
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

[Sorry Howard for sending it to you personally. It was meant for the list.
 I sent a copy to the list as well. I hope you don't mind if I send this reply
 to the list. I've included every word, so as not to take something out of

On Jan 30, 2014, at 6:17 PM, Howard Chu wrote:

>> Personally, I think it's spot on. It IS hard to configure an LDAP server, and
>> even harder to understand how it works (the object based part). Took me three
>> months the first time, and I'm not an idiot.
> The object based part is *LDAP*, so that complaint is not specific to OpenLDAP.


But setting up something like Active Directory is something my aunt can/could
do. It probably won't scale to thousands (or maybe not even hundreds :) of
users, but it can be done with reasonable ease.

> The part about RedHat seems fairly accurate to me, it *is* true that they have their own commercial LDAP server to sell, and they have no great interest in OpenLDAP working well on their platforms.
>> Even today, I need to consult either my own book or the howto (or seriously
>> skim through the man pages) to setup a new server.
> And I still need to read the docs when configuring an Apache HTTP server. That's why we have manpages, there's nothing wrong about that.

Same here. Not my point (see the part at the bottom)...

>> And even worse when you want to optimize the backend... There's a lot of
>> magic there....
> The LMDB backend has no tuning/optimization. That's one of the reasons it exists today.

Yeah, but isn't it quite slow with lmdb? I haven't tested that in years, so
I don't know. One wouldn't run it in production though?

>> And with the new config backend!? I haven't even had the time or energy to go
>> that far yet!
> I think you (and everyone else) are blowing this way out of proportion. Compare the example from here

I know how it works and I don't really have that much of a problem with it, it's
just so much more difficult to set up (initially) and then maintain than a simple
text file.

It's way better, but it IS also more complicated (than just firing up an editor,
modifying the part you want and then issuing a service restart - can't be much
simpler than that)...

> http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
> to the slapd.conf example
> http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File%20Example
> They aren't that different, and anyone familiar with slapd.conf and LDIF files should have no trouble mapping concepts from one to the other.
> And if you aren't familiar with slapd.conf *and* LDIF then you don't know enough to be an LDAP administrator in the first place, you need to do more homework. That's just life.

I couldn't agree more! I've taken over more than my fair share of badly set up
and maintained OpenLDAP servers, enough to get really pissed at all the ones
not having a clue what they're doing.

It's not just making a config file/backend to allow the server to start, it's
more planning how the database should look (where to put what and
what object classes to use and allow), setting up access control etc, etc. The
actual planning of the database (the content) is the most important part, and
it requires quite a lot of reading and testing before it's understood properly
enough to be used to any extent.

But then there's the integration to the rest of the system (pam login and what
not), Kerberos, SASL, etc, etc...

My point wasn't to argue about the validity of how the OpenLDAP server and its
config file/backend work etc. I fully agree and have no problems with it.

My point was that the website isn't WRONG - it IS hard! Maybe it SHOULD be hard?
The whole concept of an LDAP server is a difficult subject, and shouldn't be
taken lightly.

Unfortunately, it seems that way too many beginners who have installed
a distribution at home are starting to work as Linux techs/admins, thinking that
just because they've run it on their workstation at home for a couple of months,
that makes them good enough to work in a professional environment.

I see that in a lot of the open source projects I'm part of. Complete noobs want
to use something complicated that requires quite a lot of homework. And then
comes the complaining when things go south! Or even worse, they badmouth the
project or the technology!

(Open)LDAP is one of those many things that requires a lot more from the admin
than say ... installing a mail server locally...

On Debian GNU/Linux that's practically automatic. Just answer a couple of
questions, and it works...

It's sad that the website in question (and, from what one could take from this,
people 'out there') actually think that this should be easy. But it's not
(technically) wrong...

There are no dumb questions,
unless a customer is asking them.
- Unknown
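The thread above contrasts editing slapd.conf with maintaining the cn=config backend, and mentions access control as one of the things an admin has to plan. The following is an added illustration, not part of the original message or of the OpenLDAP documentation: the same userPassword ACL written once as a slapd.conf directive and once as the LDIF you would feed to ldapmodify to set it on a cn=config server. It assumes the database is the first one after the config/frontend entries (olcDatabase={1}mdb); on an older hdb install the RDN would read {1}hdb, and the ldapi:/// path and the EXTERNAL SASL identity of root are the Debian defaults.

```ldif
# --- slapd.conf form (added example, not from the original post) ---
# Continuation lines start with whitespace. Order of "by" clauses matters:
# the first clause whose "who" matches wins, so "by * none" must come last.
#
# access to attrs=userPassword
#         by self write
#         by anonymous auth
#         by * none
# access to *
#         by self write
#         by * read
#
# After editing: check with "slaptest -f slapd.conf", then restart slapd.

# --- cn=config form: same ACL as an LDIF modify operation ---
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Takes effect immediately, no restart. The {N} prefix fixes the evaluation
# order exactly as line order does in slapd.conf. "replace" overwrites every
# existing olcAccess value on this database, so list the full ACL set here.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by * read
```

The check a practitioner wants before trusting either form is the same: bind as an ordinary user and confirm that a search for userPassword on another entry returns nothing, and that an anonymous bind still authenticates (the "by anonymous auth" clause) without being able to read the hash. The olcDatabase index is the one thing that differs between installs; read it back with a search against cn=config before writing the modify, rather than assuming {1}.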