
IT pros suffer OpenLDAP configuration headaches

Between the frustrations of installing OpenLDAP and annoyances with configuration problems, some IT pros are questioning its merit.

As a free alternative to Active Directory, OpenLDAP is a directory server that would be great, if it weren't so hard to install, configure and use, say IT pros.

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), a standard for accessing directory services; the OpenLDAP server can be configured to serve directory data and to run server-side extensions. OpenLDAP runs on Linux servers, offers extensive software support and future compatibility -- and it's free.

Sander van Vugt, a Linux expert and SearchDataCenter.com contributor, provides tips on how to properly install the program. Once it is installed, users configure the LDAP server to suit their needs and then start it. From there, adding information to the LDAP database should be simple. But even van Vugt had difficulty with OpenLDAP on Red Hat. He tweets, "struggled with OpenLDAP on Red Hat and got it working :-)"

As a directory server, OpenLDAP offers a very open way to store and retrieve data; however, OpenLDAP configuration is challenging and not user-friendly. One must create several lines of text files in a specific format, which is very user unfriendly, explained van Vugt, adding that "since Red Hat sells another Directory server, it is not in their best interest to make managing OpenLDAP too easy." He plans to share tips on how he got the LDAP product working on sandervanvugt.com.

Knowing which operating system users are running OpenLDAP on is necessary to understand the complexity of their installation or configuration. Linux users in general should not be experiencing problems with OpenLDAP configuration. But it seems Red Hat developers altered the OS in ways that negatively affected OpenLDAP use on its system. Even for Red Hat, whose aim is to convince customers to purchase its own directory server, a bad user experience on its OS is in no one's interest.

The issue actually lies in Red Hat's OpenLDAP support, or lack thereof, said Howard Chu, chief architect of OpenLDAP.

"[Red Hat] are routinely months to years behind on the releases they bundle, subjecting their users to bugs that were fixed long ago," Chu said. Red Hat makes things more difficult by requiring the use of the Mozilla Network Security Services library for transport layer security support, he added.

"This library is very old, which ought to mean that it is very stable, but unfortunately, it's the opposite," Chu said. "It is poorly implemented, based on a poor design and poorly supported."

Comments from the self-proclaimed tech geeks of the Twittersphere are also resoundingly negative about OpenLDAP, and LDAP in general.

@kalium: Seriously, OpenLDAP is the only service I've ever used where the very basic "set password -> use password" loop doesn't just work.
Kalium, hacker

This user also called OpenLDAP user-unfriendly. "It accepted what I put [in]. Then when I tried to administer it, it refused to accept my password," @kalium said.

But OpenLDAP is not the only program causing aggravation; users of other LDAP servers have taken to Twitter to express their frustrations with their first choice of implementation:

@eliankool: Finally decided: After 2 [years] of headache with #ApacheDS LDAP server, we will move to #OpenLDAP
Elian Kool, head of technology, @NetcentricEWE

When asked to elaborate on why it took two years to make the switch between the competing open-source directory servers, Elian Kool, head of technology at Netcentric, a Web content management service provider, said that Netcentric liked "the idea behind ApacheDS -- but it got corrupted multiple times (including the backup!)." Another issue? ApacheDS did not have the memberOf attribute. This attribute helps IT teams organize resources and keep track of their users; it is a way of tagging and sorting users in Active Directory. ApacheDS supports many different types of back ends based on need, which is why it is so appealing. But without the memberOf attribute, it left much to be desired for Kool.

Although Kool was not the only one with LDAP headaches, a lot of enterprises stick with what they know in technology. It is possible that this conservatism -- along with OpenLDAP configuration fears -- causes enterprises to wait years to make the switch or adopt the open-source directory server for the first time.

@vrutberg: I got 99 probl ... No wait, I've just got one problem and it's spelled LDAP.
Viktor Rutberg, Web development enthusiast

Rutberg is one of many LDAP users unsatisfied with the technology. He was trying to set up OpenLDAP on his Mac using Homebrew, a package manager that eases aggravations such as installing versions of software that aren't compatible with each other.

"I wanted to use simple auth but it kept spitting out Kerberos errors," Rutberg said.

Perhaps some of the negativity is because LDAP haters need to try something better than the free OpenLDAP product. Allen Wittenauer (@_a__w_) tweeted, "I wonder how many people who 'don't like LDAP' have only ever been exposed to OpenLDAP." Before you swear off LDAP because of errors and complicated configuration, test some other products and consider the benefits you're getting from LDAP integration.

@jwilhelmi: I wonder what the [audio-visual] AV industry would look like if LDAP became commonplace on all components and available in Active Directory as objects?
John Wilhelmi, security and IT service management consultant

The change would be positive, said John Wilhelmi, a Windows security and IT service management consultant. It would lead to more interaction between devices and IT, such as improving the understanding between real-time metadata in classrooms and the connectivity between IT systems and AV systems, he added.

An LDAP directory can be distributed across multiple servers, with each server periodically synchronized against a replicated copy of the complete directory. An LDAP server receives requests from the client and, when necessary, passes them on to other directory system agents, but it ensures the client gets a single coordinated response.


Wow, what a great advertisement for Active Directory Lightweight Directory Services, which is free. http://technet.microsoft.com/en-us/library/cc754361%28v=ws.10%29.aspx

It's crazy to think that people would spend the amount of effort described fooling around with Apache DS or OpenLDAP when AD/LDS is free, has a very large following, community, documentation, etc.

Jackson Shaw
Dell Software Group

I find it surprising that people would spend so much time trying to get ApacheDS or OpenLDAP to "work" when Active Directory Lightweight Directory Services (AD/LDS) is available free-of-charge. In addition, it is widely deployed and has broad community discussion forums for plenty of self-help. It's a fire-and-forget solution.

Unless, of course, this falls into the typical religious discussion of *nix versus Windows in which case I'd say people are being short-sighted.
"One must create several lines of text files in a specific format." Not user friendly? Welcome to Linux, folks, it's not all Ubuntu GUI (and hopefully never will be). It even corrupted the backup? Seriously?! Did someone just say Active Directory is free of charge? Sure, if you happen to have a Windows server and administrator handy. Until it runs on CentOS or Fedora, it isn't "free of charge" any more than Notepad is. That's like going to a bar that's "Free" after you pay a $10 entry donation.

We've been using OpenLDAP for 5+ years, even had it integrated with Kerberos. While it wasn't a cakewalk to set up, following many online tutorials made it fairly straightforward, even with our highly customized domain structure. Someone else took what I developed and updated it to strip out the Kerberos component and update to the latest release running on Ubuntu 12.04 LTS.

I was once charged with creating an Active Directory structure in an all-Linux network using Samba and OpenLDAP. It was a bear. Working at the command line didn't faze me, as I've been doing that for years. But navigating the arcana of the various config files which must be touched was, to say the least, challenging. Now, there are certain GUI tools that one can use, e.g. phpLDAPadmin. Unfortunately, they're just as arcane. Additionally, they have their own ways of creating objects which, in my case at least, didn't match up well with what I created manually. Did I eventually get my project to work? For the most part, yes. But I never had full confidence in it, and am not sure it was worth the pain.