Re: [Evolution] LDAP Frustration



Quoting Pete Biggs <pete biggs org uk>:
>> I'm trying to set up Evolution (v3.18.5.2, as installed by Ubuntu
>> 16.04)  to pull GAL information from our Active Directory, but it is
>> unbelievably frustrating.
> I presume it's because the OP is trying to get information from Active
> Directory and not from an Exchange server - they are different things.
> TBH my experience of using AD as if it's a native LDAP server has never
> been very fruitful. It always seems as if MS has tweaked it to make it
> incompatible with "standard" LDAP.  But it is a few years since I tried
> it.

I have done a lot with AD via LDAP. Their LDAP is pretty good - but it is a very complete LDAP configuration with detailed access control provisions, including SSF ... very unlike most Open Source LDAP installs which generally play fast-n-loose with security [likely because setting things up well in OpenLDAP is crazy tedious - and the documentation is awful]. One of AD's real advantages is that it says this-is-how-it-works-deal-with-it.

Aside: SSF is Security Strength Factor, so what you can do on a connection depends NOT ONLY on who you are authenticated as but HOW you authenticated and HOW your connection is protected [signed, sealed, TLS, etc...].

If you can't start out using the ldapsearch CLI to see what works and what doesn't, you are going to have a hard time. Determining that via any kind of client is going to be a hair-pulling experience.

At least make sure you have Kerberos authentication working.

However, at the end of the day LDAP makes a ***TERRIBLE*** address book solution. Terrible, just terrible. I spent countless hours trying to create a happy LDAP solution, documenting differences in schema, clients, etc... It looks great on paper, but nobody followed the rules [*1], so in practice it isn't good for anything other than a basic read-only data source.

[*1] And least of all the Open Source community. LDAP support in most Open Source projects is an i-did-not-bother-to-read-the-docs hacked-in train wreck. In defense, to really do LDAP support well a project needs to implement a myriad of configuration parameters and preferences ... which most people are going to ignore anyway - then proceed to post on the interwebz about how it doesn't work. :(

LDAP is not simple.  It, like XML, is an open-ended standard.

If you can use Exchange or a WebDAV (CalDAV/CardDAV) solution you will be much better off with that.
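
An added example, not part of the original message: one way to follow the advice above about testing with ldapsearch and Kerberos first, and to see which SSF the connection actually negotiated. It assumes OpenLDAP's ldapsearch and MIT Kerberos's klist; the host name, base DN and function names are hypothetical.

```shell
#!/bin/sh
# Added example. Host, base DN and function names are assumptions.
# Usage after sourcing, with a ticket obtained via `kinit user@EXAMPLE.COM`:
#   ad_probe ldap://dc1.example.com dc=example,dc=com 128

# Constructed sample of the SASL diagnostics ldapsearch writes to stderr.
SAMPLE_STDERR='SASL/GSSAPI authentication started
SASL username: alice@EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.'

# Read ldapsearch diagnostics on stdin and print the negotiated SSF.
# Prints 0 when no "SASL SSF:" line is present (bind failed or no SASL layer).
sasl_ssf() {
    awk '/^SASL SSF:/ { ssf = $3 } END { print ssf + 0 }'
}

# Query the directory for a few mail-enabled person entries over GSSAPI,
# refusing any connection weaker than the requested minimum SSF.
ad_probe() {
    uri=$1
    base=$2
    min=${3:-128}

    # klist -s exits non-zero when there is no valid ticket cache.
    klist -s || { echo "no valid Kerberos ticket; run kinit first" >&2; return 2; }

    err=$(mktemp) || return 1
    # -Y GSSAPI: Kerberos bind; -O minssf: required protection level;
    # -z 5: cap the result count while testing; -LLL: plain LDIF output.
    ldapsearch -LLL -Y GSSAPI -O "minssf=$min" -H "$uri" -b "$base" -z 5 \
        '(&(objectCategory=person)(objectClass=user)(mail=*))' \
        cn mail telephoneNumber 2>"$err"
    rc=$?

    echo "ldapsearch exit=$rc, negotiated SSF=$(sasl_ssf <"$err")" >&2
    cat "$err" >&2
    rm -f "$err"
    return $rc
}
```

If the search works here but not in the mail client, the difference is in how the client binds or protects the connection, not in the directory data.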



