Deploying OpenLDAP 117
Deploying OpenLDAP | |
author | Tom Jackiewicz |
pages | 344 |
publisher | Apress |
rating | 5 |
reviewer | Dustin Puryear |
ISBN | 1590594134 |
summary | HOWTO for installing and using OpenLDAP. |
The book begins with a quick note that the target audience is those wishing to install and configure OpenLDAP, and not those that wish to delve into the intricacies of LDAP architecture. Unfortunately, Jackiewics delivers on this promise. While I didn't expect the book to provide me with a guide on enterprise-level LDAP deployment, I had hoped to see more focus placed on design, but that wasn't forthcoming.
The first chapter, "Accessing Your Environment," is a moderately good review of how to identify key elements of your company that are appropriate for inclusion in a directory service. In addition, Jackiewics makes a clear case that an LDAP directory is not a relational database -- so don't try to replace Oracle with OpenLDAP. A very good point.
Chapter 2, "Understanding Data Definitions," provides background information on how schemas are defined. Basically, a schema is just the types of object classes and attributes that your directory supports. Jackiewics actually does a good job covering customized schemas, which is a troublesome area for new OpenLDAP administrators.
It was in Chapter 3, "Implementing Deployment, Operations, and Administration Strategies," that I was hoping to get some real nuggets of information. Alas, that wasn't forthcoming. The chapter should be renamed to "Where to put your OpenLDAP server on the network, and what to name the server." There are some areas of this chapter that really disappointed me. The most culpable: Jackiewics spends almost four pages explaining how to come up with a good hostname for your server, and then a brief page on understanding OpenLDAP's log file, and that brief page mostly contains example output. This chapter is also a good example of a bad book layout -- why are we reading about hostname conventions in the same chapter that discusses debug output?
Chapter 4, "Installing OpenLDAP," is a decent HOWTO for installing OpenLDAP. It also provides several manpages in case you accidentally deleted the 'man' command on your own system.
Chapter 5, "Implementing OpenLDAP," is kind of the "catch all" chapter. Jackiewics discusses how to decide on hardware, but his examples aren't very clear. One of the real gems of the book is his discussion on SASL and OpenLDAP. In addition, there is a reasonable discussion of replication between OpenLDAP servers. Alas, there is almost no troubleshooting on replication, and replication does hiccup at times. (Indeed, this book contains essentially no help in troubleshooting any problems.) Another sore point: Jackiewics only provides a single paragraph on access control (i.e., OpenLDAP ACLs). That topic alone deserves its own chapter.
Because Jackiewics had specifically stated that this book's scope was quite narrow I would typically be more lenient. However, Chapter 6, "Scripting and Programming LDAP," consumes sixty pages that are immediately outside the book's scope. I would prefer to see this chapter removed entirely, and the sixty pages devoted to a chapter on troubleshooting OpenLDAP and deciphering slapd's debug log file, and perhaps another chapter on designing a scalable replication infrastructure using OpenLDAP. Unfortunately, what we get is essentially sixty pages of manpages and documentation labeled as "Scripting and Programming LDAP."
Jackiewics closes the book with Chapter 7, "Integrating at the System Level," and Chapter 8, "Integrating OpenLDAP with Applications, User Systems, and Client Tools."
Chapter 7 discusses how to replace "old technology," such as NIS and Sendmail alias files, with LDAP. Not a bad chapter, although Jackiewics continues to delve too far into man-page material. Chapter 8 provides examples of using LDAP in Apache, Pine, Samba, and various other types of clients.Overall, I would say that I left this book with little new information. People that are just now installing OpenLDAP may find the book beneficial, but I really didn't see any material that stood out. My personal belief is that this "Deploying OpenLDAP" needs to provide far more troubleshooting and example deployment scenarios and less regurgitation of manpages and HOWTOs.
You can purchase Deploying OpenLDAP from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Chapter title based review (Score:5, Insightful)
What a surprise. I would have expected each of these substantial areas to have their own individual chapters on strategy.
Re:Can somebody answer this (Score:5, Insightful)
There are many books available that cover this topic. From this review, I would skip this particular book.
Good things about this book (Score:1, Insightful)
Re:Can somebody answer this (Score:4, Insightful)
Note, however, that some directory servers do not perform well or scale very well to larger systems, and therefore they often recommend that you break up the DIT so you can spread it across multiple systems in order to handle the necessary load. If you're in a situation where this might be necessary, then perhaps it's a better idea to look at a directory that can scale.
Re:You can spot trolling ACs... (Score:4, Insightful)
I hope you never write an article about a piece of GNU software. Better start expanding that one now.
