
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

Turbo Fredriksson wrote:
[Sorry Howard for sending it to you personally. It was meant for the list.
  I sent a copy to the list as well. I hope you don't mind if I send this reply
  to the list. I've included every word, so not to take something out of

No problem, after I saw your reply on the list I figured out that was your original intent.

And even worse when you want to optimize the backend... There's a lot of
magic there....

The LMDB backend has no tuning/optimization. That's one of the reasons it exists today.

Yeah, but isn't it quite slow with lmdb? I haven't tested that in years, so
I don't know. One wouldn't run it in production though?

You are (unfortunately) confusing the very new back-mdb with the very old, long obsolete, years-ago-deleted, back-ldbm. OpenLDAP back-mdb is quite simply the fastest LDAP engine in the world, by a huge margin over all other directory software in existence.

And with the new config backend!? I haven't even had the time or energy to go
that far yet!

I think you (and everyone else) are blowing this way out of proportion. Compare the example from here

I know how it works and I don't really have that much problem with it, it's just
so much more difficult to set up (initially) and then maintain than a simple
text file.

It's way better, but it IS also more complicated (than just fire up an editor,
modify the part you want and then issue a service restart - can't be much
simpler than that)...

I don't even fire up an editor, I just issue an ldapmodify - no service restart needed either, no interruption of service to clients. There's nothing smoother and more transparent than that.

And if you aren't familiar with slapd.conf *and* LDIF then you don't know enough to be an LDAP administrator in the first place, you need to do more homework. That's just life.

I couldn't agree more! I've taken over more than my fair share of badly setup
and maintained OpenLDAP servers to get really pissed at all the ones not having
a clue what they're doing.

It's not just making a config file/backend to allow the server to start, it's
more about planning how the database should look (where to put what and
what object classes to use and allow), setting up access control etc, etc. The
actual planning of the database (the content) is the most important part, and
it requires quite a lot of reading and testing before it's understood properly
enough to be used to any extent.

But then there's the integration to the rest of the system (pam login and what
not), Kerberos, SASL, etc, etc...

My point wasn't to argue about the validity of how the OpenLDAP server and its
config file/backend work etc. I fully agree and have no problems with it.

My point was that the website isn't WRONG - it IS hard! Maybe it SHOULD be hard?
The whole concept of an LDAP server is a difficult subject, and shouldn't be
taken lightly.

Perhaps. Vendors like RedHat make it worse than necessary though, forcing the use of Mozilla NSS which is still not ready for primetime, despite having existed for 20+ years. People made enough mistakes configuring TLS support when all you needed was to drop a few PEM files into place. With RedHat requiring the use of MozNSS they make the setup even more opaque and crash-prone. That's not OpenLDAP's fault, that's all RedHat.

Unfortunately, it seems that way to many beginners who have been installing
a distribution at home and are starting to work as Linux techs/admins, thinking
that just because they've run it on their workstation at home for a couple of
months makes them good enough to work in a professional environment.

I see that in a lot of the OpenSource projects I'm part of. Complete noobs want
to use something complicated that requires quite a lot of homework. And then
comes the complaining when things go south! Or even worse, they bad-mouth the
project or the technology!

(Open)LDAP is one of those many things that requires a lot more from the admin
than, say ... installing a mail server locally...

On Debian GNU/Linux that's practically automatic. Just answer a couple of
questions, and it works...

It's sad that the website in question (and, from what one could take from this,
people 'out there') actually think that this should be easy. But it's not
(technically) wrong...

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
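
Two of the points above, that a cn=config change is just an ldapmodify with no restart, and that TLS on OpenLDAP is a matter of dropping a few PEM files into place, combine into the following. This is an added example, not code from the thread or from the OpenLDAP project: it builds the LDIF that points cn=config at a CA, a server certificate and its key, refuses to push it if the key is readable by group or other, and applies it over the local ldapi:/// socket as root with SASL EXTERNAL (which the stock olcAccess on cn=config grants manage rights). The paths under /etc/ldap/ssl are assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenLDAP project): set the TLS
# files on a running slapd through cn=config with ldapmodify, no restart.
# Assumed paths: /etc/ldap/ssl/{ca.pem,server.pem,server.key}.

# Emit the LDIF that sets the three TLS file attributes on cn=config.
# All three are sent in ONE modify operation (the "-" separators): slapd
# validates the certificate/key pair when it applies the modify, so sending
# the attributes one at a time can fail before the pair is complete.
tls_ldif() {
    ca="$1"; cert="$2"; key="$3"
    cat <<EOF
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: $ca
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: $cert
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: $key
EOF
}

# The private key should be readable by the slapd user only; a group- or
# world-readable key file is the usual mistake. Returns 0 when the group
# and other permission bits are all clear, 1 otherwise or if not a file.
key_perms_ok() {
    [ -f "$1" ] || return 1
    # columns 5-10 of "ls -l" are the group and other permission bits
    rest=$(ls -ld "$1" | cut -c5-10)
    case "$rest" in
        *[rwx]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Apply the change live. Root over ldapi:/// with SASL EXTERNAL is mapped to
# manage rights on cn=config by the default olcAccess; clients already
# connected are not interrupted, new connections use the new certificate.
apply_tls() {
    key_perms_ok "$3" || { echo "refusing: $3 is readable by group/other" >&2; return 1; }
    tls_ldif "$1" "$2" "$3" | ldapmodify -Y EXTERNAL -H ldapi:/// -Q
}

# Usage (on the LDAP server, as root):
#   apply_tls /etc/ldap/ssl/ca.pem /etc/ldap/ssl/server.pem /etc/ldap/ssl/server.key
```

The same three attributes are what `TLSCACertificateFile`, `TLSCertificateFile` and `TLSCertificateKeyFile` set in a slapd.conf; the difference is only that the change above takes effect without a restart. The permission check is the caveat worth keeping: slapd will happily load a world-readable key, and nothing in the LDIF itself protects it.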