
Deploying OpenLDAP

Dustin Puryear writes "I work extensively with LDAP as a consultant, and so I'm always reading the latest and greatest books and articles on the subject. It's just part of the business. So I was excited to see "Deploying OpenLDAP," by Tom Jackiewicz and published by Apress, on Amazon's electronic bookshelf. After reviewing the Table of Contents I quickly ordered the book. This looked good. After all, Jackiewicz had some great chapter titles such as 'Implementing Deployment, Operations, and Administration Strategies.' That just sounds smart. Before giving you my feelings on the book, let me first say that I'm already well experienced with LDAP. This is especially true with OpenLDAP. With a title like "Deploying OpenLDAP" I was expecting a book that tackled not just low-level tactical issues such as installing OpenLDAP binaries, but strategic ones as well, e.g., how to design access control. So if you have never used OpenLDAP then your experience with the book may differ." Read on for the rest of Puryear's review.
Deploying OpenLDAP
author Tom Jackiewicz
pages 344
publisher Apress
rating 5
reviewer Dustin Puryear
ISBN 1590594134
summary HOWTO for installing and using OpenLDAP.

The book begins with a quick note that the target audience is those wishing to install and configure OpenLDAP, and not those that wish to delve into the intricacies of LDAP architecture. Unfortunately, Jackiewicz delivers on this promise. While I didn't expect the book to provide me with a guide on enterprise-level LDAP deployment, I had hoped to see more focus placed on design, but that wasn't forthcoming.

The first chapter, "Accessing Your Environment," is a moderately good review of how to identify key elements of your company that are appropriate for inclusion in a directory service. In addition, Jackiewicz makes a clear case that an LDAP directory is not a relational database -- so don't try to replace Oracle with OpenLDAP. A very good point.

Chapter 2, "Understanding Data Definitions," provides background information on how schemas are defined. Basically, a schema is just the types of object classes and attributes that your directory supports. Jackiewicz actually does a good job covering customized schemas, which is a troublesome area for new OpenLDAP administrators.

It was in Chapter 3, "Implementing Deployment, Operations, and Administration Strategies," that I was hoping to get some real nuggets of information. Alas, that wasn't forthcoming. The chapter should be renamed to "Where to put your OpenLDAP server on the network, and what to name the server." There are some areas of this chapter that really disappointed me. The most culpable: Jackiewicz spends almost four pages explaining how to come up with a good hostname for your server, and then a brief page on understanding OpenLDAP's log file, and that brief page mostly contains example output. This chapter is also a good example of a bad book layout -- why are we reading about hostname conventions in the same chapter that discusses debug output?

Chapter 4, "Installing OpenLDAP," is a decent HOWTO for installing OpenLDAP. It also provides several manpages in case you accidentally deleted the 'man' command on your own system.

Chapter 5, "Implementing OpenLDAP," is kind of the "catch all" chapter. Jackiewicz discusses how to decide on hardware, but his examples aren't very clear. One of the real gems of the book is his discussion on SASL and OpenLDAP. In addition, there is a reasonable discussion of replication between OpenLDAP servers. Alas, there is almost no troubleshooting on replication, and replication does hiccup at times. (Indeed, this book contains essentially no help in troubleshooting any problems.) Another sore point: Jackiewicz only provides a single paragraph on access control (i.e., OpenLDAP ACLs). That topic alone deserves its own chapter.

Because Jackiewicz had specifically stated that this book's scope was quite narrow I would typically be more lenient. However, Chapter 6, "Scripting and Programming LDAP," consumes sixty pages that are immediately outside the book's scope. I would prefer to see this chapter removed entirely, and the sixty pages devoted to a chapter on troubleshooting OpenLDAP and deciphering slapd's debug log file, and perhaps another chapter on designing a scalable replication infrastructure using OpenLDAP. Unfortunately, what we get is essentially sixty pages of manpages and documentation labeled as "Scripting and Programming LDAP."

Jackiewicz closes the book with Chapter 7, "Integrating at the System Level," and Chapter 8, "Integrating OpenLDAP with Applications, User Systems, and Client Tools."

Chapter 7 discusses how to replace "old technology," such as NIS and Sendmail alias files, with LDAP. Not a bad chapter, although Jackiewicz continues to delve too far into man-page material. Chapter 8 provides examples of using LDAP in Apache, Pine, Samba, and various other types of clients.

Overall, I would say that I left this book with little new information. People that are just now installing OpenLDAP may find the book beneficial, but I really didn't see any material that stood out. My personal belief is that this "Deploying OpenLDAP" needs to provide far more troubleshooting and example deployment scenarios and less regurgitation of manpages and HOWTOs.


