[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

On 01/30/2014 09:52 AM, Turbo Fredriksson wrote:
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:

I saw some of this on twitter before, ignored it since none of the parties
involved have any clue what they're talking about.

Personally, I think it's spot on. It IS hard to configure an LDAP server, and
even harder to understand how it works (the object based part). Took me three
months first time, and I'm not an idiot.

And that'd be true of any LDAP server, IMHO, unless you're talking about an LDAP server that makes a ton of assumptions about what schema you want, how it's going to be used, what it should support, etc. In other words, some pre-configured stuff that assumes you know nothing and want no input on how your LDAP server will run or be used.

There's a bit of a learning curve for anyone new to LDAP, just to figure out how LDAP itself works. Big deal. It's like saying DNS is hard because I don't know how DNS works and DNS server software ABC assumes I know how DNS works. :-)

And even worse if when you want to optimize the backend... There's a lot of
magic there....

And with the new config backend!? I haven't even had the time or energy to go
that far yet!

Getting the most out of the DB backend could be tricky and require a bit of reading up on OpenLDAP and on whatever DB backend you chose. That's largely gone away with the new back-end. You should check it out. It makes life FAR easier, IMHO, and is much, much faster than BerkeleyDB.

This'll probably make Howard 'n Quanah cringe, but I've got an LDAP server setup with a bit of custom schema so I can log postfix, sendmail, dhcp, and vpn log data into it, and some PHP scripts to then make it easy-peasy for junior admins to search it (say, to trace how an email got from point A to point B or given a message-ID produce a list of everyone who received it, or given an IP, what DHCP hostname was using it when and if they were VPN'd in, what username authenticated). Yeah, it's frankly an abuse of LDAP in general which is s'posed to be mostly read and few writes/modifies.

But it works... Well... Reliably... Honestly, it all started as an excuse to edjimicate myself on the java and perl APIs for LDAP, but it's proven useful enough that we just kept using it. (shrug) Someday I'll probably use it as an excuse to edjimicate myself on cassandra (allegedly really good at dealing with lots of writes).

But honestly, the only thing that I've found tricky with OpenLDAP (and I won't go so far as to call it "hard") was setting up ACLs. And so what, it's no more tricky than firewall rules can be. 'Just requires attention to details 'n reading the docs. (and maybe some of the list archives here - grin).