Ldap, Pam, Nss, Samba

Craig White craigwhite at azapple.com
Fri Mar 21 13:39:04 UTC 2008


On Fri, 2008-03-21 at 03:09 -0400, Ric Moore wrote:
> On Thu, 2008-03-20 at 21:45 -0700, Craig White wrote:
 
> > If you want the one-vision, GUI based, rigidly designed, fill in some
> > blanks, check off some boxes LDAP, Microsoft Active Directory is the
> > ticket. But you will bang your head against the wall once you try to
> > customize it.
> 
> I would prefer that one-vision GUI based, rigidly designed, fill in some
> blanks, check off some boxes LDAP, to just get it to work, with room to
> try hand editing a *working* system later, all in Open Source. How 'bout
> those apples?? <cackles> If the M$ idiots can do it, are you saying that
> our propeller heads can't?? Say it ain't so! 
----
They exist but only as a turnkey type setup like the smbldap setup
within k12ltsp.

Here's the problem...the LDAP solution provided fits only their purpose,
in the end, you still haven't learned a thing about LDAP and heaven
forbid you need to extend LDAP for other uses or maintain OpenLDAP
because it breaks, you haven't a clue on how to fix it. OpenLDAP uses
Berkeley DB and it's not a friendly system for repair without knowledge.

Add to that, the fact that there are so many options, SASL, Kerberos,
SSL Certificates for server and for clients presents a really complex
set of choices. Fedora Directory Server which I linked earlier does
simplify some of this stuff and that is probably the only open source
hope you have for trying to use an LDAP authentication setup that you
don't have to learn the nuts and bolts but that's still quite a ways
away from being what you are looking for.

'to just get it to work' doesn't mean anything...what you want it to do
is different from what I want it to do and thus everyone's definition of
'just work' is entirely different. 
----
> > 
> > The really simple answer...learn LDAP. The simple book and method to
> > learn LDAP...
> > LDAP System Administration by Gerald Carter. Book is now getting old,
> > long in the tooth, uses ldbm instead of bdb but the book makes it really
> > obvious how to use LDAP and once you learn that, customizing it for what
> > you want to accomplish is simple.
> 
> Thank God we don't take that approach to all the other major apps. Half
> this group would be without email or a network to pipe it through. I
> studied sendmail for a solid week in a real paid-for classroom setting.
> But, I'd STILL prefer a gui any day of the week as, without regular use,
> the knowledge has completely escaped me. Gone. Phfffft! Up in smoke.
> Departed. Gone to the hereafter and the rest of that Dead Parrot
> routine. 
> 
> I *could* go back and re-learn how to script HTML with vi, but I'm lazy
> as heck and much prefer to use a WYSIWYG HTML editor. Same thing. At
> any rate, I've buckled down hard, on three occasions, from scratch, and
> could not manage to get it to work. And, I'm admitting to it, open to
> the dread of potential public shame and ridicule. I set up the scripts
> and somewhere in the setting up of the mysql entries it burps and
> refuses to work. Just maybe the howtos were a little bit outa date? 
> 
> So, I'd also have to learn all of the mysteries of MSQL in order to get
> past that as well? I used to run dbaseII from command line in CP/M. I
> hated that too! <grins hugely> I just want for our mailing list of 1,300
> entries to be accessible to the web to just a couple of users. I just
> never imagined it would be so difficult. I've done the hard
> part ...typing all of that membership stuff in. OK, I'll try it one more
> time, but it won't be tonight! <sighs> Ric
----
Your rant is typical of those who rant about LDAP. They don't understand
it, how it works, how to make it work and don't want to invest the time
to learn it.

The solution is simple...buy the book I suggested and invest 3 hours -
that's all it takes, and you will understand LDAP and see the
pointlessness of your rant.

Craig



