This is going to be a rant about no-so-pleasant experience with choosing and setting up LDAP server.
Part of small project I was working on was setting up centralized user directory. Unfortunately it seems that LDAP is essentially the only option for that - I couldn't find any alternative that would be popular enough to gain any traction. The amount of users will most likely not exceed few hundreds initially - maybe few thousands in near feature, and I really don't have any custom requirements.
User directory must store users and groups and that's it. It should be simple to set up and maintain.
No custom attributes, the simplest schema possible, single organization, single server... it should be simple, right?
Before I go any further - just for comparison:
installing webserver in modern linux system takes one command and requires editing one, maybe two files. which are usually well commented, expressive and very easy to understand. Essentially every possible feature requires maximum few lines which are easy to find in documentation or in google.
LDAP servers are nowhere near this simplicity. In fact they do whatever they can to make things complicated. In order to figure out how to set up the simplest ldap server, I had to learn about:
To summarize it all, this is massive waste of time for simple project. Matching every two pieces (app1 -> ldap library -> ssl config(client) -> ssl config (server) -> ldap server -> ldap schema -> ... -> app2) requires work and debugging on every step. There is one lesson learned - ldap is not a tool and not a solution to any problem - its a framework. Very low level and one, and I'd be very happy if it had a competition.
Here are the options I tested:
1. openldap. Its simple and it works, except that debugging certificate issues is extremely hard, as it is very shy and for certain types of problems there are no log messages (other then "it doesn't work").
Configurable via ldap (I'll comment on that in a minute) or via simple config file. Available in ubuntu,
is the easiest one to install and comes with php-based web interface. Almost perfect, except for the php part, as I am not going to install it anywhere near secure information.
2. opendj and opends (one forked from the other, so its hard to tell the difference). Both insist on using java-ish key storage and keep their configuration as ldap entries. Main issue with that are:
1. Putting config into puppet/ansible/whatever requires more work.
2. You can't grep them
3. Its cluttered with ldap terminology and nowhere near simplicity and beauty of, say, nginx config.
Other issues I had with both of them:
is your friend
Part of small project I was working on was setting up centralized user directory. Unfortunately it seems that LDAP is essentially the only option for that - I couldn't find any alternative that would be popular enough to gain any traction. The amount of users will most likely not exceed few hundreds initially - maybe few thousands in near feature, and I really don't have any custom requirements.
User directory must store users and groups and that's it. It should be simple to set up and maintain.
No custom attributes, the simplest schema possible, single organization, single server... it should be simple, right?
Before I go any further - just for comparison:
installing webserver in modern linux system takes one command and requires editing one, maybe two files. which are usually well commented, expressive and very easy to understand. Essentially every possible feature requires maximum few lines which are easy to find in documentation or in google.
LDAP servers are nowhere near this simplicity. In fact they do whatever they can to make things complicated. In order to figure out how to set up the simplest ldap server, I had to learn about:
- all possible formats and ways of storing ssl keys and certificates. It doesn't matter that every issuer in the world will send me .pem file (again for comparison: every webserver I know will happily use it with no problems), any ldap server written in java will require it to be first moved to keystore, using poorly documented tools, almost undocumented process and essentially zero help if anything will go wrong (for example missing intermediate cert was causing tls to log message about ... lack of common ciphers with the client. More time wasted debugging it). Openldap was the only server that allowed me to use my certificate directly. OpenDS was able to import key during installation, but I haven't tried to do that.
- All details of ldap protocol. Its not very complicated, but all tools are so low level that there is no other way to solve your problems.
- Intimate details of ldap libraries. How to debug them, how to specify they list of certificates. how to ensure that they are in fact validating them (python-ldap3 doesn't by default, for example).
- Almost all options and capabilities of openssl and gnutls.
To summarize it all, this is massive waste of time for simple project. Matching every two pieces (app1 -> ldap library -> ssl config(client) -> ssl config (server) -> ldap server -> ldap schema -> ... -> app2) requires work and debugging on every step. There is one lesson learned - ldap is not a tool and not a solution to any problem - its a framework. Very low level and one, and I'd be very happy if it had a competition.
Here are the options I tested:
1. openldap. Its simple and it works, except that debugging certificate issues is extremely hard, as it is very shy and for certain types of problems there are no log messages (other then "it doesn't work").
Configurable via ldap (I'll comment on that in a minute) or via simple config file. Available in ubuntu,
is the easiest one to install and comes with php-based web interface. Almost perfect, except for the php part, as I am not going to install it anywhere near secure information.
2. opendj and opends (one forked from the other, so its hard to tell the difference). Both insist on using java-ish key storage and keep their configuration as ldap entries. Main issue with that are:
1. Putting config into puppet/ansible/whatever requires more work.
2. You can't grep them
3. Its cluttered with ldap terminology and nowhere near simplicity and beauty of, say, nginx config.
Other issues I had with both of them:
- They don't come with ubuntu repository. They don't provide ubuntu repository at all (or at least don't mention it on download page). Rather weird for open source server software, and definitely inconvenient. So more work to automate deployment.
- Its 2014. You can do everything online from your browser. Except for configuring ldap server, you will still need desktop java app for that. Pity if you can't run it one remote server without X.
- SVN repository instead of github. No easy way of finding/submitting patches, discovering developer activity and popularity, no one-click forking to test a fix and harder collaboration with anyone.
- The award to the best ssl utility goes to ... stunnel, for allowing me to ignore java keystore stupidity and get the job done. And its logging capabilities beat every ldap server.
- openssl s_client -showcerts -connect host:port
In general, I hate ldap. I needed simple tool for very simple and easy to standardise need,
and I've got assembler of authentication and authorisation. While it does what it should do, the cost of dealing with it is way to much to justify it. I definitely believe there is a need for something simpler,
less flexible and easier to use. With web browser, not debugger.
This comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDeleteThis comment has been removed by a blog administrator.
ReplyDelete