I'll make the same arguments I made years ago ...

 - Let's stop getting deep on LDAP Server ...

I think too deep of LDAP knowledge, with either 389 or OpenLDAP Server, is
probably not ideal.  E.g., we shouldn't be covering replication.  It's too
LDAP-specific.  Especially with 389 Server being multi-master.

 - Focus on how to do things, not LDAP Server-specifics

We still need to cover advanced LDAP concepts in general, including
ldapmodify, etc... from the OpenLDAP client/libs that both 389 and OpenLDAP
Server use.  But I wouldn't get deep into 389 schema.

 - When in doubt, on the server, cover IPA schema

IPA is still 389 underneath, and standard schema.  It's just 'canned' in a
way that is useful and, thanx to SSSD on the client, in a way you don't
have to start hacking up LDIF, JSON or other files to configure.

I.e., virtually all of the schema for SSH Public Key, Sudoers, etc... are
in IPA, and ready-to-use with SSSD, instead of having to get 'into the
weeds' on what schema.  It's a waste to do so.  Just know what IPA provides
-- which is what other LDAP Servers can also provide.

In fact ...

 - When in doubt, on the client, cover advanced SSSD configuration

What we're really often talking about is mapping/use in SSSD, on the client
side.  IPA Server + IPA Client (Linux SSSD w/IPA module) -- like AD Server
+ AD Client (NT LSA w/AD SSP) -- is all canned and ready-to-use.  So when
not doing IPA, we're really just talking about 'tweaking' SSSD to support
the same schema in another LDAP Server (just like the NT LSA w/SSPs).

That's been my continuing view.  No need to 'get in the weeds' with various
LDAP Server implementations.  Cover IPA, cover SSSD, and where the schema
and support map.

- bjs


On Wed, Nov 21, 2018 at 8:05 AM Dirk Streubel <[email protected]>
wrote:

> Hi,
>
> I totally agree with Kenneth, FreeIPA and 389 Server must be part of the 300
> exam. Also I think it is a good thing to give a new name for this part.
>
> So, just another thought I have: there are new exams in mind, what about the
> name (number) of the exam. For me it makes no sense to call it LPI-300 /
> 303 and 304. There are LPI-1 and LPI-2. Maybe the new name could be LPI-3.0,
> LPI-3.3 or LPI 3.4 or something else. Or something different?!
>
> Regards from Castrop-Rauxel,
>
> Dirk
>
>
>
> On 19.11.18 at 09:15, Kenneth Peiruza wrote:
>
> LPIC 300, for sure. Get rid of openldap, show "LDAP" & ldap-utils +
> FreeIPA + Samba4.
>
> That makes sense to me. So far, openldap has no direct relationship with
> Samba4, it made sense for samba3, but not anymore, and as we lost the auth
> integration with openldap when 301 got removed, it's there in 300 doing
> little or nothing.
>
> IMHO a chapter or two on pentesting would make 303 way more attractive
> (students always ask me to extend a bit on attack tools: enumeration,
> scanning & bruteforce logins).
>
> Regards,
>
> Kenneth
>
>
> On Nov 18, 2018 1:54 PM, Fabian Thorns <[email protected]> <[email protected]>
> wrote:
>
> Hi there,
>
> sorry for starting another thread. After spending some time thinking about
> your mails regarding 300 and 303, I'd like to ask for your opinion on one
> specific question that seems crucial to me: Where do we want to cover
> FreeIPA and SSSD? Do we see them mainly as tools to harden systems or as
> tools to integrate authentication realms (either 'mixed' or 'non-mixed')?
>
> If we decide for the latter, we might consider moving FreeIPA from 303 to
> 300, extend it there and maybe replace OpenLDAP with 389 Server (and
> potentially do the same for LPIC-2 in the next revision). This seems a
> reasonable use of the weights freed up by NT4 domains; and we might fill
> the gap it leaves in 303 with some basic pentesting (this should be
> discussed elsewhere, though).
>
> What do you think?
>
> Fabian
>
> --
> Fabian Thorns <[email protected]> GPG: F1426B12
> Director of Certification Development, Linux Professional Institute
>
>
>
> _______________________________________________
> lpi-examdev mailing list
> [email protected]
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev



-- 
Bryan J Smith  -  http://www.linkedin.com/in/bjsmith
E-mail:  b.j.smith at ieee.org  or  me at bjsmith.me
