Slashdot Mirror


LDAP Tools - Where are they?

fixe asks: "I have spent the last few months up to my eyeballs in LDAP. While I am still hopeful of what LDAP can bring to the table I am admittedly disappointed in the tools, support and documentation surrounding the standard. I have been successful at creating and populating an LDAP directory and even authenticating against it, however I cannot find decent replacements for useradd, userdel, usermod, passwd, etc. Nor have I found any decent LDAP editors or browsers (preferably console or web-based). I am hoping that the Slashdot crowd might be able to shed some light on the subject. Are there any LDAP veterans out there who can recommend any tools? What is the best way to maintain system account synchronization with an LDAP directory? Or perhaps, is there a more attractive alternative to LDAP?"

350 comments

  1. Directories are dead in the water by Ars-Fartsica · · Score: 1, Troll
    Yes, there are people using LDAP, there are even people using X.500 - but more or less these technologies have not altered IT thinking in the dramatic way they were positioned. Arguably the XML-based approach of web services is more timely - its hard to make an argument of listing another protocol on an isolated port to provide a solitary service.

    There also doesn't appear to be much corporate interest - Microsoft has moved its mindshare strategies to web services, leaving the only big backer of LDAP being Novell - not really a key industry player at this point.

    1. Re:Directories are dead in the water by DeathBunny · · Score: 3, Insightful

      >Yes, there are people using LDAP, there are even people using X.500 - but more or less these >technologies have not altered IT thinking in the dramatic way they were positioned. Arguably the >XML-based approach of web services is more timely -

      XML is a file format (or metaformat), not a directory service like LDAP. The two technologies are orthogonal.

      >its hard to make an argument of listing >another protocol on an isolated port to provide a >solitary service

      <sarcasm> Yeah that's a great idea! Let's run everything over port 80! </sarcasm>

      >There also doesn't appear to be much corporate interest - Microsoft has moved its mindshare >strategies to web services, leaving the only big backer of LDAP being Novell - not really a key >industry player at this point.

      Hello?? Active Directory is LDAP based. Admittedly it's LDAP with the usual "embrace and extend" twists like proprietary Kerberos extensions and slightly non-standard schemas, but LDAP none the less.

    2. Re:Directories are dead in the water by AndyDeck · · Score: 5, Informative

      I've got to disagree with your assessment that Novell is not a key industry player. Novell's eDirectory is the premier directory solution in a market that includes Active Directory, iPlanet, OpenLDAP, and others. Microsoft's attempt to cover for their weak directory solution does not in any way detract from the importance of a good directory.

      And to answer the original question, eDirectory is the new name for Novell's NDS, a mature yet still evolving directory service that is fully LDAPv3 compliant. As it has been available for so long, there are MANY third-party tools and utilities available to manage it (such as Bindview or JRBUtils) in addition to Novell's own tools and utilities. Novell's eDirectory management utilities include import/export tools built in to ConsoleOne (an admittedly heavyweight Java-based management console) as well as BulkLoad, a command-line LDAP utility that uses LDIF files for command input. These utilities permit import/export of userids in LDIF format, as well as the migration of data between LDAP servers.

      eDirectory is fully cross-platform, currently running on Netware, NT, 2000, Linux, Solaris, and Tru64 UNIX. It's been demonstrated at tradeshows with databases of up to one BILLION user accounts. Features of the latest version, 8.6, include persistent searches, dynamic groups, and live backup. The next release is expected to include UDDI, SOAP, and DSML 2.0 support.

      Novell is practically giving eDirectory away at a list price of $2/user or less. They are actually giving it away for VARs and developers that wish to bundle eDirectory as the dedicated directory for their applications.

      Oh, and if you wish to stay with open source options, look on Freshmeat.net for OpenLDAP - it includes a set of client utilities that should fit at least some of your requirements. Freshmeat should also have other LDAP clients, including browsers.

      --

      The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life
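
The original question asks for useradd/userdel/usermod/passwd equivalents, and the comment above points at OpenLDAP's client utilities, which are driven by LDIF. As an added example (not from the thread, and not code from OpenLDAP, Novell or any other product named here), the Python below generates the LDIF those utilities consume: an add record for an inetOrgPerson + posixAccount entry, modify records for usermod and passwd, and a delete record for userdel, with userPassword stored as a salted {SSHA} hash instead of in the clear. The base DN ou=People,dc=example,dc=com, the attribute set and the uid rule are assumptions; pipe the output into ldapadd or ldapmodify against your own server.

```python
"""Added example: useradd/usermod/userdel/passwd as LDIF generators.
Standard library only; BASE_DN and the attribute set are assumptions."""
import base64
import hashlib
import hmac
import os
import re

BASE_DN = "ou=People,dc=example,dc=com"            # assumption: where accounts live
UID_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")  # same shape useradd accepts by default


def safe_uid(uid: str) -> bool:
    """The uid ends up inside a DN and inside search filters, so DN/filter
    metacharacters (',', '(', ')', '*', '\\', '=') must never get through."""
    return bool(UID_RE.match(uid))


def ssha_hash(password: str, salt=None) -> str:
    """{SSHA} userPassword value: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a {SSHA} value with a constant-time compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[6:])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def _is_safe(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, no leading space, ':' or '<'."""
    if value and value[0] in " :<":
        return False
    return all(0x01 <= ord(c) <= 0x7F and c not in "\r\n" for c in value)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line; base64 ('attr:: ...') when LDIF requires it,
    folded at 76 columns with a single-space continuation as RFC 2849 specifies."""
    if _is_safe(value) and not value.endswith(" "):
        line = f"{attr}: {value}"
    else:
        line = f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return "\n".join([line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)])


def _dn(uid: str) -> str:
    if not safe_uid(uid):
        raise ValueError(f"refusing unsafe uid {uid!r}")
    return f"uid={uid},{BASE_DN}"


def useradd_ldif(uid, uid_number, gid_number, given_name, surname, password, shell="/bin/bash"):
    """Add record for an inetOrgPerson + posixAccount entry (ldapadd / ldapmodify -a)."""
    if uid_number < 1 or gid_number < 1:
        # uidNumber 0 in the directory is root on every nss_ldap client
        raise ValueError("uidNumber and gidNumber must be positive")
    attrs = [
        ("dn", _dn(uid)), ("changetype", "add"),
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", uid), ("cn", f"{given_name} {surname}"),
        ("givenName", given_name), ("sn", surname),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", shell),
        ("userPassword", ssha_hash(password)),
    ]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


def usermod_ldif(uid: str, **replace) -> str:
    """Modify record replacing the given attributes (usermod -s, -d, ...)."""
    out = [ldif_line("dn", _dn(uid)), "changetype: modify"]
    for attr, value in replace.items():
        out += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(out) + "\n"


def passwd_ldif(uid: str, new_password: str) -> str:
    """passwd equivalent for servers that accept a pre-hashed userPassword."""
    return usermod_ldif(uid, userPassword=ssha_hash(new_password))


def userdel_ldif(uid: str) -> str:
    return ldif_line("dn", _dn(uid)) + "\nchangetype: delete\n"


if __name__ == "__main__":
    # constructed sample account; pipe into: ldapmodify -x -H ldap://... -D <admin dn> -W
    print(useradd_ldif("jdoe", 10001, 10001, "Jane", "Doe", "s3cret"))
    print(usermod_ldif("jdoe", loginShell="/bin/zsh"))
    print(userdel_ldif("jdoe"))
```

Two caveats a practitioner would want. The uid check is there because the uid lands inside a DN and, later, inside search filters that other tools build from it, so the characters a DN or filter treats specially must never reach the directory unescaped. Password writes also differ by server: ldappasswd uses the Password Modify extended operation so the server hashes the value itself, and Active Directory does not honour userPassword by default, expecting unicodePwd over an encrypted connection instead, so treat the passwd record here as the OpenLDAP form.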
    3. Re:Directories are dead in the water by the_rev_matt · · Score: 1

      How the hell does this get modded +5 informative when it's 100% wrong? As several other people have pointed out, Active Directory (which MSFT is putting a LOT into) is LDAP. 'nuff said.

      FWIW, we're running LDAP for user authentication/management for a fairly large gov't project, running on RH 6.2 on IBM hardware, websphere 3.5.

      --
      this is getting old and so are you


    4. Re:Directories are dead in the water by isomeme · · Score: 2
      Hello?? Active Directory is LDAP based. Admittedly it's LDAP with the usual "embrace and extend" twists like proprietary Kerberos extensions and slightly non-standard schemas, but LDAP none the less.
      It would be more accurate to say that (Microsoft's implementation of) LDAP is Active Directory based. LDAP is just a generic API for querying and manipulating underlying directory services. Microsoft provides an LDAP interface to AD, just as it provides other, proprietary interfaces.

      Thinking of LDAP as a storage system is the path to utter confusion. LDAP is an interface spec, more like http than like a web server. Any underlying system can support LDAP queries or http connections if it provides the correct interface behavior.

      --
      When all you have is a hammer, everything looks like a skull.
    5. Re:Directories are dead in the water by Anonymous Coward · · Score: 0

      I'm thinking that "Flamebait" posted this just to see who he could rile up. We recently spoke with the product manager for Oracle Internet Directory (OID) which is Oracle's LDAP server. Their plan is that all installations of Oracle Apps will require an installation of OID (they will not support other LDAP vendors). Similarly Sun/iPlanet will be greatly improving their support for LDAP with Solaris 9. NIS has definitely outlived its usefulness and Sun will be pushing LDAP as the first new "directory" service in years. I think Sun will also be requiring their LDAP server so get ready to support 3 separate LDAP servers (Sun, Oracle, and Microsoft).

    6. Re:Directories are dead in the water by Gerv · · Score: 2

      XML is a file format (or metaformat), not a directory service like LDAP. The two technologies are orthogonal.

      They are related via DSML, and there's an open source suite of software that I wrote for working with directory information as XML here.

      Gerv

    7. Re:Directories are dead in the water by jtimon · · Score: 0

      dood, are you on crack?

      windows 2K is all LDAP

      I am a consultant/contractor and have spent almost this entire past year (2001) doing LDAP rollouts at large to huge sized companies.

      while Novell is definitely on the LDAP wagon. Don't ignore SUN, the SUN Netscape alliance (iPlanet) has its entire suite of tools backed on LDAP. Solaris 8 has native LDAP support and I have heard rumour that there is no longer development on NIS and NIS+, opting for LDAP instead.

      so let's review. Win2k..LDAP SUN...LDAP Novell..LDAP (admittedly Novell's future is not yet decided) I also believe recent HPUX supports LDAP natively, and if you have ever heard of this thing called Linux, then you might know that Linux has substantial LDAP support.

    8. Re:Directories are dead in the water by DeathBunny · · Score: 2
      They are related via DSML [dsml.org], and there's an open source suite of software that I wrote for working with directory information as XML here [dsmltools.org].

      Exactly. The links you've included (looks like good stuff by the way), definitely show how LDAP and XML can be used well together.

      They are mutually independent technologies. They can be used together to complement one another, but to talk about replacing XML with LDAP or LDAP with XML (as the previous poster did) is just plain silly.

    9. Re:Directories are dead in the water by Hector73 · · Score: 1

      There also doesn't appear to be much corporate interest - Microsoft has moved its mindshare strategies to web services, leaving the only big backer of LDAP being Novell - not really a key industry player at this point.

      I've seen iPlanet directory server (it uses LDAP) used in many shops. Naturally, these shops also use the iPlanet web server. Not as big of a market share as Microsoft or Apache, but there are still thousands of corporations/institutions/agencies using it. While I will agree that directories don't get as much buzz as they used to, they are far from dead in the water.

  2. Just use Active Directory by Anonymous Coward · · Score: 0

    The OSS community doesn't yet have anything that comes close to AD's functionality or security. It also integrates well with Exchange.

  3. RIT by Apreche · · Score: 1, Informative

    At the Rochester Institute of Technology (www.rit.edu) where I am a current student we have a very nice LDAP directory. It contains info on all the people here. I use it all the time when people give me their e-mail addresses in order to find their phone numbers. It's extremely handy. I don't know how they set it up or what they use, but it has a web interface.

    --
    The GeekNights podcast is going strong. Listen!
  4. Check out Microsoft's tools by fawadhalim · · Score: 3, Informative

    I know I'll get flamed like hell for writing this, but I suggest that you check out Microsoft's LDAP tools. I'm not sure about their interoperability with slapd etc, but they play along amazingly with Microsoft LDAP server.

    Also, check out gq , which is a pretty nice GTK+ based LDAP client. It's still very barebone, but it's better than the commandline tools for a lot of tasks.

    1. Re:Check out Microsoft's tools by Craig+Davison · · Score: 5, Informative

      In Windows, LDAP browser is a good tool. It even shows you 'hidden' password attributes that get obfuscated by the Microsoft tools.

      AFAIK, it supports LDAPv2, LDAPv3 and Active Directory. It supports most all SASL mechanisms, even NTLM when necessary.

    2. Re:Check out Microsoft's tools by giggls · · Score: 1

      There are people out there (including myself) who don't have a Windows Type Operating System installed.

      So any Microsoft tool won't be a solution for those, as good as it ever may be.

  5. I know what you mean. by Rick_Clark · · Score: 5, Informative

    I had to roll most of my own admin scripts. There is a great java based browser/editor though.

    http://www-unix.mcs.anl.gov/~gawor/ldap/

    It is the best thing out there as far as I can tell.

    Rick

    1. Re:I know what you mean. by jfsather · · Score: 1

      I also found it here: LDAP Browser/Editor.

      This is one thing that I'll never figure out.
      Why can't people use Google to solve these types of problems. Finding that took about 10 seconds with Google.

    2. Re:I know what you mean. by cloudmaster · · Score: 2

      I almost wrote my own useradd/userdel/usermod. http://www.cloudmaster.com/~sauer/projects/fom-files/cache/8.html

      There have been some fixes to those scripts that haven't made it to the downloadable version yet - but they were adequate for my needs at the time (a couple of years ago). Maybe a good start for someone wanting to do their own? I dunno - I was in a hurry...

    3. Re:I know what you mean. by smutt · · Score: 1

      I work in a UNIX(Sun, Linux) shop where we develop a product that relies heavily on LDAP(IPlanet, OpenLdap). This tool has been extremely valuable in my work. A couple of months ago this link started floating around the office as the LDAP browser to end all LDAP browsers and I haven't looked back. Now everyone uses this tool as our standard LDAP browser. It ROX! I love the ldif features. The only downside is it's reliance on Java. But hey it's portable.

      --
      The Information Revolution will be fought on the command line.
    4. Re:I know what you mean. by Anonymous Coward · · Score: 0

      I use it every day. Although it isn't open source it is very instructive how to use the JNDI/LDAP stuff in Java when decompiled with a tool like Decafe.

    5. Re:I know what you mean. by Quinn · · Score: 1

      You can retrieve the data associated with a certain problem set using a search engine, but a post to a highly populated site such as /. gets you a lot of real user opinions in addition to that raw data.

      Real live bleeding people are still a better source of info than databases, and a forum such as this (in which people like to strut their knowledge and experience, and post ill-thought on a whim) can be more useful even than the people input from a Usenet search.

      --
      #19845
    6. Re:I know what you mean. by Im2kul · · Score: 1

      >>The only downside is it's reliance on Java

      uhh, what's wrong with that?

    7. Re:I know what you mean. by cwells · · Score: 1

      cough..cough..
      who wrote the admin scripts????

    8. Re:I know what you mean. by Rick_Clark · · Score: 1

      Actually, it's not those scripts I'm talking about. I wrote an LDAP library in Python to handle all the LDAP functions at my current job. Plus I remember writing shell scripts to add and modify users at gator.net. Did you rewrite those? I can barely remember that far back. I hope all is going well for you.

      Rick

  6. There's NDS by cscx · · Score: 1, Redundant
    Or perhaps, is there a more attractive alternative to LDAP?

    Novell's NDS works very well. Heck, even CNN (scroll to bottom of page) uses it!

    1. Re:There's NDS by Anonymous Coward · · Score: 0

      Yes, but will Novell be in business next year?

    2. Re:There's NDS by JimmytheGeek · · Score: 1

      Unfortunately, it's WAY too expensive. We were considering an upgrade from 4.11, but the license cost was massive. We thought about proceeding, and then learned that the cost was ANNUAL! Noooo thanks.

      I will say that it is stupid to change vendors to worst-of-breed-but-likely-to-prevail. Look, you buy the product, use it until you can't anymore, and THEN make your lateral/backward move. NetWare 3.x is STILL supported by somebody- it's not as if Novell support is free anyway. To me, the "dead technology" argument is completely stupid.

    3. Re:There's NDS by Anonymous Coward · · Score: 0

      I don't know who you were talking to, but NetWare 6 licensing is NOT a yearly fee. You pay a one-time fee and you own it. $184 per user object in NDS, but you can get volume licensing discounts if you have a large number of users - and you do own the product with that cost, it's not a rental. Microsoft is the one doing the yearly-rental-fee licensing. And, yes, it is expensive, but they bundle in several products that, when purchased separately, cost a lot more than the cost of NetWare.

  7. Isn't Active Directory an LDAP implementation? by Bistronaut · · Score: 3, Informative

    There also doesn't appear to be much corporate interest - Microsoft has moved its mindshare strategies to web services, leaving the only big backer of LDAP being Novell - not really a key industry player at this point.

    Slap me with a strongly worded post if I am incorrect, but isn't Active Directory an LDAP implementation?

    1. Re:Isn't Active Directory an LDAP implementation? by Ars-Fartsica · · Score: 1, Flamebait

      Yes, but Microsoft isn't actively pushing LDAP into its developer tools at this point, as I mentioned, they are focusing more on web services. This of course should not imply that I think directories are bad or that LDAP is a bad standard, simply that it hasn't dramatically altered development strategy as it was positioned to.

    2. Re:Isn't Active Directory an LDAP implementation? by alen · · Score: 2

      But where is the info stored? .Net supports active directory. MS expects you to migrate all of your employees from the NT registry to an active directory based LDAP database. Exchange 2000 is being sold to ASP's and LDAP is at its heart. My company is going to MS based web services and .net too, but the ldap database will be the heart of it with all our employees and customers

    3. Re:Isn't Active Directory an LDAP implementation? by ScumBiker · · Score: 1

      Don't forget M$ Siteserver 3.0, Oracle 9iAS, Novell eDirectory, and others I seem to have forgotten.

      --
      --- Think of it as evolution in action ---
    4. Re:Isn't Active Directory an LDAP implementation? by Medieval · · Score: 1

      The active directory database is stored in DNS.

    5. Re:Isn't Active Directory an LDAP implementation? by alen · · Score: 2

      Uh, no. DNS is the locator service for AD, hence the need for dynamic updates and service records. If you're running AD integrated zones you store DNS data in AD. AD data is stored in .dit databases.

    6. Re:Isn't Active Directory an LDAP implementation? by isomeme · · Score: 4, Informative
      Slap me with a strongly worded post if I am incorrect, but isn't Active Directory an LDAP implementation?
      Yes, it is -- among other things. Remember that LDAP is just an interface spec; it says nothing about underlying representation. Just as XML may be used to report the contents of a database or the results from a calculation or any other data source, LDAP provides a generic front-end on any vaguely tree-like directory services provider. Therefore, Microsoft ADSI offers an LDAP interface along with several proprietary interfaces for use in querying and modifying the underlying directory store.

      To their credit, the Microsoft ADSI LDAP implementation is remarkably standards-compliant. I developed an app which authenticated users against OpenLDAP, and extended it to support ADSI as well with minimal effort (mostly involving generalization of assumptions about directory layout, rather than interface changes per se).

      --
      When all you have is a hammer, everything looks like a skull.
    7. Re:Isn't Active Directory an LDAP implementation? by aminorex · · Score: 0, Flamebait

      > My company is going to MS based web services and > .net too

      Please do tell me the name of your company,
      so that I can boycott it.

      --
      -I like my women like I like my tea: green-
    8. Re:Isn't Active Directory an LDAP implementation? by thehunger · · Score: 1
      Wait a minute.
      Remember Microsoft took Kerberos and made it proprietary? They did a similar thing with LDAP.

      For interoperability, LDAP directories should support the inetOrgPerson in its schema. LDAP applications typically expect this. Active Directory doesn't, and although it's not required to do this Microsoft has again created interoperability problems.

      It's like when they changed DNS with their extensions. ..

    9. Re:Isn't Active Directory an LDAP implementation? by JeffryG138 · · Score: 1

      I saw this mentioned gently in another response, but LDAP is an access protocol for directories, it isn't _the_ directory.

    10. Re:Isn't Active Directory an LDAP implementation? by KeyserDK · · Score: 0

      Oh come on, I can authenticate with kinit against a Microsoft 2000 Domain controller, this is using MIT's kerberos.

      That way i can see our intraweb =) (nasty IIS).

      Also the samba 3.0 alphas are using ADS with the kerberos libs... so it's not like it isn't supported anymore. It can actually join an ADS domain as a controller =)... using openldap. It's pretty cool stuff, although a bit hard making it work properly =) (You need good karma, and some hours available)

      --
      still reading?
    11. Re:Isn't Active Directory an LDAP implementation? by satsuke · · Score: 1

      Microsoft AD is an LDAP service of a sort - the main problem is that it will only respond using LDAP V 1.0 formatted request. Which is clear text challenge / password pairs. It does not do authentication via LDAP over any encrypted protocol except when talking to a Microsoft OS client.

    12. Re:Isn't Active Directory an LDAP implementation? by Master_Ruthless · · Score: 1

      SiteServer is a dead product.

    13. Re:Isn't Active Directory an LDAP implementation? by Anonymous Coward · · Score: 0

      IIRC, LDAP = Lightweight Directory Access Protocol

    14. Re:Isn't Active Directory an LDAP implementation? by abartlet · · Score: 2, Informative

      Incorrect. Microsoft's LDAP server supports SASL binds - in particular it supports GSSAPI. This is the feature Samba 3.0 (currently in alpha) is using to authenticate to an AD installation.

      It's actually quite sane - and the problems we have had in developing with it have not been AD, it's been the unix client tools making assumptions about a functioning DNS (hint: it doesn't exist on MS networks).

      But with a few config file tweaks it's perfectly practical to kinit to your AD KDC and use that for a secure authentication! (In the end Tridge rewrote our own mini implementation of the required pieces to work around the buggy SASL libs).

      Andrew Bartlett,
      Samba Team
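
The exchange above (satsuke's claim that AD only takes cleartext password binds, abartlet's correction that it also supports SASL/GSSAPI) is easier to reason about by looking at what a bind actually is on the wire. As an added example, not from the thread and not Samba's code, the Python below BER-encodes RFC 4511 BindRequests the way a client sends them and then inspects a byte stream the way a network sensor on port 389 would: it flags simple binds carrying a cleartext password, simple binds carrying a DN with an empty password (what RFC 4513 calls an unauthenticated bind; a server that accepts it returns success without checking anything, and an application that only tests for success is fooled), and SASL PLAIN. The DNs, passwords and the GSSAPI token placeholder are constructed.

```python
"""Added example: LDAPv3 BindRequest on the wire (RFC 4511, BER) and a small
inspector that classifies binds seen in a client-to-server byte stream.
Standard library only; all DNs and credentials below are constructed."""


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _ber_int(v: int) -> bytes:
    """Non-negative INTEGER, leaving room for the sign bit (128 -> 00 80)."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def simple_bind(msg_id: int, dn: bytes, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] OCTET STRING } }.
    The password is a plain OCTET STRING: anyone on the path reads it unless TLS wraps it."""
    bind = _ber_int(3) + _tlv(0x04, dn) + _tlv(0x80, password)   # 0x80 = [0] simple
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))       # 0x60 = [APPLICATION 0]


def sasl_bind(msg_id: int, mechanism: bytes, credentials: bytes) -> bytes:
    """Same, but authentication is sasl [3] SEQUENCE { mechanism, credentials }."""
    sasl = _tlv(0x04, mechanism) + _tlv(0x04, credentials)
    bind = _ber_int(3) + _tlv(0x04, b"") + _tlv(0xA3, sasl)       # 0xA3 = [3] constructed
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def inspect_binds(stream: bytes) -> list:
    """Classify every BindRequest in a client-to-server stream.
    Secrets are reported by length only: a sensor must not log them."""
    findings, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = _read_tlv(stream, pos)
        if tag != 0x30:
            continue                                  # not an LDAPMessage; a real sensor resyncs
        _, mid, p = _read_tlv(msg, 0)
        optag, op, _ = _read_tlv(msg, p)
        if optag != 0x60:
            continue                                  # not a BindRequest
        _, _version, p = _read_tlv(op, 0)
        _, dn, p = _read_tlv(op, p)
        atag, auth, _ = _read_tlv(op, p)
        f = {"message_id": int.from_bytes(mid, "big"), "dn": dn.decode("utf-8", "replace")}
        if atag == 0x80:                              # simple bind
            if dn and auth:
                f["verdict"] = "cleartext-credentials"
            elif dn:
                f["verdict"] = "unauthenticated-bind"  # RFC 4513 5.1.2: DN + empty password
            else:
                f["verdict"] = "anonymous"
            f["password_len"] = len(auth)
        elif atag == 0xA3:                            # SASL bind: first OCTET STRING is the mechanism
            _, mech, _ = _read_tlv(auth, 0)
            f["mechanism"] = mech.decode("ascii", "replace")
            f["verdict"] = "cleartext-credentials" if f["mechanism"] == "PLAIN" else "sasl"
        else:
            f["verdict"] = "unknown"
        findings.append(f)
    return findings


if __name__ == "__main__":
    # constructed capture: one cleartext bind, one DN-with-empty-password bind, one GSSAPI bind
    capture = (simple_bind(1, b"uid=jdoe,ou=People,dc=example,dc=com", b"hunter2")
               + simple_bind(2, b"cn=svc,dc=example,dc=com", b"")
               + sasl_bind(3, b"GSSAPI", b"\x60\x00"))   # placeholder, not a real GSS token
    for finding in inspect_binds(capture):
        print(finding)
```

Whether a cleartext-credentials verdict is a real finding depends on the transport: the same bytes inside LDAPS, or after a StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) on the same connection, are protected, so correlate with the port and with what preceded the bind. The parser walks only the fields it needs and assumes one well-formed client stream; a production sensor reassembles TCP and resynchronises on malformed messages.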

    15. Re:Isn't Active Directory an LDAP implementation? by Anonymous Coward · · Score: 0

      Nope! Active Directory isn't stored in DHCP. As the man said, most of it is stored in .DIT databases. Some of it (DHCP lease state etc.) is sprayed into the local machine's registry. Please... when you don't know, don't post.

    16. Re:Isn't Active Directory an LDAP implementation? by dannannan · · Score: 1

      MS's active directory schema does support inetOrgPerson. Just do a schema add.

      If you don't feel like adding it yourself, installing Exchange 6.5 will do the schema update for you to add inetOrgPerson, once it is released.

      D

    17. Re:Isn't Active Directory an LDAP implementation? by dannannan · · Score: 1

      Even better, the Whistler AD already includes inetOrgPerson for you. :-)

    18. Re:Isn't Active Directory an LDAP implementation? by thehunger · · Score: 3, Informative
      Here are some major real-world problems with AD:

      • It's Windows-only. It does nothing for Windows NT, 9x, Linux, Solaris workstations.
      • When you install it, it disables all disk caching on the server to prevent corruption, affecting overall server performance by 50%
      • It requires changes to your DNS infrastructure and can crash existing DNS servers
      • Groups aren't scalable, supporting max 5000 users
      • You cannot grant rights at the OU level
      • You can't rename domains or merge trees
      • There's no remote management. No web based management.
      • For AD repairs, you have to be physically present at the server, reboot it into a special repair mode, log in with the non-AD credentials you used when you installed the server (if you remember them!), try to repair, and then reboot and bring the server up in normal mode. If the problem still isn't fixed, you must repeat the process. Talk about downtime!
      • AD doesn't have true inheritance, which means that granting a Password Admin type user rights to reset every user's password can take forever.
      • Similarly, granting rights to a file system also takes forever because OU's cannot be granted rights to files and directories
      • AD is -very- resource intensive. Simple operations can take hours, and the database grows almost exponentially. Granting rights to a user to administer e-mail addresses for 5000 users will grow the database by 13 megs!
    19. Re:Isn't Active Directory an LDAP implementation? by Anonymous Coward · · Score: 0

      Active directory is an X.500 Compatible directory structure, dependent on DNS. The database is stored in .dit files on the server and is replicated inter- and intra- site by SMTP and RPC, respectively. DNS is the name service for the directory. It is not the directory.

      Active Directory is related to LDAP in that you can use LDAP to access the active directory.

      LDAP is to Active Directory as HTTP is to Apache; a method of access.

  8. ISPMan by Anonymous Coward · · Score: 0


    This application is nice.. They don't have much if any of a community behind it though.

    http://ispman.sourceforge.net/

    1. Re:ISPMan by Anonymous Coward · · Score: 0

      There are at least seventy firms known to be using it.

  9. Well check this out by Anonymous Coward · · Score: 1, Informative
  10. my preferred LDAP browser by Doktor+Memory · · Score: 5, Informative

    Unfortunately, the best LDAP browser/editor I've found so far is neither web- nor console-based, but is a Windows program. LDAPBrowser 2.0, from the nice folks at Softerra, has been invaluable in helping me figure out how to make a bunch of openldap-based client programs talk to an MS Active Directory LDAP server. It's free-as-in-beer, and they have a number of other cool ldap toys available as well.

    You would think that wrapping a gtk+ interface around ldapsearch would be a straightforward and no-brainer proposition, but you would apparently be wrong.

    --

    News for Nerds. Stuff that Matters? Like hell.

    1. Re:my preferred LDAP browser by downwa · · Score: 3, Informative
      For a gtk+ GUI LDAP browser, gq (http://biot.com/gq/) would probably be what you want.

      For a command-line add/modify/delete utility, here's one I created:

      http://pushan.integritysi.com/down/ldapuser

      --
      Life's a lot like money-- you spend it, then it's gone. Spend wisely.
    2. Re:my preferred LDAP browser by Wizard+of+OS · · Score: 2
      I definitely agree with this: I've tested LDAPBrowser (and a beta-version of LDAPAdministrator) on several different LDAP machines, including:
      • Netscape Directory Server 4.1x
      • iPlanet Directory Server 5.0
      • OpenLDAP
      • Microsoft SiteServer Commerce Edition 3

      Only the last one had some issues, but unfortunately I wasn't able to help the kind Softerra people (who were very responsive during the beta-test) out with it because I've changed jobs since.

      For those wanting to administrate an LDAP server (eg: adding/removing/editing entries), I would definitely advise LDAPAdministrator

      --
      If code was hard to write, it should be hard to read
  11. Windows tools by alen · · Score: 3, Informative

    I'm in the process of helping deploy active directory. MS Windows comes with some LDAP tools that aren't too bad. I'm still in the learning stage so I can't frame a good opinion, but first impressions are OK. But like everything Windows if you want to get into the guts of the OS you'll have to dig around for the info. MS prefers you use their MMC based admin tools which don't give you much control.

  12. AD by ViceClown · · Score: 0, Informative

    Yeah, it's called Active Directory. It's well documented and it's easy as hell to use. This isn't meant to be flame bait - it's just the way it is. I haven't found too many good LDAP tools either. Working with Active Directory, however, is a breeze. Just my $0.02

    --
    Have a Happy.
    1. Re:AD by H310iSe · · Score: 2

      have you ever worked w/ Novell? i mean, when I first started looking at AD in w2k I said, oh, cool, they've finally got a directory service. right click, tabs, no problem. but the further I get into the w2k directory the more murky and entangled it gets. w2k directory is *not* a breeze if you're doing anything more than administering your home network, it, like other ms stuff, is more rube goldberg than anything.

      OK Novell isn't a breeze either but they were doing it when MS thought Windows 3.1 for Workgroups was a server architecture - it's ... smoother.

      oh and documented? don't make me laugh. half their documentation is marketing materials and the other half is incomplete. Please don't mod this up for being anti-microsoft (i still work w/ ms every day, hell, i'm writing this off w2k server w/ ie), I just had to say that the w2k ad is way more wack than this poster seems to think.

      --
      closed minded is as closed minded does
    2. Re:AD by ViceClown · · Score: 1

      Ahh touche. I appreciate your thoughts, I really do. I guess I'm just thinking along the lines of setup and initial use. I think a win2k server is pretty easy to set up and then you just basically click a button to start setting up a domain controller or active directory which USUALLY goes smoothly. I am by no means a M$ bandwagoner but I like stuff that's easy to use. A friend of mine is trying to grip with AD now that his company is rolling it out to their domains (100,100 users) Guess we'll see how that goes. Anyway, thanks for the reply. Cheers! - JP

      --
      Have a Happy.
  13. not that many good ones, so roll your own by Garfunkel · · Score: 1

    The java one that comes with iPlanet's server is okay, but not great. I never really found one that worked all that well. I did spend a week or so writing one for myself in PHP, but it was pretty specific to the situation and isn't useful to anybody else. I pretty much came to the conclusion that it was best to roll your own as it really didn't take that much time, and then you got to customize it exactly how you wanted to.

    --
    -jay
  14. IBM LDAP Client by dgenr8 · · Score: 4, Informative

    Go looking for the IBM SecureWay Directory Management Tool (DMT). It's a Java LDAP client that lets you edit the directory manually.

  15. Active Directory by flanker · · Score: 3, Interesting

    M$ is betting quite a bit on LDAP with AD, touting it as the number one reason for enterprises to move off of NT to 2000 server platforms. Unfortunately upgrading is such a complicated operation very few larger organizations are moving to it as fast as M$ would like. They have integrated all sorts of things into the standard directory service and it can be very confusing trying to figure out exactly what it is.

    FWIW, Novell's NDS has been the only enterprise-class directory service since the mid-90's and AD is a play into this arena.

    Of course, this is all moot since this is Slashdot and of course you aren't interested in technology from the Dark Empire (tm).

    --
    Left shift 1 for e-mail...
    1. Re:Active Directory by medcalf · · Score: 2
      FWIW, Novell's NDS has been the only enterprise-class directory service since the mid-90's and AD is a play into this arena.


      Nope. iPlanet was there before AD (as Netscape) and is far ahead of AD in stability and scalability, as well as performance. I have not used NDS enough to comment intelligently about it. AD is LDAP, but in a quite broken way - much as Win2K supports DNS and DHCP, but in broken ways.

      -jeff

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    2. Re:Active Directory by Anonymous Coward · · Score: 0

      I would have to say that since DHCP is a microsoft technology, then anyway that microsoft implements it is the "RightWay(TM)". Any other implementations are incomplete at best or incorrect at worst.

      What the hell are you talking about? 30 seconds searching the RFCs shows them to be the work of various universities, SGI, and a few other companies.

      http://www.dhcp.org/rfcs.html

      Score Whore? Nah, just a troll.

    3. Re:Active Directory by L0rdJedi · · Score: 2, Informative

      Huh?! DHCP is a Microsoft technology?! I think this was in place before Microsoft started using it.

    4. Re:Active Directory by a9db0 · · Score: 3, Interesting

      I've used NDS extensively in a couple of organizations and found it to be reasonably flexible and as reliable as a dead cat. NDS handles thousands of users, replicates across hundreds of servers, and has given me no grief. It's solid. It's reliable. It just doesn't have the mind-share it deserves.

      --
      -- "Never underestimate the power of human stupidity." - R.A.H.
    5. Re:Active Directory by kelzer · · Score: 1

      I think the original statement, that NDS is the only enterprise class directory, is true.

      While I don't doubt that iPlanet is superior to AD, it doesn't even come close to having the reliability and scalability of NDS. Read this article, which mentions some of the well-known problems with iPlanet replication. iPlanet may be fine when you've got it on a single server, but once you distribute the directory, NDS is superior. I wouldn't bet my enterprise on iPlanet's replication.

      NDS is also available on a lot more platforms than iPlanet, including Linux.

      --

      ---------------------------------------------
      SERENITY NOW!!!!!!!!!!!!!!!!
    6. Re:Active Directory by rkhalloran · · Score: 1

      MS' embrace-and-extinguish strategy is actually a disadvantage here. Since their extensions to 'vanilla' LDAP are specific to them, it's harder to integrate other systems' directories, which makes it harder for Redmond to get traction in the typical mixed-platform Big Company. Other LDAP services (OpenLDAP, Novell, iPlanet/Sun) are pretty much interoperable, and the toolset for integration is that much bigger as a result.

    7. Re:Active Directory by H310iSe · · Score: 1

      speaking of "broken way" did y'all know that DNS and DHCP services (as implemented by ICS) are incompatible on the same server? Typical, MS can't even get their technologies to work with each other.

      OK as to the subject at hand I think wsh (presuming you can run wscript) has ADSI functionality that includes adding and deleting users, etc. - if you use ADSI for Novell, however, you need both the Novell and the Microsoft implementations of ADSI (cause neither really quite works on their own, at least that's how it was 2 yrs ago). If you want to use ADSI to access another LDAP provider lord knows what else you'll need. So much for common interfaces and standards...

      As a non-programmer who has to program (ergo I use WSH), I find ADSI for LDAP to be a very easy, nice, cheerful way to access the directory.

      --
      closed minded is as closed minded does
    8. Re:Active Directory by TheKMachine · · Score: 1
      speaking of "broken way" did y'all know that DNS and DHCP services (as implemented by ICS) are incompatible on the same server? Typical, MS can't even get their technologies to work with each other.
      WTF are you talking about? I have been setting up servers with DNS and DHCP for years now and it all works like a charm.
    9. Re:Active Directory by Anonymous Coward · · Score: 0

      DHCP as it is implemented by ICS (internet connection sharing creates a dhcp ... something, directory? database?)

      I only know this b/c it was screwing up our domain replication and therefore screwing up our exchange server - when we pulled ICS it was resolved. There's a MS KB article on this but frankly I've been scheduling backup routines all day and don't have the energy to look it up.

      You're right, of course, you can run DHCP and DNS and, well, anyway, this is all off-topic ... I shoulda been more clear

      *seeks beer*

    10. Re:Active Directory by medcalf · · Score: 2

      Speak not of what you do not know. Not only is iPlanet replication quite solid, it does run on (some versions of) Linux.

      --
      -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
    11. Re:Active Directory by Score+Whore · · Score: 2

      I think you are wrong. That was not in place before microsoft started using it. Seeing as how the publication date of that document is 1997, and MS was using dhcp in 1995...

    12. Re:Active Directory by L0rdJedi · · Score: 1

      I realized that as I was referencing the document. However, as you can see from posts higher than mine, the document was drafted well before 1995. The document (and standard) just happened to be finalized in 1997.

  16. Not a big industry player? by Wolfger · · Score: 3, Informative

    Daimler Chrysler is using Novell/LDAP. Sounds like big industry to me...

    1. Re:Not a big industry player? by CounterZer0 · · Score: 3, Informative

      Guess what powers Yahoo? Novell eDirectory (LDAP). Novell doesn't do much marketing, and they admittedly haven't been 'gaining' much market share, but they have some die hard fans, and some of those fans are BIG business. It's because LDAP makes a network so much easier to run. eDirectory provides a convenient way to manage EVERYTHING on your network. And it supports multiple platforms!

    2. Re:Not a big industry player? by Anonymous Coward · · Score: 0

      http://www.cnn.com also uses Novell's eDirectory; check the main page.

    3. Re:Not a big industry player? by kramerj · · Score: 1

      Walmart uses Novell's NDS and eDirectory extensively... It's funny, they have thousands of servers running NDS, and about 200 running AD, but there are more MS guys to run the AD servers than there are for ALL the NDS servers.. amazing eh? That's proof enough for me.. (ps, and most of these guys know what the f*** they are doing, unlike most MCSEs or whatnots...)

      --
      "What's this script do? unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep Hint for the answer: not everyth
  17. LDAP Admin Tools by nvrrobx · · Score: 2, Interesting

    There are a few LDAP administrator projects listed on Freshmeat:

    http://freshmeat.net/projects/sldapa/
    http://freshmeat.net/projects/directoryadmin/

    1. Re:LDAP Admin Tools by mbf · · Score: 1, Informative

      Also on freshmeat:

      http://freshmeat.net/projects/ldapexplorer/

      It's a package in debian testing/unstable as well.

      There's a gnome client called GQ LDAP Client which is a bit shaky, but works well once set up correctly.

      A little shell/perl scripting should get you all the useradd tools you need. I've done just that for a simple ldap-backed postfix/courier pop/imap mail server.

      I intend to extend the tools for use in an ldap-authenticated samba PDC as well giving a one-stop non-MS infrastructure.

      mbf.

  18. JAVA LDAP BROWSER by Wolfier · · Score: 2, Redundant

    Is what we are using.

    To get it:

    Go to google, search for "ldap browser" and click "I'm feeling lucky".

    Enjoy.

  19. My Favorite tools by Daeslin · · Score: 4, Informative

    Of course, the standard command-line classics (ldapsearch, ldapmodify, etc.) that come with any of the major vendors' stuff (Netscape's SDK, Novell's eDirectory).

    Also, I REALLY like the java LDAP Browser for GUI use (available from http://www.iit.edu/~gawojar/ldap)

    As far as account creation tools, there's some nice trends among the big user provisioning corporate grade systems (i.e. Access360) to manage accounts in LDAP.

    I'd stay away from Active Directory since it doesn't follow all of the standards. eDirectory's only big annoyance is that its LDAP is actually a mapping on top of their old stuff, so sometimes that adds complexity. But for a long time they had the only multi-mastered replication setup. iPlanet now has that and MS/AD kinda does (but they have crappy granularity on their objects in case of collisions).

    --

    I like lots of people. That doesn't mean I go carting them around the galaxy with me. --Dr. Who
    1. Re:My Favorite tools by renakuzar · · Score: 1

      That is a great tool. Other tools can be found at http://www.iplanet.com/products/solaris_extensions/home_solaris.html. Also check out the iPlanet resource kit for very useful tools: http://www.iplanet.com/downloads/developer/0068.html. For open source tools check out (search on LDAP) http://sourceforge.net/. Also good to know are:
      http://www.opengroup.org/directory/
      http://www.ldapzone.com/
      http://perl-ldap.sourceforge.net/
      http://www.ietf.org/html.charters/ldapext-charter.html

  20. Re:There's NDS DAMN STRAIGHT! by Havokmon · · Score: 2


    Yes, go to Novell for the best directory, and the best LDAP software available.

    You can use Novell's eGuide as a good user admin utility via LDAP. I've never tried it with a generic LDAP directory, but it should work well.

    IMHO, if you're going to do anything that requires a large directory, look at NDS. You'll get your basic LDAP services and a lot more, including replication.

    Move up to a Novell Netware 6 server, and get load balancing / automatic failover with it!

    Ever play a video file off your server, then down the server, and have the video pick up where it left off?

    It just fucking rocks.

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
  21. libnss-ldap by coyote-san · · Score: 4, Offtopic

    Have you looked at libnss-ldap? Install that, set up your /etc/nsswitch.conf file to refer to ldap in addition to your other resources, and all well-behaved programs (re: that use the NSS routines in glibc instead of attempting to modify /etc/whatever directly) should update the LDAP records.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  22. Perl? by Anonymous Coward · · Score: 0

    Why not just whip up a few quick and dirty perl scripts to take care of simple things like adding and removing users?

    1. Re:Perl? by SpaceLifeForm · · Score: 1

      That may be fine for you and others, but is that really user-friendly for a clerical type person having to do repetitive maintenance all day long?

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  23. Anything but OpenLDAP by Pegasus · · Score: 5, Informative

    I don't know about commercial LDAP offers, but OpenLDAP led me to the conclusion to NOT use LDAP anywhere. I still have it installed in three locations and am actively working on porting it to MySQL or Unix flat files, because it's so unreliable. The nss library from padl.com for some reason doesn't always close its connections, so you hit the 1024 file descriptor limit within a week or so. Yes, you can compile with -DFD_SETSIZE, but this only gives you more time until a restart is needed. Second, replication never worked reliably, so trying to avoid the fd problem with more replicas only caused more pain and sleepless nights rebuilding and reindexing databases (125k user entries, it takes 7 hours on a 4-way Xeon). And if only the slapd itself would work! It stops responding every now and then, for no reason. OK, I can catch these with a trivial script ... but recently, I got more and more examples where the connection is accepted, but the result never comes ... so ldapsearch just sits there without an answer, huh. I've also seen examples where some slapd threads would occupy one or more CPUs in the box, slowing things down noticeably.

    So, whatever you do, AVOID OpenLDAP.

    1. Re:Anything but OpenLDAP by RollingThunder · · Score: 2

      Hmm... we've got OpenLDAP in some test systems, and we haven't seen anything like that (but it's not under any load either).

      Are there any other free (in either sense) LDAP servers, though? All the others appear to be closed and/or $$$.

    2. Re:Anything but OpenLDAP by whynot · · Score: 3, Interesting

      Some advice for rebuilding your LDAP DB: rebuild your directory on a RAM disk; it speeds things up by a factor of 5 for us. We are rebuilding our DB on a daily basis. It has about 300k entries and is 500MB in size and takes less than 60min to rebuild.

      OpenLDAP dies a lot over here too. Replication works quite well for us; the only "problem" is that slurpd opens lots of processes for every replication target - our main LDAP machine is running about 750 processes at all times.

      Don't even dare to try any 2.XX version of openldap - they have a lot of features you probably don't need and are even more buggy.

    3. Re:Anything but OpenLDAP by hysterik · · Score: 1

      Okay, so what other GPL (or other open license) alternatives are there, that you might suggest? My experience with OpenLDAP has been quite positive. Granted I haven't successfully been able to upgrade to the newer 2.x versions due to something I still haven't figured out. However, I am using 1.2.10 with good success. There is an issue with the replication, which can be "fixed" by referring to any slave nodes by IP instead of hostname. Everything seems to run very well. Although, we only have about 1000 entries, which may explain it.

    4. Re:Anything but OpenLDAP by sheldon · · Score: 4, Insightful

      Ahh, and so goes the struggle of Open Source.

      It all works fine on someone's home machine, because it's never under any load. Try to put it into a moderate production environment, though, and it all falls down go boom.

      I used to hear similar comments about open source NIS implementations 3-4 years back.

      So you either start load testing it yourself, understand why it's broken and fix it. Or go with a commercial product that has already been through this process.

    5. Re:Anything but OpenLDAP by Anonymous Coward · · Score: 2, Informative

      We at the University of Texas have been using OpenLDAP for years and are very pleased. We're running 1.X for a 70K entries public white pages service that handles ~100K queries a day without a hiccup. There are a number of other private 1.X services ~100K entries, but not heavily used. We also have 2.X running a private photo directory with ~120K entries holding ~500K photos for IDs and photo course rosters (~7GB id2entry.dbb -- kinda stresses various Linux utilities).

      We populate the directories live, but some complexities with our own record keeping requires a bulk reload weekly -- so the daemons are restarted at least once a week.

    6. Re:Anything but OpenLDAP by Linux_ho · · Score: 2

      Hmmm. It works great for us, course we only have about 2K users, but it's being heavily used for authentication of IMAP users, SAMBA authentication, RADIUS for dial-in users, plus sendmail routing, mail500 listserve lookups, and our mail clients are using it as a directory, of course.

      --
      include $sig;
      1;
    7. Re:Anything but OpenLDAP by soloport · · Score: 1

      This should *really* be modded as flame-bait!

      We've been using OpenLDAP for several years, at several data centers, heavy loads (e.g. remember Sept. 11? nimda?), etc. What are you talking about?

      Easy to blame the application; Tough to blame the installer, I'm sure. RTFM?

    8. Re:Anything but OpenLDAP by cloudmaster · · Score: 2

      I'll second this. I set up an openLDAP-based machine that handles some 10K users' email (authenticating and getting account info from LDAP using padl's stuff), and it has no such problems (it's been up for a couple of years now, aside from scheduled reboots for new kernels once in a while). RTFM is kinda required if you're setting up a big system.

    9. Re:Anything but OpenLDAP by Anonymous Coward · · Score: 0

      I use OpenLDAP with qmail (Qmail with LDAP on www.lifewithqmail.org) and it is up and running for several months without maintenance. Together with a web frontend in PHP for Qmail/LDAP it is a killer ...

    10. Re:Anything but OpenLDAP by ink · · Score: 1

      Yeah, I hate having to restart Apache all the time. Damn those open source programmers! :)

      --
      The wheel is turning, but the hamster is dead.
    11. Re:Anything but OpenLDAP by abigor · · Score: 1

      OpenLDAP works great when configured correctly, even under heavy load.

      As for the "home machines" comment...well, you must be trolling:

      FreeBSD
      Linux
      BIND
      Sendmail
      JBoss

      ...etc.

      Yes, all of these "fall down go boom" under heavy load, unlike their closed counterparts...oh, wait a second.

      Basically, you're assuming that all open source projects are little home things that, in order to make them "real", need to be adopted by commercial interests and "fixed". That's just silly.

    12. Re:Anything but OpenLDAP by smutt · · Score: 5, Informative

      My organization chose OpenLDAP after doing extensive testing with IPlanet and DC Directory. We measure the size of our deployments in the 10's of thousands of users. I'm talking big honking SUN boxes with fiber channel, Gig-E and SAN's. I've found OpenLDAP(configured properly) stable and easily scalable. It's not the easiest thing in the world to setup, but at least it behaves deterministically and scales.

      --
      The Information Revolution will be fought on the command line.
    13. Re:Anything but OpenLDAP by nostriluu · · Score: 1

      I don't agree with this at all. There is plenty of reliable open source software and plenty of finicky non open source software. Making this kind of generalization is very harmful. Just think for a second of linux (the kernel, not the graphical environments :>), bsd, mysql, postgresql, apache, etc, etc, etc. All chugging away without a problem. I will agree open source products tend to be harder to configure and perhaps maintain properly, but you usually get extra flexibility in exchange for the additional burden, not to mention being able to debug or improve software more easily. And not to mention not supporting entities who think it's appropriate to "hide" their "secret" software rather than realizing that being the first or the best is more important than being childish and greedy.

    14. Re:Anything but OpenLDAP by rasjani · · Score: 1, Flamebait
      Tell them sister!

      I had the same kind of problems with this webserver called Apache. It ran just smoothly from a DSL line and a 133MHz Pentium with 32MB of memory but shit happens, I installed it on a bunch of Netra T1's and all hell broke loose. Totally crappy uptime of almost a few years and I have to restart the goddamn processes every friggin week while I'm updating the configurations! Can you believe that! Drives me crazy!!

      Same thing with one fileserver at the same company. Installed Samba to allow our people to add their critical files to the network and automatically back those up. Horrible. Just plain horrible. I'm losing my mind with those friggin open source projects!

      --
      yush
    15. Re:Anything but OpenLDAP by Pegasus · · Score: 1

      Reading this makes me wonder ... If it really works for you, could you write it down and post it on some web page?

    16. Re:Anything but OpenLDAP by Pegasus · · Score: 1

      Ok, so what's the magic to make it work? Could you write your experiences to some web page?

    17. Re:Anything but OpenLDAP by Pegasus · · Score: 1

      > This should *really* be modded as flame-bait!

      Agree :) I'm just in a mood ...

      > Easy to blame the application; Tough to blame the installer, I'm sure. RTFM?

      Now explain this: I mentioned we have OpenLDAP in three different setups; these were all set up by three different experienced sysadmins; it's hardly likely that all three would make the same mistakes to cause poor performance, no?
      And I'd sure want to RTFM if there were some useful FM available at all. Would you contribute some, if it really works for you?

    18. Re:Anything but OpenLDAP by soellman · · Score: 1

      well I feel I should put in my two cents.. I've been using OpenLDAP and nssldap for almost a year now to do all my logins (rfc 2307 nis-style schema). this works for local logins, and also "domain" logins from macosx workstations (thanks marcel, for writing lookupmanager). I've also extended the schema to support a simple ldap-based mailing list manager that I wrote.

      Granted I run a light network. But never during this time have I encountered any stability problems. Have you followed the development and looked at bugfix releases?

    19. Re:Anything but OpenLDAP by sheldon · · Score: 3, Insightful

      "Basically, you're assuming that all open source projects are little home things that, in order to make them "real", need to be adopted by commercial interests and "fixed". That's just silly."

      No I'm saying that any time you post a query about most open source projects not working for you because of load issues, the response is "It works fine on my little home network."

      Listen, load and stress testing an application takes a fair amount of resources. It takes money to buy the test hardware and execute tests and such. This isn't something most people can do on their little home networks, so it takes corporate investment to make it happen.

      How many people do you know who have a dozen servers and 200 desktops sitting in a room just waiting around for someone to setup and run some tests?

      Companies like Compaq, IBM, Microsoft, and so forth have these resources. If Compaq and IBM view OpenLDAP(or whatever) to be critical, perhaps they will make their testing labs available to the open source developers.

      Otherwise you are relying upon testing in production, which is not the way to win friends.

    20. Re:Anything but OpenLDAP by zulux · · Score: 2

      So you either start load testing it yourself, understand why it's broken and fix it. Or go with a commercial product that has already been through this process.


      A Samba server that I installed for a client has an uptime of around 500 days - it has never crashed. The reason I installed Samba: the NT server it replaced would crash about once a week.

      It looks like the open source Samba is better than the commercial NT.

      There are other examples:

      OpenSSH has fewer security holes than SSH
      IPF is better than XP's 'firewall'
      LaTeX is better than.. well anything
      MIT Kerberos is better than MS Kerberos

      So your blanket statement that commercial is necessarily better than Open Source is false. Enjoy.

      --

      Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

    21. Re:Anything but OpenLDAP by JerkBoB · · Score: 1

      My organization chose OpenLDAP after doing extensive testing with IPlanet and DC Directory.

      Can you post any details as to why your org came to this decision? Also, OpenLDAP 1.x or 2.x?

      Thanks!

      --
      A host is a host from coast to coast...
      Unless it's down, or slow, or fails to POST!
    22. Re:Anything but OpenLDAP by soloport · · Score: 1

      > And I'd sure want to RTFM if there were some useful FM available at all. Would you contribute some, if it really works for you?

      Er, I see your point... Perhaps "I'm just in a mood...", too.

      Rough week. Sorry :-)

  24. GTK based LDAP browser by TheViffer · · Score: 2, Interesting

    I use GQ for browsing around in an LDAP. It is a great start on a fully functional LDAP client tool, but still, many options still need to be implemented.

    --
    -- Knowing too much can get you killed, but knowing who knows too much can make you rich.
  25. Uhh.... what's LDAP? by Stiletto · · Score: 0, Troll


    Anyone care to tell us what LDAP is and who uses it? Or at least what does the acronym stand for?

    1. Re:Uhh.... what's LDAP? by Anonymous Coward · · Score: 0
    2. Re:Uhh.... what's LDAP? by SweetCyanide · · Score: 2, Informative

      Lightweight Directory Access Protocol

      Acronym lookup dictionary for your reference:
      http://www.ucc.ie/info/net/acronyms/acro.html

    3. Re:Uhh.... what's LDAP? by NerdSlayer · · Score: 1

      from the first result off of google:

      http://www.openldap.org/faq/data/cache/3.html

    4. Re:Uhh.... what's LDAP? by Jahf · · Score: 5, Informative

      LDAP == Lightweight Directory Access Protocol (I think, that's from memory).

      LDAP was originally intended to be a more flexible and less resource intensive implementation of Directories (phone books are a good example but not the only one) a'la the older X.500 protocol.

      LDAP has been embraced by a lot of companies like Microsoft and Sun (my employer) as a core server technology to form the "glue" between distributed services.

      One of the most common uses is to maintain remote password authentication databases. Similar in concept to RADIUS or NIS, but in a more standard implementation without all of the overhead.

      For instance, Sun is moving its internal network to LDAP authentication (originally it was unconnected, later they used NIS, both older systems are still in use at Sun right now). It allows an employee to use the same password for many different resources on the internal network while having a single place to update that password.

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
    5. Re:Uhh.... what's LDAP? by Kazin · · Score: 1

      Oh come on people, learn to look things up for yourselves. If you can't help yourself, why should we help you?

      Just out of curiosity, I put "LDAP" into google, and the 2nd result defines what the acronym means, I'm sure most of them will give you a clue what it really does.

    6. Re:Uhh.... what's LDAP? by crowke · · Score: 2, Informative

      RFC 2251:
      Lightweight Directory Access Protocol (v3)

      This protocol is specifically targeted at management applications and browser applications that provide read/write interactive access to directories.

    7. Re:Uhh.... what's LDAP? by Jahf · · Score: 1

      I left out mention of Microsoft's usage, which is actually pretty massive. Microsoft is moving from its older SMB "domain" authentication scheme to what they are calling "Active Directory Services".

      ADS is based on LDAP, but as with many Microsoft uses, has been "extended" a bit past the standard such that it doesn't easily interface with other LDAP servers.

      This started mid-way into the Windows 2000 product and is the default way to build a network with Win2K Advanced Server and Windows XP Server. This means that Microsoft is probably the largest current implementation of LDAP (though most MCSEs probably have no clue how powerful this can be and often will use the older SMB Domains since they are more familiar with it).

      --
      It is more productive to voice thoughtful opinions (reply) than to judge (moderate) others.
    8. Re:Uhh.... what's LDAP? by Spackler · · Score: 1

      Anyone care to tell us what LDAP is and who uses it? Or at least what does the acronym stand for?

      Lightweight Directory Access Protocol
      It is really a database to store small chunks of related information. Nice and fast.

      http://developer.netscape.com/docs/manuals/dirsdk/jsdk30/ldap.htm

      Spackler

      PS: Google is your friend. Use it, and you will always know the answer to everything.

    9. Re:Uhh.... what's LDAP? by Tim+C · · Score: 2

      LDAP stands for Lightweight Directory Access Protocol, and is basically a method of representing information in a tree-like structure.

      For example, to represent the fact that I work for a company (let's call them Foo Inc) in the UK, you could write the following:

      c=UK,ou=Foo Inc,cn=Tim Campbell

      That identifies the object "Tim Campbell" in the organisational unit "Foo Inc" in the country "UK" (Sorry for any inaccuracies and the general crapness of the example, it's been a long time since I messed with any LDAP stuff)

      The only thing that I've used that uses LDAP is SiteServer, which uses it for the Personalisation and Membership service (which is why it's been such a long time :-) ).

      Cheers,

      Tim

    10. Re:Uhh.... what's LDAP? by Anonymous Coward · · Score: 0

      Lightweight Directory Access Protocol.

      I've only used it as part of Microsoft Site Server for authentication and storing/tracking user attributes. Basically, you can reference the active user, and assign "standard" attributes such as First Name, Postal Code, etc. as well as define values for each attribute. Site Server was a royal pain in the butt to get going, but once it was working, it was pretty easy. The most absurd thing about Microsoft's support is that they DON'T SUPPORT moving an LDAP database (or what they call their Personalization and Membership database) to a different machine! No, I'm not kidding!

    11. Re:Uhh.... what's LDAP? by Brendan+Byrd · · Score: 1

      Why don't you look it up on Dictionary.com or a search engine?

      (Why do people insist on asking questions, when it's easier to figure it out for themselves?)

    12. Re:Uhh.... what's LDAP? by electroniceric · · Score: 1

      If LDAP can do all this, why the brouhahahaha about .Net.My.Hailstorm.Services?

      Could someone just build a huge public LDAP-over-Freenet, and everyone and their pet hamster could be authenticated? My tone is sarcastic, but I'm mostly serious. Why .Net? If the stuff that someone posted about Novell is correct, aren't they really the right people to build an authentication database?

      Will LDAP form a part of .Net or someone else's distributed web authentication scheme (in the unlikely event that Microsoft doesn't win all the prizes)?

    13. Re:Uhh.... what's LDAP? by Znork · · Score: 2

      Novell doesn't have the desktop clout to ram it down everyone and their grandmother's throat whether they want it or not.

      Sure, Novell would have the tech to do it, but hell, this is the IT industry, which isn't about technology. It's about Microsoft taxing you for 30% of your income for the rest of your life. Nothing else.

    14. Re:Uhh.... what's LDAP? by maX_ · · Score: 1

      that would be:

      in Netware terms:
      Distinguished Typefull name:
      cn=Tim_Campbell.ou=foo_inc.o=uk (or c=uk, if you use country codes)
      distinguished name:
      .Tim_campbell.foo_inc.uk

      in ldapspeak: cn=Tim_Campbell,ou=foo_inc,o=uk (or again, C= )
      (for those who don't know..)
      O= Organization C= Country
      OU= Organizational Unit
      CN= Common Name

      Hope that helps.....

      maX_
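
Tim C's and maX_'s posts above are the thread's only look at DN syntax. As an added example (not from either poster, nor from any project named here), the following builds the fictional Foo Inc DN in leaf-first LDAP order and parses it back, escaping attribute values per RFC 4514 so that a value such as "Tim,ou=admins" stays inside the cn instead of becoming an extra RDN; the helper names are mine.

```python
"""RFC 4514 distinguished-name helpers.

Added example (not from any post in the thread): builds the Foo Inc DN from
Tim C's and maX_'s posts in leaf-first LDAP order and shows why attribute
values must be escaped before they are concatenated into a DN string.
"""
from typing import List, Tuple

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would mean "hex-encoded value"
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space survives only if escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join (type, value) pairs leaf first, e.g. [('cn','Tim Campbell'),('ou','Foo Inc'),('c','UK')]."""
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN back into (type, value) pairs, honouring backslash escapes.

    Multi-valued RDNs ('+') are not handled; none of the thread's examples use them.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        if i == len(dn) or dn[i] == ",":       # unescaped comma (or end) closes an RDN
            attr, eq, val = "".join(buf).partition("=")
            if not attr or not eq:
                raise ValueError(f"malformed RDN: {''.join(buf)!r}")
            rdns.append((attr.strip(), val))
            buf = []
        elif dn[i] == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and (nxt in _SPECIAL or nxt in " #="):
                buf.append(nxt)                # escaped single character
                i += 1
            else:                              # \XX hex pair
                pair = dn[i + 1:i + 3]
                if len(pair) != 2:
                    raise ValueError(f"truncated hex escape at offset {i}")
                buf.append(bytes.fromhex(pair).decode("latin-1"))
                i += 2
        else:
            buf.append(dn[i])
        i += 1
    return rdns


if __name__ == "__main__":
    # Tim C's example, written leaf first as maX_ does.
    print(build_dn([("cn", "Tim Campbell"), ("ou", "Foo Inc"), ("c", "UK")]))
    # Constructed hostile value: escaped, it remains one cn instead of adding a fourth RDN.
    print(build_dn([("cn", "Tim,ou=admins"), ("ou", "Foo Inc"), ("c", "UK")]))
```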

  26. Java based browser/editor by SweetCyanide · · Score: 2, Informative

    I like Jarek Gawor's Java based editor:
    http://www.iit.edu/~gawojar/ldap/index.html

    1. Re:Java based browser/editor by PacketMaster · · Score: 3, Insightful

      Yeah, I use this to administer my Linux network that uses pam_ldap to authenticate users corporate-wide. It's a terrific tool.

      --

      Some people take their .sig way too seriously

  27. What about "Directory Administrator"? by DocSnyder · · Score: 4, Informative

    Directory Administrator is a GUI (GTK+) frontend for user administration within an LDAP directory. It still requires some knowledge about an LDAP hierarchy, but it helps a lot.

    My advice is to create two user hierarchies: one for administrative non-human accounts (e. g. root, mail, www) and one for real users. Same thing for groups. This way you can manage your real-user accounts with some kind of GUI frontend and even re-use the objects in an addressbook like Evolution Contacts without risking a security hole.

  28. This has been a huge problem for us as well by Casshan · · Score: 5, Informative

    I am with an admin group trying to integrate a couple hundred UNIX and Windows machines into a single login using an Active Directory server, which provides us with Kerberos authentication, and an LDAP directory. (This was mandated to us "from above".) The Kerberos authentication of course was easy; however, there is hardly ANY information about actually using LDAP in a production environment.. we are trying to use the Active Directory LDAP server to provide the POSIX gecos and home directory information for the UNIX clients... however the default Active Directory schema does not include RFC2307.

    Probably the most frustrating part is if you go on Google and look for help, you see people mentioning that this works, but never any specifics. I assume you are just using pam_ldap to grab a password crypt from an LDAP server (which is as secure as giving everyone read permissions on your shadow file).

    I think the best solution is to use an LDAP server to host all the user information that is normally in /etc/passwd. This is possible in Linux and Solaris using the nss_ldap module which lets you add an "ldap" entry to your network switch file, and use ldap instead of /etc/passwd. It seems the best solution is Kerberos for authentication and LDAP for everything else, which Active Directory can provide, in a mixed-OS environment even.. but has anyone been able to successfully run nss_ldap against an AD LDAP server? (without using Services for UNIX or other kludges) LDAP seems to be an integration nirvana.. but without proper documentation I am afraid it will never see broader use..

    1. Re:This has been a huge problem for us as well by maitas · · Score: 2, Informative

      Your biggest problem is the idea of using Active Directory.
      I've integrated myself several Windows, Linux and Solaris boxes under iPlanet Directory Server (which by the way, is free up to 200.000 directory entries).
      The problem arises when you try to use Microsoft proprietary LDAP (aka Active Directory). Just throw Active Directory away. Download for free Solaris 8 for Intel, download the latest LDAP Directory Server for Solaris Intel from iPlanet home page, and you will get plenty of docs from within iPlanet's site, and even Sun site. You can even call your Sun SE and get him to find all the documentation needed to integrate a Windows, Linux Solaris environment.
      Realllllyyyyy easy!!

    2. Re:This has been a huge problem for us as well by Trepalium · · Score: 1

      I believe you will need to use the Kerberos PAM modules as well for Active Directory. Microsoft's MSDN also has source code for adding/removing users from AD, and changing passwords via Kerberos. I've never tried it myself, but it's supposed to work.

      --
      I used up all my sick days, so I'm calling in dead.
    3. Re:This has been a huge problem for us as well by sheldon · · Score: 3, Interesting

      Hmm, it's pretty easy to add fields to the Active Directory schema. There are also AD editing tools that will let you modify them at low level.

      Failing that, AD/LDAP is pretty easy to script using ADSI interfaces.

      I've never done what you are looking at, but it doesn't seem like it should be that difficult.

    4. Re:This has been a huge problem for us as well by dillon_rinker · · Score: 5, Funny

      I've never done what you are looking at, but it doesn't seem like it should be that difficult.

      You have a very promising career in technical management.

    5. Re:This has been a huge problem for us as well by martinde · · Score: 2, Interesting

      Have you seen this?

    6. Re:This has been a huge problem for us as well by Anonymous Coward · · Score: 0
      There is no such thing as an LDAP server.

      LDAP is a protocol for accessing data in a directory. You must be running a directory service on your server before you can use LDAP to access it.

      The advantage of LDAP is that, in theory, you can use LDAP to access any directory that supports LDAP.

      For example, I can use Novell's CLIB to directly get at the NDS, or I use the LDAP interface. If I use LDAP in my app, in theory it should work with other vendors' directories also.

      LDAP is NOT a directory service!

    7. Re:This has been a huge problem for us as well by sheldon · · Score: 3, Interesting

      Haha. No I'm saying that the LDAP default install in AD lacking certain fields doesn't appear to be a challenge because they can be easily added.

  29. ever hear of Freshmeat? by Kazin · · Score: 1, Informative

    I implemented LDAP at a dot-bomb company I worked for in late 2000, and had NO PROBLEM finding tools. I was using a nice Gtk user manager, and had my mail server (and all the mail clients) looking up users in the LDAP server. All the tools I used I found on Freshmeat. Maybe try searching the web?

    1. Re:ever hear of Freshmeat? by Anonymous Coward · · Score: 2, Insightful

      Well that's fantastic. Except you failed to mention even ONE of all the tools you had "NO PROBLEM" finding. Why did you even bother posting your piece of shit?

  30. Some things you can use by crowke · · Score: 2, Informative

    As a student I'm doing some research on LDAP usability and programming.

    If you want an all-in-one solution (Server & Gui to populate server), try the iPlanet Directory Server which is kind of free to use (downloadable at netscape.com) and has a really nice interface.

    Another nice (non-free) thing is an LDAP API for Visual Basic from SnarkSoft which allows you to quickly write applications using data from your LDAP server. I know this isn't really an LDAP solution, but it allows you to easily develop LDAP applications.

  31. Free Java LDAP Browser by Thwyx · · Score: 1

    http://www.iit.edu/~gawojar/ldap/

  32. Openldap mailing lists by Anonymous Coward · · Score: 1, Informative

    Your questions appear perennially on the openldap mailing lists. You might want to look in the archives:

    http://www.openldap.org/lists/

    Personally I've used LDAPExplorer, a php based viewer/editor. It works OK, but is not without its flaws. (Supports php 4.06 only, no longer maintained, sessions are intermittent) Since it's GPL'd one could have some fun improving it.

  33. I'm a river of knowledge to my people by foofboy · · Score: 5, Informative
    1. Re:I'm a river of knowledge to my people by Anonymous Coward · · Score: 0

      This GNOME based directory administrator is awesome! I'm amazed it's not well known.

      cheers

    2. Re:I'm a river of knowledge to my people by jlittle · · Score: 1

      I better explain this.

      Directory Administrator is a user/group management tool for data stored in LDAP servers. Systems use nss_ldap and pam_ldap to access and authenticate against this information. Open-IT also provides packages for OpenLDAP and PADL software (nss/pam_ldap) to do this securely. You can even enable ACLs in OpenLDAP to limit exposure. Most people in this discussion are interested in user management tools, and don't want to be exposed fully to LDAP and its nomenclature.

  34. Yeah... by A+nonymous+Coward · · Score: 0, Troll

    Google's your friend.

  35. eDirectory by CounterZer0 · · Score: 0, Redundant

    eDirectory (formerly NDS) by Novell...is fully LDAP compliant, and comes with a whole bunch of tools and stuff of that nature. And it even runs on Linux / Solaris / AIX / Tru64 / Netware and NT! It's not 'open source', but it can be free as in beer for developers. So far, it's been remarkably stable and easy to use on Linux.

  36. MacOS X Server & Netinfo Manager by Anonymous Coward · · Score: 0

    The LDAP tools in MacOS X Server are quite excellent, I know some people who set it up just to provide LDAP and Kerberos for a whole network of users. Check it out.

  37. linux/unix LDAP user tools by Paul+Jakma · · Score: 4, Informative

    check out:

    directory_administrator which is a GNOME LDAP user admin tool (slick enough for use by a frontline helpdesk).

    there are other LDAP GUIs, KDE has one. search freshmeat.

    gq, a general purpose LDAP GUI tool. quite slick, comes with RH7.x.

    Also, note that with RH7, the 'passwd' tool uses pam and will hence automatically work with LDAP authentication. (presuming your LDAP server is configured correctly for write access).

    finally, you'll probably want to develop your own scripts with template LDIFs for things like useradd, or find someone who's already done so. (i noticed there's a post on this thread providing a link to exactly that.) Note that for scripting, PADL's migration scripts are very informative. These are included with the OpenLDAP distribution.

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  38. Life beyond LDAP by cheezit · · Score: 1

    So everyone hates LDAP and the tools suck, except for Microsoft's. I have a related question:

    What successful strategies have you employed for maintaining large user databases/directories in a heterogeneous environment?
    1. NIS/YP plus ActiveDirectory/NT Domain plus RACF/TopSecret plus ?????, along with a bunch of scripts to maintain synchronization?
    2. Something else?

    --
    Premature optimization is the root of all evil
    1. Re:Life beyond LDAP by mabatche · · Score: 4, Interesting

      We are actually using a product from Novell called DirXML to do exactly this. We are syncing RACF/Notes/NDS/(soon NT Domains) and peoplesoft with our "meta directory" (It's actually just NDS but we call it a meta directory). We are pretty early on in the project, but so far things are looking good.

  39. Search engines! by fm6 · · Score: 1

    They're really neat! You ought to give them a try!

  40. How Ironic!!!! by basking2 · · Score: 1

    Yah know, I JUST got LDAP working last night and am in precisely your position. :-) I'm planning on crafting up the tools I need in Perl either to manipulate openldap a little bit more nicely or to just connect to the server and do the work directly.
    Perl is cool like that. :-) Hope this helps!

    --
    Sam
  41. LDAP? by Anonymous Coward · · Score: 0

    When one is going to bandy about acronyms, it is a courtesy to use the full length term once.
    example:
    "when arriving at the hospital, the victim was DOA (Dead On Arrival). since he was DOA, we did the...."

  42. widely implemented at my university by moniker_21 · · Score: 2

    The university that I attend has deployed LDAP for use by its some 25,000 students, faculty, volunteers, and anyone else associated with the school. As far as I can tell the university has written their own custom perl scripts for interfacing to the directory via a web browser. I have to say it works pretty damn nicely. I'm not sure what it says that they wrote their own scripts, but I suspect it was due to a lack of existing software to get the job done. I hope LDAP doesn't fall to the wayside, because it's done very well for this campus.

    --
    I posted to /. and all I got was this stupid sig
  43. What I found I had to do by Kphrak · · Score: 1

    (to the tune of "Row Row Row Your Boat")

    Roll, roll, roll your own, script the night away,
    Thought it had some Unix tools, but now you have to pay

    I'm going through the very same thing on a Sun platform...I can assure you that it sucks. I recommend writing your own. I saw some people mention UIs, but that's no good if you want to automate things.

    (BTW, if you're using a proxy account to authenticate, can you allow groups of users to access some systems and not others, or does the use of the proxy preclude all that? Anyone who knows, feel free to email me and answer a violent argument here....the manual I've got says nothing useful concerning it ;) )

    --

    There's no sig like this sig anywhere near this sig, so this must be the sig.
    1. Re:What I found I had to do by Anonymous Coward · · Score: 0

      I found writing my own tools to be the best choice when I rolled out LDAP to replace NIS in a fairly large environment.

      The iPlanet Directory Server is not bad, but the admin server and web interface that are provided leave much to be desired.

      The best, and eventually easiest, way was to create web tools using Perl.

      In re system level authentication:
      (Keep in mind that this is with iPlanet Directory Service, and HP-UX (utilizing the LDAP-UX client), YMMV.)
      In order to restrict host access to certain machines, I utilized the "host" field for any given account. Then when you set up the client profile, you restrict the query to return only those entries that have a host field that matches a specific identifier. I then tied the identifier to groups of machines based on function (i.e. development machines, web servers, or whatever.) This way, if an account has not been specifically granted access to that permissions group, it is not visible. The proxy account does not make a difference one way or the other.

      I also strongly recommend using SHA instead of crypt, and securing communications to the Directory Server.

      All in all, if the deployment is planned out properly, the transition should be fairly seamless.

  44. You're not looking hard enough by Anonymous Coward · · Score: 3, Interesting

    If you can't find LDAP tools, you haven't been looking hard enough. Here (http://www.dbaseiv.net/code/cpu.phtml) is a tool for doing unix style user management with an LDAP directory. Here (http://www-unix-mcs.anl.gov/~gawor/ldap/index.html) is a fully functional, really awesome ldap browser that I have used extensively. These are just a tiny sample of all the software for directly working with an LDAP directory. Check the OpenLDAP and IETF lists for more tools, OpenLDAP comes with quite a few as well.
    If you have paid careful attention, you will notice that LDAP support has crept into hundreds and hundreds (if not thousands) of applications over the last year. The APIs for doing LDAP programming yourself are also extremely well developed imho. You have options for C, PERL, C++, Python and a slew of other programming languages. Search Freshmeat or Sourceforge for LDAP and see what you come up with, I think you'll be surprised.
    I don't think LDAP is dead, I think it's one of those protocols like TCP that just sneaks up on you with its usefulness :)

  45. try GQ by gwillden · · Score: 1

    It's an LDAP client for Linux. It's a nice little program for verifying your configuration. I'm not sure about editing though.

    --
    -- Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.
  46. LDAP stands for... by skia · · Score: 1, Redundant
    ...Lightweight Directory Access Protocol, for those unenlightened who read /. and are frustrated by never getting acronyms expanded for them.

    It is an open-standard protocol for accessing information services.

    more can be found here.


    1. Re:LDAP stands for... by JWhitlock · · Score: 1
      Hate to do this, but...

      Mod the parent up!

      I had to scan all the way down to a 1 comment to find out what LDAP was. I'm a code monkey by trade, but I was on the student paper, and the amateur journalist in me cringes when an acronym is used 9 times in a row without being defined once...

  47. LDAP is quite useful where I am by hysterik · · Score: 4, Informative

    I am employed by a major aerospace company, and have been using LDAP for several years for web based authentication. This has permitted us the option of "piggy-backing" any other web servers into this authentication scheme. The tools I have used have all been written by myself in Perl, using the Net::LDAP module. I believe there is at least one other module available to use, either available from CPAN. I believe Graham Barr is the author of this module. Using this approach, you should be able to build your own custom webpages for selective browsing of LDAP shares, and management.

    If you're seeking some bona fide support options, you might confer with openldap.org, or better yet iPlanet's Directory Server. The latter would cost some money, but it is an option.

  48. Novell's been "going out of business" for years... by itwerx · · Score: 4, Informative

    TSIA.
    The fact is there's a niche between small business (Microsoft products) and Fortune 100 (*Nix) where Novell's products reside quite comfortably.
    And eDirectory is a full-featured LDAP implementation in its own right. Not to mention the free version for Linux! (Registration required).

    Hey, whad'ya know, I see that /. is filtering out the quotes in the link.

    Here it is again in plain text for your cut'n'pasting pleasure:
    https://download.novell.com/ICSLogin/?"http://download.novell.com/download.jsp?cat=NDS&pid=646&target=sdExpLic.jsp"

  49. The ultimate tool. by Anonymous Coward · · Score: 4, Interesting

    Use Console One. It lets you manage your LDAP directory and a whole lot more. Imagine managing users, resources, printers, servers, EVEN files, all from a single Java based tool.

    That's right, you can do all this and a whole lot more, using Novell Netware. Even if you don't use Netware, eDirectory (included in Netware or sold separately) allows a lot of these functions from within the Java based Console One. It runs on almost any platform available today. It even has additional modules that allow things like single signon and more. That's right, all the advantages of .NET without the bugs and security risks. And, the best part, is it has been shipping for quite a while now, unlike certain other vaporware products.

    Even if it isn't free, for enterprise use, it is down right cheap!

    1. Re:The ultimate tool. by dublin · · Score: 2

      Novell's ConsoleOne is probably the best thing on the market today, although iPlanet has some very good stuff, too. Actually, Microsoft's ActiveDirectory is quite a nice directory, but of course, poisoned in such a way as to pretty much ensure that if you use it at all, your master servers will be AD, and all your administration will have to be done from AD, preventing you from using open standards effectively and marginalizing truly open systems. (This is "embrace and extend" at its sleaziest.)

      Also, don't forget the metadirectory approach as a valid one for trying to manage LDAP and other directories: Ganymede is the only open source project in this space that's much good, and it's starting to look fairly capable.

      Still, you get what you pay for: If you're making directory services a core part of your IT strategy (not a bad idea, but realize there are other approaches now, with Java, XML, etc.), it's worth buying the real stuff from Novell or iPlanet. Unfortunately, there's been little open source work in this area: if the open source products work at all (many don't), they don't scale and lack important features.

      That's too bad, because tying together things like MSWallet, .NET, and AD is one powerful way MS is going to continue to shove competitors off into the ditch. (...and a big reason why I and many others think the .GNU project is a BAD idea. Never play to your enemy's strength.)

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last /. post
  50. LDAP Admin Help by medcalf · · Score: 5, Informative

    I've been working with LDAP for the past four years as a manager, consultant, administrator, project manager and architect in various situations and for various companies and clients. My experience has been with Netscape/iPlanet, OpenLDAP and Active Directory. I've worked on very small and very large projects. LDAP has the potential to bring amazing efficiency gains to an enterprise or Internet-based organization (ISP or ASP), but it also is fairly immature.

    Let me rephrase that: the protocol is mature and useful, and the servers by and large are mature and useful, but the support tools stink, as a general rule. Since it sounds like you are mostly concerned with user administration, I will stick to just that, and let other people mention tools they've found useful.

    If you are using Solaris, AIX or Macintosh, using LDAP for accounts is pretty trivial, since the OS supports it directly - you'll need to have the POSIX user schema loaded, and point the OS's naming service to LDAP instead of its local database. Win2K/XP kind of force you to use Active Directory, so you are also taken care of there. In all of these cases, accounts other than the system superuser will be in LDAP, and so therefore synchronization is not a problem.

    useradd, userdel, usermod and passwd are all replaced by ldapmodify, or you can use the tools included with some servers (the iPlanet console being a good example of how to do this right). Right now, there doesn't seem to be any substitute for thoroughly learning ldapsearch and ldapmodify, Perl and Net::LDAP. You can use ldapsearch and ldapmodify for quick actions (adding, modifying or deleting a single user, or changing a password) and Perl and Net::LDAP for more complex operations (or for putting together a CGI for common functions like changing a user's password).

    I find I end up writing built-to-purpose Perl tools just about everywhere I go. In some cases, this is because of differences in admin policy at different sites, or differences in schema. In others, the issue is more contractual (whoever is paying me gets ownership of the code I write, so I have to rewrite from a clean sheet at the next site).

    The good news is, it is fairly quick and painless to write replacements for useradd, usermod, userdel and passwd which can be run from the command line or as a CGI, and you only have to write them once for your site, if you write them well in the first place.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
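As an added example, not code from any post in this thread or from any project it mentions: a stdlib-only Python script that builds the LDIF a useradd/passwd/userdel replacement would feed to ldapadd and ldapmodify, hashing the password as salted SHA ({SSHA}) rather than crypt as recommended earlier in the thread, and optionally carrying the host attribute used for per-machine restriction. The posts above use Perl and Net::LDAP; this uses the ldapmodify route instead, and the base DN, loaded schemas and ldapadd command line are assumptions.

```python
"""LDIF-generating replacements for useradd, passwd and userdel against an
RFC 2307 directory. Added example; not code from any post in this thread.

Assumptions (placeholders, adjust per site): the server loads the cosine and
nis schemas (objectClasses account, posixAccount, shadowAccount; the `host`
attribute comes from `account`), and BASE_DN below. The functions only build
LDIF, so the output can be reviewed before it is applied, e.g.
    ldapadd -ZZ -x -D "cn=Manager,dc=example,dc=com" -W -f newuser.ldif
(-ZZ insists on STARTTLS so the password value never crosses the wire in clear).
The userPassword attribute should still be hidden by a server ACL: an LDAP
bind verifies the password without anyone having to read the hash.
"""
import base64
import hashlib
import hmac
import os
import time

BASE_DN = "ou=People,dc=example,dc=com"  # placeholder for the site's user subtree


def ssha_hash(password, salt=None):
    """RFC 2307 {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value the way the server does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ldif_line(attr, value):
    """Format one attribute per RFC 2849: ':: ' + base64 when the value is not a SAFE-STRING."""
    s = str(value)
    safe = (s.isascii() and not any(c in s for c in "\r\n\x00")
            and not s.startswith((" ", ":", "<")) and not s.endswith(" "))
    if safe:
        return f"{attr}: {s}"
    return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"


def days_since_epoch():
    """shadowLastChange is counted in days, like the /etc/shadow field."""
    return int(time.time() // 86400)


def useradd_ldif(uid, uid_number, gid_number, gecos, password, hosts=(), shell="/bin/sh"):
    """LDIF for ldapadd: a posixAccount/shadowAccount entry, optionally limited to hosts.

    `host` values are what pam_ldap compares against the local hostname when
    pam_check_host_attr is enabled, which gives per-machine login control.
    """
    entry = [
        ("dn", f"uid={uid},{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", gecos),
        ("gecos", gecos),
        ("uidNumber", uid_number),
        ("gidNumber", gid_number),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", shell),
        ("userPassword", ssha_hash(password)),
        ("shadowLastChange", days_since_epoch()),
        ("shadowMax", 90),
    ] + [("host", h) for h in hosts]
    return "\n".join(ldif_line(a, v) for a, v in entry) + "\n"


def passwd_ldif(uid, new_password):
    """LDIF for ldapmodify: replace userPassword and reset the shadow age."""
    return "\n".join([
        f"dn: uid={uid},{BASE_DN}",
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", ssha_hash(new_password)),
        "-",
        "replace: shadowLastChange",
        ldif_line("shadowLastChange", days_since_epoch()),
        "-",
    ]) + "\n"


def userdel_ldif(uid):
    """LDIF for ldapmodify: delete the entry."""
    return f"dn: uid={uid},{BASE_DN}\nchangetype: delete\n"


if __name__ == "__main__":
    # Constructed sample account; pipe the output into ldapadd as shown above.
    print(useradd_ldif("tcampbell", 10001, 100, "Tim Campbell", "s3cret", hosts=["web1", "web2"]))
```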
  51. From a purely simplistic view, LDAP is pointless by Drake42 · · Score: 2, Interesting

    I understand that LDAP is supposed to be used for
    all kinds of great contact / location / description information, but how is it used in reality? It is used as a really difficult to use properties file. Judging the way most people use LDAP that I've seen, they would have been better off with a sql database. At least with SQL the queries are readable. (o=, c=, wtf= is a pain).

    The way I feel about it is that the LDAP 'problem' does exist and is solvable, but the right protocol/implementation does not yet exist. Until something much more friendly and useful comes along, I am firmly off the LDAP bandwagon.

    So if you're looking for a good tool to solve your LDAP problems, I suggest Oracle, PostgreSQL or MySQL. :]

  52. LDAP and its place today by merlin_jim · · Score: 2

    I'm an e-commerce consultant, and I've been surprised in the last 2 years or so the vast number of LDAP-based installations I've seen in all sorts of e-business.

    Though not heavily deployed in the enterprise, ESPECIALLY *nix, basically due to the very issues you mention (few admin tools, high complexity), it is heavily used on the web and in Microsoft-centric environments. Active Directory almost follows the LDAPv3 protocols (two non-standard areas are both related to schema implementation. The variations are well documented and do not drastically affect applications)

    My admin tool of choice? Sad to say, it is the AD administrator. Second admin tool of choice? Microsoft Site Server 3.0, Commerce Edition's Membership Directory Manager MMC snap-in. Both are Microsoft Management Console snap-ins, but if you can get around that they work alright. The MSS3CE version is even fully LDAPv3 compliant, so you can use it with other directories, too. It also comes with a web interface you can use.

    As far as non-MS tools? Haven't seen a one worth its salt, though a couple of my co-workers recommend talking to the NetIQ folks if that's your bend...

    --
    I am disrespectful to dirt! Can you see that I am serious?!
    1. Re:LDAP and its place today by (trb001) · · Score: 1

      Site Server is pretty great as far as I can tell. It looks like IIS, as a matter of fact installing the MMC stuff lets you control your IIS web servers under the same tool as your LDAP servers, create membership directories, assign them, etc.

      Caveat...read the MSKB, especially article Q235132. There's a limitation defaulted in the LDAP directories that specifies only 500 rows returned. Why they did this, I don't know, but our (stupid) DBAs kept trying to figure out why we had only 500 users when they were SURE that we had many more than that. There isn't great documentation on this problem, but it's a simple fix.

      --trb

    2. Re:LDAP and its place today by jpugh · · Score: 1

      You are not an ecomm consultant if you are deploying it on MS. Sorry charlie, but AD is a proprietary implementation that is not LDAP v3 compliant and is based on MS Access.

    3. Re:LDAP and its place today by bbaez4 · · Score: 1

      E-commerce is in a totally different world than the rest of the corporate business. AD (MS LDAP) is not widely deployed in the large corporate/ government/educational institutions. U of M developed LDAP in 1995 for accessing X.500. Since then it has been widely deployed in large institutions. There are a large amount of tools available, which is in another post. MS is new to the LDAP arena. Although we deployed MS 2000 with AD, there are no plans for AD to expand any further than the Windows side. We deployed OpenLDAP for our mission critical *NIX servers. Remember, *NIX was created from the ground up to be networked 30 years ago while Windows was patched to be networked 8 years ago.

    4. Re:LDAP and its place today by merlin_jim · · Score: 2

      Ummm... just because MS is bad in some people's eyes doesn't mean you can't do serious work on it. WTF do you mean I'm not an ecomm consultant just because I selected a MS environment as being best fit for some of my clients? Though I can't reveal individual clients that I worked on that use this sort of configuration, many big e-commerce sites are based on exactly this kind of environment, for example radioshack.com, dell.com, and starbucks.com.

      As far as AD being not LDAP v3 compliant, I believe I already mentioned that. Also, it is a misnomer to say that AD is based on Access. Microsoft axed the Access data engine a few years ago, maybe you've heard? It is far more accurate to say that Access is based on SQL Server and that AD is also based on SQL Server.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
  53. LDAP Tools by dir-wizard · · Score: 1

    Unfortunately the ldap tools out there are pretty poor. I've been working with LDAP for about 6 years and my tool of choice is Perl with perl-ldap. It's the perfect fit for advanced operations. All of our software is written using this platform.

  54. Re:There's NDS DAMN STRAIGHT! by jafac · · Score: 1, Troll

    Technically it's great - but from a realistic point of view, I would forget about it. It's obvious that Microsoft has NDS targeted for termination. And nobody seems interested in stopping them. No sense in investing in what's obviously going to be dead technology. Unfortunately.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  55. Re:Hey Rubin cock sucker. by Anonymous Coward · · Score: 0

    These sort of directories usually have an opt-out option. Back when I was at VT I opted out of their LDAP. BTW, it's got people's school and home address at VT... fucking scary.

  56. Re:There's NDS DAMN STRAIGHT! by Anonymous Coward · · Score: 0

    Microsoft can target all they want, but Novell is finally getting into gear and fighting back. A recent Microsoft FUD fest (they mailed out bald-faced lies regarding Novell's future products to a number of people) resulted in a lawsuit by Novell. Novell won it, Microsoft has been forced to issue a retraction and pay a big chunk of change.
    Novell has even done some marketing. Granted, it's still Novell marketing, and can't compare to the experience, budget, or sleaziness of Microsoft marketing, but it is better than nothing.

    Not to mention that they do have a clearly superior product. Microsoft can target it all they want, but as long as their competition can do things that Microsoft can't, even the Microsoft marketing machine can't roll them over.

  57. Re:libnss-ldap (SSL on Woody?) by JerkBoB · · Score: 1

    Has anyone gotten libnss-ldap (and/or libpam-ldap) to use SSL on Woody? I spent several days trying different things to get it to use either straight SSL on 636 or STARTTLS, but to no avail. I know that I need to recompile it, but even though other ssl-ized things compile fine, neither of those libraries work. They work fine without, but when I add any ssl config directives they just hang.

    I've given up for now on trying to get it to work and am using pam_krb5 for authentication, but I'd rather use pam->ldap->kerberos for simplicity on the client side.

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  58. Re:Hey Rubin cock sucker. by Anonymous Coward · · Score: 0

    Same thing with my school, you can opt out of everything except your name and e-mail. What's the use then!? And after you opt out, you have to fill extra forms when registering for classes, cause the fucking ldap was tied to the school registration system.

  59. Just saw this on a mailing list: by Teancom · · Score: 4, Informative

    Weird, as this came in just yesterday on kde-pim:

    Carillon Information Security Inc. would like to announce the release of
    KDirAdm version 0.1

    K DIRectory ADMinistrator is a tool for use by Directory Administrators to
    manage their LDAP based directory. Using the K Desktop Environment (KDE) and
    OpenLDAP toolsets, this application currently has all of the basic
    functionality required to browse, add, and delete directory entries. As this
    is an initial BETA release, the capability to modify existing entries, as
    well as the ability to handle binary directory objects is currently missing.
    This is planned for the next release, along with improved password entry
    handling and possibly LDAP over SSL support.

    KDirAdm is open source software released under the GNU Public License. As
    such we encourage anyone to help us in the development of this software.
    Specific jobs that need doing at the moment are improving the documentation,
    the artwork, and of course, any LDAP wizards that want to help out will be
    greatly appreciated.

    The homepage for KDirAdm is at:

    http://www.carillonis.com/kdiradm

    where both source and Debian packages may be obtained.

    Comments, suggestions, wishlist items and patches may be sent to
    ppatterson@carillonis.com

    So, it's "pre-beta" but has that ever stopped a true free software geek before? ;-)

  60. easy answer.. by Anonymous Coward · · Score: 0

    In my ass.

  61. Novell has some pretty cool LDAP tools! by thehunger · · Score: 2, Informative
    Novell's eDirectory is the fastest, most scalable & reliable LDAP directory around, runs on NetWare, Windows, Solaris, Linux, Tru64 Unix and AIX, and comes with some pretty cool LDAP tools.

    ConsoleOne is a graphical, cross platform GUI tool that allows you to do pretty much everything. Add, Delete, Create, Modify, Search, Extend the schema, etc.

    There's also the ICE (Import, Convert, Export) tool which allows you to import, convert and export data from LDIF or other LDAP servers. ICE is available in a GUI and command line version.

    eDirectory is also manageable through a browser, and if you use their DirXML product you can basically take any data from any system and expose it through LDAP.

    Novell's eDirectory is redistributable for developers. If you do development work, check all their goodies at their development site. You'll find LDAP class libraries, tools etc.

    The evaluation copy of eDirectory can be found here and includes the tools mentioned.

    1. Re:Novell has some pretty cool LDAP tools! by Anonymous Coward · · Score: 0
      Novell's eDirectory is the fastest, most scalable & reliable

      No it's not

    2. Re:Novell has some pretty cool LDAP tools! by ogren · · Score: 1
      Novell's eDirectory is the fastest, most scalable & reliable LDAP directory around, runs on NetWare, Windows, Solaris, Linux, Tru64 Unix and AIX, and comes with some pretty cool LDAP tools.

      What crack have you been smoking? Novell's LDAP benchmarks are horrible.

    3. Re:Novell has some pretty cool LDAP tools! by jpugh · · Score: 1

      It's not?
      By whose benchmarks? Mindcraft? and who paid for that test? Oh...that's right it was Microsoft.

      Oh yea...and MS has the most secure OS, too.

    4. Re:Novell has some pretty cool LDAP tools! by daveb · · Score: 1

      tis no / tis so

      have you people got any actual references or reviews?

      My experience is that edirectory is the best LDAP thing out there - but I'd be interested in some reviews or comparisons that are a little more than "its great/its shit"

    5. Re:Novell has some pretty cool LDAP tools! by maX_ · · Score: 1

      just as an FYI: Novell has an LDAP catalog process that can be configured to run at set intervals, makes NDS/LDAP queries much faster. It's not configured by default, but only takes a few minutes to configure.

    6. Re:Novell has some pretty cool LDAP tools! by Don+Keehotay · · Score: 1

      Novell also sponsors an LDAP-specific resource page. It has downloadable tools, SDKs, FAQs, forums etc.

      --
      U.S. Democracy: born 7/4/1776, died 12/12/2000 R.I.P.
  62. University directories by bwhaley · · Score: 1

    University directories, such as those located at Colorado State and CU Boulder, are extremely well organized. The vCard option at CSU is very nice and I know that both of these directories can be plugged in to your favorite mail client and serve as an address book. Are there any University sysadmins reading this who can post more info?

    --
    "I either want less corruption, or more chance
    to participate in it." -- Ashleigh Brilliant
    1. Re:University directories by Anonymous Coward · · Score: 0

      Well I am not a University Sysadmin, but I am working with a group trying to figure out how to get MacOS X deployed on campus and authenticated against our University User Directory using the LDAP protocol and kerberos for secure passwords. It has proved pretty interesting. FWIW here is a link that explains the system used, and how it is integrated with AD (for windows2000 boxes) at the University of Michigan.

      http://www.umich.edu/~lannos/win2000/w2k-ad.html

  63. Crud... I'm about to release one ! by DangerTenor · · Score: 1

    Keep your eyes on www.geminisecurity.com for a few weeks. I've got a Windoze based LDAP viewer/editor that I think is pretty darn good under development. The viewer will be free, the editor will be pay. If this had only been posted a little while later!!

    --
    Check out our infosecurity industry blog: http://securitymusings.com/
  64. Why use LDAP? by lessthan0 · · Score: 1

    What are you trying to do with an LDAP directory?

    If your main goal is to centrally manage a network, I think you will find LDAP still a little undercooked.

    I did a lot of research on LDAP thinking it was going to make directory management of a Linux network easier. It offers better security than NIS, and can scale a little better, but I don't think it can manage netgroups yet, which is a big deal if you use NFS a lot. For now, I think NIS is the best open source solution for Linux. NIS+ server code for Linux doesn't exist yet, but the client code does, although I haven't tested it.

    As you found out, building the directory only solves one part of the management problem. You also have to have the client piece integrated for authentication (PAM) and in the C library for applications to use it for lookups. Again, I'd stick with NIS for now.

    1. Re:Why use LDAP? by Tony+Hoyle · · Score: 2

      I went the same way. I struggled with LDAP for weeks and eventually went back to NIS which does exactly what I need. The LDAP tools suck rocks at the moment... I virtually gave up trying to get samba to integrate with it (I actually ended up replacing 'passwd' with a shell script that modified 3 different versions of the password!), and as far as getting Win2k to login through it forget it (it's hardcoded to active directory, basically).

      I'm sure it's really good if you're trying to manage 50,000 users and masochistic enough to like constantly editing ldif files but otherwise steer clear.

    2. Re:Why use LDAP? by dublin · · Score: 3, Insightful

      I think NIS is the best open source solution for Linux. NIS+ server code for Linux doesn't exist yet, but the client code does...

      NIS+ is a truly elegant architecture, in many ways, what AD should have been. It's far superior to AD, LDAP, or any other X.500-derived directory - that ISO/OSI brain damage is just too deep to let X.500's ilk be easily used in the real world.

      Unfortunately, Sun really botched its attempt to get NIS+ accepted, for several very good reasons:
      1) Although the directory itself was incredibly impressive, and worked very well, there were NO administrative tools usable by mere mortals. I was a "Network Ambassador" at Sun at the time NIS+ was attempting to make inroads, and I can tell you that even amongst that elite group, not 1 in 50 was capable of setting up and properly administering NIS+ in a configuration suitable for enterprise use. Some things were just impossible, like recovering from a lost root key: You just had to rebuild everything from scratch. Secure, but hardly practical. This inordinate complexity may well be why there's still no Linux NIS+ server (besides the fact that one would be pointless now...)

      2) There was no good migration plan from NIS to NIS+, and no way to keep the two in sync: it was pretty much an all-or-nothing scenario, at least for the Unix boxes. Not surprisingly, lacking Microsoft's arm-twisting ability, all but a handful of Sun's customers chose to pass NIS+ by, no matter how good it was.

      3) Sun tried hard, but didn't make adopting NIS+ sweet enough for IBM and HP, who at one time had "committed" to putting NIS+ into their Unix OSes. Unfortunately, the combination of NIS+ being perceived as "Sun's" and its underwhelming adoption even in solid Sun accounts (due to reason #1 above) led to its not being considered a serious contender.

      4) If you really know what you're doing, it's possible to build a hierarchical multi-domain name/directory service using NIS, although I only know of one company (a Fortune 20 former employer) that's ever actually put this in production enterprise-wide. All the capabilities are there, it's just that very few people bother to figure out how NIS really works. We eventually wound up replacing regular NIS with a security-enhanced superset NIS (and appropriately modified utilities) of our own design, where all appropriate changes at a higher level filtered down to the lower domains, and each domain only had to administer its own portion of the namespace.

      Sad, but I'd say NIS+ is pretty much completely irrelevant now.

      Microsoft and AD have won this battle so far, but it may once again be the unlikely knight Samba that will save the day and turn the tide. We'll see.

      P.S.: Side note to comment 1 above: This is just one in a long line of times Sun has developed extremely impressive core architectures and failed in the marketplace. (NIS+, SunNet Manager, Jini, Jiro, and even Java itself, to some degree...) The fallacious assumption is that the elegant core is all that's required, and that dealing with pesky details like administration, management, or writing apps that take advantage of the elegant plumbing can be left as an exercise for the customer, not something worthy of Sun's time and attention. When will they learn?!

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
  65. LDAP, Tools, Servers et al by JABOFH · · Score: 5, Informative

    I've finished the process of migrating a fairly large ISP/Telco (1.5M users) to LDAP a couple of months ago. I've been at it for over a year, and from my own experience I can tell you that:

    1 - The best available tools are definitely the command-line that come with most servers.

    2 - OpenLDAP sucks big time in large scale environments. Its replication is anything but reliable

    3 - GQ is a very, very nice browser for LDAP. But I wouldn't use it for administration.

    4 - You can assemble a whole range of ISP services (mail, ftp, http, whatever) based on an LDAP tree. Even if you can't find a _insert favorite daemon here_ supporting LDAP, you can always use...

    5 - PAM/NSS LDAP. It just rocks. If you configure it properly, anything using PAM/NSS will use/update your tree accordingly. This includes unix tools like "passwd", "useradd", or "finger", or services like QPopper and OpenSSH.

    6 - The best way to automate some processes is to create your own tools. Net::LDAP is very easy to use, and does anything you can think of (in terms of LDAP ops)

    --
    Failure is a human trait. Luckily, I'm not human
  66. Dunno what you've got, but here's what RIT has... by Misch · · Score: 2

    RIT has a mildly nice system... here. Basically, you can look people up on campus by e-mail address. Individual users can change their own listing. I know little about the actual implementation though.

    --You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
  67. A few tools by Ludoo · · Score: 4, Informative
    Maybe there are some duplicates with the above posts.
    • Object Identifiers
    • Schema Browsers
    • Language Libraries
    • Exchange Schema
  68. Site Server by (trb001) · · Score: 0

    For those of you who, like me, got forced into adminning an already running LDAP, please sympathize with this comment and don't spout "Use a *nix LDAP implementation." We're using MS Site Server with a SQL Server database. It's not elegant, nor is it particularly straightforward, but after getting past the (steep) learning curve, I've gotten pretty handy with our LDAP system.

    Our biggest problem was migration...ie, we have 'this' tree, we want 'that' tree in the next release. 'That' tree has a 50% different organization with groups/users added/removed, so what we ended up doing was writing a big ol' VB script that migrated between the two. I hate VB, but being a script (read: Perl) person it's nice to have a non-GUI interface to do automated migrations with. VB contains all the necessary objects with which to create/modify LDAP structures.

    Our project's back end is all java on Unix boxes, and since we needed to authenticate against the MS LDAP, we used the Java LDAP API distributed by Netscape. I've noticed a few glitches, one involving padding strings longer than 128 chars with garbage, but otherwise it's relatively fast and easy.

    Lastly, for simple browsing/adminning, MS Site Server's tools are pretty handy. Again, not the best interface (and read MSKB article# Q235132!! We were bit in the ass for months until I found this out...) but it's a GUI and you can do everything you need to.

    Not a glowing recommendation, but considering it's a MS product and I've got scripts automating everything, Site Server really isn't a horrible product choice for Windows.

    --trb

  69. Re:Hey Rubin cock sucker. by Anonymous Coward · · Score: 0

    Man, I didn't realize all my info was on some stupid directory till someone I didn't like found me. My university put my info on the LDAP without even asking me. Everything is there, even (sex: Male/Female), Age, damn. Nationality, race... Stupid? You ask. They won't remove it. Says it would be there till 4 months after Graduation.

  70. Re:There's NDS DAMN STRAIGHT! by moof1138 · · Score: 1

    Jeez, I hate abuse of the term FUD, but that is the most blatant FUD I have seen in a while.

    Novell might not be as big a player as they were in the past, but there are a lot of sites that are using Novell and are not planning on dropping support.
    In the K-12 arena Netware has a very strong hold that is not likely to slip, despite MS's efforts at 'charity,' and most Netware admins I know do not see Active Directory as being anywhere near as well designed as NDS. Make your decisions based on technical merit, cost, or other actual criteria, but don't make them based on the notion that you may as well go with MS even if it is more expensive and lower quality because, "well, you know, MS is the only one that will be left in a few years" - that's a self-fulfilling prophecy. With that attitude we may as well stop working on Linux, *BSDs, office applications, web servers, compilers, and well, software.

    Hyperbole is the worst thing ever.
  71. You don't attend IETF meetings do you? by Anonymous Coward · · Score: 0

    Microsoft has moved its mindshare strategies to web services, leaving the only big backer of LDAP

    Yet, at the IETF meetings, the various LDAP efforts all have Microsoft employees on the committees. Novell is noticeable by the absence of Novell people.

  72. What about user tools? by Brendan+Byrd · · Score: 2

    I keep hearing all of these announcements about LDAP-generic tools, but I don't think anybody is answering his questions. He's talking about USER-SPECIFIC tools, which is rather lacking. Granted, there are many different schemas for users, but it's more or less only a couple of standard schemas (that come with OpenLDAP).

    There's not that many good user management tools for LDAP. I don't feel like typing it in on raw mode with GQ, when a lot of it is duplicate information (to make sure it gets caught with the different schema names).

  73. LDAP server speed? by demon · · Score: 1

    I've been trying the same, and have run into the same lack of tools for managing an LDAP server as an authentication backend. However, I've also noticed that using OpenLDAP v2 is a _whole lot_ slower than a NIS authentication system. This just isn't really acceptable. I've tried looking for a performance-tuning guide for OpenLDAP's slapd daemon, without success. Anybody know of any such guide, or have experience getting better performance out of slapd?

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  74. what is needed is... by Anonymous Coward · · Score: 0

    something like phpMyAdmin, but for LDAP.

    phpMyLDAP / phpMyDirectory?

  75. the LDAP browser works.. by Anonymous Coward · · Score: 0

    check it out at http://www.iit.edu/~gawojar/ldap/

  76. Re:Novell's been "going out of business" for years by druxton · · Score: 1

    FWIW, Novell also offers free downloads of LDAP libraries for C and Java although you might have to register for their Developer program.

    Access from: developer.novell.com

  77. ldif2html try this by Quebec · · Score: 1


    http://pages.infinit.net/aaricia/ldif2html.c


    I wrote this in a hurry one morning...

    Could be what you're looking for

    Could be not.

  78. Microsoft Kerberos and Open Source losers by Anonymous Coward · · Score: 0
    Remember Microsoft took Kerberos and made it proprietary?

    So, you take a leaky public domain protocol.

    Then you invest huge amounts of money in improving it.

    Suddenly you're not supposed to recoup your investments and prevent your competitors from benefitting from your work?!

    Tell me, have you ever visited the planet Earth?

  79. LDAP tools? Open Source tools are here! by jlittle · · Score: 5, Informative

    As the host of open-it.org, our entire focus is solving this problem. Many people are actively working on integration with ActiveDirectory, and other tie ins, and people loosely associated with Open-IT are working in various projects that help resolve this (Samba-TNG supports ldap backends).

    As for management, we now host Directory Administrator, a great GTK front end to user management. I have also created a simple useradd program for creating users in ldap (it's called addluser).

    We are currently working on a new release of Directory Administrator with a new backend which will allow CLI, GUI, and Web clients to be built on it. Further, if you love WebObjects, Apple just released 5.1, which has a JNDI adaptor, allowing quick Web Apps to be built against LDAP directory servers using Java.

    Is the documentation not up to snuff at Open-IT, then help out! We have some basic howtos, and I package pam_ldap, nss_ldap, openldap, and other great things to get you going.

    Back to work...

    1. Re:LDAP tools? Open Source tools are here! by deusx · · Score: 2

      Checked out Directory Administrator. My biggest beef with it is that it seems to be hardcoded to manage posixUser and posixGroup objects, which we don't use at all. So it looks pretty but doesn't let me Administrate my Directory, as the title would suggest :)

  80. Re:From a purely simplistic view, LDAP is pointles by f00zbll · · Score: 1

    LDAP is a pain, but there are some nice features of LDAP that save time. If the requirement really is just a contact list or something simple with a fixed schema, then LDAP might be a choice. Some LDAP servers have built in matching so that a search for say "john d williams" will also return "john david williams". I don't remember which ones support it, but if the project requires building synonyms and abbreviation matching, LDAP can save time. It all depends on the intended use.

  81. Ganymede, an LDAP manager / alternative by jonabbey · · Score: 5, Informative

    Well, I'll post a pointer to Ganymede, which is not specifically for LDAP, but which could probably be useful in a lot of environments.

    Ganymede is at once simpler than LDAP, in that it doesn't support the kind of hierarchical objects that LDAP and x.500 support, and in that it doesn't actually speak LDAP, and more complex, in that it has a sophisticated transactions model and can handle complex concurrent operations while maintaining namespace and referential integrity.

      Ganymede is useful if you want to have a smallish (less than 50,000 users, say) 'flat' directory, but for which you want to allow detailed permission delegation and fine-grained concurrency. If you have a very large NIS domain and you want to allow scores of users and admins to be changing their passwords and account information concurrently, Ganymede will work wonders for you.

    We actually use Ganymede for just about everything here, up to and including our DNS, although we don't have our DNS support code 'productized' yet. We do master our LDAP directory from Ganymede data, in order to support applications which can use an LDAP server for an address book (such as Outlook and Netscape Messenger). If you were to combine Ganymede with something like Thomas Reith's ldapdiff utility, you could combine Ganymede's sophisticated administration services with LDAP for distribution.
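    The "ldapdiff" idea mentioned above, and the tree-to-tree migration problem raised in comment 68, come down to the same mechanical job: read two LDIF dumps, work out per entry which attributes were added, removed or changed, and emit LDIF change records (changetype: modify/add/delete) that ldapmodify can apply. The following is an added, stand-alone example written for this page, not code from Ganymede, ldapdiff or any poster; the sample LDIF records are constructed, the parser handles the RFC 2849 subset that matters here (line folding, base64 values, comments) and does not support "attr:< url" file references. Attribute names are compared and emitted in lowercase, which LDAP treats as equivalent.

```python
import base64

# Constructed sample dumps: the "before" and "after" trees of a migration.
OLD_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
loginShell: /bin/sh
gecos: John Doe
description: a very lo
 ng line

dn: uid=gone,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: gone
"""

NEW_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: jdoe
loginShell: /bin/bash
description: a very long line
cn:: Sm9zw6k=

dn: uid=fresh,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: fresh
"""


def _unfold(text):
    """Join RFC 2849 continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _split_value(line):
    """Return (lowercased attribute name, decoded value); 'attr:: x' is base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip().lower(), rest.lstrip(" ")


def parse_ldif(text):
    """Parse LDIF content records into {dn: {attr: [values...]}}."""
    entries, record = {}, []
    for line in _unfold(text) + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if record:
                dn, attrs = None, {}
                for item in record:
                    name, value = _split_value(item)
                    if name == "dn":
                        dn = value
                    elif name != "version":
                        attrs.setdefault(name, []).append(value)
                if dn is None:
                    raise ValueError("LDIF record without a dn line")
                entries[dn] = attrs
                record = []
            continue
        record.append(line)
    return entries


def _fmt(attr, value):
    """Emit one value, base64-encoding it when it is not safe as plain LDIF text."""
    raw = value.encode("utf-8")
    if raw and raw[0] not in b" :<" and raw[-1] != 0x20 and all(31 < b < 127 for b in raw):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def ldif_diff(old_text, new_text):
    """Return a list of LDIF change records turning the old tree into the new one."""
    old, new = parse_ldif(old_text), parse_ldif(new_text)
    out = []
    for dn in sorted(set(old) - set(new)):           # entries that disappeared
        out.append(f"dn: {dn}\nchangetype: delete\n")
    for dn in sorted(set(new) - set(old)):           # brand-new entries
        lines = [f"dn: {dn}", "changetype: add"]
        for attr, values in new[dn].items():
            lines += [_fmt(attr, v) for v in values]
        out.append("\n".join(lines) + "\n")
    for dn in sorted(set(old) & set(new)):           # entries present in both
        mods = []
        for attr in sorted(set(old[dn]) | set(new[dn])):
            ov, nv = old[dn].get(attr, []), new[dn].get(attr, [])
            if sorted(ov) == sorted(nv):
                continue                             # unchanged, whatever the order
            if not nv:
                mods.append(f"delete: {attr}\n-")
            else:
                op = "add" if not ov else "replace"
                mods.append(f"{op}: {attr}\n" + "\n".join(_fmt(attr, v) for v in nv) + "\n-")
        if mods:
            out.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return out


if __name__ == "__main__":
    print("\n".join(ldif_diff(OLD_LDIF, NEW_LDIF)))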

  82. Generic LDAP Tools by Hackysack · · Score: 1
    I used to work a lot with LDAP, my job function has changed since then so I'm not as up to date as I'd like to be.

    I ran up against the same problem, using LDAP for a dropin replacement for most authentication systems (PAM, etc) isn't very practical since there are almost NO tools available for management.

    The problem is the lack of defined specifications for what objects in LDAP have what attributes. CompanyA might want certain things in a user object, CompanyB might want other elements there.

    It's good and bad. The scalability and flexibility is that there are few specifications, the downside is that there are no tools because of this.

    I ended up writing a web based admin application in perl which did add/delete/update. I can't post it since it's not mine to post. It's not hard to write however.

    Net::LDAP, DBI:LDAP, and LDAP::API are all good perl modules for manipulating OO databases via LDAP. I used LDAP::API, since it was the only one available at the time.

  83. Re:From a purely simplistic view, LDAP is pointles by Anonymous Coward · · Score: 0

    LDAP is supposed to be a general directory that is, effectively, a database. In the IBM implementation the backend is a database (DB2). The directory information is stored in it. It is used in various ways as described in earlier replies

  84. LDAP and JNDI by pixelfreak · · Score: 1
    Java provides access to LDAP by using JNDI and a LDAP provider. The great thing about JNDI is that it will also support DNS and other Remote Object standards like RMI and COS. I believe the Java LDAP tool mentioned earlier uses JNDI to provide access to LDAP services.


    JNDI homepage


    I'm finding the biggest stumbling block for LDAP is.... how to organize things! Are there any good resources for designing an LDAP database?

  85. OT: Troll?! by uradu · · Score: 3, Offtopic

    What the heck's wafting through the ether around here? Moderations are getting ludicrous. While you might not value this guy's opinion, he hardly linked to goatsex or anything. Some other posts in this thread also got modded Offtopic and Flamebait while being perfectly serviceable posts.

    -

  86. LDAP tool by Anonymous Coward · · Score: 0

    there is a great tool that I use here at work for browsing. LDAPExplorer, you can download the trial at download.com. The company that made it also has a web solution, but it costs money.

  87. iPlanet is tops by Anonymous Coward · · Score: 0

    I've used iPlanet (formerly Netscape) LDAP directory and tools for many years and they are damn hard to beat in my opinion.

  88. *sigh* by kikta · · Score: 3, Insightful

    First, yes I know that this is probably a troll. However, on the off chance that it isn't, I have these questions for the AC.

    1) If the public protocol is leaky, why not develop their own, totally different & competing protocol?

    2) If they did care about the public domain issues and improvement, why not submit their improvements to the standards body to have their "improvements" included?

    3) Failing or separate from this, why not license out their "improvements" to other software vendors? They would still make money, right?

    I think the truth is that while it is possible that MS may have made a few small improvements (doubtful, but possible), their real goal is to ensnare new customers and to dig existing ones even deeper. If you still disagree, I would appreciate hearing any lucid arguments.

  89. Re:JAVA JNDI/LDAP BROWSER by KenSeymour · · Score: 1

      Are you talking about the Sun JNDI browser?
    I ran this recently and it has an LDAP through JNDI browsing capability.
    I remember being able to search through global groups, for example, and other lists.

    I had to download the JNDI 1.2.1 stuff, and all the various JNDI plugins (including the LDAP one).

    I suspect it was not designed as a sysadmin tool, but one could be written with the JNDI API.

    --
    "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
  90. Another eDirectory user by kelzer · · Score: 2, Interesting

    Go to the CNN website and scroll down to the bottom of the page. Look over to the right. CNN uses eDirectory to track the stories you read, and then serve you custom content (and advertising) based on your apparent interests.

    ---------------------------------------------
    SERENITY NOW!!!!!!!!!!!!!!!!
    1. Re:Another eDirectory user by szpak · · Score: 2, Interesting

      AIM is powered by eDirectory... which means AOL is using it.

      With some imagination as well as use of eDirectory (which has been demonstrated publicly to scale to 1 billion users, and in-house at Novell to 3 billion) AOL/Time-Warner, or perhaps the Liberty Alliance, could provide a credible alternative to Microsoft/.NET/Passport.

  91. Here they are by Anonymous Coward · · Score: 0

    Here and Here

  92. Fun with LDAP by uberchang · · Score: 3, Interesting

    Softerra's LDAP Administrator is pretty good, and they have a freeware version called LDAP Browser. The LDAP Browser/Editor is nice also.

    If you are using LDAP as your addressbook, ldap-abook is a nice interface to add/delete/modify entries. Most email clients are LDAP-aware these days and it's convenient to be able to share an address book between my personal and work email accounts.

    I've had to roll my own to do system accounts, however. Make ldapmodify your new best friend, or write an interface of your own - there is a lot of support for Perl or PHP LDAP functions out there. Server-side, I've used OpenLDAP and iPlanet's Directory Server, and I prefer iPlanet. iPlanet has a free non-commercial license option, is significantly faster than OpenLDAP, and has hooks to synchronize with an NT or Active Directory domain so you could do all the user administration in Windows and they would propagate over to your LDAP server.

    Other fun things you can do with LDAP are:

    Handle Unix authentication through pam_ldap
    Hook into NIS with the NIS/LDAP gateway
    Authenticate through apache with mod_auth_ldap or auth_ldap or Netegrity
    Centralize your smtp routing data in LDAP for sendmail

    Good luck.
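    Comment 65 (points 5 and 6), comment 82 and this one all arrive at the same answer to the original question: once PAM/NSS talk to the tree, the "useradd" replacement is just a tool that writes a correct posixAccount entry and feeds it to ldapadd/ldapmodify. The block below is an added example written for this page, not any poster's tool; it assumes the standard posixAccount/shadowAccount schema, a constructed base DN of ou=People,dc=example,dc=com, and the {SSHA} userPassword scheme (salted SHA-1 as in RFC 2307 deployments of that era; use a stronger scheme where the server offers one). The two details a hand-written tool most often gets wrong are shown: a fresh random salt per password, and base64-encoding any LDIF value that RFC 2849 does not allow as plain text (leading space or colon, non-ASCII names, embedded newlines).

```python
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)                 # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """Encode one attribute value as LDIF, using 'attr:: base64' where RFC 2849 requires it."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    unsafe = (
        not raw
        or raw[0] in b" :<"                  # may not start with space, colon or '<'
        or raw[-1] == 0x20                   # may not end with a space
        or any(b in raw for b in b"\x00\r\n")
        or any(b > 127 for b in raw)         # non-ASCII, e.g. accented names
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {raw.decode('ascii')}"


def ldif_entry(dn, attrs):
    """Render a complete LDIF record from an ordered list of (attribute, value) pairs."""
    lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def posix_account_ldif(uid, uid_number, gid_number, gecos, password,
                       base_dn="ou=People,dc=example,dc=com", shell="/bin/sh"):
    """Produce ldapadd input for a posixAccount: the LDAP equivalent of useradd."""
    attrs = [
        ("objectClass", "top"),
        ("objectClass", "account"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", gecos),
        ("gecos", gecos),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"),
        ("loginShell", shell),
        ("userPassword", ssha_hash(password)),   # never store the cleartext
    ]
    return ldif_entry(f"uid={uid},{base_dn}", attrs)


if __name__ == "__main__":
    # Example input is constructed; pipe the output to
    # ldapadd -x -D "cn=admin,dc=example,dc=com" -W
    print(posix_account_ldif("jdoe", 1001, 100, "John Doe", "correct horse"))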

  93. iPlanet Directory Resource Kit by medcalf · · Score: 2

    Also, you might check out iDSRK from iPlanet. It's a set of performance testing tools, a tool for generating bulk loads, etc. Quite useful in some circumstances.

    -jeff

    --
    -- Two men say they're Jesus. One of them must be wrong. - Dire Straits
  94. Webmin's LDAP plugin... by Spoing · · Score: 3, Interesting
    Webmin, my favorite tool, has an LDAP module. It looks basic, so I don't know if it would be appropriate.

    Links: Webmin & Freshmeat page for LDAP module (LDAP module site is in French but easy to grok);

    1. http://www.webmin.com/webmin
    2. http://freshmeat.net/projects/ldap_module

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  95. LDAP Browser by Jarek Gawor by meheler · · Score: 0

    I've found this one to be more than sufficient. Runs on Java.

    http://www.iit.edu/~gawojar/ldap
    http://www.mcs.anl.gov/~gawor/ldap

    Mike

  96. Here are some nice tools.... by Anonymous Coward · · Score: 1

    iPlanet's Directory Server Resource Kits has a ton of cool tools, including an ldap tcl scripting shell, a kernel/tcp tuner, perldap, all the standard utilities, performance testing and load generation tools, ldif modification scripts, core analysis tools, db analysis tools for iPlanet, iPlanet log analysers, and some security tools. It's free....

    http://www.iplanet.com/downloads/developer/5089.html

  97. WebObjects by Anonymous Coward · · Score: 0

    WebObjects includes a JNDI/LDAP adaptor, so you can treat it like any other database. Using this, you can quickly whip up whatever tools (web or otherwise) you need.

  98. What LDAP have to do with Linux??? by Anonymous Coward · · Score: 0

    I don't get it, why the Linux logo? WTF does LDAP have to do with Linux specifically?
    The poster from what I've seen didn't even mention running Linux.

    1. Re:What LDAP have to do with Linux??? by Christopher+B.+Brown · · Score: 2
      What would be the better logo?

      Arguably it is more of a "generic Unix" thing; and actually is pretty usable on a wider set of systems than that.

      It's intended to store directory information that would be useful for all sorts of things in terms of system administration on Linux and similar systems; the poster certainly did mention tools widely used on Linux like useradd, userdel, usermod, passwd.

      --
      If you're not part of the solution, you're part of the precipitate.
  99. Ldap by Anonymous Coward · · Score: 0

    Plenty of good apis for ldap.
    The C api is straight forward, and tcl has a nice
    interface to ldap as well. That in conjunction with TK gives you 90% of the tools you need to write
    some inhouse apps.

    1. Re:Ldap by eGuy · · Score: 1

      Also check out the Java API for LDAP. It has been under very active development by the IETF community, and should be made into an RFC soon.

      You can download Novell's implementation at developer.novell.com/ndk/jldap.htm And you can get the source code from OpenLDAP.org

  100. Perhaps you've never done real business? by Anonymous Coward · · Score: 0
    I was not trolling.

    If the public protocol is leaky, why not develop their own, totally different & competing protocol?

    If a theory in Physics is found incomplete, why not develop a completely different alternative theory? Because some of the earlier work is OK! It just needs some fixes.

    why not submit their improvements to the standards body to have their "improvements" included?

    Unless you can patent the improvements you've made, where's the profit in that?

    why not license out their "improvements" to other software vendors?

    Would "gaining a business advantage first" do for a reason? Patent the improvements, refuse the license until you've gained a dominant market share and then release the innovation to the others. That's how business is done.

    1. Re:Perhaps you've never done real business? by kikta · · Score: 2

      Fair enough on the first two, however...

      Would "gaining a business advantage first" do for a reason? Patent the improvements, refuse the license until you've gained a dominant market share and then release the innovation to the others. That's how business is done.

      Microsoft has had a dominant business share for as long as I can remember. Furthermore, let me know when they license out Kerberos, Active Directory, ActiveX, ASP, DirectX, their Java extensions, .NET, or any other "improvement" or "innovation" of theirs for public use in Linux or FreeBSD or proprietary use in Unix or OSX. Their goal is still to lock in customers and stifle competition.

    2. Re:Perhaps you've never done real business? by rajones · · Score: 1

      .NET has been submitted to ECMA for standardization, IIRC.

    3. Re:Perhaps you've never done real business? by kikta · · Score: 2

      Great! What about Kerberos & Active Directory???

  101. Oracle does LDAP too by gentlewizard · · Score: 2

    If you work for an Oracle shop, you can use Oracle Internet Directory LDAP, which is based on Oracle's Application Server product. Details here.

  102. RAMDISK - excellent idea! :) by Pegasus · · Score: 1

    really ... i'll do that right away.

  103. DSML and LDAP by Gerv · · Score: 2

    A quick plug for a useful LDAP-related tool I wrote: it's an LDAP to DSML (version 1.0) gateway, which allows you to read DSML (which is an XML-based language) out of, and write it to, any LDAP-enabled directory server.

    It's not graphical, though :-)

    Find it here.

    Gerv

  104. Re:Hey Rubin cock sucker. by Anonymous Coward · · Score: 0
    my school is somewhat more intelligent about it (small private science school, about 30 miles east of LA)...

    the ldap database is accessed with a hacked version of the old web500 gateway shit (i know because I've had to modify the code myself a few times, to fix some bugs we've found). The difference is we use access control lists, and limit information spread to one of the following choices:
    • nobody
    • On campus IP's
    • Everybody

    This seems to satisfy just about everyone. And, of course, there's always the "don't release any information about me to anyone, ever" form any student could fill out, but nearly nobody does (it's kinda stupid to go to a school known for getting students published, and then request that the school never release information, right?)
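    The three-way policy described here (nobody / on-campus IPs / everybody), plus the opt-out form, is the answer to the complaint in comment 69 about a directory exposing everything to everyone. As an added example, not code from the school's gateway or any poster, here is the decision logic a directory front end would apply per attribute before returning an entry. The campus networks, the per-attribute policy table and the opt-out attribute name are all constructed placeholders. Two choices matter for safety: an attribute missing from the policy table is treated as "nobody" (deny by default), and an unparseable client address gets the lowest clearance rather than being waved through.

```python
import ipaddress

# Constructed placeholder ranges standing in for "on campus" address space.
CAMPUS_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Who may see each attribute; keys are lowercase because LDAP names are case-insensitive.
DEFAULT_POLICY = {
    "cn": "everybody",
    "mail": "campus",
    "telephonenumber": "campus",
    "homepostaladdress": "nobody",
}

# Minimum clearance each audience label requires; "nobody" is unreachable.
LEVEL = {"everybody": 0, "campus": 1, "nobody": 2}

# Constructed attribute standing in for the "don't release anything about me" form.
OPT_OUT_ATTR = "directoryoptout"

# Constructed sample entries (attribute name -> list of values, as LDAP returns them).
SAMPLE_ENTRY = {
    "cn": ["Jane Student"],
    "mail": ["jane@example.edu"],
    "telephoneNumber": ["555-0100"],
    "homePostalAddress": ["1 Dorm Row"],
    "uidNumber": ["1001"],
}
OPTED_OUT_ENTRY = dict(SAMPLE_ENTRY, directoryOptOut=["TRUE"])


def clearance(client_ip):
    """1 for an on-campus address, 0 for the public internet or anything unparseable."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return 0                                     # fail closed on bad input
    return 1 if any(addr in net for net in CAMPUS_NETS) else 0


def filter_entry(entry, client_ip, policy=DEFAULT_POLICY):
    """Return only the attributes this requester may see; opted-out entries return nothing."""
    lowered = {attr.lower(): vals for attr, vals in entry.items()}
    if lowered.get(OPT_OUT_ATTR, ["FALSE"])[0].upper() == "TRUE":
        return {}
    level = clearance(client_ip)
    return {
        attr: vals
        for attr, vals in entry.items()
        if attr.lower() != OPT_OUT_ATTR
        and level >= LEVEL[policy.get(attr.lower(), "nobody")]   # unknown attrs: deny
    }


if __name__ == "__main__":
    print("public :", filter_entry(SAMPLE_ENTRY, "203.0.113.5"))
    print("campus :", filter_entry(SAMPLE_ENTRY, "10.1.2.3"))
    print("opt-out:", filter_entry(OPTED_OUT_ENTRY, "10.1.2.3"))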
  105. not much corporate interest? by FeltTip · · Score: 1

    Uhhh, what corporations are you talking about? Every large corporation I've worked in uses one. The corporation I work in now (I won't tell you the name but we sell film in a distinctive-looking box) is heavily into LDAP, and with good reason. It's a perfect standards compliant place to store and retrieve directory information, store authentication information, etc.

    --

    ....... rm -rf microsoft ........

  106. best LDAP tools are cmd line - LDAP has its place by pwc-sis.com · · Score: 1

    Look - LDAP is not for everyone or every application. It has its place. Aside from the original intent (X.500) being email/phone book look up, LDAP (directory servers) is a fantastic tool for user provisioning and identity management. To answer the question of LDAP tools, where are they? Some of the best are the command line tools available on Solaris from the install. You can also download and install iPlanet to get the binaries, ldapsearch, ldapmodify, ldapdelete. (Just don't use that directory if you don't want to. The binaries will work against any LDAPv3 compliant server.) Oracle also makes a good directory server, Oracle Internet Directory (also available for free download in both UNIX and Intel versions). This server utilizes ldapadd (which is simply ldapmodify -a). It also includes ldapbind for testing a bind, good tool.

  107. Where are the tools? by FeltTip · · Score: 1
    LDAP is so incredibly simple you don't need tools. If you need to provide a web interface to one, just write it.

    If you aren't techy enough, Cold Fusion and other application servers have excellent built-in functions to call, update, add, delete, etc., an LDAP directory.

    --

    ....... rm -rf microsoft ........

  108. One word: perldap by Linux_ho · · Score: 2

    Check out the LDAP module at CPAN. 'Course, if you don't already know Perl it will take you an hour or so to learn it, but I think you will find it to be the most flexible and powerful LDAP tool available.

    --
    include $sig;
    1;
  109. You are the biggest idiot on the planet by king_ramen · · Score: 1
    Web services, dumb ass, are ways of PRESENTING information. They provide no actual data storage. It is entirely possible to run a SOAP interface on top of LDAP (as many people have done), just like you can run web services on top of SQL or legacy data.

    I'll go so far as to say that is one of the most retarded statements I have ever seen on a somewhat intelligent board. EVERY SINGLE FUCKING SOFTWARE COMPANY IS HEAVILY INVESTED IN LDAP. That goes for Microsoft (Active Directory), Sun (iPlanet LDAP is now the backend for all Solaris services), Red Hat (PAM/LDAP, nss, etc.), Novell (NDS), IBM (Websphere and the whole Lotus/Domino stuff is natively LDAP), Java (JNDI services), AOL / ASPs (all customer accounts are in LDAP), Yahoo, etc. etc.

    You should really know at least SOMETHING the fuck about what you are talking about before puking out any more words.

    --
    ----- Refactoring is the reason why man does not mistake himself for a god.
    1. Re:You are the biggest idiot on the planet by igbrown · · Score: 1

      LDAP, my friend, is a protocol. As is SOAP. Neither dictates a way to STORE information. The "directory" accessed by an LDAP service can easily be an RDBMS, a flat file, or whatever. While you can chain interfaces like you describe above, it would get a little complex and/or redundant after a while. Anyway, I'm not sure what point you were trying to make, but I just thought it needed a little clarification.

      Cheers!

    2. Re:You are the biggest idiot on the planet by king_ramen · · Score: 1
      Well, I give you credit for being technically correct. However, LDAP is most commonly viewed as a logical representation of structured data, with published specs for reads, writes, updates, searches, replication, authentication, authorization, etc. It is as much a data warehouse as SQL is (in the sense that the data may be in DBM / ISAM, NFS, RAMFS, ..., and not in the RDBMS proper).

      The point is that these types of data modelling functions do not compete with web services, and the majority of web services require such low-level tools to be in place. I bet my bottom dollar that Passport uses LDAP in its infrastructure.

      --
      ----- Refactoring is the reason why man does not mistake himself for a god.
  110. The best tool... by brad3378 · · Score: 1

    .... is knowledge.

    Try this book - Sometimes referred to as the LDAP Bible

    --

  111. The Secret OpenLDAP Speed Boost by KagatoLNX · · Score: 3, Informative

    Actually, it takes some tweaking.

    There is a poorly documented (gee, surprise surprise) option to add indexes (at least for the ldbm backend). Try putting

    index cn,gn,sn,uid,objectclass,o,ou pres,eq,sub

    in your database definition in SlapD. Note that you will need to rebuild the DB after that. I suggest exporting it to ldif (via 'ldbmcat -n > file.ldif' with slapd offline), delete the db, then reimport (via 'ldif2ldbm -i file.ldif') and restart slapd. You will notice a *SERIOUS* speed increase during search and a *SERIOUS* speed loss during the initial import. Unless you're doing tonnes of updates, you shouldn't have any speed issues with updating it, though.

    --
    I think Mauve has the most RAM. --PHB (Dilbert Comic)
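      The index directive and the export/delete/reimport rebuild described above, as an added example that is not the poster's own script: it validates the index types before emitting the slapd.conf line and refuses to remove the old ldbm files until a non-empty export exists. SLAPD_INIT and LDBM_DIR are assumed placeholders for your slapd init script and database directory; ldbmcat -n and ldif2ldbm -i are invoked exactly as the post shows.

```shell
#!/bin/sh
# Added example, not the post's own code. Builds the ldbm "index" directive
# and wraps the post's rebuild procedure (ldbmcat -n export, delete, ldif2ldbm
# -i reimport) so the old database is never removed before a usable export
# exists. SLAPD_INIT and LDBM_DIR are assumed placeholders.
set -u

SLAPD_INIT="${SLAPD_INIT:-/etc/init.d/slapd}"   # assumed init script
LDBM_DIR="${LDBM_DIR:-/var/lib/ldap}"           # assumed ldbm directory

# index_directive "attr attr ..." "type type ..."
# Prints the slapd.conf line, e.g. "index cn,sn,uid pres,eq,sub". Index types
# are checked against the ones slapd knows (pres, eq, sub, approx) so a typo
# cannot silently leave an attribute unindexed. Only list attributes that
# actually appear in your search filters: every other index costs disk space
# and CPU on each write for no read benefit.
index_directive() {
    attrs=$(printf '%s' "$1" | tr ' ' ',' | tr -s ',')
    types=$(printf '%s' "$2" | tr ' ' ',' | tr -s ',')
    [ -n "$attrs" ] && [ -n "$types" ] || {
        echo "index_directive: need attributes and index types" >&2; return 1; }
    old_ifs=$IFS
    IFS=,
    for t in $types; do
        case $t in
            pres|eq|sub|approx) ;;
            *) IFS=$old_ifs; echo "index_directive: unknown index type '$t'" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    printf 'index %s %s\n' "$attrs" "$types"
}

# rebuild_ldbm EXPORT_FILE
# The post's procedure with guard rails: slapd must be down while ldbmcat
# runs, the export must be non-empty before anything is removed, and the old
# database files are moved aside rather than deleted so a failed import can
# be undone by moving them back.
rebuild_ldbm() {
    export_file=$1
    "$SLAPD_INIT" stop || { echo "could not stop slapd" >&2; return 1; }
    ldbmcat -n > "$export_file" || { echo "ldbmcat failed" >&2; return 1; }
    [ -s "$export_file" ] || {
        echo "empty export; leaving $LDBM_DIR untouched" >&2; return 1; }
    backup="$LDBM_DIR.pre-reindex.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup" && mv "$LDBM_DIR"/* "$backup"/ || return 1
    if ldif2ldbm -i "$export_file"; then
        "$SLAPD_INIT" start
    else
        echo "ldif2ldbm failed; old database files are in $backup" >&2
        return 1
    fi
}

# Run the rebuild only when given an export path; with no arguments
# (for example when sourced) the file just defines the functions.
if [ -n "${1:-}" ]; then
    rebuild_ldbm "$1"
fi
```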
    1. Re:The Secret OpenLDAP Speed Boost by demon · · Score: 1

      I just a bit ago got similar advice from a friend (a SourceForge admin). That makes it much faster. That's great - now I may actually be able to make some serious use of LDAP as an auth backend (before, I'd end up with so many waiting auth requests, my systems would choke and die before long).

      --

      Sam: "That was needlessly cryptic."
      Max: "I'd be peeing my pants if I wore any!"
    2. Re:The Secret OpenLDAP Speed Boost by JkaB · · Score: 1

      Secret? Undocumented? This is what LDAP is all about. Read-over-write optimization in Directory exists by virtue of indexing.
      BTW, you only need to index the attributes you use in search filters, anything else is wasted disk space and CPU cycles.

  112. Re:From a purely simplistic view, LDAP is pointles by smccrory · · Score: 1

    Databases and LDAP are different technological approaches to different problems. Relational databases store flat relational information really well, but if you need hierarchical storage, then LDAP is probably a better way to go. That's why it is often used in enterprises rather than database engines to represent users and tiered attributes such as entitlements to different systems, etc. You are right that no perfect solution exists yet, but a lot of companies had great experiences with Novell's NDS (which is hierarchical and based on X.500 and is also what LDAP is based on) and they are moving towards LDAP as the core technology. This way, they can get their Netware, unix, mainframe and web apps to use the same data source for all their authentication and entitlements needs.

  113. Try eDirectory and ConsoleOne by kilaasi · · Score: 1

    Novell have made a great tool for their eDirectory (formerly known as NDS) called ConsoleOne. This is java-based. eDirectory runs on Linux, Netware, Win NT/2000, Solaris, AIX, Tru64 and is very very fast.

  114. Re:HOMOS - Where are they? (Slashdot) by Anonymous Coward · · Score: 0

    This trolls all Windows users and sarcasm-impaired Linux users. It is brilliant. I thank you from the depths of my anonymous heart.

  115. Working into add/del user/group tools by rsd · · Score: 1

    I am working on a set of tools to replace (and work with) adduser, deluser, moduser, addgroup, delgroup, modgroup and so on.

    Unfortunately I had other priorities and the development is slow.

    If you cannot find any other replacements and are still interested, let me know.
    My e-mail address is raul_nospam_please@dias.com.br

    BTW, the reason I started with it was because I couldn't find decent tools to work with PAM_LDAP either.

  116. Re:From a purely simplistic view, LDAP is pointles by DeathBunny · · Score: 3, Informative

    LDAP and SQL are considerably different beasts for different purposes. What you propose is basically to say that screwdrivers make decent pry bars, so why ever buy a pry bar?

    Here is some information comparing LDAP and SQL from the OpenLDAP FAQ:
    http://www.openldap.org/faq/data/cache/378.html

    And here is some from an old usenet post. It's specifically talking about why Netscape's LDAP server uses its own database instead of a RDBMS, but it has lots of good information about how directory services and RDBMS's differ and why one does not make a good substitute for the other.
    http://groups.google.com/groups?q=ldap+comparison+sql&selm=36AD06E4.F7362E47%40netscape.com&rnum=9

  117. Okay I have to ask... by sterno · · Score: 1

    But how would nimda or september 11th affect the load on your LDAP server? I'm not denying openldap's capabilities because I've only used it in development situations so I know jack, but I just don't see the correlation.

    --
    This sig has been temporarily disconnected or is no longer in service
  118. Re:Errr...If you don't like it by Organic_Info · · Score: 1

    I don't see why this was marked flamebait. It's quite a reasonable comment - There are plenty and increasing numbers of people moaning "this is crap there are no tools", and fewer people who do something about it.

    People are very quick to announce there is a hole in the dam but very few who walk up to the dam and plug the hole.

    No flame intended - it's an observation.

    --
    "Things that you own end up owning you" - Tyler Durden (via Diogenes of Sinope).
  119. LDAP directory browser from Novell is free by lekkino · · Score: 1

    If you're looking for a configurable tool to browse an LDAP directory, Novell's eGuide does it via a web browser and is free. It lets you choose how it looks and what it does to some extent. Hope it helps.

  120. There are NO LDAP servers by Anonymous Coward · · Score: 0

    LDAP is a protocol, not a service.

    The LDAP protocol is used to access the DIRECTORY of your choice. There are NO LDAP SERVERS!

    Lightweight Directory Access Protocol

    Many directories support LDAP, but you have to be running a directory service before you can use LDAP to get at the data in the directory.

    Novell's eDirectory is a great directory service, but there are other good ones out there too. MS's active directory supports LDAP V3 with a couple of minor glitches.

    There are lots of LDAP based tools out there. I believe there are even TCL add-ons for LDAP.

  121. Re:From a purely simplistic view, LDAP is pointles by Drake42 · · Score: 1

    I completely agree that it CAN be used for a great benefit, but in my experience it rarely is.

    I see a similar but less epidemic problem in the mis-use of XML. At least three projects I've come into have had XML being used to store 100% flat properties. With no hierarchy, and only one project searching only one database, there is no point in using LDAP except that people seem to think they're supposed to.

    Certainly a protocol is not responsible for people mis-using it, but LDAP seems to lend itself to this mis-use through a lack of real clarity for beginners about what it is for and a lack of simplicity in its interface for building good examples.

  122. Nice LDAP Admin Tool by InfoSec · · Score: 1

    I used to think that there were no good LDAP tools either. I then discovered GQ. I know that you said you prefer web or console, but this little X/GTK beauty is perfect for LDAP administration. I used it all of the time to add users, modify users, and to delete users.

    --

    Wherever you go, there I am...
  123. Re:Just use Perl by Anonymous Coward · · Score: 0

    The modules work fine for searching, adding, modifying, etc. I just can't seem to find versions that work with the 2.X.X series of LDAP!

  124. Try Ganymede? by Anonymous Coward · · Score: 0

    http://www.arlut.utexas.edu/gash2/
    We are in the building phase at my company and this looks like a really powerful tool in the right hands. You will have to build your own schema, but for good flexibility you will want to. It supports any executable file as the backend, so you can write a perl script that updates the password on the LDAP server when it is changed, etc. Check it out.

  125. NDS just rocks. by Stingray777 · · Score: 1

    Coming from a Netware world into a NT one is literally painful. I'm used to showing up late, and leaving early with long lunches in between. Not worrying that my servers need to be rebooted once a week because they don't work with the Tape Library driver. Netware needs to market their product. Any comparison between NT and Netware would show NT as the pathetic waste of bits that it is. They finally ARE trying to market it, check out www.whytheylie.com And be sure to watch the video clips.

  126. Seriously, have you looking into Passport? by Anonymous Coward · · Score: 0

    If you're looking for a single sign-on solution, this is the way to go. You don't have to do much of anything and best of all, it's free.

  127. LDAP fails in implementation by LoRider · · Score: 1

    I have been down that path myself and have come to the conclusion that LDAP sounds great when you sit around talking about it. It's the best thing in the world and would be so cool, right? Then you actually try and implement an LDAP solution and realize that LDAP isn't as cool as you thought it would be.

    There is limited good documentation. There are a limited number of tools available and it's just hard to get going.

    LDAP works well if you work somewhere that has the resources to devote to the LDAP implementation and maintenance. Trying to do it all by yourself just isn't a reality (unless you are an LDAP guru, which I am not).

    I am not saying LDAP is bad, there just aren't any turnkey solutions out there.

    --
    LoRider
    1. Re:LDAP fails in implementation by atomicityCTO · · Score: 1

      I have to disagree with you.

      I have myself successfully implemented a single login website using OpenLDAP. Yeah the tools are few but there are a lot of books on LDAP. Just go to Amazon and type LDAP in the book search to see for yourself.

      BTW, using Java to interface with LDAP was easy.

      My 2 cents,

      atomicityCTO

  128. Best LDAP Tool by CleverFox · · Score: 1

    I administer OpenLDAP, NDS, and ADS directories and have found the best GUI tool to be:

    http://www.iit.edu/~gawojar/ldap/

  129. OpenLDAP worked for me by Anonymous Coward · · Score: 0

    I moved a 700 workstation environment from NIS+ to OpenLDAP, and it worked just fine with around a 500 user daily load (IMAP, Samba, shell, Mac, Web auth, etc.). Consolidating the multiple MAC/UNIX/Windows user databases was a good thing. We had around 10000 total accounts. Simple read only replication never caused us a problem, other than the initial replica install, where the master was on Sparc and the slave was Intel, so an endian switch was needed (using gdbm). The master ldap server was an old Sun Ultra 5 workstation with 64MB of RAM.

    I found reading the manual and using ldapmodify to be quite helpful. A little Perl didn't hurt either. In general, systems administration appeared to solve most problems we encountered. Haven't yet found a magic program able to replace a good UNIX systems administrator.

    Someone mentioned the lack of NIS netgroups, I didn't miss them. Subtrees are configurable for ldap clients, and on the server side the PAM access module works quite nicely.

    Read, experiment, test, implement, troubleshoot, enjoy.

  130. then say something about it! by Pegasus · · Score: 1

    > OpenLDAP works great when configured correctly, even under heavy load.

    I can only say WOW. Now if it really works for you, would you be so kind to write it down and post it somewhere on the web for the others to see? I'd say I'm not the only one who feels the lack of such documents.

  131. LDAP authing by xinit_cx · · Score: 1

    Hi, I did exactly the same stuff lately. With some friends, we're running a server that hosts some domains. Because I wanted to learn about LDAP, I thought that it would be a nice thing to put all the userinfo into an openldap tree and even authenticate to it.
    The same problem I encountered: There are some ldap-browsers, but no big implementations.
    Maybe our setup is a bit too specific, so I had to write my own tools (long live perl). Our setup consists of accounts, these accounts can contain multiple posixaccounts, domains, virtusers and vhosts.
    I looked at some webbased apps for ISP management, but they always have a domain on the toplevel.
    I managed to make a tool, but found out that the slapd from debian doesn't have TLS support, so security still is an issue for me, because users have to be able to modify parts of the tree.
    But IMHO, I find ldap pretty funky, well suited for a lot of stuff and above all really scalable.

  132. Re:From a purely simplistic view, LDAP is pointles by wildgift_mac_com · · Score: 1

    That is pretty simplistic.

    LDAP stores contact info, but its main purpose is to authenticate users. It's a network-wide replacement for /etc/passwd.

    LDAP APIs are used to create plug-ins for different servers so that they can also be used to authenticate against the LDAP database.

    The database differs from a relational SQL-style db, in that each user/record can be extended (have columns added) without modifying the entire database. In OO, I think this would be a composite object.

    LDAP is the opposite of useless. It's vital. The problem, for Unix, is that LDAP exists, but the tools suck, and the default installs of unix still use /etc/passwd and don't come with LDAP plug ins for all the apps. Windows, by comparison, forces you to use their directory service, so everyone starts out being able to use a centralized directory server.

  133. Domino, Domino, Domino! by tmasssey · · Score: 1
    I can't believe *no one* mentioned Lotus Domino. Domino's had a directory for *years*, and it's done LDAP since 1999!

    And yes, there is a Linux version.

    Tim Massey

  134. LDAP Administration Super Tool. by Kenny+Austin · · Score: 1

    LAST (http://www.sysadminsith.org/software/last/) is a very nice tool and has been working out great for sub-delegating administration of our LDAP server.
    Unlike any of the other web-based tools I have seen, LAST doesn't assume (too much) about the layout of your LDAP server. There has only been one thing I had to change in source for this to work perfectly with our layout.
    It allows you to build templates for different entry types/objectClasses (posixAccount, qmailUser, whatever). You can control access to these templates, verify the data being written, etc.
    There isn't an online demo, and the documentation only covers the bare basics.. pretty much comes down to you have to know a little bit about what you are doing to use this tool (but if you don't know what you are doing, why are you trying to set up tools to administer an LDAP server?).

    Kenny
    Mail me if you actually want more info or a demo (kenny@muspellsheim.net)

  135. Re:From a purely simplistic view, LDAP is pointles by rkhalloran · · Score: 1

    The reference LDAP implementations use a database tuned for read-mostly access, which makes sense in context. A traditional RDBMS would not perform as well.

    The ease in extending the schema 'on the fly' is also a major plus over traditional DB environments.

    The protocol is fine, the implementations make sense, and the overwhelming cross-environment support makes it a winner for implementing authorization & authentication solutions.

  136. Oh, you're looking for NetInfo by Anonymous Coward · · Score: 0

    NeXT's NetInfo, now available in the BSD flavour called Darwin (hence also in Mac OS X), is an abstract Directory Services architecture which encompasses most anything, including NIS, LDAP and Unix flatfiles.

    UI tools - browsers, query tools, whatnot - exist for most everything, and XML import and export (as well as bridging imports and export to a slew of formats, including classic flatfiles) are a no-brainer.

  137. GQ is also worth a look by Nailer · · Score: 3, Informative

    It's `a graphical browser for LDAP directories and schemas. Using GQ, an administrator can search through a directory and modify objects stored
    in that directory'

    It comes as Red Hat's standard LDAP admin tool. Get it here. It's not as good be, but neither is directory administrator the last time I looked.

  138. JDBC driver for LDAP by eGuy · · Score: 2, Interesting

    Novell has a JDBC driver for LDAP. It maps SQL statements to LDAP (at least those it can. Those it can't map directly to LDAP it does its own joining of the data). It's a free download available at developer.novell.com/ndk/ldapjdbc.htm It's also 'works with LDAP 2000' certified. (From the OpenGroup) This means it should work with any LDAP compliant directory. It's useful if you have normal reporting tools that use JDBC drivers. For example StarOffice can import data from JDBC drivers with a nice GUI - This way you don't have to know about the LDAP syntaxes or anything about LDAP except that it's a database. They also have an ODBC driver that only works with eDirectory (NDS). Hope that helps.

  139. OpenLDAP & LDAP Explorer by Ipsilon · · Score: 1

    I use OpenLDAP 2.0.14 for Linux. To edit/browse the LDAP directory I use LDAP Explorer 1.16, although the newest version is 1.17. It's web based and done in PHP 4.x:

    http://igloo.its.unimelb.edu.au/LDAPExplorer/

    --

    The opinions in this comment are subject to GPL, you can copy, modify and redistribute freely (as in speech).

  140. LDAP developers resources by Unleashed-TMY · · Score: 1

    http://www.ldapzone.com
    http://developer.novell.com
    http://www.openldap.org

    Just thought I'd list them!

    Mj

  141. Have you tried out tools like PS Enlist by Anonymous Coward · · Score: 0

    There is an Indian company which provides attractive tools for managing LDAP servers. They provide tools like PS Enlist which will let you use SQL to manage your LDAP directory. They also have a tool called Ensure which will let you sync data with a database.

    Their URL is http://www.persistentdata.com

  142. Novell recent marketing: whytheylie.com by ashitaka · · Score: 1

    Got a brochure from Novell the other day. Lots of ad-speak with possible reasons why Microsoft is spreading certain untruths about Novell's products.

    However, fold the card à la the back page of a Mad magazine and the message gets condensed to just three words:

    "Their Products Suck"

    --
    If you don't want to repeat the past, stop living in it.
  143. Oh boy... by FatSean · · Score: 1

    I've used the DMT tool, and found it lacking. At least in v3.2.1. It has serious issues when you attempt to modify the schema. I've only used it with the SecureWay directory, and because the schema storage methods tend to differ between vendors, it may not even work with yours.

    --
    Blar.
  144. Novell by Anonymous Coward · · Score: 0

    With NDS Novell provides a great directory and great tools to manage it. ConsoleOne, the main administrative tool, is now almost entirely written in Java so it runs across many platforms and NetWare 6 provides very nice, very functional browser based management of the directory. Novell Account Management provides entry-level account management of Windows systems (NT domain emulation) and Unix (NIS / PAM). And using DirXML, NDS can be synchronized with pretty much any other data store.

  145. Re:From a purely simplistic view, LDAP is pointles by jpugh · · Score: 1

    Hello? LDAP is not a directory. LDAP is a directory access protocol. GEEZ.

    A directory requires a DB, but a DB cannot be a directory.

    Come on...get your facts straight. There is no such thing as an LDAP directory and a RDBMS will not solve your directory problem.

  146. List of OpenSource LDAP Tools and Software by bbaez4 · · Score: 1

    LDAP has become a very important tool at our facility. We have a mixed Windows 2000 and *NIX environment with AD and OpenLDAP directories. Our sister corporation has one of the fastest clustered Alpha systems in the world and they used it to map the Human Genome. Our business unit was created to embark on an even greater technological and medical endeavour. The regular user community is comfortable with Windows so we give them that. However, we rely only on *NIX for anything mission critical or requiring stable computing power. We have installed OpenLDAP to take care of everything outside of Windows. The following OSs authenticate (or will) from OpenLDAP: Slackware, Redhat, TRU64, Solaris, AIX, Nortel, etc. This gives us a single user/password for the users of any of those systems. In addition, I have coded over the following software to authenticate against LDAP: IRMA 0.8 http://irma.incubus.de/ IRM 1.3.3 http://irm.schoenefeld.org/ Document Manager http://www.rot13.org/~dpavlin/docman.html The following software already takes advantage of LDAP: Horde/IMP 2.0/3.0 http://www.horde.org QMAIL http://www.qmail.org Rolodap A very good LDAP useradd, passwd change, etc. Java tool: Java LDAP Browser V 2.8.2 http://www.iit.edu/~gawojar/ldap http://www.mcs.anl.gov/~gawor/ldap You can also use IRMA for user/group management. We initially started with IRM, but we are moving over to IRMA since it is very clean code and easy to extend. We use Netscape Communicator 4.79 Roaming profiles so that users that move between Windows and *NIX can have their bookmarks, address book, etc. readily available. Don't use the mull.schema because it has a couple of errors. I will be posting the correct schema at http://www.igranite.com in a couple of weeks (the domain doesn't point anywhere at the moment) as well as more LDAP info. You may search IMP mailing lists for the latest schema I posted. A project we would like to see started is LDAP Gina. I have no programming experience in Windows, so it would be great to have a community knowledgeable in both *NIX and Windows create an LDAP Gina. I found a NIS gina which could possibly be extended to LDAP? As many corporate orgs are probably finding out, the GNU, GPL, and Linux community are producing high caliber software and solutions for corporate use. Linux is fast becoming the center of desktop use, already solidly beating back an attempt by Windows to break into the corporate *NIX environment. Having lost the server fight, no wonder why a MS memo ordered a clobbering of Linux. Could you have ever changed the code like we did using commercial software / OSs? And we will be uploading our changes to the respective authors to make the software that much better.

    1. Re:List of OpenSource LDAP Tools and Software by talks_to_birds · · Score: 2

      and

      <br>

      are

      your

      friends.

      Get

      to

      know

      them.

      t_t_b

      --
      I'm on PJ's "enemies" list! Are you?
  147. Re:From a purely simplistic view, LDAP is pointles by Anonymous Coward · · Score: 0

    LDAP is supposed to help make it so you can access everything on your network (or company resources/services) without the need for a zillion accounts and passwords.

    But guess what. I work for the company that makes the most popular enterprise-level ldap server and we still have several dozen different login names, different passwords and even multiple address/user-information resources (i.e., not just a quick ldap lookup to get information on joe blow's phone number from office 14).

    So LDAP is worth fuck if you don't actually USE IT FOR SOMETHING.

  148. Re:From a purely simplistic view, LDAP is pointles by jpugh · · Score: 1

    Please...LDAP is an ACCESS PROTOCOL. How can it be used for contact/location/description information????????
    Plllleeeeaasssssseeeee. DBs are not designed for READING information fast, DBs are meant for storing information.
    LDAP is meant to ACCESS that STORED information.

  149. ldap tools by maX_ · · Score: 1

    I've been involved in several LDAP projects around my company. Authenticating Linux boxen, home grown apps and Checkpoint firewalls.
    The best LDAP tool I've found so far is.. NWAdmin (or ConsoleOne). Does everything I need, easy to navigate, etc.
    Oh, only one problem with it: it requires a win32 box. And having a Netware 4.x or higher box around is also a requirement
    (OR NDS for Linux, which I hear ConsoleOne works with!).

    As an added benefit, the Netware box can run RADIUS server, filling all your LDAP/NDS/RADIUS needs in one!

  150. ldap and dns by mrsbrisby · · Score: 1
    I wrote a DNS server that relies completely on LDAP called ldapdns. it's a live gateway, so it's ALWAYS up to date. the best thing about managing DNS over LDAP is that users can manage their own DNS and even create new subdomains!

    actually, i'm quite amazed that this topic came up because a centralized directory mechanism can make administration _MUCH_ easier. i'm actually very surprised that most unixes (including linux) don't do anything better than NIS(+).

    LDAP became the mechanism by which I manage my own network with greater ease: i use LDAP with NSS for user management (and allow users thereby to manage themselves). i use LDAP for DNS (of course :), i use LDAP to manage certificates, and employee information, and i also use LDAP to keep track of customers (for billing).

    i've had to write a lot of my own shit to make it work (billing, and DNS - but now the DNS is gpl'd so youall can be happy with it), but a lot of it DOES already exist. using NSS and PAM, you can manage users with ldap, and with vpopmail/qmailpatches you can run mail over ldap.

    as for useradd/userdel/etc -- you simply don't need them. you can write a very simple shell script to ldapadd new users and delete and modify them (as i have done).

    as for browsers: i happen to like GQ. but tbh, i don't do much browsing (i like robots). there's a java one floating around that works very much like Microsoft's LDAP browser (but free).

    anyway, i'll spit my plug again:

    LDAPDNS: FREE (GPL) LDAP-BASED DNS FOR EASIER ADMINISTRATION: ldapdns IS WHAT YOU NEED. USE IT BLAH BLAH BLAH

    but really: ldap works great. it takes some balls to pull the switch (maybe someone will make it easier), but it is well worth it in the long run.
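    The "simple shell script to ldapadd new users" suggested above, and the ldapmodify/ldapadd command-line tools recommended in post 106, as an added example that is none of the posters' own code: useradd/usermod/userdel replacements that emit LDIF for a posixAccount entry and pipe it to the OpenLDAP utilities. The server URI, People subtree and admin bind DN are assumed placeholders; values that LDIF cannot carry as plain "attr: value" are refused instead of written out broken.

```shell
#!/bin/sh
# Added example, not code from any post here. Minimal useradd/usermod/userdel
# replacements: generate LDIF for a posixAccount entry and hand it to
# ldapmodify / ldapdelete / ldappasswd. LDAP_URI, PEOPLE_BASE and ADMIN_DN
# are assumed placeholders for your own directory.
set -u

LDAP_URI="${LDAP_URI:-ldap://localhost}"                    # assumed
PEOPLE_BASE="${PEOPLE_BASE:-ou=People,dc=example,dc=com}"   # assumed subtree
ADMIN_DN="${ADMIN_DN:-cn=Manager,dc=example,dc=com}"        # assumed bind DN

# user_dn LOGIN -> the entry's DN under PEOPLE_BASE
user_dn() { printf 'uid=%s,%s\n' "$1" "$PEOPLE_BASE"; }

# ldif_safe VALUE: LDIF may write "attr: value" only for non-empty ASCII
# values that do not start with space, ':' or '<'; anything else would have
# to be base64-encoded, so refuse it rather than emit a malformed entry.
ldif_safe() {
    case $1 in
        ""|" "*|":"*|"<"*) return 1 ;;
    esac
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# useradd_ldif LOGIN UIDNUMBER GIDNUMBER "FULL NAME" [SHELL]
# Prints the add-LDIF for a new account. No userPassword is written: set it
# afterwards with ldappasswd so the hash is produced by the server and the
# cleartext never sits in a script argument or the shell history.
useradd_ldif() {
    [ $# -ge 4 ] || { echo "usage: useradd_ldif LOGIN UID GID NAME [SHELL]" >&2; return 1; }
    login=$1; uidn=$2; gidn=$3; name=$4; shell=${5:-/bin/sh}
    case $login in
        [a-z_]*) ;;
        *) echo "useradd_ldif: login must start with a letter or '_'" >&2; return 1 ;;
    esac
    case $login in
        *[!a-z0-9_-]*) echo "useradd_ldif: login has characters unsafe for a DN" >&2; return 1 ;;
    esac
    for n in "$uidn" "$gidn"; do
        case $n in
            ""|*[!0-9]*) echo "useradd_ldif: uidNumber and gidNumber must be numeric" >&2; return 1 ;;
        esac
    done
    ldif_safe "$name" || { echo "useradd_ldif: name would need base64 LDIF encoding, refusing" >&2; return 1; }
    printf 'dn: %s\n' "$(user_dn "$login")"
    printf 'objectClass: account\nobjectClass: posixAccount\nobjectClass: shadowAccount\n'
    printf 'uid: %s\ncn: %s\ngecos: %s\n' "$login" "$name" "$name"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidn" "$gidn"
    printf 'homeDirectory: /home/%s\nloginShell: %s\n' "$login" "$shell"
}

# usermod_ldif LOGIN ATTRIBUTE VALUE -> modify-LDIF that replaces one attribute
usermod_ldif() {
    [ $# -eq 3 ] || { echo "usage: usermod_ldif LOGIN ATTR VALUE" >&2; return 1; }
    ldif_safe "$3" || { echo "usermod_ldif: value would need base64 LDIF encoding, refusing" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n' "$(user_dn "$1")" "$2" "$2" "$3"
}

# Subcommands. With no arguments (e.g. when sourced) only the functions are
# defined. ldapmodify -a is the same operation as ldapadd.
case ${1:-} in
    add)    shift; useradd_ldif "$@" | ldapmodify -a -x -H "$LDAP_URI" -D "$ADMIN_DN" -W ;;
    mod)    shift; usermod_ldif "$@" | ldapmodify -x -H "$LDAP_URI" -D "$ADMIN_DN" -W ;;
    del)    ldapdelete -x -H "$LDAP_URI" -D "$ADMIN_DN" -W "$(user_dn "${2:?login required}")" ;;
    passwd) ldappasswd -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "$(user_dn "${2:?login required}")" ;;
    "")     ;;
    *)      echo "usage: $0 add LOGIN UID GID NAME [SHELL] | mod LOGIN ATTR VALUE | del LOGIN | passwd LOGIN" >&2
            exit 2 ;;
esac
```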

  151. Great Tool/App Builder by marienf · · Score: 1

    try Calendra.
    I've been to their 1-day tech course in Paris, France, and I must say I'm very impressed. Never been much of a believer in RAD tools, a hardline coder.. But this one shakes my beliefs bigtime.

  152. OpenLDAP utils vs Net::LDAP by jajuka · · Score: 2

    LDAP is a large part of my job, I've written dozens of scripts for handling various LDAP chores. And whatever you do I strongly recommend that as much as possible for any scripting, use something like Net::LDAP instead of using or wrapping shell scripts around any of the OpenLDAP utils. Maybe it's just a project maturity thing or something, but the OpenLDAP people seem to have an infuriating habit of changing the behaviour/output of ldapsearch which means you will end up having to tweak or rewrite every script that uses it if you ever upgrade. That said the OpenLDAP utils are quite handy to have around, no matter which implementation you're running as your actual LDAP servers.

    Also if you're running iPlanet/Netscape's directory server grab their resource kit, the ilash util which can do a lot of things, has a really nice feature in that you can drop an entry into vi and edit it. ud or whatever it's called in the OpenLDAP utils can sort of do that, but only for certain hardcoded attributes, and not the ones you're likely to need either.

  153. LDAP Software by bbaez4 · · Score: 2, Informative

    LDAP has become a very important tool at our facility. We have a mixed Windows 2000 and *NIX environment with AD and OpenLDAP directories. Our sister corporation has one of the fastest clustered Alpha systems in the world and they used it to map the Human Genome. Our business unit was created to embark on an even greater technological and medical endeavour. The regular user community is comfortable with Windows so we give them that. However, we rely only on *NIX for anything mission critical or requiring stable computing power. We have installed OpenLDAP to take care of everything outside of Windows. The following OSs authenticate (or will) from OpenLDAP: Slackware, Redhat, TRU64, Solaris, AIX, Nortel, etc. This gives us a single user/password for the users of any of those systems. In addition, I have coded over the following software to authenticate against LDAP:

    IRMA 0.8 http://irma.incubus.de/
    IRM 1.3.3 http://irm.schoenefeld.org/
    Document Manager http://www.rot13.org/~dpavlin/docman.html

    The following software already takes advantage of LDAP:
    Horde/IMP 2.0/3.0 http://www.horde.org
    QMAIL http://www.qmail.org
    Rolodap

    A very good LDAP useradd, passwd change, etc. Java tool:
    Java LDAP Browser V 2.8.2 http://www.iit.edu/~gawojar/ldap
    http://www.mcs.anl.gov/~gawor/ldap

    You can also use IRMA for user/group management. We initially started with IRM, but we are moving over to IRMA since it is very clean code and easy to extend.

    We use Netscape Communicator 4.79 Roaming profiles so that users that move between Windows and *NIX can have their bookmarks, address book, etc. readily available. Don't use the mull.schema because it has a couple of errors. I will be posting the correct schema at http://www.igranite.com in a couple of weeks (the domain doesn't point anywhere at the moment) as well as more LDAP info. You may search IMP mailing lists for the latest schema I posted.

    A project we would like to see started is LDAP Gina. I have no programming experience in Windows, so it would be great to have a community knowledgeable in both *NIX and Windows create an LDAP Gina. I found a NIS gina which could possibly be extended to LDAP?

    As many corporate orgs are probably finding out, the GNU, GPL, and Linux community are producing high caliber software and solutions for corporate use. Linux is fast becoming the center of desktop use, already solidly beating back an attempt by Windows to break into the corporate *NIX environment. Having lost the server fight, no wonder why a MS memo ordered a clobbering of Linux.

    Could you have ever changed the code like we did using commercial software / OSs? And we will be uploading our changes to the respective authors to make the software that much better.

    check

  154. What is LDAP? by Anonymous Coward · · Score: 0

    Um, excuse me. Perhaps I'm pulling a brain fart here, but just what IS LDAP? I know Slashdot is "news for nerds," but every nerd has to be introduced to a technology at some point, so please remember to expand your technology acronyms in a post.

  155. Kerberos for authentication, KISS the rest. by oddityfds · · Score: 1

    Use Kerberos for authentication. There are PAM modules out there, and it is also supported in Windows 2000 (sort of).

    You also need to distribute a passwd file. We store ours in AFS and distribute it using scripts run by cron. Since it doesn't contain any password, users do not really need to touch it, but we generate the global passwd file from data in a database anyway. You might want to put stuff like e-mail forwarding information in that database as well, propagate it to the mail server using some simple scripts, and let your users access the database somehow. (Perhaps through a Kerberos authenticating gateway.)

    KISS

  156. Re:great resourse by Pfhreakaz0id · · Score: 2

    I found this thing sometime and it rocked. Great set of VBscripts for AD stuff http://www.people.virginia.edu/~pjh5u/code/adsi_app.txt

  157. Beware the FUD! Mozilla has support by kimihia · · Score: 1

    Oh great, another article written to sound like LDAP hasn't got past the experimental dabbling stage.

    LDAP has had support in Netscape 4 and Mozilla for quite a while. Here's a fairly old HOWTO I wrote: How to set up LDAP in Mozilla 0.9.2.

  158. LDAP PAM by justforkicks · · Score: 1

    Hi ! Simply use PAM_LDAP (http://www.padl.com/pam_ldap.html) to ensure that all existing Linux commands are automagically LDAP compliant (eg. useradd, etc). Actually, I have used LDAP a lot and even patched qmail to use LDAP for user lookups. And I don't agree with you that there are not enough LDAP tools around. Cheers
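    The wiring that makes the existing commands "LDAP compliant" lives in three files. The fragment below is an added example, not anything justforkicks posted: it shows PADL's nss_ldap and pam_ldap configured so that id, getent, login and friends resolve LDAP accounts while root and rescue accounts stay local. The hostname, suffix and CA path are assumptions; the PAM stack is the usual pam_unix-first pattern.

```conf
# /etc/ldap.conf -- shared by PADL's nss_ldap and pam_ldap
host ldap.example.com                 # assumption: your server
base dc=example,dc=com                # assumption: your suffix
ldap_version 3
ssl start_tls                         # a simple bind carries the password: never in clear
tls_cacertfile /etc/ssl/certs/ldap-ca.pem
tls_checkpeer yes                     # refuse an impostor directory
bind_policy soft                      # fail fast instead of hanging every getpwnam()
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
pam_password exop                     # RFC 3062 password modify; the server does the hashing

# /etc/nsswitch.conf -- files first, so root and rescue accounts work with LDAP down
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/system-auth (Red Hat layout; Debian splits this across common-*)
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_permit.so
password sufficient pam_unix.so md5 shadow try_first_pass
password sufficient pam_ldap.so use_authtok
password required   pam_deny.so
session  required   pam_unix.so
session  optional   pam_ldap.so
```

    Two things worth checking after this is in place: `getent passwd` must show the directory users, and a deliberately wrong password for an LDAP user must be rejected (if pam_deny is missing at the end of the auth stack, a failed LDAP bind can fall through). The server-side half of the same picture is the userPassword ACL: nss_ldap reads entries without a bind, so the hash must be usable for authentication but never readable.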

  159. LDAP tools by shridhar · · Score: 1

    Visit http://www.persistentdata.com/ for the best tools available for database and directory integration.

    -Shridhar.

  160. Dominant business share?? by sbjornda · · Score: 1
    "Microsoft has had a dominant business share for as long as I can remember."
    Perhaps you're very young then, kikta. I, on the other hand, can remember back to the 1990's when it looked like Netscape's web browser appeared set to dominate the world. It had problems adhering to standards, it rode roughshod over users' complaints, it commercialized the (at that time) excellent freeware called "Mosaic," the company made a sickening ton of money with its public offering, and there was no serious competition in sight. Then Microsoft announced Internet Explorer, and we cheered -- finally there was some serious competition for the Netscape juggernaut!
    1. Re:Dominant business share?? by kikta · · Score: 2

      No, I wish I was very young, but that isn't so. I was exaggerating a bit when I said that.

      However, I don't remember anyone cheering for IE at first. Most of the people I knew either said "Why the hell is MS making a browser? (and giving it away for free - hmmm...)" or "Man, that IE is a real piece of crap, I'll stick with [Netscape, Mosaic, Spyglass, Chameleon Web Surfer, etc...]."

  161. Lightweight Directory Access Protocol by JSBiff · · Score: 2

    There are plenty of sites with info about what LDAP is. Do a search on yahoo.com, dmoz.org, or google.com and you'll find plenty of sites. Basically, it is a standard, high-level network protocol (like http, ftp or ssh) that allows you to access directory servers. A directory server is basically a database that is organized hierarchically and is optimized for a lot of reads and very few writes. They are useful, for example, for running address book servers: Outlook or Netscape (and presumably other email clients) can use an LDAP server for looking up email addresses given a nickname, or a full name of a person, or even a partial name that is unique.

    Another purpose that they are sometimes used for is to implement network authentication services, similar to the way Novell or Win2K server allow you to log into any workstation on your company's/organization's network using a network account. Your login account, instead of being created on individual workstations, is created in the LDAP directory and when you go to login to a workstation, the workstation requests authentication from the directory server.

    I'm sure there are other uses for LDAP directory servers as well, but these are the two most common. Cheers.

  162. Re:From a purely simplistic view, LDAP is pointles by Anonymous Coward · · Score: 0

    I recall reading something about openldap that lets you migrate your /etc/[passwd,groups,hosts,services,protocols,...] into ldap from flat text files. I believe it also supports name lookups ala DNS.

    Is it possible ldap will be the future of Linux/UNIX? or perhaps even the internet?

  163. Re:libnss-ldap (SSL on Woody?) by Anonymous Coward · · Score: 0

    Simple: woody's libs aren't compiled against openssl. See the bug reports:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=80591&repeatmerged=yes

  164. iPlanet LDAP comes with a nice GUI to LDAP servers by Anonymous Coward · · Score: 0

    iPlanet LDAP server ships with awesome GUIs to administer and browse LDAP servers. You might want to try to download eval version and run only the GUIs, not the server daemons.

  165. How to screw up OpenLDAP installations. by ronabop · · Score: 1

    Classic bonehead things I did to make openldap installations and directories less-than optimal:

    1. I didn't stay up on patches, so I was running versions with known performance bugs. I should have kept up.

    2. I did lousy, MySQL-101-db-like, structures (flat as all get out), which made the tree and replication features somewhere between pointless and painful. I should have fanned the tree out to different servers, increasing the ways I could spread the load. I also went too far the other way, and made high-quality, relational, db structures, which made my entry count absolutely absurd. I should have tuned my design under load.

    3. I tried storing large objects in a record (say, 10-100K gifs) in each record and then wondered why it took so long to move 500 of those records.... over a 56K line. I should have used pointers or references to external blobs.

    4. In speed critical applications, I did non-filtering lookups (the SQL equivalent of "select * from..."), so I was slogging through millions of bits I didn't need. I should have specified the data I needed, when I needed it.

    5. I indexed all sorts of things that didn't need indexing, basically wasting tons of CPU for lookups that wouldn't be needed. I should have only indexed fields that were being frequently used, for the way they were being used.

    6. I tried to store transactional information, stuff that changed every few seconds or minutes, in an LDAP implementation that wasn't designed for "row or column" transactions. I should have used the right tool for that job, such as an atomic-transaction database.

    7. When I compiled, I didn't use a fast backend, I accepted a slower gdb default. I should have used a tuned, compiled, backend.

    8. I ran off of slow disks. I should never have tried to use IDE for a high-speed database.

    9. I didn't tune LDAP to cache as much in RAM as possible. I should have tuned the slapd.conf entries.

    10. I didn't deploy ldap servers at critical points, and instead, tried to use a few big ones. A tree of smaller servers would have worked faster.

    11. I wrote scripts that did _really_ dumb things, like try to read and then edit every record in a live OpenLDAP *dbm database on the fly. I should have broken it into smaller work units, and treated the protocol on its merits.

    12. Rather than pull a fast, clean, backup daily (which requires a restart), I was just running it until it died. I should have pulled regular backups, and the restart helps to close any niggling descriptors left open. :-)

    There's lots of ways to screw up any program.... I've killed apache with oversized log files and open fds, I've brought postgresql to its knees by neglecting maintenance, I've brought MySQL to a dead stop because of file sizes (ugh.) and table design.... the list goes on and on.

    That doesn't mean that apache, or http, sucks, or that SQL is useless, it means that tools have to be used properly, and learning the limitations of your tools is a painful step in learning how to use them.

    HTH,
    -Bop
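    Items 4, 5 and 9 above translate directly into slapd.conf and into how searches are issued. The fragment below is an added example for OpenLDAP 2.x with the bdb backend, not ronabop's configuration; the suffix, schema paths, cache size and attribute list are assumptions to adapt to your own tree and query mix. The userPassword ACL is included because a tuning pass is also when people discover the hash was world-readable.

```conf
# slapd.conf fragment (OpenLDAP 2.x, bdb backend)
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/nis.schema      # posixAccount, posixGroup, shadowAccount

password-hash {SSHA}                           # what the password-modify exop stores

database  bdb
suffix    "dc=example,dc=com"                  # assumption: your suffix
directory /var/lib/ldap

# (5) index only the attributes clients filter on, with the match type they use;
#     every extra index costs CPU and disk on each write.
index objectClass                               eq
index uid,uidNumber,gidNumber,memberUid         eq
index cn                                        eq,sub

# (9) keep the working set in RAM: cachesize counts entries, not bytes
cachesize  10000
checkpoint 512 30                               # flush the bdb log every 512 KB or 30 s

# nss_ldap reads entries without binding, so the hash must never be readable:
# anonymous may only *use* userPassword to bind, and only the owner may change it.
access to attrs=userPassword,shadowLastChange
       by self write
       by anonymous auth
       by * none
access to *
       by * read

# (4) ask for exactly the attributes you need, with a filter the indexes serve:
#   ldapsearch -x -ZZ -b ou=People,dc=example,dc=com '(uid=jdoe)' uidNumber gidNumber homeDirectory
# rather than pulling every attribute of every entry:
#   ldapsearch -x -b dc=example,dc=com '(objectClass=*)'
```

    Check the index list against real traffic: run slapd with `loglevel 256` for a day and grep the filters in the log for attributes you did not index (slapd logs a "not indexed" notice for them) and for indexed attributes nobody filters on.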

  166. Check out Enrole 4 by Anonymous Coward · · Score: 0

    It manages your LDAP for you, creates accounts across all your enterprise's resources, you'll find the product here

  167. Netscape Java LDAP API by Anonymous Coward · · Score: 0

    with this API you can write your own app, which handles delete, add, etc.

    Works for me, servlet which acts as an addressbook for 150K+ people, throughout a web-app.

    pretty fast too.

  168. I agree by ^HiCKeY^ · · Score: 1

    sincerely

    --
    carpe diem baby
  169. Re: ditto! by citmanual · · Score: 1

    This is definitely the best available, from what I've seen. And it is definitely too bad that it is a windows-only program.

  170. Gnome ldap tree-view browser by Anonymous Coward · · Score: 0

    Debian has one called "gq."

  171. Re:From a purely simplistic view, LDAP is pointles by Anonymous Coward · · Score: 0

    SORRY! what have you been smoking

    LDAP is a descendant of X.500. It freakin' well is a directory - you can of course use it to provide authentication.

    Oh and I used to support X.500 and X.400 services in the UK

  172. Flexibility by JkaB · · Score: 1

    Having been involved in numerous corporate scale Directory deployments as a consultant, I think I can safely say you're underestimating LDAP, or rather, have a too narrow view of what it's for. Of course, Directory Datastores are a concept of a datamodel, and LDAP is both a protocol by which to access the data, and a way of representing it. The inherent flexibility of datamodelling in LDAP is precisely why you won't find the equivalent of 'useradd' as a generic tool. LDAP is not a replacement for /etc/passwd, it _can_ be. But what if the user in question also has associated with them an x.509 certificate, a maildir, an out-of-office-autoreply msg, .. well you get the point. Besides, it doesn't have to be a user you're representing in the Directory. Might as well be a machine, a network, or a customer, or a collection of urls (think roaming bookmarks) So, in your specific situation; you roll your own. Get ldap client library wrappers for your favourite script language (Perl and PHP have excellent modules available, even if PHP's is a bit 'strange' on multidimensional arrays when dealing with multiple results/multiple values to an attribute), add twenty-or-so lines of business logic, some nice HTML tags, and Bob's your uncle :) Don't be intimidated, you'll get two steps closer to enlightenment in the process.
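    The "migrate /etc/passwd into ldap" idea from the earlier comment and the "roll your own twenty lines of business logic" advice above meet in the same piece of code: something that turns the flat files into RFC 2307 entries. The script below is an added example, not from either poster or from any project; it assumes the suffix dc=example,dc=com with ou=People and ou=Group containers, uses constructed sample input with placeholder crypt strings, and shows the two details home-grown tools usually get wrong: LDIF values that must be base64-encoded (RFC 2849) and RDN values that must be escaped (RFC 4514).

```python
"""Migrate /etc/passwd, /etc/shadow and /etc/group into RFC 2307 LDIF.
Added example, not from the thread.  Assumes the suffix dc=example,dc=com with
ou=People and ou=Group; values are encoded per RFC 2849, RDNs per RFC 4514."""
import base64

BASE_DN = "dc=example,dc=com"      # assumption: your directory suffix
PEOPLE_OU = "ou=People," + BASE_DN
GROUP_OU = "ou=Group," + BASE_DN
MIN_ID = 1000    # root, daemons and system groups below this stay in local files


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when value is not an RFC 2849 SAFE-STRING
    (leading space/':'/'<', trailing space, NUL/CR/LF or any non-ASCII char)."""
    value = str(value)
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(ord(c) > 127 or c in "\r\n\0" for c in value))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def dn_escape(rdn_value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    last = len(rdn_value) - 1
    return "".join("\\" + c if (c in ',+"\\<>;=' or (i == 0 and c in "# ")
                                 or (i == last and c == " ")) else c
                   for i, c in enumerate(rdn_value))


def parse_passwd(text):
    users = {}
    for line in filter(None, text.splitlines()):
        name, _, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    # name -> crypt(3) string.  '!' / '*' are kept: nothing can ever match them,
    # so an account locked in /etc/shadow stays locked in the directory.
    return dict(line.split(":", 2)[:2] for line in filter(None, text.splitlines()))


def parse_group(text):
    groups = {}
    for line in filter(None, text.splitlines()):
        name, _, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def user_entry(name, u, crypt_hash):
    cn = u["gecos"].split(",")[0].strip() or name
    lines = [ldif_line("dn", "uid=%s,%s" % (dn_escape(name), PEOPLE_OU)),
             "objectClass: top", "objectClass: account",
             "objectClass: posixAccount", "objectClass: shadowAccount",
             ldif_line("uid", name), ldif_line("cn", cn),
             ldif_line("uidNumber", u["uid"]), ldif_line("gidNumber", u["gid"]),
             ldif_line("homeDirectory", u["home"]),
             ldif_line("loginShell", u["shell"] or "/bin/sh")]
    # gecos is IA5String (ASCII only) in nis.schema, so a non-ASCII GECOS field
    # is dropped here; cn is a DirectoryString and carries the UTF-8 name.
    if u["gecos"] and u["gecos"].isascii():
        lines.append(ldif_line("gecos", u["gecos"]))
    if crypt_hash:
        lines.append(ldif_line("userPassword", "{crypt}" + crypt_hash))
    return "\n".join(lines) + "\n"


def group_entry(name, g):
    lines = [ldif_line("dn", "cn=%s,%s" % (dn_escape(name), GROUP_OU)),
             "objectClass: top", "objectClass: posixGroup",
             ldif_line("cn", name), ldif_line("gidNumber", g["gid"])]
    lines += [ldif_line("memberUid", m) for m in g["members"]]
    return "\n".join(lines) + "\n"


def migrate(passwd_text, shadow_text, group_text, min_id=MIN_ID):
    """LDIF for every account and group with an id >= min_id, ordered by id."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    hashes = parse_shadow(shadow_text)
    entries = [user_entry(n, u, hashes.get(n)) for n, u in
               sorted(users.items(), key=lambda kv: kv[1]["uid"]) if u["uid"] >= min_id]
    entries += [group_entry(n, g) for n, g in
                sorted(groups.items(), key=lambda kv: kv[1]["gid"]) if g["gid"] >= min_id]
    return "\n".join(entries)


# Constructed sample input; the crypt strings are placeholders, not real hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:John Doe,Room 101,555-0100:/home/jdoe:/bin/bash
mueller:x:1002:1001:Jürgen Müller:/home/mueller:/bin/zsh
svc:x:1003:1002:Nightly backup:/var/backups:/bin/false
"""
SAMPLE_SHADOW = """jdoe:$6$salt$jdoeplaceholder:19000:0:99999:7:::
mueller:$1$salt$muellerplaceholder:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
"""
SAMPLE_GROUP = """users:x:100:
staff:x:1001:jdoe,mueller
ops:x:1002:svc,jdoe
"""

if __name__ == "__main__":
    print(migrate(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP))
```

    Load the output with slapadd (server stopped) or ldapadd, and only after an ACL like `access to attrs=userPassword by self write by anonymous auth by * none` is in place, otherwise every crypt hash becomes readable to anyone who can search. Root deliberately never leaves /etc/passwd: a box must still be administrable when the directory is unreachable. Same idea for a useradd replacement: generate one entry with user_entry(), pick the next free uidNumber from the directory, and add it through a real LDAP library rather than by shelling out to ldapadd.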

  173. ldap schema builder by atif_ghaffar · · Score: 0

    I started a project a while back to write a web based schema builder. Initially it was for my project (ispman) and I wanted to write the tool simply to get my hands dirty with schema stuff (I learn like that).

    It's available for demo at
    http://ispman.sf.net/schema/editor

    It's incomplete (should work as proof of concept). So if anyone is interested to work on it let me know.

  174. How is LDAP being used in the world? by Anonymous Coward · · Score: 0

    Do the ERP, HR and CRM applications of the world (the usual suspects of SAP, Peoplesoft, Siebel, etc.) use LDAP for user login profiles? (One password for these applications, one place where the access profile is defined and maintained.)

    Also do the HR and CRM integrate with LDAP to allow data (on employees and customers ) to be in sync so that a)Employee has a new office phone number and/or title and this is changed once and reflected in both the HR profile and the LDAP white pages, and b) customer (who logs on web site) phones into call centre with issues and new information, which is reflected in their web profile.

    The last time I looked into this the answer was no and no. That was 2 years ago. Has this improved any?

    LDAP has great potential for custom work because it reduces the work of hand building another crappy login / authorization / authentication piece. But until the ERP, HR and CRM are integrated into the picture it's a pimple on the ass of a whale.

    How else, where else is it being used? What are AOL, Ebay, Amazon, GE, Yahoo (some said that they're using eDirectory?) doing?

  175. Commercial LDAP Admin tools by PerWei · · Score: 1

    If you're well off, take a look at NetPoint from Oblix (http://www.oblix.com/).

    It's much more than a LDAP tool, marketed more as e-biz infrastructure tool. The main feature is identity management but it also contains group management and generic management of LDAP/X.500 objects.

    We're deploying it now and it will contain all our 40.000 internal users and a lot of our customers/partners. We're using iPlanet Directory servers and will use iDS as a metadirectory for all other directories (AD, NDS) that people might like to use (mgmt. decision). Hopefully LDAP will give us a single administrative point for userid/password for all our applications, including Web access, Unix logon, NT logon etc.

    We see more and more systems being LDAP enabled, from application access down to VPN servers. We even have HP scanners where you use LDAP as the source for email addresses when scanning and mailing documents.

    LDAP is here to stay !

  176. Re: No it's not by Anonymous Coward · · Score: 0

    Wow, what a searing and incisive rebuttal!

    Whatever happened to
    "I know you are, but what am I?"

  177. What's that? by Anonymous Coward · · Score: 0

    What in hell is a/an LDAP?

  178. Free Commercial java LDAP browser by pegacat · · Score: 1

    O.k., coming in a little late to this discussion after making sure it was o.k. with my corporate masters :-).

    The Java ldap browser I wrote is available for free download from Computer Associates. It comes with a Windows Install Version and a Solaris Tar file. (Being java you can probably persuade it to run under linux, but I've had trouble with Swing and linux, so no promises. If you can get it going, it runs about 4 times as fast as under windows though ... :-)

    Quick Feature List
    • Supports SSL and SASL
    • saves/imports ldif files
    • Pluggable architecture
    • User customisable display via html forms
    • i18n support
    • yada yada yada... it does heaps.

    ... and kudos to my company CA for making it available for free download (normally it's packaged with our 'eTrust Directory' X500/ldap directory, which is pretty darn neat, but is *not* a free download :-)!

    Unfortunately this is not (yet) an open source product, but if anyone uses it, finds it helpful, and writes to me, I'll have a better chance of persuading people here to make it so...

    --
    Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird.