On Deploying OpenLDAP

One of the things I noted about the discussions surrounding “Web 2.0” was the idea that blogs were the next weapon in guerrilla marketing, following the failure of various astroturf campaigns to garner any actual support due to the ease with which they were exposed. The idea is that, whatever the failings of free culture, it is generally an honest discussion, so people trust it, so it obviously must be corrupted with undercover advertising and the crass profit motive.

Following this trend, a kindly PR person at Apress sent me a copy of the book, Deploying OpenLDAP, by Tom Jackiewicz, with the verbal agreement that I post a public review of it.

Like a fool, I said sure, and so am obliged to post the following review…

Firstly, here’s what Deploying OpenLDAP isn’t useful for:

  1. Getting a mixed Win/Mac/Linux environment to use OpenLDAP for authentication.
  2. Helping you integrate OpenLDAP with Samba for a domain controller.
  3. Using OpenLDAP to maintain your DNS data.
  4. Using OpenLDAP to maintain your DHCP data.
  5. Figuring out how you’re going to lay out your DIT—including the RFC way vs. the Apple way vs. the ActiveDirectory way.

All of these are legitimate questions about actually deploying OpenLDAP, but they are also topics the book doesn’t really cover at all, which is a shame.

Here’s what it is useful for:

  1. Understanding exactly what LDAP is.
  2. A tutorial on downloading and installing slapd.
  3. Reading man pages in paperback form.
  4. A quick-n-dirty introduction to the libldap API—oriented towards writing a Perl script to interface with some ugly legacy system.

In other words, it is mostly information you should be able to figure out for yourself by reading the existing man pages, HOWTOs, and online documentation—particularly if you’re tasked with setting up anything as involved as an LDAP directory.

#4 was about the only part that was useful to me personally, and even that would have been redundant if I hadn’t gotten bored of reading about Perl APIs when all I wanted was a sample DIT or some policy I could use as a model when deploying a Samba/OpenLDAP PDC. When I had to reshuffle part of the DIT, I wrote a little C app to do it, remembering parts of that chapter, but that was about it.

Ultimately, it suffers from the same problem as a lot of other broad LDAP documentation: it’s too vague to actually be useful, because “deploying OpenLDAP” is too broad a concept to be adequately explained in one 300-page book.

4 thoughts on “On Deploying OpenLDAP”

  1. Have you come across anything good that documents:

    > 1. Getting a mixed Win/Mac/Linux environment to use OpenLDAP for authentication.
    > 2. Helping you integrate OpenLDAP with Samba for a domain controller.

    be it OpenLDAP or Netscape DS (Sun/Fedora/Red Hat)?

  2. So, the funny thing about that Web 2.0 PR document was that it just reminded me of the late ’90s rush to have a community around your website… all websites had to have some unrelated games, a forum, some downloadable background images, and if you were really with it you set up a chat page with a Java IRC applet on it and free email…

    It didn’t really work, thankfully.

  3. Ryan:

    Mac OS X can be configured to auth users using the “Directory Access” utility (it’s pretty slick, and supports the RFC way, the Apple way, and the ActiveDirectory way), and setting up Samba to use OpenLDAP as a SAM backend for NT domain authentication was pretty simple–just a matter of using their schemas intelligently and keeping your users under a particular DN. We didn’t bother with the OS 9 boxen because they were being phased out anyway. Linux requires libnss-ldap, of course (which is pretty well-documented, IMO). One thing that ended up biting us in the ass was putting the “ldap” entry in nsswitch.conf first on the list—it ends up making INIT go out-to-lunch in a bizarre way, which forced us to boot the PDC (not something that can be offline for a few days while you debug it) off of a LiveCD and run the services when we restarted it for a new kernel, until someone else found the same problem and the lazyweb caught up with the issue.

    Most useful was the official Samba3 HOWTO, and the Samba-OpenLDAP HOWTO. Of course, had I to do it over again, I’d just have set up OpenLDAP as a fake OS X server, so that as my boss slowly converted the office to worshipping at his church, he could have used the variety of OS X admin tools he touted. If you don’t have to migrate an existing domain, that’s a bonus too.
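The nsswitch.conf ordering problem described in the comment above (listing “ldap” before “files”, so that init and early boot stall looking up local accounts while slapd and the network are not yet up) is easy to check for mechanically. The following is an added example, not code from the post, the commenter, or the book: a POSIX shell script that reports databases where ldap is consulted ahead of files and rewrites them so local files come first. It assumes the conventional `database: source source [action]` layout of nsswitch.conf; the sample file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or the book): detect and repair
# nsswitch.conf lines that consult "ldap" before "files".
# Assumption: conventional "db: src1 src2 [ACTION=...] ..." layout.

# Constructed sample nsswitch.conf, with two offending databases.
SAMPLE_NSSWITCH='# /etc/nsswitch.conf (constructed sample)
passwd:     ldap files
group:      files ldap
shadow:     ldap [NOTFOUND=return] files
hosts:      files dns
networks:   files
'

# nss_ldap_first: read nsswitch.conf text on stdin; print the name of each
# database where "ldap" comes before "files" (or where there is no "files"
# fallback at all). Exit status 1 if any were found, 0 otherwise.
nss_ldap_first() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        {
            db = $1; sub(/:$/, "", db)
            ldap_pos = 0; files_pos = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap"  && !ldap_pos)  ldap_pos  = i
                if ($i == "files" && !files_pos) files_pos = i
            }
            if (ldap_pos && (!files_pos || ldap_pos < files_pos)) {
                print db; bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# nss_put_files_first: copy stdin to stdout, moving "files" to the front of
# the source list on every database line where "ldap" precedes it. Comments,
# blank lines and already-correct lines pass through unchanged.
nss_put_files_first() {
    awk '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            ldap_pos = 0; files_pos = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap"  && !ldap_pos)  ldap_pos  = i
                if ($i == "files" && !files_pos) files_pos = i
            }
            if (ldap_pos && files_pos && ldap_pos < files_pos) {
                line = $1 " files"
                for (i = 2; i <= NF; i++) if (i != files_pos) line = line " " $i
                print line
            } else {
                print
            }
        }
    '
}

# Stand-alone run: list the offending databases in the sample, then show
# the rewritten file. For a real host, replace the sample with
# `cat /etc/nsswitch.conf`.
printf '%s' "$SAMPLE_NSSWITCH" | nss_ldap_first \
    || echo "-> ldap consulted before files; rewritten configuration:"
printf '%s' "$SAMPLE_NSSWITCH" | nss_put_files_first
```

Running it against the sample reports `passwd` and `shadow`, and the rewrite turns `passwd: ldap files` into `passwd: files ldap`. Keeping `files` first is what lets root and the service accounts resolve during boot, before slapd is reachable; `[NOTFOUND=return]` style actions are left attached to the source they follow.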

  4. One hopes, but it still reminds me of HR people coming to Netscape and assuming that the thing that made the programmers at Netscape willingly put in 80-hour weeks while on salary was the free pizza and Mt. Dew and winking-and-nodding at goofing off (as opposed to, e.g., everyone being competent at their job and recognizing that the work actually meant something in the fuzzy-kitty, big-picture sense), so if only every company provided free pizza and Mt. Dew and let employees occasionally goof off, everyone would want to put in 80-hour weeks while on salary.

    Really I’m just pissed at spammers, particularly those extremists who call it “marketing” and are busily promoting the idea of altogether replacing content with advertising.