[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: narrowing down profession




See, I told ya he was the best :-)

-Kara

On 6 Jun 2002, Jeff Licquia wrote:

> On Wed, 2002-06-05 at 13:30, Kara Pritchard wrote:
> > On Wed, 5 Jun 2002, Bob Castleberry wrote:
> > 
> > > After getting my first sun cert this last week I've been thinking of
> > > trying to narrow down my working fields from (knowing a reasonable chunk
> > > of) Micro$oft/Novell/Linux/Unix to (being an expert in) Linux/Unix, more
> > > specifically learning naming/directory services (nis,ldap,x.500), does
> > > anyone know of any good material on name/directory services (web, books,
> > > ect.) other than the standard oreilly books and searches on
> > > google/amazon,  I would really like some feedback on books/articles you
> > > have read or have heard to be really good, I appreciate the help, thanks
> > 
> > LUCI co-founder, Jeff Licquia, will be the best authoritative source on 
> > this topic that I know. If he's not on silug-discuss already, I've cc'd 
> > him on this message.
> 
> I'm not on the list; please CC on replies.
> 
> I got started by learning about directory services in general, and the
> problems inherent in a DS.  DS isn't just about NIS vs. LDAP/x.500;
> every server system with any concept of "multiple servers working
> together" has a DS of some sort.  The old Novell bindery and Windows
> NT/MS LanMan domains are both DSes just as much as NDS and Active
> Directory are.  DNS is a directory service too, if you think about it;
> besides generic naming services, everyone knows that "www.foo.com" is
> "the main Web server at foo.com".  See RFC 2168 for information on using
> DNS as a generic service resolver.
> 
> The next thing to learn is "why x.500 is generally better".  Most new
> DSes are at least partially based on x.500.  Part of the reason for that
> is political (all the top thinkers in directory services came over from
> the OSI networking areas), but another reason is that x.500 is really
> better.  This is especially true of the extended x.500 used by LDAP;
> "dc=foo, dc=com" is a lot more distributed and scalable than "o=Foobar
> Industries, c=us".
> 
> After that, it's a really good idea to learn LDAP and figure out how it
> ticks.  Unfortunately, here I don't have much to tell you.  One source
> for information is the book _LDAP: Programming Directory-Enabled
> Applications with the Lightweight Directory Access Protocol_, by Tim
> Howes and Mark Smith (Macmillan), but that book is more focused on
> people writing brand-new applications for LDAP.  The rest I learned
> online.
> 
> Probably the next thing you should do is play around with using a DS for
> its traditional main application: as a user/service/whatever information
> service for shared multiple machines.  For this, you'll probably want to
> unify a bunch of Linux boxes to use LDAP for user authentication, etc. 
> Read up on how PAM and glibc's nsswitch stuff works, and read the
> documentation for the LDAP PAM and nsswitch modules usually provided by
> modern distributions.  The people who wrote both of these are at
> www.padl.com; their site has lots of good docs, including the RFC for
> how to store standard POSIX-required data in LDAP (2307).
> 
> When thinking about network user databases, you should also become aware
> of the problem of secure remote user authentication.  This would be a
> good time to learn about systems like Kerberos.
> 
> Beyond that, developing with LDAP becomes more relevant.  That book I
> mentioned above becomes more useful at this level.  It's useful to learn
> how other systems use LDAP to store configuration information, so look
> for and learn about how other apps store info in LDAP.  (The Postfix
> mailer does this in a very interesting way; that might be a good place
> to start.)  By now, you will probably have learned about the sorry state
> of easy-to-use LDAP tools; if you have a thing for developing new
> software, you could try your hand at improving the situation.  (I've had
> a project in the back of my head for years to write a GTK-based clone of
> Novell's NWADMIN for LDAP, with a plugin API for extending it to new
> data types.)  The main thing is to expand your horizons; LDAP is much
> more than a glorified NIS, and you can do some amazing things with it.
> 
> Once you know LDAP, you can learn the multiple ways that Microsoft
> breaks it.  To my knowledge, only older Exchange Server products were
> truly x.500/LDAP compatible.  Active Directory is intentionally broken
> on the Kerberos side.  Their "x.500" style service they use for
> NetMeeting is broken too; the protocol for finding other people to chat
> with on NetMeeting is vaguely LDAP-like and somewhat like x.500, and
> there is actually a proxy for Linux that translates broken
> NetMeeting-x.500 into something a real LDAP server can handle.  I
> learned a lot of my cynicism about Microsoft over the sad state of DS
> interoperability, and will inevitably discuss the situation as ammo when
> people try to tell me that MS is "really serious about standards
> compliance".
> 
> This is also a good time to learn why it's not necessarily a good idea
> to migrate NT Domains to Active Directory, so you can oppose such a move
> if your IT guys haven't made the switch yet.  If you do this, be sure to
> learn about the available alternatives, such as NDS.
> 
> Something I'm delving into now is alternate directory services that are
> intended to be more dynamic.  LDAP is great for finding services, but
> poor at discovering them.  On LDAP, adding a new system involves
> manually creating a new record for it; on NT Domains, you can in many
> cases see new systems in Network Neighborhood with no configuration.  A
> new protocol, SLP, aims to cover this deficiency in traditional DSes by
> providing a scalable dynamic registration system.  As you can imagine,
> it works completely differently from LDAP, although it can cooperate
> with LDAP and DNS.
> 
> Hope that helps.
> 
> 
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
> 

-- 
Kara Pritchard                          Phone: 618-398-7360
Director of Exam Development            http://www.lpi.org/
--



-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.