LDAP -Time to Leave Home, Young Man


If you have followed my articles on LDAP, you know we began looking at objectClasses in the last installment back in March. Since that time, I haven't written much more about directory servers. I began contemplating whether or not to continue the LDAP series because things have changed. Let me explain:

When I began this series in September 2006, I wanted to convey the approach I used in Linux System Administration (LSA). As O'Reilly, our book publisher, stated:

The ingredients for this book had been scattered throughout mailing lists, forums, and discussion groups, as well as books, periodicals, and the experiences of colleagues.

In September, LDAP documentation, though some what scattered and in need of a fix, existed more than the other topics in LSA. As the lead author, I wanted LDAP included in our book. My editor thought differently.

The book addressed experienced system administrators of any operating system and seasoned Linux power users needing complete documentation to advance to sysadmins.

LDAP did not seem like a subject for the faint of heart. I felt like traditional authors and LDAP team members refused to address beginners. The series, we began last September, addressed beginners. It filled the hole I saw in the existing documentation out there.

As one of the authors of the Book of Postfix suggested, one needed a deep understanding of LDAP to build a company mail server. I wondered why. Then I remembered how I struggled with the subject myself as I began working with directories. Beginners need help. They need a decent introduction or their eyes glaze over and they conclude that LDAP isn't for them.

After consider thought about the subject of LDAP today, I believe you can pick up Gerald Carter's book, LDAP Administration and it can take you the rest of the way. Aside from that, the Fedora Directory Server documentation project now does a first class job of getting you over the LDAP hump.

Have you worked in an environment where directory services exist? Then you, more like than not, understand how LDAP makes the IT world a better place. I have worked with infrastructures where Novell's e-Directory and Identity Management System, OpenLDAP, and Active Directory existed. Currently, my employer uses Active Directory.

I do not think LDAP is an intuitive technology. You need to focus and read repetitively to grasp the subject matter. If you want to become proficient, then lower your time expectations.

I have gone from working as a system administrator to working as a full-time technical writer and system analyst. I no longer build web sites, commerce enable them, build complex networks or lead development projects. I document development processes, watch the customer service department, test products,write Sarbox documents and user manuals. It's a complete change from my previous life.

Still, I continue to study the writing craft. I read "The Elements of Style" repetitively. I have not memorized it, but I may have accomplished that in the near future. Why would I do that?

Regardless of one's discipline, he or she needs to keep after it from a theoretical through practical application. With LDAP, if you want to master it, then read about it, practice it and put it to work for you even in a home network. You'll find ways to deploy it.

I doubt that you will see much about LDAP from me in the future. I might gig you every once in a while to remind you to keep your eye on the ball, but it's time to set out on your own.

Respectively submitted



Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Tom hit it write on the head

Anonymous's picture

Tom, I agree completely with you. OpenLDAP veterans all swear there is sufficient documentation, but to us "noob" junior admins, there is virtually no documentation that helps me actually build a working server. Theory does me no good if I never see it in action.

I'm the IT manager for a small company, and we do not have LDAP here. I can't see it in action. We use M$ servers. I'm in a position to replace them with linux servers, and they let me learn linux here at work. However, I'm having great difficulty getting past the rookie level.

I have been trying to learn samba+ldap for several months now, and although I have made some progress, I still can't seem to get things working right.

I own and have read the above mentioned book LDAP System Administration, which only has a few pages talking about getting samba to work. I have also read the OpenLDAP v2.3 Admin Guide, which also makes some mention, but not enough. I have also read the samba docs samba3-howto and samba3-byexample, and the samba book by R. Smith. They cover samba quite well, but do not go into enough detail integrating into ldap.

As I see it, the problem is not ldap documentation, or samba documentation, or suse documentation (the distro I'm working on). Theres plenty of theory documentation around. It's a total lack of integration documentation that teaches me how to get ldap and samba to work together, on an opensuse (or any distro) server. If you google for samba+ldap howto's, sure there are some out there for various distro's, but none of them really teach you anything. They all assume you already know how to do it, and list some sample config files, and say tweak to your liking. I bring up howto's because there are NO books (that I can find) that teach you the hows and whys for actually building an ldap server integrated with samba on a specific distribution.

