I want to like LDAP. Every so often I do interesting things with it, and I start to think I like it, then some software that claims to support LDAP fails to do so properly and I remember I hate it again.
I guess the problem with LDAP is that most people are scared by it, and unless you reach a certain level of scale you don't need it. That makes installing it out of the blue a scary prospect, and that means that lots of toy-software applications don't even consider using it until they're mature and large.
When you bolt on support for LDAP to an existing project you have to make compromises; do you create local entries in your system for these scary-remote-LDAP-users? Do you map group members from LDAP into your own group system? And so on.
To be fair to the application developers, if the installation requirements were "Install LDAP" they'd probably have a damn smaller userbase, so we cannot blame OpenLDAP, or the other servers.
All the same it is a shame.
The very next piece of software I ever write that needs to handle logins will use LDAP and only LDAP. How hard can it be?
In happier news I re-deployed http://www.debian-administration.org/ over the weekend. It now uses the Bytemark BigV platform which rocks.
The migration was supposed to be a "Christmas Project", but took longer than expected due to the number of changes I needed to make to the software, and my deployment plan. Still, I'm very happy with the way things are running now, and don't expect I'll need to move or make significant changes for the next nine years. I just hope there is still interest in such things then.
ObQuote: "Would you like a treatment? " - Dollhouse
Tags: debian-administration, ldap, misc 3 comments
I have worked with LDAP as a sysadmin both administering LDAP servers and administering services which consume LDAP login information. LDAP is simply very annoying. Comparing that to my experience with an SQL database, I must conclude that LDAP is simply an utter waste of time and everybody should be using SQL databases to store their login information. Login information is mostly relational. It fits the relational model just fine. You can have views to provide every service with the small world which they need and there you go. You don't have to enter all the information like thrice into different LDAP members, which belong to different schemata, just so you get unix login /and/ mail working. You just write a small view in SQL and are done. And you get stuff like replication etc. for free. And SQL databases are documented. And have tons of features like SE-PostgreSQL etc.
I must admit there are also some good things about LDAP: People claim it scales better than SQL, because it is designed for the task. I don't know, I never peaked either my SQL or my LDAP servers, not even close, although I administered login information servers for more than 100 active users. And of course, more software can authenticate against LDAP than against SQL. That is actually a good reason to use LDAP and the main one why I am still administering services authenticating against LDAP. But other than that, I see very few reasons to consider LDAP.
tl;dr I would always prefer an SQL database over LDAP for login information, because LDAP doesn't do its job well.
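The "one relational table, one small view per service" layout the commenter argues for, as an added example that is not code from the post or from the comment. It uses SQLite so it runs offline; the table, view and column names, the PBKDF2 storage format and the two sample accounts are all assumptions made up for the demo. It also carries the check a practitioner would want from such a layout: the password hash is reachable only through the authentication view (the login and mail views never see it), and disabling an account is a single update that removes the user from login, authentication and mail at once.

```python
# Added example (not from the post or the comment): an account table plus one
# SQL view per consuming service, in SQLite so it runs offline. Table, view and
# column names, hash format and sample users are assumptions for this demo.
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE account (
    uid         INTEGER PRIMARY KEY,
    username    TEXT    NOT NULL UNIQUE,
    full_name   TEXT    NOT NULL,
    gid         INTEGER NOT NULL,
    home        TEXT    NOT NULL,
    shell       TEXT    NOT NULL,
    pw_hash     TEXT    NOT NULL,
    mail_domain TEXT    NOT NULL,
    enabled     INTEGER NOT NULL DEFAULT 1
);
-- Unix login side: a passwd(5)-shaped row. The hash is deliberately absent.
CREATE VIEW unix_passwd AS
    SELECT username, uid, gid, full_name AS gecos, home, shell
    FROM account WHERE enabled = 1;
-- Authentication side: the only view that exposes the hash.
CREATE VIEW unix_shadow AS
    SELECT username, pw_hash FROM account WHERE enabled = 1;
-- Mail side: address -> mailbox path, no hash, no shell.
CREATE VIEW mail_mailbox AS
    SELECT username || '@' || mail_domain AS address,
           home || '/Maildir/'            AS mailbox
    FROM account WHERE enabled = 1;
"""

VIEWS = ("unix_passwd", "unix_shadow", "mail_mailbox")
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 stored as alg$salt_hex$digest_hex."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


# Constructed sample accounts; passwords and salts exist only for the demo.
SAMPLE_USERS = [
    (1001, "alice", "Alice Example", 100, "/home/alice", "/bin/bash",
     hash_password("correct horse", os.urandom(16)), "example.org"),
    (1002, "bob", "Bob Example", 100, "/home/bob", "/bin/zsh",
     hash_password("battery staple", os.urandom(16)), "example.org"),
]


def build_db():
    """Create the schema in memory and load the sample accounts."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO account (uid, username, full_name, gid, home, shell,"
        " pw_hash, mail_domain) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_USERS,
    )
    con.commit()
    return con


def view_columns(con, view):
    """Column names a service sees through a view (identifier is allowlisted)."""
    if view not in VIEWS:
        raise ValueError("unknown view: %r" % view)
    return [d[0] for d in con.execute("SELECT * FROM %s LIMIT 0" % view).description]


def passwd_lines(con):
    """Render unix_passwd as passwd(5) lines, the way an NSS module would."""
    rows = con.execute(
        "SELECT username, uid, gid, gecos, home, shell FROM unix_passwd ORDER BY uid"
    )
    return ["%s:x:%d:%d:%s:%s:%s" % row for row in rows]


def mail_mailbox(con, address):
    """Mailbox path for an address, or None if the account is unknown or disabled."""
    row = con.execute("SELECT mailbox FROM mail_mailbox WHERE address = ?",
                      (address,)).fetchone()
    return row[0] if row else None


def verify_password(con, username, password):
    """Check a password through the shadow view with a constant-time compare."""
    row = con.execute("SELECT pw_hash FROM unix_shadow WHERE username = ?",
                      (username,)).fetchone()
    if row is None:
        return False
    _alg, salt_hex, digest_hex = row[0].split("$")
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(calc.hex(), digest_hex)


def disable_account(con, username):
    """One update; login, authentication and mail all drop the user together."""
    con.execute("UPDATE account SET enabled = 0 WHERE username = ?", (username,))
    con.commit()


if __name__ == "__main__":
    db = build_db()
    print("\n".join(passwd_lines(db)))
    print(mail_mailbox(db, "alice@example.org"))
    print(verify_password(db, "alice", "correct horse"))
    disable_account(db, "alice")
    print(passwd_lines(db), mail_mailbox(db, "alice@example.org"))
```

SQLite has no roles, so the demo can only show the column-level separation. On a server such as PostgreSQL the same layout is completed by giving each service its own role, granting it SELECT on its one view and nothing on the base `account` table, so that a compromised mail service cannot read password hashes even with a stolen database credential.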