Ask HN: Which LDAP server doesn't require a degree to run?

17 points by majewsky ↗ HN
I have a bunch of services on my private servers that all support LDAP-based authentication, so I would like to deploy a suitable server for SSO. The only serious option seems to be OpenLDAP, which seems to consider itself a rather generic database that just happens to be used primarily for authentication. And even if I eventually get through the initial setup, that just gives me the directory service. I still would have to deploy something else to give the users a frontend for changing their password etc.

Can you recommend something simpler than that? Requirements:

- deployment on Linux server

- schema defines at least user accounts with passwords, and groups where users can be a member

- self-service web GUI for users: to review group membership and change passwords

- should not require a bazillion components (e.g. I ruled out Authelia after reading it wants an LDAP server and a Redis and a MongoDB)

This is not about an enterprise deployment with SLAs or anything. Just a dozen users and a handful of groups.

14 comments

[ 2.7 ms ] story [ 47.5 ms ] thread
Active Directory.

I’ve implemented LDAP with most of the available options. I wanted to hang myself with just about every option except AD.

Fortunately, I think we are in or near a post-LDAP world.

> Active Directory.

Running Windows Server for the purposes of just AD is ridiculous IMO.

> I wanted to hang myself with just about every option except AD.

I've worked with (then) Novell eDir, OpenLDAP and a little with AD. I found OpenLDAP to be by far the nicest to use.

The moral of this story is: anecdotal evidence is anecdotal.

> Fortunately, I think we are in or near a post-LDAP world.

That's not a good thing.

SAMBA 4 AD is a valid alternative if your requirements are relatively simple. You still need a third party product (or build one) to provide a web interface if you need that.
But OP doesn't need AD semantics: he wants centralised auth for a bunch of apps hosted on linux.

This is ridiculously simple with OpenLDAP. The only part that's 'missing' is a self-service web UI.

> Running Windows Server for the purposes of just AD is ridiculous IMO.

I disagree. The pain of running Windows Server is outweighed by the excellence, stability, effortless scalability, and programmability of AD.

> I found OpenLDAP to be by far the nicest to use.

I've implemented all the same (and others such as Netscape/Sun Directory Server). I strongly disagree. Hell, I even come from a UNIX/C background.

> The moral of this story is: anecdotal evidence is anecdotal.

Pot. Kettle.

> That's not a good thing.

I guess we'll just have to agree to disagree across the board, then. Although I am well used to it now, I find LDAP programming is obtuse and thoroughly not a good setup for modern networks and APIs. There are much better, more naturally scalable ways to do things.

Lightweight Directory Access Protocol is anything but lightweight.

> Pot. Kettle.

That was my point. You have one view I have another.

> Fortunately, I think we are in or near a post-LDAP world.

I want to learn. What technologies does replace LDAP in enterprise environments?

You're seeing services like Azure Active Directory and "Directory-as-a-Service" options like JumpCloud come up.

And while they may or may not totally replace AD for every org today, they will get there sooner than later.

This is probably not what you’re looking for but I just want to mention that you could implement a server supporting just what you need using ldapjs (http://ldapjs.org/) and then create a custom web front end for it.
Along these lines, does anyone have any good references for the best way to setup an authentication architecture for a product that is both multi-tenant SaaS and installed on premises? (Think GitHub + GitHub enterprise).

Would it be a good idea to use LDAP even internally (on the equivalent of GitHub.com) so that implementing on-prem is just a matter of swapping a config value? Or would it be better to maintain your own auth system in a relational database and sync it with LDAP if necessary?

FreeIPA.

It supports a lot of features, has a lot of documentation backed by Red Hat, and a fantastic mailing list that helps usually within hours. It also can create a 2-way trust with active directory if that is also desired. It has integration with multi-factor authentication too if desired.

I've been running a several hundred user development environment with dozens of LDAP authenticated services, for about 4 years now. It has been great, the web UI works really nicely, and it has active development.

I recommend it without hesitation.

If you want further information, email anthonyclarka2 a.t. gmail.

I feel your pain. I had to deal with this for our dev environment and its ridiculous how complicated it is to setup openldap. The creators are masochists as far as I'm concerned. No sane person would look at the esoteric syntax and directory layout and say "this is useful and straightforward". Not to mention the fact, and I kid you not, a trailing whitespace on a configuration line breaks everything.