Re:Disgustingly Bad Book (Score:0, Insightful)
Re:Disgustingly Bad Book (Score:2, Insightful)
My problems with ldap:
1. Why do you have to buy a 'commercial' product (no not MS - but say IBM (domino),Novell (nds))
2. or Enterprise Linux?
Please do not get me wrong
1. Writing ldif files is easy
2. Ldap (i assume is easy) but only if you have done it before
Openldap still appears to be a 'priesthood' occult.
Re:Disgustingly Bad Book (Score:1, Insightful)
It's not going to be usefull for a web/file/print server unless they are part of a wider sceme.
It's for managing large amounts of desktop users (as in Microsoft's LDAP service (aka Active Directory)), and user information, which isn't something you see very often with Linux deployments.. yet.
Re:Can somebody answer this (Score:3, Insightful)
Microsoft Won (Score:5, Insightful)
If ldap had any documentation for how it would be used, there would be stunning amazing products to pound the living tar out of Active Directory. Unfortunately for free software and whatever author-should-be that never decided to get rich, no one has stepped up to the plate.
There is no more pressing need. Period. At all. Directory services are absolutely vital to absolutely everyone.
I've been pissed off over this for years. I got the whole LDAP+Kerberos+PAM+every service known to man thing working but could not for the life of me figure out how to build an ldap infrastructure to manage it. Albiet I was so tired of the whole project by the time I got there I didnt have much patience (and all too many other projects).
Basically RedHat and Novell exist based on making people pay for their proprietary directory services. I realize cutting them out could be concieved of as a bad thing, but I'm sure they can adapt. On the other hand, Microsoft will finally have gained a sincere challenger.
Myren
In reality (Score:2, Insightful)
Re:Microsoft Won (Score:5, Insightful)
First off, and FYI, AD is LDAP+Kerberos. "It has nothing to do with LDAP in general"
MS domination of the desktop is because of services like Active Directory, not the other way around. Windows would be nowhere if evolution ended at shared folders. You yourself state "In order to have a well managed windows based network you need AD," which is exactly my point. To have a well managed network you need directory services. No directory services, no prayer, no desktop domination.
Which brings me back to my point; its a joke to think of people trying to promote Linux to buisness or consumers when there's no directory services and no docs for how design them should you be dumb enough to try building them yourself. There's docs for how to build them (as in,
Myren
Re:Can somebody answer this (Score:2, Insightful)
Yes, this was on real LDAP- SUN and Netscape.
The 10 million was for a very large ISP (as was the 8 million). They had similiar setups-- ou=isp, ou=people, ou=companies, ou=administrators. Again, worked great.
One mistake people make in LDAP is to make it look like an organization chart-- big mistake. Use your attributes to create context and you'll be fine. Just keep your entry small.
Again, not a replication nightmare at all, its actually the opposite that's true-- the more complex the tree, the harder replication is to complete and index properly.
Re:Microsoft Won (Score:3, Insightful)
I've done a study for the company I work for now, to help make a choice between directory services (Free Software/Open Source, Novell OES, Microsoft AD). I have also implemented the OpenLDAP/Kerberos/PAM/... platform in the past.
I saw the problems. You are right with the fact that nowadays, there is still a lack of administrative tools. That is the only lack, though a big one.
Vendors like Red Hat are taking care of that right now, they will have a solution soon, and Novell already has one.
With the rest I disagree. Saying that AD is LDAP+Kerberos is misleading at best. Yes it is based on these, but these it is not. It is not even LDAPv3 compliant, try switching the directory for a LDAPv3 compliant one (actually you can't). Their Kerberos implementation is not standard either, you can not mix.
I would say that without MS domination of the desktop, AD would not even have been possible. I say that because of the administration tools. With an Open solution, if you have only Linux desktops, you have 80 % of your admin tools centralized (perhaps even 90 %), but when you start putting Windows desktops, the admin tools plummet to 40 %, and you need a LOT of development to bring the level of centralized admin tools to 100 %. You need tools to manage rights delegation, centralised filesystem rights tuning for users, centralised printers administration,
And when you provide directory services, you MUST be able to cope with every client. The sole exception is Microsoft. Microsoft AD virtually only support Windows desktops, and they can get away with it, because of their monopoly. Because if you try to admin Linux desktops with AD, you are toast, AD is far worse than anything else on this.
As for the docs on enterprise scale ldap solution, I agree there is no dedicated book to build one, but that is because of the Windows desktops monopoly. Knowing that, you think Samba, and look in the Samba books (on their site), you will find such deployments help, with hints (but not solutions) on how to administer such a deployment. See the problem ? Samba is essential because of the Windows desktops.
To end this post, not every company need directory services, it is very specialized and need professional admins to build, and maintain the solution. I've not even started on meta directory services (but I do not know what MMS can do, so I will not be objective).