[lpi-discuss] General comments on LPI levels
Bryan J. Smith
b.j.smith at ieee.org
Sat Sep 17 10:58:14 EDT 2005
On Fri, 2005-09-16 at 20:07 -0700, Jack Coates wrote:
> yeah, that's real cute. In my experience AD is far more real world...
In my experience, NsDS _pre-dates_ ADS and was so implemented. ADS has
only been added because Microsoft requires ADS for _all_ 2000 services
(e.g., MS SQL, Exchange, etc...).
Secondly, Fortune 100 companies don't want 25,000+ nodes all at the
mercy of ADS. I've seen an ADS tree go down in 2 Fortune 100 companies
and I was damn glad we had a peer NsDS setup.
Lastly, and the ultimate argument _against_ ADS, the authentication of
many platforms is not ADS compatible, a more "native" UNIX
authentication is preferred. A Linux exam should focus on a Freedomware
solution that works for _all_ clients, not a subset of clients that are
the limitation of some proprietary vendor's solution.
In other words, ADS is either a "peer" or a "subordinate" to a true,
open certificate/directory service in most of these setups. That's how
many 25,000+ node campuses -- both educational and Fortune 100 -- work!
Do _not_ make LPI an exam that says ... "oh, let Microsoft solve it for
you." No! I am completely and utterly _against_ that!
> I see a handful of OpenLDAP and NDS implementations out there,
First off, this is what I mean by not wanting to see "home users
defining LPI exams." All you know of are OpenLDAP and Novell
Since OpenLDAP wasn't a viable solution, that's why Red Hat (finally)
bought Netscape [Certificate and] Directory Server (NsDS) and is amidst
releasing it GPL (some components are not yet GPL for legal issues, but
it is available for all distros now).
As far as Novell Directory Services (NDS) aka eDirectory, that is not
GPL and distribution-centric. I'm not even talking about that.
NsDS is now a GPL solution, with full peer replication, certificate
services and ADS synchronization. We should _not_ make LPI an exam that
markets to ADS setups. We should market LPI as a "let Linux run your
network" type exam.
> but they're really just the isolated hold-outs.
Not true! ADS' Kerberos implementation is a _security_nightmare_
because the KDC is on the same system doing RPC services. A
_well_secured_ KDC is on its own server (or virtual server).
> Granted some of them are very large, but Microsoft has won this one
> with another shining example of embrace-and-extend.
I _disagree_! There are plenty of 3rd party directory connectors and
major, _major_ NsDS installations -- especially since NsDS _predates_
It's these kinds of non-enterprise viewpoints that really get to me. ;->
Don't do Microsoft's marketing for them! It's _not_ true!
> If OpenLDAP had a decent administration UI(1) and easy hooks into
> userland programs like Thunderbird(2), it could regain some ground...
That's where NsDS _excels_! It has a full Java administration component
and Mozilla/Thunderbird was designed for it!
> Anyway, to wander back towards topic how about LPIC-4 being "fix some
> glaring problem like calendaring or address books" :)
NsDS takes care of the LDAP component.
OpenGroupware.ORG offers a _true_ calendaring back-end, not merely just
a "server side storage" backend like MS Exchange. It has everything
from PalmNet (direct Palm-to-network synchronization), iCal, a feature-
rich XML-WebDav (Evolution and Outlook) and other things in an _open_
back-end. The only problem to OpenGroupware.ORG right now is the lack
of good install and admin tools.
Again, I wish to God that Freedomware advocates would actually _learn_
the _superior_ solutions out there! MS Exchange is a _client-side_
resolved (either Outlook or OWA-based) calendaring framework, and _not_
a true back-end scheduler. There are far _better_ commercial solutions
than MS Exchange.
> (1) I've tried a lot of web-based and GTK-based frontends which fail to
> measure up, not sure if anyone's pet project is in there.
OpenGroupware.ORG is a _true_ scheduling back-end, not just another
server store with some Outlook-only connector. That's MS Exchange and
98% of the Exchange replacements out there. And OpenGroupware.ORG
offers a full calendaring API (connectors for Evolution and Outlook),
not just iCal.
> (2) Read-only is not that tough at this point, if the administrator
> understands LDAP well enough to choose the right schema and feed the
> database with useful information.... unless you want secure access
> without opening up a VPN (the very antithesis of secure, IMHO).
OpenGroupware.ORG offers a full suite of protocol options. Not just the
iCal (FTP/HTTP) and web-based, but its own HTTP WebDav Calendaring
connection, plus direct Palm support (non-host, Palm-to-Network).
Bryan J. Smith b.j.smith at ieee.org http://thebs413.blogspot.com
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman