http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi...
Anyone been in touch with them?
Gavin Henry wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi...
Any one been in touch with them?
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
Personally, I think it's spot on. It IS hard to configure an LDAP server, and even harder to understand how it works (the object based part). Took me three months first time, and I'm not an idiot.
Even today, I need to consult either my own book or the howto (or seriously skim through the man pages) to set up a new server.
And even worse if when you want to optimize the backend... There's a lot of magic there....
And with the new config backend!? I haven't even had the time or energy to go that far yet!
Turbo Fredriksson wrote:
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
Personally, I think it's spot on. It IS hard to configure an LDAP server, and even harder to understand how it works (the object based part). Took me three months first time, and I'm not an idiot.
The object based part is *LDAP*, so that complaint is not specific to OpenLDAP.
The part about RedHat seems fairly accurate to me, it *is* true that they have their own commercial LDAP server to sell, and they have no great interest in OpenLDAP working well on their platforms.
Even today, I need to consult either my own book or the howto (or seriously skim through the man pages) to setup a new server.
And I still need to read the docs when configuring an Apache HTTP server. That's why we have manpages, there's nothing wrong about that.
And even worse if when you want to optimize the backend... There's a lot of magic there....
The LMDB backend has no tuning/optimization. That's one of the reasons it exists today.
And with the new config backend!? I haven't even had the time or energy to go that far yet!
I think you (and everyone else) are blowing this way out of proportion. Compare the example from here
http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
to the slapd.conf example
http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File%20...
They aren't that different, and anyone familiar with slapd.conf and LDIF files should have no trouble mapping concepts from one to the other.
And if you aren't familiar with slapd.conf *and* LDIF then you don't know enough to be an OpenLDAP administrator in the first place, you need to do more homework. That's just life.
On 01/30/2014 09:52 AM, Turbo Fredriksson wrote:
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
Personally, I think it's spot on. It IS hard to configure an LDAP server, and even harder to understand how it works (the object based part). Took me three months first time, and I'm not an idiot.
And that'd be true of any LDAP server, IMHO, unless you're talking about an LDAP server that makes a ton of assumptions about what schema you want, how it's going to be used, what it should support, etc. In other words, some pre-configured stuff that assumes you know nothing and want no input on how your LDAP server will run or be used.
There's a bit of a learning curve for anyone new to LDAP, just to figure out how LDAP itself works. Big deal. It's like saying DNS is hard because I don't know how DNS works and DNS server software ABC assumes I know how DNS works. :-)
And even worse if when you want to optimize the backend... There's a lot of magic there....
And with the new config backend!? I haven't even had the time or energy to go that far yet!
Getting the most out of the DB backend could be tricky and require a bit of reading up on OpenLDAP and on whatever DB backend you chose. That's largely gone away with the new back-end. You should check it out. It makes life FAR easier, IMHO, and is much, much faster than BerkeleyDB.
This'll probably make Howard 'n Quanah cringe, but I've got an LDAP server set up with a bit of custom schema so I can log postfix, sendmail, dhcp, and vpn log data into it, and some PHP scripts to then make it easy-peasy for junior admins to search it (say, to trace how an email got from point A to point B or given a message-ID produce a list of everyone who received it, or given an IP, what DHCP hostname was using it when and if they were VPN'd in, what username authenticated). Yeah, it's frankly an abuse of LDAP in general which is s'posed to be mostly read and few writes/modifies.
But it works... Well... Reliably... Honestly, it all started as an excuse to edjimicate myself on the java and perl APIs for LDAP, but it's proven useful enough that we just kept using it. (shrug) Someday I'll probably use it as an excuse to edjimicate myself on cassandra (allegedly really good at dealing with lots of writes).
But honestly, the only thing that I've found tricky with OpenLDAP (and I won't go so far as to call it "hard") was setting up ACLs. And so what, it's no more tricky than firewall rules can be. 'Just requires attention to details 'n reading the docs. (and maybe some of the list archives here - grin).
Brent
----- Original Message -----
(snip) (long) (snip)
I am by no means an LDAP expert, but as an experienced Linux sysadmin I do have to say that I have had some very tricky issues with OpenLDAP.
One of them involved fiddling for days with difficulty changing the root password, after finally finding out that the Ubuntu docs were wrong [1]; they had caused me to create two admin users, with the passwords in plain text no less.
The other involved getting 'TLS required' on the TCP connection, which seems to be undocumented. My question on Serverfault about it [2] is getting to be quite popular. Forcing encryption would have been a lot easier if a different port for SSL wasn't deprecated.
[1] https://bugs.launchpad.net/serverguide/+bug/1094842
[2] https://serverfault.com/questions/459718/configure-openldap-with-tls-require...
Wiebe Cazemier wrote:
----- Original Message -----
(snip) (long) (snip)
I am by no means an LDAP expert, but as an experienced Linux sysadmin I do have to say that I have had some very tricky issues with OpenLDAP.
One of them involved fiddling for days with difficulty changing the root password, after finally finding out that the Ubuntu docs were wrong [1]; they had caused me to create two admin users, with the passwords in plain text no less.
The other involved getting 'TLS required' on the TCP connection, which seems to be undocumented.
Nonsense. The security directive is documented in slapd.conf(5) and slapd-config(5) manpages.
My question on Serverfault about it [2] is getting to be quite popular. Forcing encryption would have been a lot easier if a different port for SSL wasn't deprecated.
As usual when you go to unofficial support channels, all you get is garbage from unqualified self-proclaimed experts. The highest ranked answer on your question is flat wrong, and refers to Zytrax documentation, which is poorly plagiarized from outdated copies of the OpenLDAP Admin Guide and mixed with a generous helping of misinformation from their own addled brains.
[1] https://bugs.launchpad.net/serverguide/+bug/1094842
[2] https://serverfault.com/questions/459718/configure-openldap-with-tls-require...
Regardless of what you may think about the tone of postings on this list (which is ludicrous to begin with since emails by their nature are horrible at conveying tone or emotion), actual subject matter experts monitor this list and make sure that correct answers get posted and that BS is censured. That is the purpose of this forum.
If you want to be coddled, feel free to look elsewhere. If you want real answers, this is the place.
----- Original Message -----
From: "Howard Chu" hyc@symas.com
To: "Wiebe Cazemier" wiebe@halfgaar.net, "Brent Bice" bbice@sgi.com
Cc: openldap-technical@openldap.org
Sent: Friday, 31 January, 2014 11:43:53 AM
Subject: Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
actual subject matter experts monitor this list and make sure that correct answers get posted and that BS is censured. That is the purpose of this forum.
If you want to be coddled, feel free to look elsewhere. If you want real answers, this is the place.
I agree that this list is the place to be for real help. However, I did post that question here, to no avail. Eventually, I posted my own answer.
--On Friday, January 31, 2014 12:24 PM +0100 Wiebe Cazemier wiebe@halfgaar.net wrote:
I agree that this list is the place to be for real help. However, I did post that question here, to no avail. Eventually, I posted my own answer.
Hi Wiebe,
Not an excuse, but I did see that your unanswered question was posted on December 24th. In much of the world, most people are offline and not reading email during that time. I for example was on vacation during that time, otherwise I would have pointed you at olcSecurity.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
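Howard's point above that a slapd.conf and its cn=config equivalent map onto each other almost line for line, and the security directive / olcSecurity that Howard and Quanah point Wiebe at for forcing TLS on the TCP listener, as one added example. This is my own illustration and not code from the thread or from the OpenLDAP project: a minimal cn=config LDIF for a single back-mdb database, with the slapd.conf(5) directive each olc* attribute replaces shown as a comment above it. The suffix, rootdn, file paths, certificate locations and the rootpw placeholder are hypothetical, and the schema include path is the RHEL/CentOS one.

```ldif
# Added example, not from the thread or the OpenLDAP project.
# Minimal cn=config for one back-mdb database; every "# slapd.conf:" line
# is the directive that the olc* attribute following it replaces.
# Suffix, rootdn, paths and the rootpw value are hypothetical placeholders.

# slapd.conf:  (global section, everything before the first "database" line)
dn: cn=config
objectClass: olcGlobal
cn: config
# slapd.conf:  pidfile /var/run/slapd.pid
olcPidFile: /var/run/slapd.pid
# slapd.conf:  argsfile /var/run/slapd.args
olcArgsFile: /var/run/slapd.args
# slapd.conf:  loglevel stats
olcLogLevel: stats
# slapd.conf:  TLSCACertificateFile / TLSCertificateFile / TLSCertificateKeyFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.pem
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.com.pem
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.com.key
# slapd.conf:  security ssf=128
# Rejects every operation on a session whose overall strength factor is
# below 128, so a plain ldap:// session on 389 must StartTLS first (the
# StartTLS extended operation itself is exempt from the check). ssf= counts
# TLS, SASL and local (ldapi://) protection; tls=128 would demand TLS
# specifically and lock out ldapi://, which has no TLS layer at all.
olcSecurity: ssf=128
# slapd.conf:  localSSF 128
# ldapi:// sessions are rated SSF 71 by default; rate them 128 so cn=config
# stays manageable over ldapi:// with SASL EXTERNAL under the rule above.
olcLocalSSF: 128

# slapd.conf:  include /etc/openldap/schema/core.schema
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif

# slapd.conf:  database config  (plus the access line below)
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
# slapd.conf:  access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none

# slapd.conf:  database mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
# slapd.conf:  suffix "dc=example,dc=com"
olcSuffix: dc=example,dc=com
# slapd.conf:  rootdn "cn=Manager,dc=example,dc=com"
olcRootDN: cn=Manager,dc=example,dc=com
# slapd.conf:  rootpw {SSHA}...
# Store the output of "slappasswd -h {SSHA}", never a cleartext password;
# the value below is a placeholder, not a real hash.
olcRootPW: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
# slapd.conf:  directory /var/lib/ldap
olcDbDirectory: /var/lib/ldap
# slapd.conf:  maxsize 1073741824
olcDbMaxSize: 1073741824
# slapd.conf:  index objectClass eq
olcDbIndex: objectClass eq
# slapd.conf:  index uid eq
olcDbIndex: uid eq
# slapd.conf:  access to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
# slapd.conf:  access to * by * read
olcAccess: {1}to * by * read
```

Load it into an empty slapd.d with slapadd -n 0 -F /etc/openldap/slapd.d -l slapd.ldif (an existing slapd.conf converts the same way with slaptest -f slapd.conf -F slapd.d) and sanity-check it with slaptest -F /etc/openldap/slapd.d. With ssf=128 in place, an ldapsearch -x -H ldap://ldap.example.com/ without -Z is rejected with "Confidentiality required" (result code 13), while the same search with -ZZ succeeds. ssf= rather than tls= is chosen so that ldapi:// sessions, which carry no TLS layer, still satisfy the rule once olcLocalSSF is raised to 128; with tls=128 you would have to manage cn=config over a TLS-protected TCP listener instead.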
Regardless of what you may think about the tone of postings on this list (which is ludicrous to begin with since emails by their nature are horrible at conveying tone or emotion), actual subject matter experts monitor this list and make sure that correct answers get posted and that BS is censured. That is the purpose of this forum.
If you want to be coddled, feel free to look elsewhere. If you want real answers, this is the place.
Just to drop an alternative viewpoint into this frenzy of openldap bashing ;), we've been using openldap for well over a decade and been extremely happy with it. There've been a few bugs along the way, nothing is perfect, but overall it's been extremely reliable. Obviously the documentation isn't exactly bedtime story reading, but I've always found the admin guide and the man pages clear and accurate, and any time I've needed clarification or assistance I've always found helpful replies on this list.
So, thanks much to all of the openldap developers and experts who have provided an enterprise quality software package and support forum at no cost for us to use.
Sorry, I didn't read the original mailing list...I too wanted to send to the board and not you individually. My apologies.
-----Original Message-----
From: Borresen, John - 0442 - MITLL
Sent: Thursday, January 30, 2014 1:16 PM
To: 'Turbo Fredriksson'; Howard Chu
Subject: RE: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
I have experience with OpenLDAP, 389-Directory-Server, OpenDJ, OpenDS, RedHat's Directory Studio. I am not an LDAP expert by any means (as can be seen by my help posts -- that was supposed to be funny). While I get aggravated by the difficulty in installing OpenLDAP, the minuscule documentation, and the differing, and often conflicting, documents found via a google search I always recommend OpenLDAP over the other products. The OpenLDAP Admin Guide, for a product that has been out for a very long time, as far as a how-to-guide, is lacking a lot and seems incomplete -- many areas are simply blank. The bouncing back and forth between the slapd.conf (old) and the slapd.d (new) methodologies is very aggravating and not helpful (to me).
I understand that there is not just one way to install OpenLDAP...the options are pretty mind-boggling -- and can't all be put in an Admin Guide, the manual as more than a dictionary could be so much more. With this test environment I've been building over that 2 or 3 months, it's been broken down and restarted, from scratch, at least once a month. The original environment (the current production) took me about a year to get up and running.
We use the Apache Directory Studio as a front-end GUI to view the dbase, mostly. Most modifications are via the CLI tools.
Don't get me wrong, even for my "bashing" of OpenLDAP above, it is the first one that I would recommend. I look at the bright side...each time the slate has to be cleaned and restarted the more I learn.
Dave Borresen
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Turbo Fredriksson
Sent: Thursday, January 30, 2014 11:53 AM
To: Howard Chu
Subject: Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
Personally, I think it's spot on. It IS hard to configure an LDAP server, and even harder to understand how it works (the object based part). Took me three months first time, and I'm not an idiot.
Even today, I need to consult either my own book or the howto (or seriously skim through the man pages) to setup a new server.
And even worse if when you want to optimize the backend... There's a lot of magic there....
And with the new config backend!? I haven't even had the time or energy to go that far yet!
--
I love deadlines. I love the whooshing noise they make as they go by.
- Douglas Adams
I'm with John & Turbo, and I guess with the article author. Openldap is hard to configure. It is also, in my limited experience, pretty solid, once you get it working the way you want.
Part of the problem is definitely just grokking LDAP itself. And I haven't ever tried to configure any of the competition, except I guess AD, so I can't compare to the others directly.
I have so far always been able to bend openldap to my will, usually with help from the people on this mailing list. But I've been at this *nix stuff for more than 20 years, and it has never been easy.
Someone compared configuring openldap to configuring apache. Apache is hardly the model of easy-to-configure software. However, the documentation is much better and the examples are much, much more usable.
The openldap Administrator's guide and man pages are incomplete and occasionally incorrect/outdated. For example, yesterday I found bad syntax in the "map" examples at the bottom of the slapo-rwm man page (I do intend to report a bug on that one).
Error messages are pretty bad. For example, an unreadable private key file causes this error in the syslog: "main: TLS init def ctx failed: -1". Of course, this and the associated startup failure is a big improvement, version 2.4.23 failed the initialization silently, and just logged "TLS Negotiation failed" when you tried to connect.
Another example - slaptest gives the following when I test a config file that has the old, bad rwm syntax:
[root@cnsutil0 openldap]# ../../sbin/slaptest -f test
slaptest: config.c:198: config_check_vals: Assertion `c->argc == 2' failed.
Aborted
The administrator's guide talks about stacking overlays, but doesn't mention that gee, sometimes that doesn't work real well (ITS 5941, rwm + translucent = crash). That issue is from 2010, with no apparent solution.
Just so we are clear --- I would not have posted these complaints (at least, not without solutions) if it weren't for this thread. My intent is not to bitch about the quality of the software or the documentation. I am getting much more than I am paying for, and I notably have not raised my hand to rewrite the documentation or fix any bugs in the code. However, to deny these things is to put one's head in the sand.
regards danno
Hi
Basically what Jon and Turbo and Dan have said. I have been on and off this mailing list for nearly 10 years and my first choice for ldap server has always been openldap, but to be honest gone are the days when I want to read code to find out what its doing. Take that to read the unit tests as well.
I have also found the list to be rather abrasive to people whose first job is not ldap who come here to ask questions.
Alex
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Dan Pritts
Sent: Friday, 31 January 2014 9:20 AM
To: Borresen, John - 0442 - MITLL
Cc: Howard Chu; openldap-technical@openldap.org
Subject: Re: FW: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
--
Dan Pritts
ICPSR Computing & Network Services
University of Michigan
OpenLDAP: "Brains not included."
On Jan 30, 2014 3:45 PM, "Borresen, John - 0442 - MITLL" <John.Borresen@ll.mit.edu> wrote:
"A. P. Garcia" a.phillip.garcia@gmail.com wrote on 30.01.2014 at 23:36 in message CAFCBnZv=-EXAQAeiCkSEaDwzBikDywXgoe230TVUEBPViS=8Yg@mail.gmail.com:
Windows: Brains not needed.
We have run openldap for some years, and it runs very well, but it's a fair comment for openldap to include a simple installation script, to get a server installed for the newbie. That would encourage evaluation and adoption.
OpenDJ has one, it asks for base, port, hostname, if ssl is required, etc., and optionally includes a bunch of randomly generated data for testing or proof of concept type applications. If ssl is requested, it just generates a self signed certificate and installs it. Some people have pretty straightforward ldap requirements.
People who do this sort of birds eye or top down review, aren't going to spend more than an hour or two, even if they try, which it seems this one didn't. This article seems to me to be no more than a re-hash of other people's experiences with openldap, and they did not install themselves. But the ideas re-hashed
I can download a copy of OpenDJ, run the setup script and at the end of the install the server is running and configured. It has a dynamic configuration backend, but it has a command line interface for day to day usage. And the config.ldif can be hand edited if you do something unexpected like sexy up the listening port, which stops the server from starting.
I don't mean to make this a sales spiel, but my point is, there should be some notion of newbie-friendliness. Also I know plenty of busy computer operators who look after many different bits of software, and are not interested in the details of the server; they want to start/stop, diagnose problems, and move on to something else. Time is an issue.
I don't think as much of the idea of a configuration TUI/GUI for openldap though, as you'd always be tweaking the interface to match the config backend. But I think an optimal solution of a dynamic config backend is to go in this ease-of-maintenance direction, otherwise you are just sweeping the rats under the rug.
I don't see how the RHEL package issues can be fixed, other than:
#!/bin/sh
echo "This package is too old, download xxxx and run the auto-build-rhel.sh script!"
There is no such script, AFAIK, but it would be nice: install required packages and libraries, warn about library conflicts, etc.
Cheers Brett
On Fri, Jan 31, 2014 at 2:35 AM, Howard Chu hyc@symas.com wrote:
Gavin Henry wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP- configuration-headaches
Any one been in touch with them?
I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about.
--
Howard Chu, CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
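Brett's wish list above (a setup script that asks for base, port, hostname and whether SSL is wanted, and a config.ldif you can still edit by hand) can be sketched for slapd's cn=config backend. The script below is an added example written for this thread; it is not an OpenLDAP or Symas tool and nothing in the project ships it. It assumes back-mdb (olcMdbConfig), the paths /etc/ldap/ssl, /var/lib/ldap and /etc/ldap/slapd.d, and a rootdn of cn=admin under the suffix; the olc* attribute names themselves are the standard cn=config ones. The two things a quick-start script is the right place to get right, and which this one enforces, are that olcRootPW is written as a salted {SSHA} hash (the format slappasswd emits by default) rather than the plaintext, and that the first ACL lets userPassword be used for authentication but never read back, instead of slapd's built-in "to * by * read". The output covers only the global TLS settings and the data database; the schema and olcDatabase={0}config entries still have to come from the distribution's slapd.d, and the listener URL is given to slapd with -h, not stored in cn=config.

```python
#!/usr/bin/env python3
"""Constructed example for this thread: a minimal slapd cn=config bootstrap.

Not an OpenLDAP tool.  The paths, the back-mdb choice and the cn=admin rootdn
are assumptions made for the example; the olc* attribute names are standard.
"""
import base64
import hashlib
import hmac
import os
import sys
from typing import Optional

SSL_DIR = "/etc/ldap/ssl"       # assumed location of the self-signed pair
DB_DIR = "/var/lib/ldap"        # assumed back-mdb data directory
CONF_DIR = "/etc/ldap/slapd.d"  # assumed cn=config directory


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} as slappasswd writes it: base64(SHA1(password || salt) || salt).

    slapd stores olcRootPW verbatim, so the LDIF must carry a hash, never the
    plaintext the operator typed at the prompt.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against an {SSHA} value; used to self-test the hash."""
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def render_config(base_dn: str, hostname: str, port: int,
                  use_ssl: bool, root_pw: str) -> str:
    """Return LDIF for the cn=config globals plus one mdb database.

    The four answers (base, host, port, ssl?) map onto: TLS files plus a
    minimum SSF for password binds when ssl is wanted, suffix and rootdn,
    a hashed rootpw, and an ACL that exposes userPassword only for 'auth'.
    """
    root_dn = f"cn=admin,{base_dn}"
    scheme = "ldaps" if use_ssl else "ldap"
    lines = [
        f'# start with: slapd -h "{scheme}://{hostname}:{port}/ ldapi:///" -F {CONF_DIR}',
        "dn: cn=config",
        "objectClass: olcGlobal",
        "cn: config",
    ]
    if use_ssl:
        lines += [
            f"olcTLSCertificateFile: {SSL_DIR}/{hostname}.crt",
            f"olcTLSCertificateKeyFile: {SSL_DIR}/{hostname}.key",
            # refuse simple (password) binds on connections below SSF 128, so
            # the rootpw can never cross a plain ldap:// listener in clear;
            # admin access over ldapi:/// should use SASL EXTERNAL, unaffected
            "olcSecurity: simple_bind=128",
        ]
    lines += [
        "",
        "dn: olcDatabase={1}mdb,cn=config",
        "objectClass: olcDatabaseConfig",
        "objectClass: olcMdbConfig",
        "olcDatabase: {1}mdb",
        f"olcSuffix: {base_dn}",
        f"olcRootDN: {root_dn}",
        f"olcRootPW: {ssha_hash(root_pw)}",
        f"olcDbDirectory: {DB_DIR}",
        "olcDbMaxSize: 1073741824",
        "olcDbIndex: objectClass eq",
        # userPassword: owner may change it, anyone may authenticate against
        # it, nobody may read it back (slapd's built-in default is 'by * read')
        "olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none",
        "olcAccess: {1}to * by self write by users read by * none",
        "",
    ]
    return "\n".join(lines)


def main(argv: list) -> int:
    if len(argv) != 6:
        print(f"usage: {argv[0]} BASE_DN HOSTNAME PORT ssl|nossl ROOT_PASSWORD",
              file=sys.stderr)
        return 2
    base_dn, hostname, port, ssl_flag, root_pw = argv[1:]
    sys.stdout.write(render_config(base_dn, hostname, int(port),
                                   ssl_flag == "ssl", root_pw))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

For the ssl case the certificate pair the LDIF points at can be made with openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ldap.example.com" -keyout ldap.example.com.key -out ldap.example.com.crt, which is all the OpenDJ installer does for you. After merging the output with the schema and config-database entries, slaptest -F /etc/ldap/slapd.d is the check that catches the "edited the port and now it won't start" class of mistake before slapd is restarted.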
This is ridiculous! OpenLDAP is much more user-friendly than other alternatives, mainly when compared against proprietary alternatives. I have experience with Oracle Internet Directory and CA Directory and I can say for sure, OpenLDAP is much better in every single aspect.
Thanks,
Matheus Morais.
On Thu, Jan 30, 2014 at 2:07 PM, Gavin Henry ghenry@suretec.co.uk wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi...
Any one been in touch with them?
-- Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry@suretec.co.uk
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk
OpenPGP (GPG/PGP) Public Key: 0x8CFBA8E6 - Import from hkp://subkeys.pgp.net or http://www.suretecgroup.com/0x8CFBA8E6.gpg
On Thu, Jan 30, 2014 at 11:07 AM, Gavin Henry ghenry@suretec.co.uk wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi...
Any one been in touch with them?
The article seems to imply the so-called pros, experts, and gurus can only handle clickety-click interfaces; anything that requires editing text files makes them suffer. And the other quotes the writer used to back up his claim state that it is better than ApacheDS, it is too hard (from a "web enthusiast" who is using a Mac, which has a decent interface to run Apple's implementation of ldap/kerberos).
On Thu, 30 Jan 2014 16:07:08 +0000 Gavin Henry ghenry@suretec.co.uk wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi... uration-headaches
Yet another example of why you should not waste your time reading the blogosphere or "following" these morons on twitter.
Ciao, Michael.
It's sadly a bit true.
I like OpenLDAP a lot.... but if you don't need the *fastest* LDAP server, something like OpenDJ from ForgeRock is a lot easier to configure.
But it is a problem with LDAP in general. If you only use it for authentication/authorization, it's complex to get everything 100% right. (On the other side, it's very flexible.) That's the reason why Red Hat created its FreeIPA product, isn't it? (And a lot of sysadmins create users using configuration management tools.) Some other (big) companies only have central SSH hosts and from those hosts use root.
AD is an exception with LDAP complexity well hidden away. But if you see the results .... there is a lot to say about the directory designs I have seen ;-)
On Thu, Jan 30, 2014 at 5:07 PM, Gavin Henry ghenry@suretec.co.uk wrote:
http://searchdatacenter.techtarget.com/feature/IT-pros-suffer-OpenLDAP-confi...
Any one been in touch with them?
2014-02-03 Pieter Baele pieter.baele@gmail.com:
It's sadly a bit true.
I like OpenLDAP a lot.... but if you don't need the *fastest* LDAP server, something like OpenDJ from ForgeRock is a lot easier to configure.
I tried to use aliases (as defined in RFC 4512, section 2.6) with OpenDJ, but they are not implemented. So if anyone would like to switch, you should take care. I can confirm that the configuration seems at first a little easier with OpenDJ and ACLs work well, but that's not the only thing to base a choice on ;-)
Kind regards
Meike