Re: [lpi-examdev] Fwd: [lpi-discuss] OpenLDAP server coverage in LPIC2-v4
On Mon, Feb 9, 2015 at 4:05 AM, Éric Deschamps erd...@free.fr wrote:

> The summary of major changes describes it as:

Hi Eric,

As Reinier mentioned, it is a lot to cover for a weighting of 4. However, if you include 210.3 LDAP client usage, you're up to 6 weights which makes it 10% of the exam.

That said and don't hold me to this, but

> - LDIF format and changetype: do my attendees need to know every changetype as it was in 301.1?

There's only 4 of them right? Covering CRUD operations and moddn. This doesn't seem too onerous yet. :)

> - loglevel: do my attendees need to know that loglevel 256 means stats, or do they just need to know the keyword and that you can add the values?

I think that you're safe covering it as a keyword and that the values can be ORed together. If I was writing courseware, I'd point out some of the more useful values, too.

> - slapd.conf and/or cn=config? Transition from slapd.conf to cn=config? slaptest command?

Yes. Yes. And, it wouldn't hurt. slaptest isn't explicitly mentioned in the objectives but knowledge of it is useful.

> - which version of OpenLDAP? The ones on CentOS/RedHat6 and Debian 7?

I think that's fine.

> - whitepages: schemas needed or more?

I think that's fine, too.

> - Directories: LDAP concepts, history with X.500, ports, different models, URL formats, types of DIT, major attributes?

You should be safe with sticking with the Key Knowledge Areas that are mentioned in the objectives.

> - ACL with slapacl? (in this case, we should add it to the list of utilities).

Up to you. I don't think that it's mentioned in the exam content and we are trying to keep the overall coverage as light as possible.

HTH,
--matt

--
G. Matthew Rice m...@starnix.com
gpg id: EF9AAD20
___
lpi-examdev mailing list
lpi-examdev@lpi.org
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
Re: [lpi-examdev] Fwd: [lpi-discuss] OpenLDAP server coverage in LPIC2-v4
Ok, it seems clearer. I'll try to manage with that, many thanks for your answers, Reinier, Bryan and Matt!

Kind Regards,
Éric

On 10/02/2015 16:30, G. Matthew Rice wrote:

> On Mon, Feb 9, 2015 at 4:05 AM, Éric Deschamps erd...@free.fr wrote:
>
> > The summary of major changes describes it as:
>
> Hi Eric,
>
> As Reinier mentioned, it is a lot to cover for a weighting of 4. However, if you include 210.3 LDAP client usage, you're up to 6 weights which makes it 10% of the exam.
>
> That said and don't hold me to this, but
>
> > - LDIF format and changetype: do my attendees need to know every changetype as it was in 301.1?
>
> There's only 4 of them right? Covering CRUD operations and moddn. This doesn't seem too onerous yet. :)
>
> > - loglevel: do my attendees need to know that loglevel 256 means stats, or do they just need to know the keyword and that you can add the values?
>
> I think that you're safe covering it as a keyword and that the values can be ORed together. If I was writing courseware, I'd point out some of the more useful values, too.
>
> > - slapd.conf and/or cn=config? Transition from slapd.conf to cn=config? slaptest command?
>
> Yes. Yes. And, it wouldn't hurt. slaptest isn't explicitly mentioned in the objectives but knowledge of it is useful.
>
> > - which version of OpenLDAP? The ones on CentOS/RedHat6 and Debian 7?
>
> I think that's fine.
>
> > - whitepages: schemas needed or more?
>
> I think that's fine, too.
>
> > - Directories: LDAP concepts, history with X.500, ports, different models, URL formats, types of DIT, major attributes?
>
> You should be safe with sticking with the Key Knowledge Areas that are mentioned in the objectives.
>
> > - ACL with slapacl? (in this case, we should add it to the list of utilities).
>
> Up to you. I don't think that it's mentioned in the exam content and we are trying to keep the overall coverage as light as possible.
>
> HTH,
> --matt
Re: [lpi-examdev] Fwd: [lpi-discuss] OpenLDAP server coverage in LPIC2-v4
> - which version of OpenLDAP? The ones on CentOS/RedHat6 and Debian 7?

Okay, I've remained silent on this over the years. But since we're now looking to put LDAP fundamentals into LPIC-2 (which is an admirable effort I agree with), and people are already talking Red Hat Enterprise Linux, let me point out a few details.

1) Red Hat does _not_ support OpenLDAP _Server_ under Enterprise Linux
2) 389 Server (Red Hat Directory Server entitlement**) lineage continues to be extremely popular
3) 389 Server is also the basis for the increasingly popular, and Red Hat supported, IPA (IdM)

So ... and keep in mind my scope is LPIC-2 -- _not_ LPIC-3 -- might I suggest (this is the portion that is 100% my opinion) ...

A) LDAP fundamentals into the OpenLDAP Library/Client sections (which all distros use)
B) Limit Server in LPIC-2 (again, different for LPIC-3) to where 389 and OpenLDAP match
C) Look hard at covering popular IPA (IdM) aspects -- e.g., SSSD and Windows AD Forest Trusts

After the obvious aspect that LDAP fundamentals should be covered in the OpenLDAP Library/Client sections, as all distros use them ...

