[CentOS] user management solution needed

Wed Nov 4 22:01:43 UTC 2009
Brian Mathis <brian.mathis at gmail.com>

On Wed, Nov 4, 2009 at 4:44 PM, Craig White <craigwhite at azapple.com> wrote:
> On Wed, 2009-11-04 at 15:25 -0600, Les Mikesell wrote:
>> Craig White wrote:
>> > At that point, using OpenLDAP or CentOS-DS or Fedora-DS is more or less
>> > a matter of implementation details and utility. None of them are better
>> > than the other for most purposes and even things like the consoles in
>> > Fedora-DS aren't going to make it any easier for you to use LDAP if you
>> > don't understand how it works. In short, there really aren't decent
>> > shortcuts to using LDAP if you don't care to actually understand how and
>> > why it works.
>>
>> I think the standards bodies have failed us badly on this front.  People
>> don't want to understand LDAP any more than they want to understand the
>> bits in a TCP packet header.   They just want systems to interoperate.
> ----
> I suppose I don't understand what you are saying. Are you saying that
> some of the LDAP servers are not compliant with RFC's for LDAP? Which
> ones? how?
>
> As for people not wanting to understand LDAP, that's their choice and I
> wish them luck. If you want a pre-configured LDAP that's always the same
> for every installation, check out Active Directory. It doesn't get any
> easier to implement LDAP on Active Directory if you don't understand it.
>
> Craig


In my extremely limited experience with LDAP, it seems that the problem
is not "LDAP" itself, but how to structure it.  Most howtos walk you
through installing whatever software, and then say "OK, now you have
LDAP!"

The problem is that LDAP is useless without a structure and data
inside of it.  You are usually left with a blank canvas after the
install is complete.  It's a very daunting task to start sticking
things in there without any guidance on the best way to structure it,
especially since this is supposed to be the be-all end-all directory
of everything and anything you do wrong now you need to live with for
your entire life.

One argument is that everyone has different requirements, but there's
got to be some kind of reasonable default that could be used for
setting up something like distributed password auth.  As you mention,
Active Directory does this, and maybe a structure like that is a
reasonable default to recommend/include for people who don't need to
fully architect a directory structure for a global company.
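A concrete version of the "reasonable default" the message above asks for, added here as an illustration and not part of the original post or of any OpenLDAP/389-DS project code: it lays out the conventional RFC 2307 tree (ou=People / ou=Groups under a single suffix, posixAccount users and posixGroup groups) that nss_ldap and pam_ldap expect, stores passwords as {SSHA} the way OpenLDAP's slappasswd does, and checks the tree for the mistakes that silently break login (dangling primary groups, duplicate uids, cleartext userPassword). The suffix dc=example,dc=com and the sample users are constructed for the example.

```python
"""Baseline LDAP layout for distributed POSIX password authentication.

Added example. Assumes the constructed suffix dc=example,dc=com and the
sample accounts below; emits LDIF suitable for slapadd/ldapadd and checks
the tree for consistency problems before it is loaded.
"""
import base64
import hashlib
import os

BASE_DN = "dc=example,dc=com"   # constructed suffix for the example


def ssha_hash(password, salt=None):
    """{SSHA} as produced by slappasswd: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Recompute the salted SHA-1 from the trailing salt bytes and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


def build_tree(users, groups):
    """Return the baseline DIT as a list of (dn, attributes) pairs, parents first.

    users  : dicts with uid, cn, uidNumber, gidNumber, password (cleartext in, hashed out)
    groups : dicts with cn, gidNumber, members (list of uid)
    """
    dc = BASE_DN.split(",")[0].split("=")[1]
    entries = [
        (BASE_DN, {"objectClass": ["dcObject", "organization"], "dc": dc, "o": dc}),
        ("ou=People," + BASE_DN, {"objectClass": ["organizationalUnit"], "ou": "People"}),
        ("ou=Groups," + BASE_DN, {"objectClass": ["organizationalUnit"], "ou": "Groups"}),
    ]
    for g in groups:
        entries.append(("cn=%s,ou=Groups,%s" % (g["cn"], BASE_DN), {
            "objectClass": ["posixGroup"],
            "cn": g["cn"],
            "gidNumber": str(g["gidNumber"]),
            "memberUid": list(g.get("members", [])),
        }))
    for u in users:
        entries.append(("uid=%s,ou=People,%s" % (u["uid"], BASE_DN), {
            "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
            "uid": u["uid"],
            "cn": u["cn"],
            "sn": u["cn"].split()[-1],
            "uidNumber": str(u["uidNumber"]),
            "gidNumber": str(u["gidNumber"]),
            "homeDirectory": "/home/" + u["uid"],
            "loginShell": "/bin/bash",
            "userPassword": ssha_hash(u["password"]),   # never store cleartext
        }))
    return entries


def check_tree(entries):
    """Report problems that break NSS/PAM lookups or weaken authentication."""
    problems = []
    gids = {a["gidNumber"] for _, a in entries if "posixGroup" in a["objectClass"]}
    uids, uid_numbers = set(), {}
    for dn, a in entries:
        if "posixAccount" not in a["objectClass"]:
            continue
        if a["uid"] in uids:
            problems.append("duplicate uid %s" % a["uid"])
        uids.add(a["uid"])
        if a["uidNumber"] in uid_numbers:
            problems.append("uidNumber %s shared by %s and %s"
                            % (a["uidNumber"], uid_numbers[a["uidNumber"]], dn))
        uid_numbers[a["uidNumber"]] = dn
        if int(a["uidNumber"]) < 1000:   # collides with local /etc/passwd system accounts
            problems.append("%s: uidNumber %s is in the local system range" % (dn, a["uidNumber"]))
        if a["gidNumber"] not in gids:
            problems.append("%s: primary gidNumber %s has no posixGroup" % (dn, a["gidNumber"]))
        if not a.get("userPassword", "").startswith("{"):
            problems.append("%s: userPassword is not stored as a hash" % dn)
    for dn, a in entries:
        if "posixGroup" in a["objectClass"]:
            for m in a.get("memberUid", []):
                if m not in uids:
                    problems.append("%s: memberUid %s does not exist" % (dn, m))
    return problems


def to_ldif(entries):
    """Serialise the entries as LDIF in load order (parents before children)."""
    blocks = []
    for dn, attrs in entries:
        lines = ["dn: " + dn]
        for key, value in attrs.items():
            for v in (value if isinstance(value, list) else [value]):
                lines.append("%s: %s" % (key, v))
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample data for the example.
SAMPLE_GROUPS = [{"cn": "staff", "gidNumber": 10000, "members": ["alice"]}]
SAMPLE_USERS = [{"uid": "alice", "cn": "Alice Example", "uidNumber": 10000,
                 "gidNumber": 10000, "password": "correct horse"}]

if __name__ == "__main__":
    tree = build_tree(SAMPLE_USERS, SAMPLE_GROUPS)
    print(to_ldif(tree))
    print("problems:", check_tree(tree) or "none")
```

The generated LDIF can be loaded with `slapadd -l` (or `ldapadd -x -D cn=admin,... -W -f`) once a suffix matching BASE_DN exists; running `check_tree` first catches the cases that otherwise surface only as a user who can authenticate but has no resolvable primary group. Starting uidNumbers and gidNumbers at 10000 keeps directory accounts clear of the local system range on every client.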