  • by njcajun ( 588891 ) on Monday March 14, 2005 @04:40PM (#11936235) Homepage
    I love the publisher, but I HATE this book. This book covers nothing new, and covers what has been covered ad nauseam poorly, and in such a way as to do a disservice to the reader. The book makes assertions that are completely incorrect, misleading, false, and many other very negative words. For just one highly simplistic example: Tom, LDAP is NOT a database. Gerald Carter's "LDAP System Administration" is a better intro to OpenLDAP, though not a great primer on higher-level LDAP concepts. For that, you need "Understanding and Deploying LDAP Directories": the bible of LDAP. Novell keeps lots of good docs on LDAP lying around, and if you need more on OpenLDAP, there are also some docs on my website. I REPEAT: STAY AWAY FROM THIS "book".
  • ldapsh (Score:5, Informative)

    by oneiros27 ( 46144 ) on Monday March 14, 2005 @04:59PM (#11936473) Homepage
    I'd highly recommend that anyone who has to administer LDAP (that's Lightweight Directory Access Protocol, for those who don't use it. [aka NetInfo Services for the mac, or Active Directory for windows]), especially if it's on systems that have tight ACIs for admin rights to look into ldapsh [mayalane.com], which lets you walk the tree using cd, and use vi to edit records.
  • by chronicon ( 625367 ) on Monday March 14, 2005 @05:15PM (#11936672) Homepage
    Samba-3 By Example [samba.org] has some useful information on implementing LDAP. Available in dead tree and .pdf format.

    Also, The Samba/LDAP How-To using Samba v. 3 [k12.me.us] by David Trask may be helpful to you as well.

    Finally, while I have not reviewed this one it sounds like what you are searching for: LDAP System Administration [oreilly.com] from O'Reilly.

    Happy authenticating!

  • Re:ldapsh (Score:2, Informative)

    by TheGuapo ( 864659 ) on Monday March 14, 2005 @05:25PM (#11936781)
    Or for a graphical interface, try the ldapbrowser. http://www-unix.mcs.anl.gov/~gawor/ldap/ [anl.gov]
  • Missed opportunity (Score:2, Informative)

    by iksrazal_br ( 614172 ) on Monday March 14, 2005 @05:39PM (#11936963) Homepage
    Too bad about the book, I'm in the market. I've used OpenLDAP for the last 1 1/2 years as a programmer and administrator. I struggled a lot and Google only helped so far. What I would like to see is an OpenLDAP book that:

    1) Has a good explanation of how to implement InetOrgPerson, including userCertificate;binary and digital certificates.

    2) Explains ACL's in depth, particular to OpenLDAP.

    3) Cover some of the schemas, such as java.schema for storing serialized java objects like Strings and HashMaps. I never did get a Java X509CertStore to work.

    4) Tuning and performance.

    5) How to migrate a DB with a basic USER table to OpenLDAP, and the advantages/disadvantages for doing so.

    6) Explain SSL and Kerberos authentication.

    I'd buy a book that explained half of that.

    iksrazal

  • Re:OpenLDAP Schemas? (Score:1, Informative)

    by Anonymous Coward on Monday March 14, 2005 @05:52PM (#11937124)
    To get information on what schema elements (objectclasses and attributes) with syntactic rules and dependencies, you can either login to your server running slapd and start reading *.schema, or you can use some gui-tool like Luma or GQ. Both these and possibly other tools have a schema browser.


    Proprietary implementations like Oracle Internet Directory and Sun Java Directory Server among others have their own java gui to browse and edit schema elements as they store this information inside the ldap database and not in flat files like OpenLDAP.


    As for writing your own schemas, specifically for use with OpenLDAP, I suggest looking at
    http://www.openldap.org/doc/admin22/schema.html#Extending%20Schema
    and http://cvs.sourceforge.net/viewcvs.py/gnomis/norEdu/norEduPerson.schema?rev=1.3
    and see how they make use of ObjectIdentifier for increased readability of OID numbers in attributes and objectclasses.

  • by tjackiewicz ( 867732 ) on Monday March 14, 2005 @06:31PM (#11937619)
    There are various improvements that could be made to this book and I appreciate some of the comments that are being made. As a whole, I think that I did a good job with the theory but could do better in expanding some of the sections and removing areas perceived as filler. In the programming section, which was put together with significant help from Lane Davis, who was responsible for the C section, we could expand into some realistic do's and don'ts and more commentary on the code itself. On rehashing man pages, various parameters were explained and then used in subsequent sections. Additional commentary was given to explain their meaning. But I see how it doesn't give the best first impression if that's what someone flipped to first. Regardless, it's nice when reading them in the restroom away from a terminal ;) They didn't take up a significant portion of any of the sections. For any errors, I think the point got across and I still think the bulk of the book is a useful guide.
  • by shancock ( 89482 ) * on Monday March 14, 2005 @09:28PM (#11939397)
    MS has for free downloading their wonderful book on LDAP: Windows_Security_and_Directory_Services_for_UNIX.zip
    (a large pdf file inside the zip)
    Search for the title on MS Downloads site. This is a very good book that covers the Unix side of LDAP as well as it does their AD implementation of LDAP.

    This is one area that MS got right. They started with open standards and then enhanced it for their servers, while keeping full access to Unix servers. I have no problem with this. We want LDAP mostly so we can interoperate with Windows servers. Without this crucial piece we would not be able to get Linux servers in the door of most of our clients.
  • by Anonymous Coward on Monday March 14, 2005 @09:53PM (#11939565)
    OUs work great for healthcare.

    corporate office -> many hospitals -> many clinics & doctors offices / users on local network

    It's useful depth :)

    A shallow OU for us would be a nightmare
