IT pros suffer OpenLDAP configuration headaches

Between the frustrations of installing OpenLDAP and annoyances with configuration problems, some IT pros are questioning its merit.

As a free alternative to Active Directory, OpenLDAP is a directory server that would be great if it weren't so hard to install, configure and use, say IT pros.

OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP), the standard for accessing directory services, and can be configured to serve directory data and run code. OpenLDAP runs on Linux servers, offers extensive software support and future compatibility -- and it's free.

Sander van Vugt, a Linux expert and contributor, provides tips on how to properly install the program. Once installed, users configure the server to suit their needs and then run it. From there, adding information to the LDAP database should be simple. But even van Vugt had difficulty with OpenLDAP on Red Hat. He tweets, "struggled with OpenLDAP on Red Hat and got it working :-)"

As a directory server, OpenLDAP is a very open way to acquire data; however, OpenLDAP configuration is challenging and not user-friendly. One must write several lines of configuration in text files in a specific format, which is very user-unfriendly, explained van Vugt, adding that "since Red Hat sells another Directory server, it is not in their best interest to make managing OpenLDAP too easy." He plans to share tips on how he got the LDAP product working on

Knowing which operating system users are running OpenLDAP on is necessary to understand the complexity of their installation or configuration. Linux users should not be experiencing problems with OpenLDAP configuration. But it seems Red Hat developers altered the OS in ways that negatively affected OpenLDAP use on its system. Even at Red Hat, where the aim is to convince customers to purchase its own directory, no one wants a bad user experience on their OS.

The issue actually lies in Red Hat's OpenLDAP support, or lack thereof, said Howard Chu, chief architect of OpenLDAP.

"[Red Hat] are routinely months to years behind on the releases they bundle, subjecting their users to bugs that were fixed long ago," Chu said. Red Hat makes things more difficult by requiring the use of the Mozilla Network Security Services library for transport layer security support, he added.

"This library is very old, which ought to mean that it is very stable, but unfortunately, it's the opposite," Chu said. "It is poorly implemented, based on a poor design and poorly supported."

Comments from the self-proclaimed tech geeks of the Twittersphere are also resoundingly negative about OpenLDAP, and LDAP in general.

@kalium: Seriously, OpenLDAP is the only service I've ever used where the very basic "set password -> use password" loop doesn't just work.
Kalium, hacker

This user also called OpenLDAP user-unfriendly. "It accepted what I put [in]. Then when I tried to administer it, it refused to accept my password," @kalium said.

But OpenLDAP is not the only program causing aggravation; other LDAP users have taken to Twitter to express their frustrations with the LDAP server they first chose:

@eliankool: Finally decided: After 2 [years] of headache with #ApacheDS LDAP server, we will move to #OpenLDAP
Elian Kool, head of technology, @NetcentricEWE

When asked to elaborate on why it took two years to make the switch between the competing open-source directory servers, Elian Kool, head of technology at Netcentric, a Web content management service provider, said that Netcentric liked "the idea behind ApacheDS -- but it got corrupted multiple times (including the backup!)." Another issue? ApacheDS did not have the memberOf attribute feature. This feature helps IT teams organize resources and keep track of their users; it is a way of tagging and sorting users in Active Directory. ApacheDS supports many different types of back ends based on need, which is why it is so appealing. But without the memberOf element, it left much to be desired for Kool.
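Two points above are easier to see in code than in prose: the "text files in a specific format" that OpenLDAP administration revolves around (LDIF), and what the memberOf feature actually computes. The example below is added here and is not code from the article, from OpenLDAP or from any of the people quoted. It parses a small, constructed LDIF fragment (the entry names and DNs are invented) and then derives the memberOf value for each user the way OpenLDAP's memberof overlay does: by reversing the group's forward `member` references. It also reports dangling references, members that point at no existing entry, which is the case an administrator most often needs to decide how to handle. DN normalization here is a simplification (lowercase and strip whitespace around commas); real LDAP comparison depends on each attribute's matching rule.

```python
import base64
import re
from collections import defaultdict

# Constructed sample LDIF for the example; not taken from any real directory.
# It deliberately exercises three LDIF features: a folded continuation line
# (leading single space), a base64 value ("::"), and DNs written with
# differing case and whitespace.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
description: Platform engineering
  team

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn:: Qm9iIEV4YW1wbGU=
sn: Example

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: uid=alice,ou=people,dc=example,dc=com
member: UID=bob, ou=people,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

# attribute name, then ":" (plain) or "::" (base64), optional space, value.
# The ":<" URL form of LDIF is intentionally not supported here.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(:{1,2}) ?(.*)$")


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, and that single space is dropped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into a list of {"dn": str, "attrs": {name: [values]}}.
    Attribute names are lowercased because LDAP attribute types are case-insensitive."""
    entries = []
    current = None
    for line in _unfold(text) + [""]:  # trailing sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            if current is not None:
                raise ValueError("dn line inside an open record (missing blank line?)")
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is None:
            raise ValueError(f"attribute {name!r} appears before any dn")
        else:
            current["attrs"][name].append(value)
    return entries


def normalize_dn(dn):
    """Simplified DN normalization for comparison (assumption: caseIgnore matching
    on every RDN, which holds for cn/uid/ou/dc but not for every attribute type)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def compute_member_of(entries):
    """Reverse the group -> member relation, which is what a memberOf attribute stores.
    Returns (member_of, dangling): member_of maps each member DN to its sorted group DNs;
    dangling lists (group, member) pairs whose member DN matches no entry in the input."""
    known = {normalize_dn(e["dn"]) for e in entries}
    member_of = defaultdict(set)
    dangling = []
    for e in entries:
        classes = {v.lower() for v in e["attrs"].get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        gdn = normalize_dn(e["dn"])
        for m in e["attrs"].get("member", []):
            mdn = normalize_dn(m)
            if mdn not in known:
                dangling.append((gdn, mdn))
            member_of[mdn].add(gdn)
    return {dn: sorted(groups) for dn, groups in member_of.items()}, dangling


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    groups_by_member, missing = compute_member_of(parsed)
    for dn, groups in groups_by_member.items():
        print(dn, "->", groups)
    for group, member in missing:
        print("dangling:", group, "references", member)
```

Running the block prints alice as a member of both groups, bob of developers only, and flags the `uid=carol` reference as dangling. Whether such a reference should be rejected, silently ignored or removed from the group is a policy choice; OpenLDAP's memberof overlay exposes that choice as its dangling-reference setting, and the script's `dangling` list is the place to apply whichever rule a site adopts before loading the LDIF.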

Although Kool was not the only one with LDAP headaches, a lot of enterprises stick with what they know in technology. It is possible that this conservatism -- along with OpenLDAP configuration fears -- causes enterprises to wait years to make the switch or adopt the open-source directory server for the first time.

@vrutberg: I got 99 probl ... No wait, I've just got one problem and it's spelled LDAP.
Viktor Rutberg, Web development enthusiast

Rutberg is one of many LDAP customers unsatisfied with the technology. He was trying to set up OpenLDAP on his Mac using Homebrew, a package manager that eases aggravations such as having versions of software that aren't compatible with each other.

"I wanted to use simple auth but it kept spitting out Kerberos errors," Rutberg said.

Perhaps some of the negativity is because LDAP haters need to try something better than the free OpenLDAP product. Allen Wittenauer (@_a__w_) tweeted, "I wonder how many people who 'don't like LDAP' have only ever been exposed to OpenLDAP." Before you swear off LDAP because of errors and complicated configuration, test some other products and consider the benefits you're getting from LDAP integration.

@jwilhelmi: I wonder what the audio-visual (AV) industry would look like if LDAP became commonplace on all components and available in Active Directory as objects?
John Wilhelmi, security and IT service management consultant

The change would be positive, said John Wilhelmi, a Windows security and IT service management consultant. It would lead to more interaction between devices and IT, such as improving the understanding between real-time metadata in classrooms and the connectivity between IT systems and AV systems, he added.

An LDAP directory can be distributed across multiple servers, with each server periodically synchronized to a replicated copy of the full directory. LDAP servers receive requests from the user and pass them to other directory system agents when necessary, but return a single coordinated response to the user.
