[CentOS] user management solution needed

Brian Mathis brian.mathis at gmail.com
Wed Nov 4 23:24:35 UTC 2009

On Wed, Nov 4, 2009 at 5:16 PM, Craig White <craigwhite at azapple.com> wrote:
> On Wed, 2009-11-04 at 17:01 -0500, Brian Mathis wrote:
>> In my extremely limited experience with LDAP, it seem that the problem
>> is not "LDAP" itself, but how to structure it.  Most howtos walk you
>> through installing whatever software, and then say "OK, now you have
>> LDAP!"
>> The problem is that LDAP is useless without a structure and data
>> inside of it.  You are usually left with a blank canvas after the
>> install is complete.  It's a very daunting task to start sticking
>> things in there without any guidance on the best way to structure it,
>> especially since this is supposed you be the be-all end-all directory
>> of everything and anything you do wrong now you need to live with for
>> your entire life.
>> One argument is that everyone has different requirements, but there's
>> got to be some kind of reasonable default that could be used for
>> setting up something like distributed password auth.  As you mention,
>> Active Directory does this, and maybe a structure like that is a
>> reasonable default to recommend/include for people who don't need to
>> fully architect a directory structure for a global company.
> ----
> The structure is simple if you understand LDAP and horrifically
> confusing if you don't understand LDAP.
> If you use CentOS-DS or Fedora-DS, they are opinionated enough upon
> initial setup to give you a predefined structure so I am not sure where
> the problem lies except that you still don't understand LDAP so it is of
> little use.
> >From it's conception, LDAP was not designed to do user authentication.
> It happens to work and it can work well and each office/network has its
> own requirements. I myself have done things differently most times I
> have set it up for a company...no big deal except that I had to learn
> how it worked. It's amazing the amount of justification that people can
> come up with for not learning how technology works.
> Craig

You're getting dangerously close to saying "Everything you need to
know is in the source code", or more succinctly, "RTFM an piss off".
No one is saying that people shouldn't understand how LDAP works, but
there's a world of difference between understanding how to install
LDAP or make a query, and understanding the implications of everything
you can do with it.

Understanding LDAP has absolutely nothing to do with how to USE LDAP.
Knowing how to USE it is a people/organization problem, not a
technical one.  You need to adjust your focus to a higher level
discussion than what you are having.  This is not about the
implementation details, it's about the higher-level structure.

Additionally, the fact that you have had to do things in multiple
different ways in different offices only proves the point here.  Does
every application really need a completely custom structure?  It might
be nice for the billable hours, but my guess is that most of those
offices could probably fit within a common schema, or at least a
common schema used as a starting point for customization.

P.S. If LDAP was never designed to do user auth, it doesn't matter.
Pretty much everyone uses it that way, so get over it.

More information about the CentOS mailing list