[lpi-discuss] General comments on LPI levels

Bryan J. Smith b.j.smith at ieee.org
Sun Sep 18 17:21:27 EDT 2005

On Sun, 2005-09-18 at 14:08 -0400, Etienne Goyer wrote:
> Like it or not, OpenLDAP is bundled with pretty much every distribution
> *today*, and currently power most directory running on Linux.

I never said we shouldn't include something on OpenLDAP.
I just said that it's not the _only_ option.
Now that Red Hat is GPL'ing the former NsDS product, I'm sure it will
quickly gather adoption.

> Discussing which DSA to test in LPI is totally pointless anyway.  This
> test is not about enterprise directory service, it's about Linux.  A
> working knowledge of LDAP and how to configure PAM and nsswitch LDAP is
> what should be tested.

As several mentioned, LPIC-3 is _definitely_ a target for network
authentication, directory, file and naming services.  And setting up a
system as a client for those services _might_ be a lower-level

Even Microsoft includes ADS in the MCSA track.
Sun also includes client setup as part of the SCSA.

> Totally OT, but I doubt the wisdom of that.  Fixing the shortcoming of
> OpenLDAP would have costed much less than 20M$ in manpower.

Very poor assumption.  A lot of RHEL customers (myself included) were
hoping Red Hat would buy NsDS from AOL-Netscape.

Understand Red Hat announced it was moving forth on a lot of
"enterprise" initiatives.  Their initial work was putting a _lot_ of
people on OpenLDAP.  They finally decided that it was cheaper and faster
to purchase it outright from AOL-Netscape, and get going now

OpenLDAP has a lot of shortcomings -- shortcoming that NsDS has never
had.  This includes a standard certificate service, peer replication and
peer synchronization with ADS.  Things that are severely lacking in
OpenLDAP solutions.

> Right now, Linux <-> ADS is one of the most sought-after skill for Linux
> integrator.

And why is that?  Maybe it's because companies are having trouble with
their ADS back-end.  And if you'd stop to educate them on a peer
directory service that would _remove_ the "reliability" issue from the
back-end for non-Windows platforms, you might even be more "sought-

Sometimes the "most sought-after" skills are the ones your client
doesn't recognize.  I've gone into pitches and provided proposals where
the client didn't realize _all_ their options.  Especially the swiss
cheese holes in an ADS back-end that left a lot of their enterprise out
as orphan leaves.

So far, NsDS is the *ABSOLUTE*BEST* way to do it!

I've seen Samba over-quoted like it's the "ultimate directory service"
and it is _not_ a directory service.  Samba is a Windows client
solution, with only a minor capability for UNIX clients.  In fact, part
of the problem why Open Source integrations _fail_ is because people
over-pitch Samba.

And part of that reason is because they do _not_ understand that
enterprise services aren't an "unified directory" service -- but a set
of services that are complementary.  Even ADS is that way itself.

> Face it, Windows rule the world.

On the desktop?  Yes.
On the server?  No!  No!  NO!  They do _not_!
Stop asserting this as fact!  It is _not_ true at all!

> We can't pretend it does not exist.

I _never_ said that.  But to you, it's the _only_ thing it seems -- or
the only thing that matters.  I will _strongly_disagree_ with you as a
professional who regularly runs into other Linux professionals like
yourself, who has not actually rolled out anything but ADS.

Do _not_ assume you are _not_ talking to a _current_ MCSA/MCSE with
several specialties (including "Security", which is a joke, don't get me
started).  I've worked on trees at Fortune 20 companies.

Lastly, I tire of these debates, because _you_ are providing Microsoft
with "free marketing" because you are not aware of what many enterprises
do.  What you assert is simply _not_ true!  And it is enfuriating to

Now I'm sure you're going to label me as a "jerk" and "mean spirited"
now, just like so many people do.  But I'm sorry, when someone doesn't
see any other options -- I just have to put my foot down, even if I'm
the only guy doing it.  And I don't mind being the sole minority on such
a position either.

> On the other hand, I do not understand all the ruffus about the subject.

Because you are focusing on an assumed _lie_ because of the popular
media that caters to Microsoft, and believe only Novell offers another
option, and OpenLDAP is the only other solution out there -- which you,
among others, dismissed for various reasons -- reasons that do _not_
plague NsDS, and haven't in years prior.  That is largely why Red Hat
finally just acquired NsDS for _all_ distros to use, under the GPL.

A Linux Professional examination should focus on Linux solutions at a
level that is _at_least_ the "peer" level with proprietary solutions.
Just because you believe that ADS is the _only_ solution is merely _not_
true for a -- even if minority -- number of enterprise architects like

In the next round of objectives -- even if Level-3, although client-side
things for Level-1/2 -- the objectives should focus on the real
availability of GPL network authentication, directory, file and
authentication services that are now becoming available.  It can be
generic enough to apply to several at the foundation, but we have to
account for the availability of NsDS now.

And not just provide Microsoft with free marketing where our exam favors
their directory service.

> From the Linux side of thing (most likely, what LPI would test), the
> DSA is pretty much irrevellant.  Except for a kink or two, configuring
> Linux to authenticate against ADS or OpenLDAP (or NsDS, or NDS) is
> practically the same thing.

Depends on what you are testing on and how.
But no, they _are_ very different in many cases.
Winbindd is _not_ quite as "native."

Most people will want to take the proposed LPIC-3 Samba exam, it can go

A native Linux LPIC-3 network authentication, directory, file and name
server exam can be its own as well.

As far as the lower level objectives, they should be limited to PAM,
NSSwitch and basic client configuration files.  These are _not_ the
realm of ADS for the most part.

Bryan J. Smith     b.j.smith at ieee.org     http://thebs413.blogspot.com
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman

More information about the lpi-discuss mailing list