Re: Openldap version (proxy cache)

Owen DeLong wrote:

This is the part where I think that the directory/authentication
open source packages are different from just about every open
source project I participate in.  For example, the Xastir project
resources are pretty much devoted to Xastir, but, if you're having
trouble getting OpenMotif working or ImageMagick working on your
system in order to compile Xastir, the users list is an OK place
to ask about that.  They're happy to help and usually find a
solution for the person fairly quickly.  OpenLDAP is, in most
situations, useless without at least one of the other packages
you mention above (nss_ldap, Kerberos, mod_auth_ldap, pam_ldap, etc.)
All of these packages have dependency relationships one way or the
other, yet, none of them seem to be interested in helping users
make them talk to each other.  That's sad and it reduces the
usefulness of all of the projects.

There used to be an OpenLDAP-general mailing list. Unfortunately, the less focused a list, the lower the signal to noise ratio tends to get, and the lower the quality of answers to questions. Also, as a practical matter, you solve problems by eliminating variables, not by propagating them. When someone says "I have a problem with nss_ldap, Kerberos, and OpenLDAP" the very first thing to do is to break it down into individual areas, because it's pretty much impossible to identify the problems looking at all three packages at once. Step through one package at a time, and make sure its basic functionality works in isolation before introducing the new wrinkle of making it work with package-X. In my experience, when all the individual components are configured correctly, when you slap them together "It Just Works." But if you don't walk through each package carefully, and just try to use it all at once, there's no way. Which is one reason we insist on focusing on just one piece of the puzzle on this list. Not because we have tunnel vision - many of the participants on this list are also active on the pam/nss, Kerberos, OpenSSL, Cyrus SASL etc. lists too - but because a tight focus is the most effective for actually solving problems.

Part of the problem is that using the distro tends to isolate you from
seeing the advantage of using newer source. I often run into people who
have no inkling that anything newer than 2.0.27 exists, have no notion
that www.openldap.org exists. If you simply looked at the release
announcements on the web site the advantages would be self-evident, but
it seems most people (who haven't found their way onto this mailing list)
just have no idea.

Well... I admit that it took quite a bit of searching before I found my
way onto this mailing list myself.  The FAQ-O-Matic doesn't seem to
refer you to it if you're stumped.  The majority of the web searches
I did for answers to questions about OpenLDAP turned up lots of other
mailing list archives, but, not this one.  There's nothing I found in
the HowTOs that came with the distro that referred me to this list, and,
even though I went to OpenLDAP.org, the site didn't exactly provide a
convenient way to find that there was a good source of answers here.

Frankly, this list is probably the best kept secret in OpenLDAP support.

Hm. The OpenLDAP.org home page says plainly "Support" and under that "mailing lists" so I'm not sure how that can be made any plainer. As for documents in the distros - we have no control over that. Every piece of documentation that OpenLDAP provides includes the URL of the OpenLDAP web site. Complain to your distro vendor if they're omitting key information like this. If you have suggestions on changes to the web site or the FAQ-o-Matic cover info, submit an ITS.

You are always welcome to contribute patches. Doc enhancements,
suggestions for better wording, etc. are frequently integrated into the
source base. I make a point of adding notes to the man pages / admin
guide / FAQ whenever I stumble over anything. But I'm just one person,
and I don't stumble often. It takes a lot more input from more sectors to
create documentation that serves all those sectors.

Agreed. Should I just send them to this list, or, is there a more
appropriate destination that I am as yet unaware of? I can't do much
about contributing code, I'm not really much of a developer, and, frankly,
I don't understand much of the pieces of openLDAP I've looked at (I tried
once to add some debugging statements to sets.c, and, couldn't make
the software compile afterwards). I'm working on a cookbook for
building a basic LDAP Authentication configuration on Fedora. When I
get it finished, I'll pass it along. Perhaps it will be considered worthy
of further reference or publication. Perhaps it will be another one of
those things not sufficiently narrowly focused to be considered useful,
since it talks about LDAP, Apache, mod_auth_ldap, pam_ldap, nss_ldap,
openSSL, dovecot, running a CA, and, making all of the above work with
SSL and a Self-Signed Root Certificate.

The FAQ-o-Matic is open to everyone, you can register and contribute articles there at will. For anything else, you should submit to the Issue Tracking System (ITS). (One topic per report, please.)

As I said, I'm willing to contribute what I can, but, from my perspective
as an end user, until I found this list, openLDAP was like an elite
private club as far as I could tell.

Yes, we only admit people who are interested in joining. ;)

 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support