I want to begin by re-emphasizing ... Red Hat does _not_ support OpenLDAP Server. It ships it. It updates it. But that's largely for the OpenLDAP Client/Libraries, _not_ the Server. So if you call Red Hat with an OpenLDAP Server support ticket, you're going to be redirected towards purchasing a Red Hat Directory Server (389 Server) entitlement.**

Why? One part is the sheer lineage from iPlanet and enterprise usage, including multi-master replication that has been around a long time. Red Hat looked at OpenLDAP a dozen years ago, and decided to just purchase iPlanet Directory and Certificate from AOL-Netscape instead, and open source it. The other part is the sheer support costs.**

Secondly, since this is LPIC-2 -- I'm not talking LPIC-3 (which can be OpenLDAP Server deep) -- I would really focus on where 389 Server and OpenLDAP match. This includes the basic IETF 2307 POSIX schema and other concepts that are crucial, basic concepts for admins, even AD admins (e.g., even AD admins should know what IdM for UNIX is for in AD). The more we proliferate this commonality at LPIC-2, the better off we are as a Linux adminbase.

Lastly, SSSD is mentioned in LPIC-2 v3. Now it's time to expand on it. I haven't met a single distro userbase in any enterprise that didn't love SSSD once they took the time to learn it, and never wanted to deal with any legacy *_ldap or *_krb modules again. Slowly but surely more and more distros are building it correctly, along with the IPA Client (Red Hat Enterprise IdM**), even if the IPA Server is difficult to build on anything but a Fedora-lineage (although not due to lack of Upstream desire).

We're also at the point that the features in SSSD, like multi-domain support, along with how IPA's Windows AD Forests Trusts work, and how it will solve real issues for real, multi-domain AD Enterprises with the (external) Trust model -- including to Samba Servers in an IPA domain for access by external AD principals (instead of being inside an AD Forest that is only designed for Windows) -- that it's probably not a bad detail to look at in LPIC-2.

IPA (IdM) is the reason why Red Hat's RH423 (Directory Server) class long became its least taken class, and RH413 (Server Hardening) finally replaced it, along with retiring the first, post-RHCE class ever created, RHS333 (Systems Security).

**There's also a reason why Red Hat _includes_ IPA (IdM) support with RHEL, while 389 Server (RHDS) is a separate, low 5-figures (list price) entitlement (with unlimited records though -- so a lot cheaper than CAL solutions), even though IPA encompasses more than 389. I.e., it costs a lot of money to provide users support on general LDAP/Kerberos/Certificate knowledge, including flexible schema, while IPA (IdM) is a canned solution that doesn't require sysadmins to understand LDAP, Kerberos, DNS, Certificate, etc... internals (also the reason why RHS333 was nix'd with RH423). If that sounds like AD for POSIX, it is.**

-- bjs

**P.S. Keep in mind that Windows systems don't do POSIX attributes, and Linux systems don't do Windows attributes (they can enumerate/translate a few -- don't confuse otherwise), and to centrally manage such, they must be different attributes. Which is why the external AD Trust model is leveraged, because even Windows admins don't all always agree on what Windows attributes should be used either. Part of the problem with trying to use Linux systems inside of an AD domain, let alone a full AD Forest. Better to emulate an external one that has very fixed, negotiated communication, where schema and object enumeration is separate and maintained externally. ;)

--
Bryan J Smith - http://www.linkedin.com/in/bjsmith
Re: [lpi-examdev] Fwd: [lpi-discuss] OpenLDAP server coverage in LPIC2-v4
Bonjour Éric,

Yes this is really too much of a topic for LPIC-2. As a matter of fact we have a three day course that just scratches the surface of these 4 bullet points...

I just let attendees use the PADL tools to load the passwd file into OpenLDAP with a carefully designed lab. They must read the intermediate output of the PADL tools and correct a few duplicate entries in the services LDIF file. I hope this is enough to pass the exam. It most certainly does not cover every aspect of this weight 4 topic. (lab still uses old OpenLDAP config file! to simplify matters as much as possible)

As usual with LPI there are low weight topics that require an enormous amount of preparation. What can we do about it.

Kind Regards,
Reinier Kleipool
Open Source Academy

On 09-02-15 10:05, Éric Deschamps wrote:

> Hello,
>
> Tried without luck lpi-discuss, anyone to help me on LPI-examdev?
>
> Regards,
> Éric
>
> Forwarded message
> Subject: [lpi-discuss] OpenLDAP server coverage in LPIC2-v4
> Date: Tue, 03 Feb 2015 11:54:59 +0100
> From: Éric Deschamps erd...@free.fr
> Reply-To: erd...@free.fr, General discussion relating to LPI. lpi-disc...@lpi.org
> To: General discussion relating to LPI. lpi-disc...@lpi.org
>
> Hello,
>
> Trying to update my LPIC-2 courses, I feel pretty frustrated with the 210.4 - OpenLDAP Server Configuration topic.
>
> The summary of major changes describes it as:
>
> 210.4 Configuring an OpenLDAP server (weight: 4)
> A combination of Topic 301: Concepts, Architecture and Design, 303.2 Access Control Lists in LDAP, 303.6 OpenLDAP Daemon Configuration, and 304.3 Whitepages.
> http://wiki.lpi.org/wiki/LPIC2AndLPIC3SummaryVersion3To4#202_Change_Summary
>
> This can be a huge work, either on course prep and on training, and as you know, we might not have the time to cover every part, depending on attendee skills.
>
> So, to be clear, how much knowledge is asked for:
>
> - LDIF format and changetype: do my attendees need to know every changetype as it was in 301.1?
> - loglevel: do my attendees need to know that loglevel 256 means stats, or do they just need to know the keyword and that you can add the values?
> - slapd.conf and/or cn=config? Transition from slapd.conf to cn=config? slaptest command?
> - which version of OpenLDAP? The ones on CentOS/RedHat6 and Debian 7?
> - whitepages: schemas needed or more?
> - Directories: LDAP concepts, history with X.500, ports, different models, URL formats, types of DIT, major attributes?
> - ACL with slapacl? (in this case, we should add it to the list of utilities).
>
> How are other trainers dealing with this topic?
>
> Regards,
> Éric
> ___
> lpi-discuss mailing list
> lpi-disc...@lpi.org
> http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-discuss