LDAP Tools - Where are they?
fixe asks: "I have spent the last few months up to my eyeballs in LDAP. While I am still hopeful of what LDAP can bring to the table I am admittedly disappointed in the tools, support and documentation surrounding the standard. I have been successful at creating and populating an LDAP directory and even authenticating against it, however I cannot find decent replacements for useradd, userdel, usermod, passwd, etc. Nor have I found any decent LDAP editors or browsers (preferably console or web-based). I am hoping that the Slashdot crowd might be able to shed some light on the subject. Are there any LDAP veterans out there who can recommend any tools? What is the best way to maintain system account synchronization with an LDAP directory? Or perhaps, is there a more attractive alternative to LDAP?"
RIT (Score:1, Informative)
Check out Microsoft's tools (Score:3, Informative)
Also, check out gq , which is a pretty nice GTK+ based LDAP client. It's still very barebone, but it's better than the commandline tools for a lot of tasks.
I know what you mean. (Score:5, Informative)
http://www-unix.mcs.anl.gov/~gawor/ldap/
It is the best thing out there as far as I can tell.
Rick
Isn't Active Directory an LDAP implementation? (Score:3, Informative)
Slap me with a strongly worded post if I am incorrect, but isn't Active Directory an LDAP implementation?
Well check this out (Score:1, Informative)
LinPlanet [sourceforge.net]
my preferred LDAP browser (Score:5, Informative)
You would think that wrapping a gtk+ interface around ldapsearch would be a straightforward and no-brainer proposition, but you would apparently be wrong.
Windows tools (Score:3, Informative)
AD (Score:0, Informative)
Re:Check out Microsoft's tools (Score:5, Informative)
AFAIK, it supports LDAPv2, LDAPv3 and Active Directory. It supports almost all SASL mechanisms, even NTLM when necessary.
IBM LDAP Client (Score:4, Informative)
Not a big industry player? (Score:3, Informative)
My Favorite tools (Score:4, Informative)
Also, I REALLY like the java LDAP Browser for GUI use (available from http://www.iit.edu/~gawojar/ldap)
As far as account creation tools, there's some nice trends among the big user provisioning corporate grade systems (i.e. Access360) to manage accounts in LDAP.
I'd stay away from Active Directory since it doesn't follow all of the standards. eDirectory's only big annoyance is that its LDAP is actually a mapping on top of their old stuff, so sometimes that adds complexity. But for a long time they had the only multi-mastered replication setup. iPlanet now has that and MS/AD kinda does (but they have crappy granularity on their objects in case of collisions).
Anything but OpenLDAP (Score:5, Informative)
So, whatever you do, AVOID OpenLDAP.
Java based browser/editor (Score:2, Informative)
http://www.iit.edu/~gawojar/ldap/index.html
What about "Directory Administrator"? (Score:4, Informative)
My advice is to create two user hierarchies: one for administrative non-human accounts (e.g. root, mail, www) and one for real users. Same thing for groups. This way you can manage your real-user accounts with some kind of GUI frontend and even re-use the objects in an addressbook like Evolution Contacts without risking a security hole.
This has been a huge problem for us as well (Score:5, Informative)
Probably the most frustrating part is if you go on google and look for help, you see people mentioning that this works, but never any specifics. I assume you are just using pam_ldap to grab a password crypt from an LDAP server (which is as secure as giving everyone read permissions on your shadow file).
I think the best solution is to use an LDAP server to host all the user information that is normally in
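The comparison above between a world-readable userPassword attribute and a world-readable shadow file comes down to the server's access control. The check below is an added example, not code from the thread or from OpenLDAP: it parses the classic slapd.conf `access to ... by ...` syntax and reports any clause that lets `*`, `anonymous` or `users` read userPassword. Both sample configs are constructed for illustration; the hardened one grants `auth` (enough for a bind to succeed) and nothing more.

```python
"""Lint slapd.conf ACLs so password hashes are not readable by everyone.

Added example, not from the original thread. The two sample configs are
constructed; the privilege order follows slapd.access(5).
"""
import re

# OpenLDAP privilege levels, lowest to highest; 'read' and above expose the hash.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

WEAK_CONF = """\
# constructed sample: anyone who can bind anonymously can dump every hash
access to attrs=userPassword
        by self write
        by * read
access to *
        by * read
"""

HARDENED_CONF = """\
# constructed sample: owner may change it, binds may verify it, nobody reads it
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""


def parse_access(conf):
    """Return [(what, [(who, level), ...]), ...] for each 'access to' directive.

    Continuation lines starting with 'by' are joined to the preceding directive,
    so both the one-line and the indented multi-line forms are accepted."""
    directives = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to "):
            directives.append(line[len("access to "):])
        elif directives and line.startswith("by "):
            directives[-1] += " " + line
    parsed = []
    for text in directives:
        pieces = re.split(r"\s+by\s+", text)
        clauses = []
        for clause in pieces[1:]:
            tok = clause.split()            # e.g. ['*', 'read', 'stop']
            clauses.append((tok[0], tok[1] if len(tok) > 1 else "none"))
        parsed.append((pieces[0].strip(), clauses))
    return parsed


def covers_userpassword(what):
    """True if the selector matches userPassword: 'attrs=...' naming it, or the catch-all '*'."""
    if what == "*":
        return True
    m = re.search(r"attrs=(\S+)", what)
    return bool(m) and "userpassword" in [a.lower() for a in m.group(1).split(",")]


def password_exposure(conf):
    """Return the (who, level) clauses that let non-owners read userPassword.

    slapd uses the first directive whose selector matches, so only that one is
    consulted. With no matching directive, slapd's built-in default
    'access to * by * read' applies, and that is reported too."""
    for what, clauses in parse_access(conf):
        if not covers_userpassword(what):
            continue
        bad = []
        for who, level in clauses:
            if level.startswith("="):          # explicit privilege set such as =rscx
                readable = "r" in level
            else:
                readable = level in LEVELS and LEVELS.index(level) >= LEVELS.index("read")
            if who in ("*", "anonymous", "users") and readable:
                bad.append((who, level))
        return bad
    return [("*", "read (slapd default, no matching access directive)")]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", password_exposure(conf) or "ok")
```

Note that `users` is treated as just as bad as `anonymous`: if every authenticated account can read every hash, one compromised login yields the whole password database, which is exactly the shadow-file situation the post describes.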
ever hear of Freshmeat? (Score:1, Informative)
Some things you can use (Score:2, Informative)
If you want an all-in-one solution (Server & Gui to populate server), try the iPlanet Directory Server which is kind of free to use (downloadable at netscape.com) and has a really nice interface.
Another nice (non-free) thing is an LDAP-API for Visual Basic from SnarkSoft [snark-soft.com] which allows you to quickly write applications using data from your LDAP server. I know this isn't really a LDAP-solution, but it allows you to easily develop LDAP applications.
Openldap mailing lists (Score:1, Informative)
http://www.openldap.org/lists/
Personally I've used LDAPExplorer, a php based viewer/editor. It works OK, but is not without its flaws. (Supports php 4.06 only, no longer maintained, sessions are intermittent) Since it's GPL'd one could have some fun improving it.
I'm a river of knowledge to my people (Score:5, Informative)
Re:Uhh.... what's LDAP? (Score:2, Informative)
Acronym lookup dictionary for your reference:
http://www.ucc.ie/info/net/acronyms/acro.html
Re:Uhh.... what's LDAP? (Score:5, Informative)
LDAP was originally intended to be a more flexible and less resource intensive implementation of Directories (phone books are a good example but not the only one) à la the older X.500 protocol.
LDAP has been embraced by a lot of companies like Microsoft and Sun (my employer) as a core server technology to form the "glue" between distributed services.
One of the most common uses is to maintain remote password authentication databases. Similar in concept to RADIUS or NIS, but in a more standard implementation without all of the overhead.
For instance, Sun is moving its internal network to LDAP authentication (originally it was unconnected, later they used NIS, both older systems are still in use at Sun right now). It allows an employee to use the same password for many different resources on the internal network while having a single place to update that password.
Re:Uhh.... what's LDAP? (Score:2, Informative)
Lightweight Directory Access Protocol (v3)
This protocol is specifically targeted at management applications and browser applications that provide read/write interactive access to directories.
Re:Directories are dead in the water (Score:5, Informative)
And to answer the original question, eDirectory is the new name for Novell's NDS, a mature yet still evolving directory service that is fully LDAPv3 compliant. As it has been available for so long, there are MANY third-party tools and utilities available to manage it (such as Bindview or JRBUtils) in addition to Novell's own tools and utilities. Novell's eDirectory management utilities include import/export tools built in to ConsoleOne (an admittedly heavyweight Java-based management console) as well as BulkLoad, a command-line LDAP utility that uses LDIF files for command input. These utilities permit import/export of userids in LDIF format, as well as the migration of data between LDAP servers.
eDirectory is fully cross-platform, currently running on Netware, NT, 2000, Linux, Solaris, and Tru64 UNIX. It's been demonstrated at tradeshows with databases of up to one BILLION user accounts. Features of the latest version, 8.6, include persistent searches, dynamic groups, and live backup. The next release is expected to include UDDI, SOAP, and DSML 2.0 support.
Novell is practically giving eDirectory away at a list price of $2/user or less. They are actually giving it away for VARs and developers that wish to bundle eDirectory as the dedicated directory for their applications.
Oh, and if you wish to stay with open source options, look on Freshmeat.net for OpenLDAP - it includes a set of client utilities that should fit at least some of your requirements. Freshmeat should also have other LDAP clients, including browsers.
linux/unix LDAP user tools (Score:4, Informative)
[open-it.org]
directory_administrator which is a GNOME LDAP user admin tool (slick enough for use by a frontline helpdesk).
there are other LDAP GUI's, KDE has one. search freshmeat.
gq [biot.com] a general purpose LDAP GUI tool. quite slick, comes with RH7.x.
Also, note that with RH7, the 'passwd' tool uses pam and will hence automatically work with LDAP authentication. (presuming your LDAP server is configured correctly for write access).
finally, you'll probably want to develop your own scripts with template LDIF's for things like useradd, or find someone who's already done so. (i noticed there's a post on this thread providing a link to exactly that.) Note that for scripting, PADL's [padl.com] migration scripts are very informative. These are included with the OpenLDAP distribution.
Re:LDAP Admin Tools (Score:1, Informative)
http://freshmeat.net/projects/ldapexplorer/
It's a package in debian testing/unstable as well.
There's a gnome client called GQ LDAP Client which is a bit shaky, but works well once set up correctly.
A little shell/perl scripting should get you all the useradd tools you need. I've done just that for a simple ldap-backed postfix/courier pop/imap mail server.
I intend to extend the tools for use in an ldap-authenticated samba PDC as well giving a one-stop non-MS infrastructure.
mbf.
LDAP is quite useful where I am (Score:4, Informative)
If you're seeking some bonafide support options, you might confer with openldap.org, or better yet iPlanet's Directory Server. The latter would cost some money, but it is an option.
Novell's been "going out of business" for years... (Score:4, Informative)
The fact is there's a niche between small business (Microsoft products) and Fortune 100 (*Nix) where Novell's products reside quite comfortably.
And eDirectory is a full-featured LDAP implementation in its own right. Not to mention the free version [novell.com] for Linux! (Registration required).
Hey, whad'ya know, I see that
Here it is again in plain text for your cut'n'pasting pleasure:
https://download.novell.com/ICSLogin/?"http://d
Re:Not a big industry player? (Score:3, Informative)
Re:my preferred LDAP browser (Score:3, Informative)
For a command-line add/modify/delete utility, here's one I created:
http://pushan.integritysi.com/down/ldapuser [integritysi.com]
LDAP Admin Help (Score:5, Informative)
Let me rephrase that: the protocol is mature and useful, and the servers by and large are mature and useful, but the support tools stink, as a general rule. Since it sounds like you are mostly concerned with user administration, I will stick to just that, and let other people mention tools they've found useful.
If you are using Solaris, AIX or Macintosh, using LDAP for accounts is pretty trivial, since the OS supports it directly - you'll need to have the POSIX user schema loaded, and point the OS's naming service to LDAP instead of its local database. Win2K/XP kind of force you to use Active Directory, so you are also taken care of there. In all of these cases, accounts other than the system superuser will be in LDAP, and so therefore synchronization is not a problem.
useradd, userdel, usermod and passwd are all replaced by ldapmodify, or you can use the tools included with some servers (the iPlanet console being a good example of how to do this right). Right now, there doesn't seem to be any substitute for thoroughly learning ldapsearch and ldapmodify, Perl and Net::LDAP. You can use ldapsearch and ldapmodify for quick actions (adding, modifying or deleting a single user, or changing a password) and Perl and Net::LDAP for more complex operations (or for putting together a CGI for common functions like changing a user's password).
I find I end up writing built-to-purpose Perl tools just about everywhere I go. In some cases, this is because of differences in admin policy at different sites, or differences in schema. In others, the issue is more contractual (whomever is paying me gets ownership of the code I write, so I have to rewrite from a clean sheet at the next site).
The good news is, it is fairly quick and painless to write replacements for useradd, usermod, userdel and passwd which can be run from the command line or as a CGI, and you only have to write them once for your site, if you write them well in the first place.
-jeff
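Jeff's point that useradd, userdel and passwd collapse into ldapadd/ldapmodify, and the earlier suggestion of template LDIFs for useradd, both amount to generating LDIF and feeding it to the OpenLDAP command-line tools. The script below is an added example (not code from the thread, PADL or OpenLDAP) that does that for the posixAccount schema. The base DN `dc=example,dc=com` and the two OUs (`ou=People` for humans, `ou=System` for daemon accounts, following the two-hierarchies advice earlier in the thread) are assumptions for illustration. Passwords are emitted as salted SHA-1 (`{SSHA}`), which slapd verifies on bind, rather than cleartext, and LDIF values that cannot be written literally are base64-encoded with the `::` form.

```python
"""useradd / passwd / userdel replacements that emit LDIF for ldapadd and ldapmodify.

Added example, not from the original thread. BASE_DN, the OU layout and the
sample user are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=example,dc=com"          # assumed
PEOPLE_OU = "ou=People," + BASE_DN     # assumed: real users
SYSTEM_OU = "ou=System," + BASE_DN     # assumed: root/mail/www-style accounts


def ssha(password, salt=None):
    """RFC 2307 style {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What slapd does on bind: recompute the hash with the stored salt and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def ldif_line(attr, value):
    """One LDIF attribute line; RFC 2849 requires base64 ('::') for values that
    start with space, ':' or '<', end with space, or contain non-ASCII or newlines."""
    unsafe = (value[:1] in (" ", ":", "<") or value[-1:] == " "
              or not value.isascii() or "\n" in value or "\r" in value)
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def user_dn(uid, system=False):
    return "uid=%s,%s" % (uid, SYSTEM_OU if system else PEOPLE_OU)


def useradd_ldif(uid, uid_number, gid_number, cn, sn, password, system=False,
                 shell="/bin/sh", home=None, salt=None):
    """LDIF for 'ldapadd' (no changetype line) creating a posixAccount entry."""
    home = home or "/home/" + uid
    fields = [
        ("dn", user_dn(uid, system)),
        ("objectClass", "top"),
        ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", cn),
        ("sn", sn),
        ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)),
        ("homeDirectory", home),
        ("loginShell", shell),
        ("userPassword", ssha(password, salt)),
    ]
    return "\n".join(ldif_line(a, v) for a, v in fields) + "\n"


def passwd_ldif(uid, new_password, system=False, salt=None):
    """LDIF for 'ldapmodify' replacing userPassword (the passwd replacement)."""
    return "\n".join([
        ldif_line("dn", user_dn(uid, system)),
        "changetype: modify",
        "replace: userPassword",
        ldif_line("userPassword", ssha(new_password, salt)),
        "-",
    ]) + "\n"


def userdel_ldif(uid, system=False):
    """LDIF for 'ldapmodify' deleting the entry (the userdel replacement)."""
    return ldif_line("dn", user_dn(uid, system)) + "\nchangetype: delete\n"


if __name__ == "__main__":
    # constructed sample user; pipe the output into ldapadd / ldapmodify
    print(useradd_ldif("jdoe", 1001, 100, "John Doe", "Doe", "s3cret"))
    print(passwd_ldif("jdoe", "n3wpass"))
    print(userdel_ldif("www", system=True))
```

Feed the output to `ldapadd -x -Z -D "cn=admin,dc=example,dc=com" -W -f user.ldif` (or `ldapmodify` for the passwd and userdel forms); `-Z` requests StartTLS so the hash, and the admin bind password, do not cross the wire in the clear. The admin DN here is an assumption.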
Re:Isn't Active Directory an LDAP implementation? (Score:4, Informative)
To their credit, the Microsoft ADSI LDAP implementation is remarkably standards-compliant. I developed an app which authenticated users against OpenLDAP, and extended it to support ADSI as well with minimal effort (mostly involving generalization of assumptions about directory layout, rather than interface changes per se).
Just saw this on a mailing list: (Score:4, Informative)
Carillon Information Security Inc. would like to announce the release of KDirAdm version 0.1

K DIRectory ADMinistrator is a tool for use by Directory Administrators to manage their LDAP based directory. Using the K Desktop Environment (KDE) and OpenLDAP toolsets, this application currently has all of the basic functionality required to browse, add, and delete directory entries. As this is an initial BETA release, the capability to modify existing entries, as well as the ability to handle binary directory objects is currently missing. This is planned for the next release, along with improved password entry handling and possibly LDAP over SSL support.

KDirAdm is open source software released under the GNU Public License. As such we encourage anyone to help us in the development of this software. Specific jobs that need doing at the moment are improving the documentation, the artwork, and of course, any LDAP wizards that want to help out will be greatly appreciated.

The homepage for KDirAdm is at: http://www.carillonis.com/kdiradm where both source and Debian packages may be obtained.

Comments, suggestions, wishlist items and patches may be sent to ppatterson@carillonis.com
So, it's "pre-beta" but has that ever stopped a true free software geek before?
Novell has some pretty cool LDAP tools! (Score:2, Informative)
ConsoleOne is a graphical, cross platform GUI tool that allows you to do pretty much everything. Add, Delete, Create, Modify, Search, Extend the schema, etc.
There's also the ICE (Import, Convert, Export) tool which allows you to import, convert and export data from LDIF or other LDAP servers. ICE is available in a GUI and command line version.
eDirectory is also manageable through a browser, and if you use their DirXML product you can basically take any data from any system and expose it through LDAP.
Novell's eDirectory is redistributable for developers. If you do development work, check all their goodies at their development site [novell.com]. You'll find LDAP class libraries, tools etc.
The evaluation copy of eDirectory can be found here [novell.com] and includes the tools mentioned.
LDAP, Tools, Servers et al (Score:5, Informative)
from my own experience I can tell you that:
1 - The best available tools are definitely the command-line that come with most servers.
2 - OpenLDAP sucks big time in large scale environments. Its replication is anything but reliable
3 - GQ is a very, very nice browser for LDAP. But I wouldn't use it for administration.
4 - You can assemble a whole range of ISP services (mail, ftp, http, whatever) based on an LDAP tree. Even if you can't find a _insert favorite daemon here_ supporting LDAP, you can always use...
5 - PAM/NSS LDAP. It just rocks. If you configure it properly, anything using PAM/NSS will use/update your tree accordingly. This includes unix tools like "passwd", "useradd", or "finger", or services like QPopper and OpenSSH.
6 - The best way to automate some processes is to create our own tools. Net::LDAP is very easy to use, and does anything you can think of (in terms of LDAP ops)
A few tools (Score:4, Informative)
Object Identifiers
Re:This has been a huge problem for us as well (Score:2, Informative)
I've integrated myself several Windows, Linux and Solaris boxes under iPlanet Directory Server (which by the way, is free up to 200.000 directory entries).
The problem arises when you try to use Microsoft proprietary LDAP (aka Active Directory). Just throw Active Directory away. Download for free Solaris 8 for Intel, download the latest LDAP Directory Server for Solaris Intel from iPlanet home page, and you will get plenty of docs from within iPlanet's site, and even Sun site. You can even call your Sun SE and get him to find all the documentation needed to integrate a Windows, Linux, Solaris environment.
Realllllyyyyy ease!!
LDAP tools? Open Source tools are here! (Score:5, Informative)
As for management, we now host Directory Administrator, a great GTK front end to user management, I have also created a simple useradd program for creating users in ldap (its called addluser).
We are currently working on a new release of Directory Administrator with a new backend which will allow CLI, GUI, and Web clients to be built on it. Further, if you love WebObjects, Apple just released 5.1, which has a JNDI adaptor, allowing quick Web Apps to be built against LDAP directory servers using Java.
Is the documentation not up to snuff at Open-IT, then help out! We have some basic howtos, and I package pam_ldap, nss_ldap, openldap, and other great things to get you going.
Back to work...
Re:Active Directory (Score:2, Informative)
Ganymede, an LDAP manager / alternative (Score:5, Informative)
Well, I'll post a pointer to Ganymede [utexas.edu], which is not specifically for LDAP, but which could probably be useful in a lot of environments.
Ganymede is at once simpler than LDAP, in that it doesn't support the kind of hierarchical objects that LDAP and X.500 support, and in that it doesn't actually speak LDAP, and more complex, in that it has a sophisticated transactions model and can handle complex concurrent operations while maintaining namespace and referential integrity.
Ganymede is useful if you want to have a smallish (less than 50,000 users, say) 'flat' directory, but for which you want to allow detailed permission delegation and fine-grained concurrency. If you have a very large NIS domain and you want to allow scores of users and admins to be changing their passwords and account information concurrently, Ganymede will work wonders for you.
We actually use Ganymede for just about everything here, up to and including our DNS, although we don't have our DNS support code 'productized' yet. We do master our LDAP directory from Ganymede data, in order to support applications which can use an LDAP server for an address book (such as Outlook and Netscape Messenger). If you were to combine Ganymede with something like Thomas Reith's ldapdiff [rhoen.de] utility, you could combine Ganymede's sophisticated administration services with LDAP for distribution.
Re:Anything but OpenLDAP (Score:2, Informative)
We populate the directories live, but some complexities with our own record keeping requires a bulk reload weekly -- so the daemons are restarted at least once a week.
The Secret OpenLDAP Speed Boost (Score:3, Informative)
There is a poorly documented (gee, surprise surprise) option to add indexes (at least for the ldbm backend). Try putting
index cn,gn,sn,uid,objectclass,o,ou pres,eq,sub
in your database definition in SlapD. Note that you will need to rebuild the DB after that. I suggest exporting it to ldif (via 'ldbmcat -n > file.ldif' with slapd offline), delete the db, then reimport (via 'ldif2ldbm -i file.ldif') and restart slapd. You will notice a *SERIOUS* speed increase during search and a *SERIOUS* speed loss during the initial import. Unless you're doing tonnes of updates, you shouldn't have any speed issues with updating it, though.
Re:From a purely simplistic view, LDAP is pointles (Score:3, Informative)
Here is some information comparing LDAP and SQL from the OpenLDAP FAQ:
http://www.openldap.org/faq/data/cache/378.html
And here is some from an old usenet post. It's specifically talking about why Netscape's LDAP server uses it's own database instead of a RDBMS, but it has lots of good information about how directory services and RDBMS's differ and why one does not make a good substitute for the other.
http://groups.google.com/groups?q=ldap+comparis
Re:Anything but OpenLDAP (Score:5, Informative)
GQ is also worth a look (Score:3, Informative)
in that directory'
It comes as Red Hat's standard LDAP admin tool. Get it here [biot.com]. It's not as good be, but neither is directory administrator the last time I looked.
Re:Isn't Active Directory an LDAP implementation? (Score:2, Informative)
It's actually quite sane - and the problems we have had in developing with it have not been AD, it's been the unix client tools making assumptions about a functioning DNS (hint: it doesn't exist on MS networks).
But with a few config file tweaks it's perfectly practical to kinit to your AD KDC and use that for a secure authentication! (In the end Tridge rewrote our own mini implementation of the required pieces to work around the buggy SASL libs).
Andrew Bartlett,
Samba Team
LDAP Software (Score:2, Informative)
IRMA 0.8 http://irma.incubus.de/
IRM 1.3.3 http://irm.schoenefeld.org/
Document Manager http://www.rot13.org/~dpavlin/docman.html
The following software already takes advantage of LDAP:
Horde/IMP 2.0/3.0 http://www.horde.org
QMAIL http://www.qmail.org
Rolodap
A very good LDAP useradd, passwd change, etc. Java tool:
Java LDAP Browser V 2.8.2 http://www.iit.edu/~gawojar/ldap
http://www.mcs.anl.gov/~gawor/ldap
You can also use IRMA for user/group management. We initially started with IRM, but we are moving over to IRMA since it is very clean code and easy to extend.
We use Netscape Communicator 4.79 Roaming profiles so that users that move between Windows and *NIX can have their bookmarks, address book, etc. readily available. Don't use the mull.schema because it has a couple of errors. I will be posting the correct schema at http://www.igranite.com in a couple of weeks (the domain doesn't point anywhere at the moment) as well as more LDAP info. You may search IMP mailing lists for the latest schema I posted.
A project we would like to see started is LDAP Gina. I have no programming experience in Windows, so it would be great to have a community knowledgeable in both *NIX and Windows create an LDAP Gina. I found a NIS gina which could possibly be extended to LDAP?
As many corporate orgs are probably finding out, the GNU, GPL, and Linux community are producing high caliber software and solutions for corporate use. Linux is fast becoming the center of desktop use, already solidly beating back an attempt by Windows to break into the corporate *NIX environment. Having lost the server fight, no wonder why a MS memo ordered a clobbering of Linux.
Could you have ever changed the code like we did using commercial software / OSs? And we will be uploading our changes to the respective authors to make the software that much better.
Re:Isn't Active Directory an LDAP implementation? (Score:3, Informative)