G. Matthew Rice wrote:
> Considering that we are approaching the 2.5 year mark for the
> 303/Security exam, we could add OpenLDAP directly to the 303 exam. By
> that, I only mean the security aspects of OpenLDAP.
OpenLDAP security involves basically three topics:

– Assigning access rights to various directory entries or attributes by means of ACLs
– Authenticating users who want to access the directory, either via basic authentication or SASL
– Using TLS to encrypt traffic to and from the LDAP server (possibly including authentication)

In my opinion it is difficult to teach OpenLDAP server basics (as in LPI-202) without covering directory ACLs, so ACLs shouldn't be omitted when we do the move. On the other hand, the mechanics of configuring TLS for LDAP are conspicuously similar to those of configuring TLS for Postfix or Apache, both of which topics are in LPI-202 already, so it would be silly to move that bit to LPI-303 because it is so advanced. The only vaguely tricky bit is OpenLDAP's SASL authentication, which even the official OpenLDAP documentation explains very badly (let alone the published OpenLDAP books I've seen). However, having a »Configuring SASL for OpenLDAP« directive in an exam that otherwise does not cover anything related to OpenLDAP would look weird to me.

In a nutshell, I would recommend against spreading our coverage of OpenLDAP server basics out across a number of exams. Let's have it in LPI-202 and get it over with there. In effect, LPI-202 would have to cover

– LDAP principles and client basics (ldapsearch &c., ldap.conf, LDIF files) [already in]
– OpenLDAP operation basics (how to run OpenLDAP, configuration mechanisms, databases)
– OpenLDAP security (ACLs, SASL, TLS)

There doesn't seem to be a good place to put advanced OpenLDAP stuff such as proxy authentication or directory replication if we don't want to inflate LPI-202 too much. So be it. We don't require spam and virus scanning in -202's email-related objectives, either, even though, in the 21st century, these are arguably things every mail administrator should know about (by comparison, proxy authentication and replication for OpenLDAP are not quite as essential).
The 30x exams could then consider these topics covered and add LDAP-related »application« content that makes sense in their own context, i.e., the new 300 exam could presumably build on generic LDAP knowledge as it relates to Samba4's LDAP, while a hypothetical mail server exam could dive right into using LDAP as a backing store for addresses etc.

Anselm
--
Anselm Lingnau ... Linup Front GmbH ... Linux-, Open-Source- & Netz-Schulungen
anselm.ling...@linupfront.de, +49(0)6151-9067-103, Fax -299, www.linupfront.de
Linup Front GmbH, Postfach 100121, 64201 Darmstadt, Germany
Sitz: Weiterstadt (AG Darmstadt, HRB7705), Geschäftsführer: Oliver Michel

_______________________________________________
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
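The three topics the message lists (ACLs, SASL, TLS), shown as one cn=config LDIF for OpenLDAP 2.4 or later. This is an added illustration and is not taken from the message, from the LPI objectives or from the OpenLDAP project; the suffix dc=example,dc=com, the database entry olcDatabase={1}mdb, the group cn=ldapadmins,ou=Groups,dc=example,dc=com and the certificate paths are assumptions.

```ldif
# Added example, not part of the original message. Assumed: suffix
# dc=example,dc=com served by olcDatabase={1}mdb, certificates under
# /etc/ssl, and an admin group cn=ldapadmins,ou=Groups,dc=example,dc=com.
# Apply over the local socket as root:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f openldap-security.ldif

# 1. TLS and SASL settings live on the global entry cn=config.
#    olcLocalSSF is raised so that ldapi:/// (default local SSF 71) still
#    satisfies the ssf=128 requirement set on the database below.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/example-ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ssl/certs/ldap.example.com.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ssl/private/ldap.example.com.key
-
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain
-
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=[^,]*,cn=auth ldap:///ou=People,dc=example,dc=com??sub?(uid=$1)

# 2. Per-database: refuse any operation on a connection weaker than SSF 128
#    (i.e. require TLS or an integrity/privacy SASL layer), then the ACLs.
#    ACLs are evaluated top to bottom, first match wins, so the
#    userPassword rule must come before the catch-all.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: ssf=128
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by group.exact="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.subtree="ou=People,dc=example,dc=com"
  by self write
  by group.exact="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
olcAccess: {2}to *
  by group.exact="cn=ldapadmins,ou=Groups,dc=example,dc=com" write
  by users read
  by * none
```

Two details that are easy to get wrong: `by anonymous auth` on userPassword is what allows a simple bind to verify a password without anyone being able to read the hash, and the continuation lines start with two spaces because LDIF folding strips exactly one. The rootdn of the database bypasses ACLs entirely, which is why the example delegates day-to-day administration to a group instead. The olcAuthzRegexp maps a SASL identity such as `uid=alice,cn=example.com,cn=auth` onto the matching entry under ou=People so that ACLs written in terms of `self` apply to SASL binds as well.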