
Re: Openldap version (proxy cache)



> I see the situation you're looking at a bit differently... A lot of
> people seem to assume that because the software was bundled on their OS
> distro, it's both (a) suitable and (b) ready for use. They assume that
> they can just switch it on without investing anything into its operation.
> Just like people tend to misinterpret the "Free" in "Free Software." The
> fact is that any tool requires an investment on the part of the user. An
> investment of time to learn how to use it, time to set it up, and time to
> maintain its regular operation. There is seldom any real substitute for
> this investment; a distro packager may mitigate some of the setup time,
> but the end user still must cover the learning and the maintenance.
> Frequently a cost/benefit analysis will show that it's better to invest
> money into applying someone else's time to the situation, rather than
> spending your own (irreplaceable) time. At this point a lot of people
> stumble, again because they expect all of this to work "for free." And
> *that* simply is not the case in the real world.


Well... Those people are mistaken, obviously.  However, there is the question
of how much investment should be required to get basic functionality.  The
reality is that if we can't make OpenLDAP and PAM_LDAP with LDAP/S and Kerberos
at least as easy to set up as Active Directory (blech), we're going to have
trouble making progress towards a larger percentage of the installed base.

I hate Microsoft.  I despise their entire approach to the world.  However, I
can take someone who knows virtually nothing about directories, Kerberos,
SSL, cryptography, or software dependencies, hand them a book and a Windows
install CD, and they can get 3 or 4 machines up in an Active Directory
domain with address book and single-sign-on centralized authentication
in a few hours.

OTOH, as an experienced UNIX admin with some familiarity and knowledge
about directories in general, and substantial knowledge of PAM, cryptography,
some familiarity with SASL, and some Kerberos experience, it took several
days of research, multiple books, many web searches, several emails, and
a fair amount of guess work to get to the point where I had a fairly minimal
LDAP configuration working the way I wanted it to with PAM, NSS_LDAP,
and Apache for a relatively small userbase on a single machine.

Imagine how completely intimidating (and insurmountable) this would be to
the average first-time LDAP administrator?

I'm not unrealistic about "free" software, and I'm not opposed to putting
a certain amount of time and effort into it.  However, when I've got what
seems like a working binary in my distro, I have to see some real advantage
to going out and grabbing source and trying to build my own before I will
take it on.

(Admittedly, I'm running the 2.2.23 version at this point, and it did actually
compile relatively quickly once I figured out the right magic incantation for
configure, but even that took some doing).

OpenLDAP is one of the most difficult, confusing, poorly documented (this applies
to LDAP in general, actually), and generally cryptic open source packages I've
ever dealt with.  Even with the copious debugging output it is capable of generating,
I find it lacks many of the things I want to know about why things are going
wrong (have you ever tried to debug an ACL based on dynamic groups or sets?)
and isn't overly clear about the things it does tell you.

Again, I expect all of this will get better with time, but in the meantime
there's a definite time/value tradeoff in running a binary distro vs. building
from source.  In most cases, in my experience, building from source isn't worth
it unless you want a hobby.

Owen
