On 01/30/2014 09:52 AM, Turbo Fredriksson wrote:
> On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
>> I saw some of this on twitter before, ignored it since none of the parties
>> involved have any clue what they're talking about.
> Personally, I think it's spot on. It IS hard to configure an LDAP server, and
> even harder to understand how it works (the object based part). Took me three
> months first time, and I'm not an idiot.
And that'd be true of any LDAP server, IMHO, unless you're talking
about an LDAP server that makes a ton of assumptions about what schema
you want, how it's going to be used, what it should support, etc. In
other words, some pre-configured stuff that assumes you know nothing and
want no input on how your LDAP server will run or be used.
There's a bit of a learning curve for anyone new to LDAP, just to
figure out how LDAP itself works. Big deal. It's like saying DNS is hard
because I don't know how DNS works and DNS server software ABC assumes I
know how DNS works. :-)
> And even worse when you want to optimize the backend... There's a lot of
> magic there....
> And with the new config backend!? I haven't even had the time or energy to go
> that far yet!
Getting the most out of the DB backend could be tricky and require a
bit of reading up on OpenLDAP and on whatever DB backend you chose.
That's largely gone away with the new back-end. You should check it
out. It makes life FAR easier, IMHO, and is much, much faster than
BerkeleyDB.
This'll probably make Howard 'n Quanah cringe, but I've got an LDAP
server setup with a bit of custom schema so I can log postfix, sendmail,
dhcp, and vpn log data into it, and some PHP scripts to then make it
easy-peasy for junior admins to search it (say, to trace how an email
got from point A to point B or given a message-ID produce a list of
everyone who received it, or given an IP, what DHCP hostname was using
it when and if they were VPN'd in, what username authenticated). Yeah,
it's frankly an abuse of LDAP in general which is s'posed to be mostly
read and few writes/modifies.
But it works... Well... Reliably... Honestly, it all started as an
excuse to edjimicate myself on the java and perl APIs for LDAP, but it's
proven useful enough that we just kept using it. (shrug) Someday I'll
probably use it as an excuse to edjimicate myself on cassandra
(allegedly really good at dealing with lots of writes).
But honestly, the only thing that I've found tricky with OpenLDAP
(and I won't go so far as to call it "hard") was setting up ACLs. And so
what, it's no more tricky than firewall rules can be. 'Just requires
attention to details 'n reading the docs. (and maybe some of the list
archives here - grin).
Brent
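To make the firewall-rule comparison concrete, here is an added olcAccess example (not from this thread or from Brent's setup; the DNs and group names are assumptions) for a log subtree like the one described above. As with firewall rules, the ordered clauses are tried top to bottom and the first "to" clause that matches decides, so the password rule goes first and every clause closes with an explicit deny.

```ldif
# Added example, not from the thread. Assumed (hypothetical) names:
# dc=example,dc=com, ou=logs, and the groups cn=logwriters / cn=junioradmins.
# olcAccess values are evaluated in {n} order; the first "to" clause matching
# the entry/attribute wins, and each clause ends in "by * none" so nothing
# falls through to a later, more permissive rule by accident.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: the owner may change them, anonymous may only bind against them.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Log records: the collector account writes, junior admins read, all else denied.
olcAccess: {1}to dn.subtree="ou=logs,dc=example,dc=com"
  by group.exact="cn=logwriters,ou=groups,dc=example,dc=com" write
  by group.exact="cn=junioradmins,ou=groups,dc=example,dc=com" read
  by * none
# Everything else: authenticated users may read, owners may edit their own entry.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

Before loading such a change, slapacl (with -D for the bind DN, -b for the entry DN and an attr/level argument) lets you check offline which access a given identity would actually get, which is the quickest way to catch an ordering mistake.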