Deploying OpenLDAP
The book begins with a quick note that the target audience is those wishing to install and configure OpenLDAP, and not those that wish to delve into the intricacies of LDAP architecture. Unfortunately, Jackiewicz delivers on this promise. While I didn't expect the book to provide me with a guide on enterprise-level LDAP deployment, I had hoped to see more focus placed on design, but that wasn't forthcoming.
The first chapter, "Assessing Your Environment," is a moderately good review of how to identify key elements of your company that are appropriate for inclusion in a directory service. In addition, Jackiewicz makes a clear case that an LDAP directory is not a relational database -- so don't try to replace Oracle with OpenLDAP. A very good point.
Chapter 2, "Understanding Data Definitions," provides background information on how schemas are defined. Basically, a schema is just the types of object classes and attributes that your directory supports. Jackiewicz actually does a good job covering customized schemas, which is a troublesome area for new OpenLDAP administrators.
It was in Chapter 3, "Implementing Deployment, Operations, and Administration Strategies," that I was hoping to get some real nuggets of information. Alas, that wasn't forthcoming. The chapter should be renamed to "Where to put your OpenLDAP server on the network, and what to name the server." There are some areas of this chapter that really disappointed me. The most culpable: Jackiewicz spends almost four pages explaining how to come up with a good hostname for your server, and then a brief page on understanding OpenLDAP's log file, and that brief page mostly contains example output. This chapter is also a good example of a bad book layout -- why are we reading about hostname conventions in the same chapter that discusses debug output?
Chapter 4, "Installing OpenLDAP," is a decent HOWTO for installing OpenLDAP. It also provides several manpages in case you accidentally deleted the 'man' command on your own system.
Chapter 5, "Implementing OpenLDAP," is kind of the "catch all" chapter. Jackiewicz discusses how to decide on hardware, but his examples aren't very clear. One of the real gems of the book is his discussion on SASL and OpenLDAP. In addition, there is a reasonable discussion of replication between OpenLDAP servers. Alas, there is almost no troubleshooting on replication, and replication does hiccup at times. (Indeed, this book contains essentially no help in troubleshooting any problems.) Another sore point: Jackiewicz only provides a single paragraph on access control (i.e., OpenLDAP ACLs). That topic alone deserves its own chapter.
Because Jackiewicz had specifically stated that this book's scope was quite narrow, I would typically be more lenient. However, Chapter 6, "Scripting and Programming LDAP," consumes sixty pages that are immediately outside the book's scope. I would prefer to see this chapter removed entirely, and the sixty pages devoted to a chapter on troubleshooting OpenLDAP and deciphering slapd's debug log file, and perhaps another chapter on designing a scalable replication infrastructure using OpenLDAP. Unfortunately, what we get is essentially sixty pages of manpages and documentation labeled as "Scripting and Programming LDAP."
Jackiewicz closes the book with Chapter 7, "Integrating at the System Level," and Chapter 8, "Integrating OpenLDAP with Applications, User Systems, and Client Tools."
Chapter 7 discusses how to replace "old technology," such as NIS and Sendmail alias files, with LDAP. Not a bad chapter, although Jackiewicz continues to delve too far into man-page material. Chapter 8 provides examples of using LDAP in Apache, Pine, Samba, and various other types of clients.
Overall, I would say that I left this book with little new information. People that are just now installing OpenLDAP may find the book beneficial, but I really didn't see any material that stood out. My personal belief is that "Deploying OpenLDAP" needs to provide far more troubleshooting and example deployment scenarios and less regurgitation of manpages and HOWTOs.
You can purchase Deploying OpenLDAP from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Whenever I've looked into LDAP, all the tutorials seem to revolve around organising things into geographical locations. This just seems backward to me, and I can't believe for a second that this is how you are meant to use LDAP. Is this really the case, and if not, can anybody suggest some good learning material that doesn't set things up this way?
It was in Chapter 3, "Implementing Deployment, Operations, and Administration Strategies," that I was hoping to get some real nuggets of information. Alas, that wasn't forthcoming
What a surprise. I would have expected each of these substantial areas to have their own individual chapters on strategy.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
Are there any books on this? I have no problem setting up OpenLDAP (the docs are pretty clear) but am not in a position to use it in anger because I don't have the benefit of learning from other peoples high level mistakes. Access Control is the biggest question mark for me.
I love the publisher, but I HATE this book. This book covers nothing new, and covers what has been covered ad nauseam poorly, and in such a way as to do a disservice to the reader. The book makes assertions that are completely incorrect, misleading, false, and many other very negative words. For just one highly simplistic example: Tom, LDAP is NOT a database. Gerald Carter's "LDAP System Administration" is a better intro to OpenLDAP, though not a great primer on higher-level LDAP concepts. For that, you need "Understanding and Deploying LDAP Directories": the bible of LDAP. Novell keeps lots of good docs on LDAP lying around, and if you need more on OpenLDAP, there are also some docs on my website. I REPEAT: STAY AWAY FROM THIS "book".
Visit my blog http://www.protocolostomy.com
when he enjoys touting obscure acronyms like LDAP 30 times without mentioning what it means even once.
It covers more recent RFC's that are typically not even mentioned in other references. It also covers both commercial and open source solutions to problems of scaling, standards, and interoperability. Also, this is a fast paced book and covers in just a few pages what other books fill with useless garbage and repetition.
Thanks for the frank review!
Sounds like the book could be replaced with a few google searches.
Do you have any recommendations for a good dead tree on OpenLDAP? I'm getting ready to do a small installation and would be very interested in an intermediate reference work/howto/security and troubleshooting book.
...when they can't even visit Google and click on any of the first few results, which immediately explain what LDAP is.
Uh, are you expecting Slashdot to get /.'d?
If we can't see the original post, we can't see your "mirror" either.
A very cruel joke on us indeed...
Judging by the reviewer's comments it sounds like he's in a position to make a better book! And judging by the comments on this article, sounds like it's needed.
Go for it!
That'd be one hell of a 'woopsies!'
-Rick
I'd highly recommend that anyone who has to administer LDAP (that's Lightweight Directory Access Protocol, for those who don't use it. [aka NetInfo Services for the mac, or Active Directory for windows]), especially if it's on systems that have tight ACIs for admin rights to look into ldapsh, which lets you walk the tree using cd, and use vi to edit records.
Build it, and they will come^Hplain.
nis++
A Pirate and a Puritan look the same on a balance sheet.
Also, given that this isn't a great book, are there any recommendations for guides on implementing SASL + OpenLDAP out there? Again, I am specifically looking for OpenLDAP + SASL + Kerberos. And pushing even further, any good guides to using Mac OS X as a Kerberos / OpenLDAP client. (Yes, I know OS X Server does a lot of the work for you, but I'm cheap and want to set it up on my own.)
Taft
Time to turn in that "geek" card? Huh? ;P LDAP is only the most happeningest approach to directories this side of the dead tree yellow pages! ;P
Laugh, it's funny!
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I've been through the configuration and installation from source of OpenLDAP several times. It's pretty straightforward. Where I run into trouble is the schemas. It's incredibly hard to find EASY-TO-UNDERSTAND docs on schemas. I've glanced at the RFCs, but they are too atomic for my needs. The two main things that I think any beginner needs to know with LDAP are:
1. What are the existing default Classes and attributes in OpenLDAP?
2. How do you add your own custom classes and attributes?
My most recent experience was last week when I installed OpenLDAP on my workstation to try and test some things. I got as far as putting in a single username within my DC tree, but I hadn't a clue what other attributes that Class had. I guessed at trying to do:
mail:
e-mail:
inet:
internet:
None of those worked. (My main experience with LDAP is Sun's implementation in the iPlanet products where they use 'mail' as an attribute of the Person class.)
It's also been my experience that many of these books get outdated quickly, so I really don't bother reading or buying books anymore. I mostly rely on online documentation which tends to be better overall. However, there does seem to be a dearth of LDAP documentation. What to do?
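The attribute-guessing problem in the post above (trying mail:, e-mail:, inet:, internet: and not knowing which ones the object class allows) is exactly what a schema check answers. The following is an added example, not code from the book or from anyone in this thread: it carries a hand-copied subset of the standard object class definitions OpenLDAP ships (person and organizationalPerson from RFC 2256, inetOrgPerson from RFC 2798, which is where 'mail' comes from) and reports which attributes in a constructed LDIF file are not allowed by the entry's object classes and which MUST attributes are missing. The SCHEMA table, the LDIF entries and all DNs are constructed for the example; a real tool would read the definitions from the server's cn=Subschema entry instead.

```python
"""Check LDIF entries against the attributes their object classes allow.

Added example, not from the review or the comment above.  SCHEMA is a
hand-copied subset of the standard definitions OpenLDAP ships in core.schema
and inetorgperson.schema (RFC 2256 person / organizationalPerson, RFC 2798
inetOrgPerson); a real tool would read them from the server's cn=Subschema
entry.  The LDIF entries below are constructed sample data.
"""
import base64
from typing import Dict, List, Set, Tuple

# objectClass -> (superior class, MUST attributes, MAY attributes); subset only.
SCHEMA: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "top": ("", {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(),
        {"title", "ou", "l", "st", "street", "postalCode", "postalAddress",
         "physicalDeliveryOfficeName", "facsimileTelephoneNumber"}),
    "inetOrgPerson": ("organizationalPerson", set(),
        {"mail", "uid", "givenName", "displayName", "mobile", "homePhone",
         "manager", "departmentNumber", "employeeNumber", "employeeType",
         "jpegPhoto", "userCertificate", "labeledURI", "roomNumber"}),
}

# Constructed LDIF: alice uses a guessed attribute name, bob the schema's 'mail'.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
e-mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
mail: bob@example.com
"""


def allowed_attributes(object_classes: List[str]) -> Tuple[Set[str], Set[str]]:
    """Collect MUST and MAY attributes (lower-cased) across the whole superior
    chain: inetOrgPerson inherits sn/cn from person, for instance."""
    lc_schema = {name.lower(): spec for name, spec in SCHEMA.items()}
    must: Set[str] = set()
    may: Set[str] = set()
    todo = [oc.lower() for oc in object_classes]
    seen: Set[str] = set()
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        if name not in lc_schema:
            raise KeyError(f"objectClass {name!r} is not in the schema subset")
        sup, oc_must, oc_may = lc_schema[name]
        must |= {a.lower() for a in oc_must}
        may |= {a.lower() for a in oc_may}
        if sup:
            todo.append(sup.lower())
    return must, may


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, skips comments,
    decodes '::' base64 values and keys each entry by lower-cased attribute."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_entry(entry: Dict[str, List[str]]) -> Dict[str, object]:
    """Report attributes that no listed objectClass allows and MUST attributes
    that are absent.  Options such as 'userCertificate;binary' are compared
    on the base attribute name."""
    must, may = allowed_attributes(entry.get("objectclass", []))
    present = {name.split(";")[0] for name in entry if name != "dn"}
    return {
        "dn": entry["dn"][0],
        "unknown": sorted(present - must - may),
        "missing": sorted(must - present),
    }


if __name__ == "__main__":
    for report in (check_entry(e) for e in parse_ldif(SAMPLE_LDIF)):
        print(report)
```

Running it flags 'e-mail' on alice's entry as unknown and accepts bob's 'mail', which is the answer to question 1 in the post: the attribute names come from the object classes (and their superiors) the entry lists, not from the DC tree it sits in. Adding a custom class (question 2) means extending the table, which is what an extra schema file does on the server side.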
By Carter - It's a bit thin - ideal if you're a member of the ldap priesthood. OK for syntax.
Send Peter Clifford Francis Macrae comdoms to 23 Bedford St, St.Neots, PE19 1AX, England
Domino is not the thing to get from IBM for LDAP. It drags along a ton of non-LDAP stuff.
From IBM, you should go for the Tivoli Directory Server.
It is a full function DB2-based directory server. Best of all, you can download it FOR FREE.
1) Has a good explanation of how to implement InetOrgPerson, including userCertificate;binary and digital certificates.
2) Explains ACLs in depth, particular to OpenLDAP.
3) Covers some of the schemas, such as java.schema for storing serialized java objects like Strings and HashMaps. I never did get a Java X509CertStore to work.
4) Tuning and performance.
5) How to migrate a DB with a basic USER table to OpenLDAP, and the advantages/disadvantages for doing so.
6) Explains SSL and Kerberos authentication.
I'd buy a book that explained half of that.
iksrazal
It also provides several manpages in case you accidentally deleted the 'man' command on your own system.
I hate that! Or the book just has the same info as a reference doc on a webpage with some names changed.
I partly blame that on the need for books to double as anchors in case you're out at sea. They need to cover everything and its brother, and since no one can write that much they end up lifting online docs. Why are there 700+ computer books out there? If it is so complex, make two books out of it. I would rather pay more money for something that is concise and presents a new perspective.
I used to look at books as an expense, ie "this book is $50!!!" Now I look at them as time savers. If I can get one thing out of a book that saves me a couple hours of poking around online then my $50 was well spent.
BTW link returns a 404 ?the /.ers strike again?
Do i need to login? - it's the reason I hate all IBM websites.
I'd love to do it myself in openldap - after all its only text files put through a parser to a bdb
Be careful with this however. Because it is DB2 backed, modifying the expected object schema is a bit of a pain. Netscape's LDAP and OpenLDAP are better in this regard.
If you have no need to change the schema and are comfortable with DB2 admin issues, go ahead and look at this. It really didn't work well where I used to be (as a replacement for the old Netscape LDAP) and was being removed.
There's two primary differences between AD design and conventional LDAP directory designs.
While AD is extensible and you can use it in nearly any instance where you could use a "standard" LDAP directory, it's designed for a corporate network. The basic structure, client access, and replication topology of AD is meant to serve this end. It's less flexible, but it works really well.
AD was created in 2000, when broadband and otherwise high speed connections were quickly becoming commonplace between company offices. Because of this, AD pretty much replicates the entire database to any of the other DCs in the domain. There's not much in the way of partitioning. While this would be a nightmare in the days of 56K lines being the strongest, or dial-up, nowadays it's not all that bad. And you end up with a fully functional database in each location, if you need one. In this way, it's much easier to organize AD into logical groups instead of geographical groups.
At my company, AD is designed first by IT policy-user type/Security policy, then by geographic region.
On the other hand, LDAP itself has been around for quite some time and many conventional practices involve partitioning off the database into replicas only necessary for each site. While this makes good sense for the most part, it also complicates things. Most LDAP admins would never imagine replicating the entire directory out to each site, and maybe I wouldn't either - but with Active Directory it works because it assumes faster links, and it's right, in the year 2005.
If I were to design a corporate directory with OpenLDAP, I'd probably model some of the design after a typical corporate AD setup.
- It's not the Macs I hate. It's Digg users. -
I really think the absolute VOID of good practical LDAP books is why microsoft is winning.
If ldap had any documentation for how it would be used, there would be stunning amazing products to pound the living tar out of Active Directory. Unfortunately for free software and whatever author-should-be that never decided to get rich, no one has stepped up to the plate.
There is no more pressing need. Period. At all. Directory services are absolutely vital to absolutely everyone.
I've been pissed off over this for years. I got the whole LDAP+Kerberos+PAM+every service known to man thing working but could not for the life of me figure out how to build an ldap infrastructure to manage it. Albeit I was so tired of the whole project by the time I got there I didn't have much patience (and all too many other projects).
Basically RedHat and Novell exist based on making people pay for their proprietary directory services. I realize cutting them out could be conceived of as a bad thing, but I'm sure they can adapt. On the other hand, Microsoft will finally have gained a sincere challenger.
Myren
In reality this book is meant to be for LDAP beginners and Tom does make that clear. I believe the book was actually originally written as a college text, which further strengthens the point that it is geared for a beginner. Having an actual paperback book on man pages and scripting examples is probably one of the most lacking pieces of documentation around for LDAP. The only good docs I've found on Net::LDAP and even the php libraries are only the authors' api docs. The truth is you need scripting examples to get good at managing LDAP.
obligatory link to a book on amazon:
Understanding and Deploying LDAP Directory services:
http://www.amazon.com/exec/obidos/tg/detail/-/0672323168/qid=1110838872/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/002-0439029-3995207?v=glance&s=books&n=507846
A good book.
Sorry posted before I was finished.
You can download and use it for free. Only if you want support do you have to pay. It's also included with other IBM middleware such as WebSphere.
On the linked page there's also a link to an IBM redbook that has a few initial chapters on LDAP. Again this is free for the download.
MY BAD. I somehow messed up the URL.
HERE IT IS.
One thing I really like on negative reviews is a recommendation of an alternative.
MS has for free downloading their wonderful book on LDAP: Windows_Security_and_Directory_Services_for_UNIX.zip
(a large pdf file inside the zip)
Search for the title on MS Downloads site. This is a very good book that covers the Unix side of LDAP as well as it does their AD implementation of LDAP.
This is one area that MS got right. They started with open standards and then enhanced it for their servers, while keeping full access to Unix servers. I have no problem with this. We want LDAP mostly so we can interoperate with window servers. Without this crucial piece we would not be able to get Linux servers in the door of most of our clients.
Not necessarily. Though it's common to do this, you can organise LDAP differently. Another way a lot of companies do things is via company departments and divisions. It really all depends on what is most flexible for your company.
I guess that many books on LDAP just assume that you are part of a multinational company and use this as an example.
XML is like violence. If it doesn't solve the problem, use more.
Does anyone know of a decent/usable OSS LDAP browser that includes schema/template editing? I'm using a closed source Java LDAP browser which barely works, but haven't found anything else even comparable yet.
LRC, the best-read libertarian site on the web
Sorry to hear about this book. However:
LDAP Programming, Management, and Integration by Clayton Donley
is an excellent book on the basics of how LDAP works and how to set up LDAP services.
I have a vague understanding of what OpenLDAP is. I have a network with 150 users using central samba server as a primary domain controller. what benefits would I have with openldap that I don't have now?
Does the name Pavlov ring a bell?
I have managed a large corporate LDAP implementation which has around 120,000 people in a flat branch of the tree. I have tested this to a million and have seen real world implementation with similar numbers.
Branches of trees should be used for your replication design and security model, they were very important as search bases in X500 but much less so in a typical LDAP directory.
Consider an organisation which has people in multiple countries. It is just as efficient to run a search from the base of people and search on country name as to set the base as countryname and search for all people (assuming countryname is indexed).
However, moving objects in LDAP is painful and complex. So with a flat tree you would simply rename the countryname attribute; in the deep tree model you would effectively have to delete and recreate the entry to move it (some servers are better than others, but all do this with less than optimal efficiency).
You can still restrict your applications' access to one country, either by using a filter in the ACL or using an LDAP proxy (SUN now give one away with their very useful Directory Server).
As for replication, on some servers you can do filtered or fractional replication which can improve the efficiency of this process by allowing only certain parts through; often this is more efficient than being forced to use a replication structure by your tree (which is very hard to change once your service is established).
The sad thing from a replication point of view is that when SUN brought out DS 5+ we lost the client request and timed replication; this certainly had its uses when you wanted to push updates out at specific times. As Red Hat have the code now I hope this is one feature they retain in their offering.
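The flat-tree argument in the post above can be tried out without a server. The block below is an added example, not code from the poster or from any directory product: it models a tiny in-memory directory with LDAP-style DN handling and shows three of the points made above, namely that a country filter under a single ou=people base returns the same people as a per-country search base does in a deep tree, that moving someone between countries in the flat tree is a plain attribute modify while in the deep tree the DN itself changes, and that an application can be confined to one country's entries by a filter on the access rule (modelled on the shape of an slapd "access to ... filter=(c=GB) by ... read" clause). The suffix dc=example,dc=com, all entries, and the application bind DNs cn=payroll-gb and cn=payroll-de are constructed; the DN handling ignores escaped commas, which real DNs may contain.

```python
"""Flat versus deep DIT: scope, filters, moves and a filter-based ACL.

Added example, not from the comment above.  Every DN, entry and bind DN is
constructed; dn_parts() does not handle escaped commas, which real DNs may have.
"""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]
DIT = Dict[str, Entry]
PEOPLE = "ou=people,dc=example,dc=com"
PERSON = {"objectClass": ["inetOrgPerson"]}


def make_flat() -> DIT:
    """Everyone directly under ou=people; the country is an attribute (c)."""
    return {
        PEOPLE: {"objectClass": ["organizationalUnit"], "ou": ["people"]},
        f"uid=alice,{PEOPLE}": {**PERSON, "uid": ["alice"], "c": ["GB"]},
        f"uid=bob,{PEOPLE}": {**PERSON, "uid": ["bob"], "c": ["DE"]},
        f"uid=carol,{PEOPLE}": {**PERSON, "uid": ["carol"], "c": ["GB"]},
    }


def make_deep() -> DIT:
    """One branch per country; an entry's position in the tree encodes it."""
    return {
        PEOPLE: {"objectClass": ["organizationalUnit"], "ou": ["people"]},
        f"c=GB,{PEOPLE}": {"objectClass": ["country"], "c": ["GB"]},
        f"c=DE,{PEOPLE}": {"objectClass": ["country"], "c": ["DE"]},
        f"uid=alice,c=GB,{PEOPLE}": {**PERSON, "uid": ["alice"]},
        f"uid=bob,c=DE,{PEOPLE}": {**PERSON, "uid": ["bob"]},
        f"uid=carol,c=GB,{PEOPLE}": {**PERSON, "uid": ["carol"]},
    }


def dn_parts(dn: str) -> List[str]:
    """Split a DN into RDNs, normalised for comparison (no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",")]


def under(dn: str, base: str) -> bool:
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def scope_matches(dn: str, base: str, scope: str) -> bool:
    d, b = dn_parts(dn), dn_parts(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return under(dn, base)
    raise ValueError(f"unknown scope {scope!r}")


def matches(entry: Entry, filt: Optional[Dict[str, str]]) -> bool:
    """AND of equality assertions, e.g. {'c': 'GB', 'objectClass': 'inetOrgPerson'}."""
    lc = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    return all(v.lower() in lc.get(a.lower(), []) for a, v in (filt or {}).items())


def search(dit: DIT, base: str, scope: str, filt: Optional[Dict[str, str]] = None) -> List[str]:
    return sorted(dn for dn, e in dit.items() if scope_matches(dn, base, scope) and matches(e, filt))


def rdn_value(dn: str) -> str:
    return dn_parts(dn)[0].split("=", 1)[1]


def gb_people_flat(dit: DIT) -> List[str]:
    """Flat tree: one base, the country chosen by filter (so index c)."""
    return [rdn_value(dn) for dn in search(dit, PEOPLE, "sub", {"objectClass": "inetOrgPerson", "c": "GB"})]


def gb_people_deep(dit: DIT) -> List[str]:
    """Deep tree: the country chosen by picking the search base."""
    return [rdn_value(dn) for dn in search(dit, f"c=GB,{PEOPLE}", "sub", {"objectClass": "inetOrgPerson"})]


def move_flat(dit: DIT, uid: str, new_country: str) -> str:
    """A move is one attribute modify; the DN does not change."""
    dn = f"uid={uid},{PEOPLE}"
    dit[dn]["c"] = [new_country]
    return dn


def move_deep(dit: DIT, uid: str, old_country: str, new_country: str) -> str:
    """The DN changes, so the entry is re-parented (modrdn with newSuperior
    where the server supports it, otherwise delete and add)."""
    new_dn = f"uid={uid},c={new_country},{PEOPLE}"
    dit[new_dn] = dit.pop(f"uid={uid},c={old_country},{PEOPLE}")
    return new_dn


# Shaped like:  access to dn.subtree="ou=people,dc=example,dc=com" filter=(c=GB)
#                   by dn.exact="cn=payroll-gb,ou=apps,dc=example,dc=com" read
#                   by * none
ACL = [{"subtree": PEOPLE, "filter": {"c": "GB"},
        "by": {"cn=payroll-gb,ou=apps,dc=example,dc=com": "read"}}]


def access_for(binddn: str, dn: str, entry: Entry) -> str:
    """The first clause whose 'what' part matches decides; nothing matched means none."""
    for clause in ACL:
        if under(dn, clause["subtree"]) and matches(entry, clause["filter"]):
            return clause["by"].get(binddn.lower(), "none")
    return "none"


def readable_by(dit: DIT, binddn: str) -> List[str]:
    return [rdn_value(dn) for dn in sorted(dit) if access_for(binddn, dn, dit[dn]) == "read"]


if __name__ == "__main__":
    flat, deep = make_flat(), make_deep()
    print("GB people, flat:", gb_people_flat(flat), "deep:", gb_people_deep(deep))
    print("payroll-gb sees:", readable_by(flat, "cn=payroll-gb,ou=apps,dc=example,dc=com"))
    move_flat(flat, "bob", "GB")
    print("after bob moves to GB:", readable_by(flat, "cn=payroll-gb,ou=apps,dc=example,dc=com"))
```

The part worth noticing is the interaction between the move and the access rule: after move_flat() the application keyed on filter=(c=GB) sees bob without any ACL change and without bob's DN changing, whereas in the deep layout both the entry's DN and any ACL or replication agreement written in terms of the c=DE branch would need attention.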
If the quality is similar to any other of his Samba books, then this will become one of the best LDAP books.