable and my connections would get dropped relatively frequently. It was impossible to have a long-running VPN session without disruption. I’m not sure if the problem was with the Cisco hardware or the Ubuntu vpnc client; I did see similar issues with the built-in VPN client on Mac OS X.

But at least VPN on Linux works. I can’t say the same about other remote access mechanisms, in particular IPSec and L2TP over IPSec. It took me some time to figure out which package to use (Strongswan, Openswan, iked etc etc); another couple of hours to get the Openswan configuration just right; several hours of struggling to automatically setup DNS lookups when using the IPSec connection (gave up and ended up using entries in /etc/hosts!). There is no UI in Network Manager to manage IPSec connections either. Strongswan does have a NM plugin, but that only works for IKEv2 (certificate based authentication), while I had to use IKEv1 (shared key based authentication).

At the end of the day, I do have a working IPSec tunnel and it is definitely more reliable than the Cisco VPN (been up for more than 2 days without disruption). But all this can and should become a lot more seamless.

These are a few areas where Linux failed me in setting up the infrastructure for a startup; it shines most everywhere else. Hopefully these last few kinks will get ironed out soon.

8 comments

  1. Matt

    I’m a FOSS evangelist to.

    I have to agree with both the points in this post.

    At the place I currently work, as a developer I brought in LDAP, specifically OpenLDAP for SSO. I had some previous experience with it so getting it up and running wasn’t too hard. From there I was able to hand it over to the full time sys admins.

    But it turned out to be fragile and a complete hassle. Replication would often fail, and the whole setup would fall in a heap.

    We also use CISCO gear for the VPN. Unfortunately the proprietary CISCO client is a binary GUI blob, and the open source client VPNC (which I believe is behind Network Manager) is crash prone. It likes to sporadically emit some errors and then spin using 100% CPU, and not pass any packets until killed. Difficult to reliably reproduce so I haven’t been able to track down and fix.

    It all could be a lot easier.

  2. rdark

    I run OpenLDAP at home, where my environment is homogeneously Linux, and AD at work – where the environment is anything but homogeneous (far too many windows servers for my liking..)
    openLDAP lacks GUI-based administration tools, but as a server I’ve always found it to be rock-solid.
    As it’s a reference implementation of LDAP, you can use any LDAP administration tool to look after it – one of the best ones I’ve found is Apache Directory Studio – http://directory.apache.org/studio/

  3. rdark

    I run OpenLDAP at home, where my environment is homogeneously Linux, and AD at work – where the environment is anything but homogeneous, and not everyone is a Linux admin.
    openLDAP lacks GUI-based administration tools, but as a server I’ve always found it to be rock-solid.
    As it’s a reference implementation of LDAP, you can use any LDAP administration tool to look after it – one of the best ones I’ve found is Apache Directory Studio – http://directory.apache.org/studio/

  4. Reader

    Interesting post.. but I guess you are just frustrated but to me looks like expressing anger about wrong things.

    1) For some reason you already chose Ubuntu 10.04 and tried to setup something which you did not like.

    Then things worked very well on Fedora …so was is just the choice of Distro the problem ? Or was the user who chose the distro before application ?

    I am not going towards fedora Vs Ubuntu .. just trying to find out what was so wrong.

    While I would accept that I have not completely understood how distro guys can make money but this is where business aspect comes in .. all the polishing ..if it’s business just makes more likely to be better integration ( still with open source plz) .

    2) This is also one of the major complaint that I have always had about linu open source projects .. we just do not need many projects (again no user choices debate please ) We need to improve existing projects, add features than have something on fedora another on ubuntu etc..
    I know its very hard problem but it is for sure the reason for many of such issues with Linux. Issues like what you see on ldap,you would not find for apache ? Why ? its quite de facto standard for open source web server. But that does not mean ubuntu and fedora do not get to differentiate themselves when using apache.

    Just my 2 cents.

    • Diwaker Gupta

      There is certainly some amount of frustration on my part. As to the distro choice, you may argue that had I chosen Fedora up front, I’d have gone through less trouble. But then there are several things that are easier in Ubuntu than in Fedora. Ultimately I think the point is just that setting up Linux based centralized authentication still takes a lot of work.

Leave a Reply