After spending hours wrapping my head around OpenLDAP and creating a single instance of it, getting 5 test servers to authenticate against it, and seeing it work I had to stop and think to myself, “Why the hell is this so hard?”

LDAP, or Lightweight Directory Access Protocol, is a way to store and access data. It’s usually used for storing contact information and passwords so that you can have a single source of this information for the many services a network provides. That makes updating passwords much easier.

OpenLDAP is essentially just a database: a hierarchical key/value store with search and indexing capabilities. It seems to be engineered to be difficult on purpose, but it always comes up first in Google searches, so I assume it’s the leader in its field.

If that’s what I need to do to figure out LDAP, fine, I’ll do it, and honestly, after a bit, it did get easier once I saw how the server was architected. Then I tried to slave another backup LDAP server to it.

Bad move. I mean... I assume it’s possible, and there are probably lots of smart people who can set it up in seconds, or minutes, or something faster than the hours I spent before I gave up trying to get it to work.

Typically, in the Linux world, the documentation isn’t super great. It makes perfect sense to the person who’s already familiar with the system, but is a little worse for learners. And I have to admit, I didn’t hop on my neighborhood IRC channel or mailing list to ask for help.

After poking around a while I found OpenDJ, a Java-based LDAP server. Keep in mind that I’m not a fan of Java’s typical memory-hogging, meager performance, but I was a little desperate to find something to vindicate my strategy of using LDAP in the first place.

Surprisingly it was a pleasant experience, not unlike my surprise when first using Jenkins.

Go check out their quickstart guide!

2 Responses so far.

  1. LDAP is not an easy creature to tame. I have been administering Sun (Oracle) Directory Server Enterprise Edition (DSEE) for several years now and still rely on some hefty notes to assist me.

    Here is a good resource for deploying DSEE for UNIX accounts.
    http://brandonhutchinson.com/wiki/Soup_To_Nuts_Sun_DSEE
    This may give you some insight for tricks with OpenLDAP.

    Since I am one of the few whackos still running Solaris, I chose DSEE over OpenLDAP for the built-in schema that supports Solaris out of the box. The lack of tools for OpenLDAP also scared me away.

    • Micah says:

      Agreed – I was really surprised at how few tools there were. OpenDJ had those, and I was able to churn out a replicated server in an hour or so... I just still don’t trust Java.

      Thanks for the link! I’ll check it out for sure.
