Learning LDAP

I’ve never got a grasp of LDAP, but the gods have conspired against me recently in such a way that I can’t avoid it any more. One of my colleagues found LDAP For Rocket Scientists and I’m completely smitten. It’s written extremely well. It’s amusing, informative and makes no apologies for the fact that it’s not a HOWTO. In fact they have some very thought-provoking comments about the whole HOWTO thing, e.g.:

There are innumerable excellent HOWTOs scattered over the Internet which are great if you need a tactical solution to a particular problem and are happy to put up with the vaguely uncomfortable feeling that you are entirely dependent on something you don’t really understand. We didn’t want a tactical solution, we wanted a strategic solution to a whole set of problems, all of which appeared to be ideally suited to LDAP, but we had to understand stuff ... we needed a WHYTO.

Excellently said, I think. There’s nothing worse than having a system which you have got running because you followed somebody else’s instructions, because the first thing that’s going to happen is that it’s not going to work and you haven’t a clue why. Last week I bit the bullet with some VPN work I needed to do and didn’t take any shortcuts. Got it all up and running and I was a happy man. Of course, the next person who tested it from a different machine told me it didn’t work. Although that doesn’t fill me with joy (it still works from the test environment), I’m not too perplexed because I understand the basics of how it all fits together. If I’d cobbled the thing together with a HOWTO I’d be stuck.

Back to LDAP. Here’s a nice little taster of the sort of thing you’ll read.

In the documentation the subject of the root is treated in one of two ways. It’s assumed to be an automagic thing that is beyond the scope of mere mortals to understand and is treated in a ritualistic way, as if it had been handed down from one generation to another, and certainly no attempt is made to explain it. Conversely, the other camp handles it at extreme length, usually accompanied by much wailing and gnashing of teeth and incantations to the twin gods of the ITU and IETF.

Or how about this, following the definition of LDAP as a ‘write-once-read-many-times’ service:

It is never clear in the phrase ‘write-once-read-many-times’ just how many is many?

Where is the line between sensible use of LDAP vs a classic transaction-oriented relational database, for example MySQL or PostgreSQL? If we update every second access, is this a sensible LDAP application, or should it be every 1,000 or 1 million times?

The literature is a tad sparse on this topic and tends to stick with ‘slam-dunk’ LDAP applications like address books which change once in living memory.

There is no simple answer but the following notes may be useful:

and then proceeds to list some very useful notes. In short, it’s a damn fine read. They’ve got a similar one for DNS as well, which I’m going to have a nice long look at soon.