For instance, I found ONE howto for opensuse 10.1 configuring samba+ldap. It is poorly written, has bad suggestions, and will not work on opensuse 10.2. There are NONE for 10.2. I found a debian script that automates everything for me. If I was a debian fan, it wouldn't really help me learn, unless I want to read every line of code. Sure I could learn it that way, but that would take an extremely long time, since I am hardly a coder yet.

As for support, the linux forums are full of people asking questions, but most answers come from other noobs asking the same questions. It doesn't help me to post a question, then get five people telling me to RTFM!

I am learning at a snails pace, and at times I wonder if I can maintain the enthusiasm to finish learning all this stuff. It is very frustrating.

Tom, you brought up a valid point that applies to more of us than you may realize. I wonder if you are in a position to help us out. Maybe somebody on your team can address some specific scenario's, such as a opensuse10.2+ldap3+samba3+mail+squid+vpn+http+mysql howto :)

I've been documenting what I've learned, and I intend to release a howto when everything works. I wish there were some veteran admins that were good at writing, and would make the effort to write one. It would probably be very easy for them to write. They would be helping probably thousands of people that are trying to learn what they know.

Until then, my addiction to coffee continues to thrive...

> I found a debian script

Anonymous's picture

> I found a debian script that automates everything for me

You can put this script for to download,


LDAP Documentation

Adam Tauno Williams's picture

I've been an LDAP administrator for a long time, since OpenLDAP version 1.2.x, which is awhile. :) And I've heard the claims about bad documentation *FOREVER*. And to be blunt, it simply isn't true. LDAP is well documented. For some reason Open Source people tend to only view HOWTOs as documentation; books about LDAP in general are consistently ignored while people go on and on about not understanding schema, partitions, terminology, etc... It is the result of a kind of blindness, not a shortage of documentation. If you take the time to learn about LDAP then things in specific services like OpenLDAP make more sense and seam more intuitive. Building a directory service is no trivial thing to taken on lightly; my employer took three years to bring everything under the umbrella of our Dit. It was certainly worth it as LDAP is a wonderfully flexible and robust technology. But skip all the HOWTOs and learn about LDAP first.

LDAP Documentation

Anonymous's picture

I think it's a matter of experience. Once you learn something, it seems logical and you wonder why someone else doesn't just get it. Documentation on LDAP? Maybe you have selective perception - like when people buy a car, suddenly they see the brand they drive everywhere.

I have experience with LDAP too - a lot of experience. But, I don't see quality in the documentation that does exist. It's sloppy, incomplete and does little more than go around in circles. To learn LDAP, you have to put your hand on the keyboard and work on it.

You just admitted it took three years for your employer to bring everything under your DIT. Well, if someone doesn't know LDAP terminology, then what's a DIT to them?

I have to side with Adelstein, who doesn't put down LDAP documentation. He just seems to say, that it's difficult for beginers to get over the hump. I agree.

I wish that the articles in

Anonymous's picture

I wish that the articles in this series had been more helpful. I read all of them, and there just isn't much to them. The OpenLDAP Administrator's Guide is very good; I learned more from spending a few minutes with it than this whole series. After a couple of weeks with the admin manual and a lot of manual data entry I had a functioning LDAP server for a LAN serving 20-some users, for both network authentication and central address book.

The data migration is the slowest part. We're cleaning it up as we go, which takes longer but we're weeding out a lot of cruft. I don't think three years for a larger shop to migrate is out of line. They probably have to integrate data from multiple sources and also do a clean-up, plus testing, and not interfering with business.

Now I have the O'Reilly book 'LDAP System Administration' and it is very helpful too.

Corrected Link

Jon Tyler's picture

For those looking for the book mentioned above (and don't know how to use "hred" links ;) here is the correct address.

Tom, thanks again for your work on this subject.

Corrected Link

Tom Adelstein's picture

Jon, thanks for pointing out the href typo. It's fixed now. Regarding your thank you, you're welcome.