So at work, I’m filling in an LDAP directory so we can statically map all our computers to IP addresses when we move everything to a new subnet—part of our 5-Year Plan to give everything its own hostname, which will go a long way towards offering some slickness for remote management and such. Unfortunately, our firewall guy has decided to drop out of school after everything’s moved over, which really sucks—though I was worried about how we were going to hire and train someone to maintain this ugly, ugly LDAP setup after I’ve left.
See, the problem is that LDAP (like all hierarchical directories) is a broken way to organize information. Information, like everything else, is rarely strictly hierarchical. Often the user may wish to sort their data into different categorizations. So if you keep all your photos in ~/Images, how do you remember that a photo in there was the inspiration for a paper you wrote and stored in ~/Documents/School/BlahBlahBlah 475? You can add notes to the files, or create symlinks, or whatever, but those are all hacks, and things like Storage go a long way towards addressing this fundamental problem with hierarchical storage systems.
Basically, there may be broad hierarchic tendencies within information, but at some level of detail, particularly the level at which LDAP operates, it makes next to zero sense. For example, it’d be nice to keep all the information about a particular computer in one place. It’d be nice to have MAC address, IP address, warranty information, serial number, etc. all grouped together. Unfortunately the only way to do that in LDAP is to create a whole tree for each item, and then add the extra stuff which uses different objectClasses to sub-items, often with overlapping information. Needless to say, that sucks, since you’ve got the same info with different keys, in multiple places. It’s also extremely aggravating to know that I could do the same thing in a non-suck fashion with redland and apache, using XML-RPC and RDF fragments, if only DHCP, DNS, PAM, and NSS supported it.
So rather than having (as an LDAP directory tree, thanks to ugly objectClass nonsense):
dc=yoursite,dc=org
    ou=Hosts
        dc=somehost.yoursite.org (DNS, has IP address, MX, and hostname aliases)
        cn=somehost.yoursite.org (DHCP & /etc/hosts, has HW Address, IP address, and hostname aliases)
you’d just have a series of:
<somehost.yoursite.org> <#ipaddress> <0.0.0.0>
<somehost.yoursite.org> <#ip6address> <::>
<somehost.yoursite.org> <#macaddress> <00:00:00:00:00:00:00:00>
<somehost.yoursite.org> <#hostalias> <yoursite.org>
<somehost.yoursite.org> <#mxrecord> <mail.yoursite.org>
statements, then do a query on a particular subject, predicate, or object (as you can do with LDAP). It doesn’t suck, and it more properly represents the fact that information is not hierarchical, it is networked. Using RDF/XML, you even have a standardized format for “links” using (IIRC) “rdf:data”—though the server would probably want to dereference these by default.
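To make the triple idea concrete, here is an added example (my own, not code from the post or from redland): a tiny in-memory store loaded with constructed statements shaped like the ones above, queried by any combination of subject, predicate and object, with the /etc/hosts and dhcpd views derived from the same single set of facts and malformed addresses flagged before they reach those consumers. The predicate names, hostnames and address values are constructed placeholders.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


class TripleStore:
    """Minimal in-memory store of (subject, predicate, object) statements."""

    def __init__(self, statements=()):
        self.triples = set(statements)

    def query(self, s=None, p=None, o=None):
        """Match on any combination of subject, predicate, object; None is a wildcard."""
        return sorted(t for t in self.triples
                      if (s is None or t[0] == s)
                      and (p is None or t[1] == p)
                      and (o is None or t[2] == o))


# Constructed sample statements shaped like the post's triples (placeholder values).
SAMPLE = [
    ("somehost.yoursite.org", "#ipaddress", "192.0.2.10"),
    ("somehost.yoursite.org", "#ip6address", "2001:db8::10"),
    ("somehost.yoursite.org", "#macaddress", "00:11:22:33:44:55"),
    ("somehost.yoursite.org", "#hostalias", "yoursite.org"),
    ("somehost.yoursite.org", "#mxrecord", "mail.yoursite.org"),
    ("otherhost.yoursite.org", "#ipaddress", "192.0.2.11"),
    ("otherhost.yoursite.org", "#macaddress", "00:00:00:00:00:00:00:00"),  # deliberately malformed
    ("otherhost.yoursite.org", "#mxrecord", "mail.yoursite.org"),
]


def malformed(p, o):
    """True when an address-valued object is not well-formed for its predicate."""
    if p == "#macaddress":
        return not MAC_RE.match(o)
    if p in ("#ipaddress", "#ip6address"):
        try:
            return ipaddress.ip_address(o).version != (4 if p == "#ipaddress" else 6)
        except ValueError:
            return True
    return False


def problems(store):
    """Statements to fix before any consumer (DHCP, DNS, /etc/hosts) is generated from the store."""
    return [t for t in store.query() if malformed(t[1], t[2])]


def hosts_lines(store):
    """Derive /etc/hosts lines: one consumer's view of the shared facts, aliases included."""
    return [" ".join([ip, host] + [o for _, _, o in store.query(s=host, p="#hostalias")])
            for host, _, ip in store.query(p="#ipaddress")]


def dhcp_stanzas(store):
    """Derive ISC dhcpd host stanzas; only hosts whose MAC and IPv4 address both validate are emitted."""
    out = []
    for host, _, mac in store.query(p="#macaddress"):
        ips = [o for _, _, o in store.query(s=host, p="#ipaddress")]
        if ips and not malformed("#macaddress", mac) and not malformed("#ipaddress", ips[0]):
            out.append(f"host {host} {{ hardware ethernet {mac}; fixed-address {ips[0]}; }}")
    return out
```

Each fact lives once, so fixing the bad MAC in the store fixes every view derived from it; a query such as `query(p="#mxrecord", o="mail.yoursite.org")` answers "which hosts use this mail exchanger" with no tree to walk.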
But it’s also possible I just don’t understand/appreciate LDAP. As my boss noted, it was every sysadmin’s dream to keep all the info you need in one network-accessible place; too bad LDAP makes it a nightmare.