

Something, something, dark side.

22 January 2013 21:50

I want to like LDAP. Every so often I do interesting things with it, and I start to think I like it, then some software that claims to support LDAP fails to do so properly and I remember I hate it again.

I guess the problem with LDAP is that most people are scared by it, unless you reach a certain level of scale you don't need it. That makes installing it out of the blue a scary prospect, and that means that lots of toy-software applications don't even consider using it until they're mature and large.

When you bolt on support for LDAP to an existing project you have to make compromises; do you create local entries in your system for these scary-remote-LDAP-users? Do you map group members from LDAP into your own group system? And so on.

To be fair to the application developers, if the requirements for installation were "Install LDAP" they'd probably have a damn sight smaller userbase, and so we cannot blame OpenLDAP, or the other servers.

All the same it is a shame.

The very next piece of software I ever write that needs to handle logins will use LDAP and only LDAP. How hard can it be?
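As an added example, not code from this post, here is what the two compromises above come down to when an application does decide to use LDAP and only LDAP: find the account with an injection-safe search filter, authenticate by binding as the DN found (never by copying passwords into a local table), and translate the group DNs the directory reports into the application's own roles. It also handles the classic failure mode: RFC 4513 makes a bind with a DN and an empty password an anonymous bind, which succeeds, so "bind returned OK" alone would log anyone in. The directory entries, the DN layout (ou=people / ou=groups under dc=example,dc=org), the role mapping and the FakeServer class are all constructed for this example.

```python
"""Added example, not the post's code: bolting LDAP on to an application's own
user/role model without storing passwords locally.

  1. locate the account with an injection-safe search filter (RFC 4515 escaping)
  2. authenticate by binding as the DN found, refusing an empty password first
     (RFC 4513: DN + empty password is an *anonymous* bind, and it succeeds)
  3. translate the group DNs the directory reports into the app's own roles

Entries, DN layout, role mapping and FakeServer are constructed for the example.
"""
import re
from dataclasses import dataclass, field

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape an assertion value embedded in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username: str) -> str:
    """Filter that can only match the literal uid supplied, whatever it contains."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))"


@dataclass
class Entry:                      # constructed stand-in for a directory entry
    dn: str
    password: str
    member_of: list = field(default_factory=list)


PEOPLE = {                        # constructed sample data
    "alice": Entry("uid=alice,ou=people,dc=example,dc=org", "correct horse",
                   ["cn=admins,ou=groups,dc=example,dc=org",
                    "cn=staff,ou=groups,dc=example,dc=org"]),
    "bob": Entry("uid=bob,ou=people,dc=example,dc=org", "hunter2",
                 ["CN=Editors, OU=groups, DC=example, DC=org"]),  # sloppy formatting on purpose
}


class FakeServer:
    """Minimal model of the server side: decodes the filter literal, does a simple bind."""
    _LOGIN = re.compile(r"\(&\(objectClass=inetOrgPerson\)\(uid=(.*)\)\)")

    def search(self, filter_str):
        m = self._LOGIN.fullmatch(filter_str)
        if not m:
            return None
        # a real server decodes \XX back into the literal and compares *values*,
        # so an injected ")(|(uid=*" never becomes filter syntax
        uid = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
        return PEOPLE.get(uid)

    def simple_bind(self, dn, password):
        if password == "":
            return True               # RFC 4513 unauthenticated (anonymous) bind
        return any(e.dn == dn and e.password == password for e in PEOPLE.values())


GROUP_TO_ROLE = {                 # the app's own role names; unknown groups are ignored
    "cn=admins,ou=groups,dc=example,dc=org": "admin",
    "cn=editors,ou=groups,dc=example,dc=org": "editor",
}


def normalise_dn(dn):
    """Lower-case and strip space around commas. Enough for DNs this app
    configures itself; not a full RFC 4514 parser (escaped commas would break it)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def map_groups(member_of, mapping=GROUP_TO_ROLE):
    wanted = {normalise_dn(k): v for k, v in mapping.items()}
    return sorted({wanted[normalise_dn(g)] for g in member_of if normalise_dn(g) in wanted})


def authenticate(server, username, password):
    """Roles for a successful login, None otherwise. No password is ever stored."""
    if not password:
        return None                   # would otherwise 'succeed' as an anonymous bind
    entry = server.search(login_filter(username))
    if entry is None or not server.simple_bind(entry.dn, password):
        return None
    return map_groups(entry.member_of)
```

The search-then-bind shape is the part most applications get wrong when LDAP is bolted on later: the search runs with the application's own service credentials, the bind runs as the user, and the only thing the application keeps is the list of roles it derived. With a real server the two `FakeServer` methods become a search and a simple bind on the client library of your choice; everything else stays the same.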

In happier news I re-deployed http://www.debian-administration.org/ over the weekend. It now uses the Bytemark BigV platform which rocks.

The migration was supposed to be a "Christmas Project", but took longer than expected due to the number of changes I needed to make to the software, and to my deployment plan. Still, I'm very happy with the way things are running now, and don't expect I'll need to move or make significant changes for the next nine years. I just hope there is still interest in such things then.

ObQuote: "Would you like a treatment?" - Dollhouse



Comments on this entry

mikapfl at 22:05 on 22 January 2013

I have worked with LDAP as a sysadmin both administering LDAP servers and administering services which consume LDAP login information. LDAP is simply very annoying. Comparing that to my experience with an SQL database, I must conclude that LDAP is simply an utter waste of time and everybody should be using SQL databases to store their login information. Login information is mostly relational. It fits the relational model just fine. You can have views to provide every service with their small world which they need and there you go. You don't have to enter all the information like thrice into different LDAP members, which belong to different schemata, just so you get unix login /and/ mail working. You just write a small view in SQL and are done. And you get stuff like replication etc. for free. And SQL databases are documented. And have tons of features like SEPostgresql etc.
I must admit there are also some good things about LDAP: People claim it scales better than SQL, because it is designed for the task. I don't know, I never peaked either my SQL or my LDAP servers, not even close, although I administered login information servers for more than 100 active users. And of course, more software can authenticate against LDAP than against SQL. That is actually a good reason to use LDAP and the main one why I am still administering services authenticating against LDAP. But other than that, I see very few reasons to consider LDAP.

tl;dr I would always prefer an SQL database over LDAP for login information, because LDAP doesn't do its job well.

cstamas at 07:45 on 23 January 2013

Well, I guess smart developers implement authentication as an (external) module so it is easy to use and even extend if a needed functionality is missing. For an enterprise this kind of thing is essential.


Pete at 22:57 on 23 January 2013

I cannot agree with most of what you're saying.
First off, I agree with mikapfl that LDAP is just plain annoying for sysadmins. I also do not agree with the statement that LDAP and especially OpenLDAP scales well. This may be true for single server installations, but once partitioning and replication come into play, LDAP simply becomes unreliable at best.
Second, from the point of view of a software developer, LDAP is not simply annoying, it is a catastrophe. Where SQL bases its relational model on sound and proven mathematical algebra, LDAP utilizes no sound basis at all. To make matters worse, LDAP not only enables but requires bad code writing techniques like potato programming and the like.

My advice: the sooner software developers stop supporting LDAP the sooner it will die out and we can focus our efforts on useful and up to date.