Re: narrowing down profession

["Bob T. Kat" <bobkat79@charter.net>]

Thought I'd slide this over here since your not in silug

I have been dealing with directory services for quite some time by means
of netware 3.x (bindery)/4.x/5.x and nt 3.51/4/2k. oh and also dns
administration.  Accept as I mentioned I'm now focusing down to the
world of unix/linux. So I do understand the concepts of DS and name
services (although I will check out that rfc on dns).  I hadn't thought
about researching Kerberos as being part of this, thanks. I currently
use ddns with dhcp to do all of my name automatic name resolution (on
non-static systems, it does tie in well with my slave 2k server), how
does this compare with something like SLP?  I'll hop on a search engine
and check that out.  

You did throw me with something though. I have always been under the
impression that LDAP was a smaller subset of the x.500 (being that it
was developed to access an x.500 server from a weak client) and was
missing a lot of the server replication and redundancy features of a
full x.500 directory server. When you said that LDAP uses extended x.500
would that be in relation to schema and the way it handles information
or are there other extensions?  This has been a dilemma for me in trying
to figure out why everyone would want to use LDAP servers when you (as I
understood it) get more power and benefits from running a full x.500 and
can still access it with an LDAP client. 

Thanks again for the website and rfc's I appreciate any info

Bob T. Kat

"You live and learn. At any rate, you live."
  - Douglas Adams -
ps. Thanks kara, you were right ;)

-----Original Message-----
From: silug-discuss-owner@silug.org
[mailto:silug-discuss-owner@silug.org] On Behalf Of Jeff Licquia
Sent: Thursday, June 06, 2002 1:57 AM
To: silug-discuss@silug.org
Subject: Re: narrowing down profession

On Wed, 2002-06-05 at 13:30, Kara Pritchard wrote:
> On Wed, 5 Jun 2002, Bob Castleberry wrote:
> 
> > After getting my first sun cert this last week I've been thinking of
> > trying to narrow down my working fields from (knowing a reasonable
chunk
> > of) Micro$oft/Novell/Linux/Unix to (being an expert in) Linux/Unix,
more
> > specifically learning naming/directory services (nis,ldap,x.500),
does
> > anyone know of any good material on name/directory services (web,
books,
> > ect.) other than the standard oreilly books and searches on
> > google/amazon,  I would really like some feedback on books/articles
you
> > have read or have heard to be really good, I appreciate the help,
thanks
> 
> LUCI co-founder, Jeff Licquia, will be the best authoritative source
on 
> this topic that I know. If he's not on silug-discuss already, I've
cc'd 
> him on this message.

I'm not on the list; please CC on replies.

I got started by learning about directory services in general, and the
problems inherent in a DS.  DS isn't just about NIS vs. LDAP/x.500;
every server system with any concept of "multiple servers working
together" has a DS of some sort.  The old Novell bindery and Windows
NT/MS LanMan domains are both DSes just as much as NDS and Active
Directory are.  DNS is a directory service too, if you think about it;
besides generic naming services, everyone knows that "www.foo.com" is
"the main Web server at foo.com".  See RFC 2168 for information on using
DNS as a generic service resolver.

The next thing to learn is "why x.500 is generally better".  Most new
DSes are at least partially based on x.500.  Part of the reason for that
is political (all the top thinkers in directory services came over from
the OSI networking areas), but another reason is that x.500 is really
better.  This is especially true of the extended x.500 used by LDAP;
"dc=foo, dc=com" is a lot more distributed and scalable than "o=Foobar
Industries, c=us".

After that, it's a really good idea to learn LDAP and figure out how it
ticks.  Unfortunately, here I don't have much to tell you.  One source
for information is the book _LDAP: Programming Directory-Enabled
Applications with the Lightweight Directory Access Protocol_, by Tim
Howes and Mark Smith (Macmillan), but that book is more focused on
people writing brand-new applications for LDAP.  The rest I learned
online.

Probably the next thing you should do is play around with using a DS for
its traditional main application: as a user/service/whatever information
service for shared multiple machines.  For this, you'll probably want to
unify a bunch of Linux boxes to use LDAP for user authentication, etc. 
Read up on how PAM and glibc's nsswitch stuff works, and read the
documentation for the LDAP PAM and nsswitch modules usually provided by
modern distributions.  The people who wrote both of these are at
www.padl.com; their site has lots of good docs, including the RFC for
how to store standard POSIX-required data in LDAP (2307).

When thinking about network user databases, you should also become aware
of the problem of secure remote user authentication.  This would be a
good time to learn about systems like Kerberos.

Beyond that, developing with LDAP becomes more relevant.  That book I
mentioned above becomes more useful at this level.  It's useful to learn
how other systems use LDAP to store configuration information, so look
for and learn about how other apps store info in LDAP.  (The Postfix
mailer does this in a very interesting way; that might be a good place
to start.)  By now, you will probably have learned about the sorry state
of easy-to-use LDAP tools; if you have a thing for developing new
software, you could try your hand at improving the situation.  (I've had
a project in the back of my head for years to write a GTK-based clone of
Novell's NWADMIN for LDAP, with a plugin API for extending it to new
data types.)  The main thing is to expand your horizons; LDAP is much
more than a glorified NIS, and you can do some amazing things with it.

Once you know LDAP, you can learn the multiple ways that Microsoft
breaks it.  To my knowledge, only older Exchange Server products were
truly x.500/LDAP compatible.  Active Directory is intentionally broken
on the Kerberos side.  Their "x.500" style service they use for
NetMeeting is broken too; the protocol for finding other people to chat
with on NetMeeting is vaguely LDAP-like and somewhat like x.500, and
there is actually a proxy for Linux that translates broken
NetMeeting-x.500 into something a real LDAP server can handle.  I
learned a lot of my cynicism about Microsoft over the sad state of DS
interoperability, and will inevitably discuss the situation as ammo when
people try to tell me that MS is "really serious about standards
compliance".

This is also a good time to learn why it's not necessarily a good idea
to migrate NT Domains to Active Directory, so you can oppose such a move
if your IT guys haven't made the switch yet.  If you do this, be sure to
learn about the available alternatives, such as NDS.

Something I'm delving into now is alternate directory services that are
intended to be more dynamic.  LDAP is great for finding services, but
poor at discovering them.  On LDAP, adding a new system involves
manually creating a new record for it; on NT Domains, you can in many
cases see new systems in Network Neighborhood with no configuration.  A
new protocol, SLP, aims to cover this deficiency in traditional DSes by
providing a scalable dynamic registration system.  As you can imagine,
it works completely differently from LDAP, although it can cooperate
with LDAP and DNS.

Hope that helps.


-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.


-
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.