Linux Software

LDAP Tools - Where are they? 350

fixe asks: "I have spent the last few months up to my eyeballs in LDAP. While I am still hopeful of what LDAP can bring to the table I am admittedly disappointed in the tools, support and documentation surrounding the standard. I have been successful at creating and populating an LDAP directory and even authenticating against it, however I cannot find decent replacements for useradd, userdel, usermod, passwd, etc. Nor have I found any decent LDAP editors or browsers (preferably console or web-based). I am hoping that the Slashdot crowd might be able to shed some light on the subject. Are there any LDAP veterans out there who can recommend any tools? What is the best way to maintain system account synchronization with an LDAP directory? Or perhaps, is there a more attractive alternative to LDAP?"
  • Active Directory (Score:3, Interesting)

    by flanker ( 12275 ) on Tuesday January 08, 2002 @01:38PM (#2804506)
    M$ is betting quite a bit on LDAP with AD, touting it as the number one reason for enterprises to move off of NT to 2000 server platforms. Unfortunately upgrading is such a complicated operation very few larger organizations are moving to it as fast as M$ would like. They have integrated all sorts of things into the standard directory service and it can be very confusing trying to figure out exactly what it is.

    FWIW, Novell's NDS has been the only enterprise-class directory service since the mid-90's and AD is a play into this arena.

    Of course, this is all moot since this is Slashdot and of course you aren't interested in technology from the Dark Empire (tm).
  • LDAP Admin Tools (Score:2, Interesting)

    by nvrrobx ( 71970 ) on Tuesday January 08, 2002 @01:39PM (#2804515) Homepage
    There are a few LDAP administrator projects listed on Freshmeat:

    http://freshmeat.net/projects/sldapa/
    http://freshmeat.net/projects/directoryadmin/
  • by TheViffer ( 128272 ) on Tuesday January 08, 2002 @01:43PM (#2804534)
    I use GQ [biot.com] for browsing around in an LDAP. It is a great start on a fully functional LDAP client tool, but still, many options still need to be implemented.
  • by Anonymous Coward on Tuesday January 08, 2002 @01:56PM (#2804625)
    If you can't find LDAP tools, you haven't been looking hard enough. Here (http://www.dbaseiv.net/code/cpu.phtml) [dbaseiv.net] is a tool for doing unix style user management with an LDAP directory. Here (http://www-unix-mcs.anl.gov/~gawor/ldap/index.html) [anl.gov] is a fully functional, really awesome ldap browser that I have used extensively. These are just a tiny sample of all the software for directly working with an LDAP directory. Check the OpenLDAP and IETF lists for more tools, OpenLDAP comes with quite a few as well.
    If you have paid careful attention, you will notice that LDAP support has crept into hundreds and hundreds (if not thousands) of applications over the last year. The APIs for doing LDAP programming yourself are also extremely well developed imho. You have options for C, PERL, C++, Python and a slew of other programming languages. Search Freshmeat or Sourceforge for LDAP and see what you come up with, I think you'll be surprised.
    I don't think LDAP is dead, I think it's one of those protocols like TCP that just sneaks up on you with its usefulness :)
  • The ultimate tool. (Score:4, Interesting)

    by Anonymous Coward on Tuesday January 08, 2002 @02:00PM (#2804648)
    Use Console One. It lets you manage your LDAP directory and a whole lot more. Imagine managing users, resources, printers, servers, EVEN files, all from a single Java based tool.

    That's right you can do all this and a whole lot more, using Novell Netware. Even if you don't use Netware, eDirectory (included in Netware or sold separately) allows a lot of these functions from within the Java based Console One. It runs on almost any platform, available today. It even has additional modules that allow things like single signon and more. That's right, all the advantages of .NET without the bugs and security risks. And, the best part, is it has been shipping for quite a while now, unlike certain other vaporware products.

    Even if it isn't free, for enterprise use, it is down right cheap!
  • by Drake42 ( 4074 ) on Tuesday January 08, 2002 @02:00PM (#2804656) Homepage
    I understand that LDAP is supposed to be used for all kinds of great contact / location / description information, but how is it used in reality? It is used as a really difficult to use properties file. Judging the way most people use LDAP that I've seen, they would have been better off with a sql database. At least with SQL the queries are readable. (o=, c=, wtf= is a pain).

    The way I feel about it is that the LDAP 'problem' does exist and is solvable, but the right protocol/implementation does not yet exist. Until something much more friendly and useful comes along, I am firmly off the LDAP bandwagon.

    So if you're looking for a good tool to solve your LDAP problems, I suggest Oracle, PostgreSQL or MySQL. :]
  • by whynot ( 29314 ) on Tuesday January 08, 2002 @02:23PM (#2804762)
    Some advice for rebuilding your LDAP-DB: Rebuild your directory on a RAMDISK, speeds things up by factor 5 for us. We are rebuilding our db on a daily basis. It has about 300k entries and is 500MB in size and takes less than 60min to rebuild.

    OpenLDAP dies a lot over here too. Replication works quite well for us, the only "problem" is that slurpd opens lots of processes for every replication target - our main ldap-machine is running about 750 processes at all times.

    Don't even dare to try any 2.XX version of openldap - they have a lot of features you probably don't need and are even more buggy.
  • Re:Active Directory (Score:3, Interesting)

    by a9db0 ( 31053 ) on Tuesday January 08, 2002 @02:37PM (#2804856)
    I've used NDS extensively in a couple of organizations and found it to be reasonably flexible and as reliable as a dead cat. NDS handles thousands of users, replicates across hundreds of servers, and has given me no grief. It's solid. It's reliable. It just doesn't have the mind-share it deserves.
  • by sheldon ( 2322 ) on Tuesday January 08, 2002 @02:39PM (#2804879)
    Hmm, it's pretty easy to add fields to the Active Directory schema. There are also AD editing tools that will let you modify them at low level.

    Failing that, AD/LDAP is pretty easy to script using ADSI interfaces.

    I've never done what you are looking at, but it doesn't seem like it should be that difficult.
  • by martinde ( 137088 ) on Tuesday January 08, 2002 @02:56PM (#2805010) Homepage
    Have you seen this [bayour.com]?
  • Re:Life beyond LDAP (Score:4, Interesting)

    by mabatche ( 304481 ) on Tuesday January 08, 2002 @03:02PM (#2805044) Homepage
    We are actually using a product from Novell called DirXML to do exactly this. We are syncing RACF/Notes/NDS/(soon NT Domains) and peoplesoft with our "meta directory" (It's actually just NDS but we call it a meta directory). We are pretty early on in the project, but so far things are looking good.
  • by kelzer ( 83087 ) on Tuesday January 08, 2002 @03:02PM (#2805046) Homepage
    Go to the CNN website [cnn.com] and scroll down to the bottom of the page. Look over to the right. CNN uses eDirectory to track the stories you read, and then serve you custom content (and advertising) based on your apparent interests.
  • Fun with LDAP (Score:3, Interesting)

    by uberchang ( 239765 ) on Tuesday January 08, 2002 @03:04PM (#2805061) Homepage
    Softerra's LDAP Administrator [ldapadministrator.com] is pretty good, and they have a freeware version called LDAP Browser. The LDAP Browser/Editor [iit.edu] is nice also.

    If you are using LDAP as your addressbook, ldap-abook [freshmeat.net] is a nice interface to add/delete/modify entries. Most email clients are LDAP-aware these days and it's convenient to be able to share an address book between my personal and work email accounts.

    I've had to roll my own to do system accounts, however. Make ldapmodify your new best friend, or write an interface of your own - there is a lot of support for Perl or PHP LDAP functions out there. Server-side, I've used OpenLDAP [openldap.org] and iPlanet's Directory Server [iplanet.com], and I prefer iPlanet. iPlanet has a free non-commercial license option, is significantly faster than OpenLDAP, and has hooks to synchronize with an NT or Active Directory domain so you could do all the user administration in Windows and they would propagate over to your LDAP server.

    Other fun things you can do with LDAP are:

    Handle Unix authentication through pam_ldap [padl.com]
    Hook into NIS with the NIS/LDAP gateway [padl.com]
    Authenticate through apache with mod_auth_ldap [nona.net] or auth_ldap [rudedog.org] or Netegrity [netegrity.com]
    Centralize your smtp routing data in LDAP for sendmail

    Good luck.
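The "roll your own" route for system accounts from the comment above, as an added example that is not code from the thread: it builds the LDIF change record that `ldapmodify` would load for a new `posixAccount`, hashing the password as `{SSHA}` and base64-encoding any value that is not LDIF-safe, so a newline in a name field cannot add attributes of its own. The base DN, the `account` structural class, the minimum UID, the home directory and shell defaults, and all function names are assumptions.

```python
import base64, hashlib, hmac, os, re

BASE_DN = "ou=People,dc=example,dc=com"   # assumed layout, not from the thread
MIN_UID = 1000                             # assumed start of the non-system UID range
_LOGIN = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
# RFC 2849 SAFE-STRING: anything outside it must be written as base64 ("attr:: ...")
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ssha(password, salt=None):
    """Hash a password in the salted-SHA1 {SSHA} userPassword format."""
    # {SSHA} is the classic scheme; use a stronger one if the server offers it.
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(password, stored):
    """Verify a password against an {SSHA} value, comparing in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def ldif_line(attr, value):
    """Emit one LDIF line; unsafe values (newlines, non-ASCII) go out as base64."""
    if value == "" or (_SAFE.fullmatch(value) and not value.endswith(" ")):
        return f"{attr}: {value}"
    return f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def useradd_ldif(login, uid_number, gid_number, full_name, password):
    """Build the LDIF change record for one posixAccount entry."""
    if not _LOGIN.fullmatch(login):        # also keeps the DN free of ',', '=', '+'
        raise ValueError(f"invalid login name: {login!r}")
    if uid_number < MIN_UID:
        raise ValueError("refusing a UID in the system range")
    attrs = [("dn", f"uid={login},{BASE_DN}"), ("changetype", "add"),
             ("objectClass", "account"), ("objectClass", "posixAccount"),
             ("uid", login), ("cn", full_name),
             ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
             ("homeDirectory", f"/home/{login}"), ("loginShell", "/bin/sh"),
             ("userPassword", ssha(password))]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"

if __name__ == "__main__":
    # Constructed sample input; the output is what would be fed to ldapmodify.
    print(useradd_ldif("alice", 1001, 1001, "Alice Example", "correct horse"), end="")
```
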
  • by Spoing ( 152917 ) on Tuesday January 08, 2002 @03:07PM (#2805077) Homepage
    Webmin, my favorite tool, has an LDAP module. It looks basic, so I don't know if it would be appropriate.

    Links: Webmin & Freshmeat page for LDAP module (LDAP module site is in French but easy to grok);

    1. http://www.webmin.com/webmin
    2. http://freshmeat.net/projects/ldap_module

  • by szpak ( 125797 ) on Tuesday January 08, 2002 @04:34PM (#2805625)
    AIM is powered by eDirectory... which means AOL is using it.

    With some imagination as well as use of eDirectory (which has been demonstrated publicly to scale to 1 billion users, and in-house at Novell to 3 billion) AOL/Time-Warner, or perhaps the Liberty Alliance, could provide a credible alternative to Microsoft/.NET/Passport.
  • JDBC driver for LDAP (Score:2, Interesting)

    by eGuy ( 545520 ) on Tuesday January 08, 2002 @06:13PM (#2806431) Homepage
    Novell has a JDBC driver for LDAP. It maps SQL statements to LDAP (at least those it can. Those it can't map directly to LDAP it does its own joining of the data). It's a free download available at developer.novell.com/ndk/ldapjdbc.htm. It's also 'works with LDAP 2000' certified. (From the OpenGroup) This means it should work with any LDAP compliant directory. It's useful if you have normal reporting tools that use JDBC drivers. For example StarOffice can import data from JDBC drivers with a nice GUI - This way you don't have to know about the LDAP syntaxes or anything about LDAP except that it's a Data Base. They also have an ODBC driver that only works with eDirectory (NDS). Hope that helps.
  • by sheldon ( 2322 ) on Tuesday January 08, 2002 @06:52PM (#2806669)
    Haha. No I'm saying that the LDAP default install in AD lacking certain fields doesn't appear to be a challenge because they can be easily added.
