Catch up on stories from the past week (and beyond) at the Slashdot story archive

 


Forgot your password?
Close
typodupeerror
×
Linux Software

LDAP Tools - Where are they? 350

Posted by Cliff from the an-empty-toolbox-is-useless dept.
fixe asks: "I have spent the last few months up to my eyeballs in LDAP. While I am still hopeful of what LDAP can bring to the table I am admittedly disappointed in the tools, support and documentation surrounding the standard. I have been successful at creating and populating an LDAP directory and even authenticating against it, however I cannot find decent replacements for useradd, userdel, usermod, passwd, etc. Nor have I found any decent LDAP editors or browsers (preferably console or web-based). I am hoping that the Slashdot crowd might be able to shed some light on the subject. Are there any LDAP veterans out there who can reccommend any tools? What is the best way to maintain system account synchronization with an LDAP directory? Or perhaps, is there a more attractive alternative to LDAP?"
This discussion has been archived. No new comments can be posted.

LDAP Tools - Where are they? More

LDAP Tools - Where are they?

Comments Filter:

  • Check out Microsoft's tools (Score:3, Informative)

    by fawadhalim ( 83939 ) on Tuesday January 08, 2002 @01:31PM (#2804457)
    I know I'll get flamed like hell for writing this, but I suggest that you check out Microsoft's LDAP tools. I'm not sure about their interoperability with slapd etc, but they play along amazingly with Microsoft LDAP server.

    Also, check out gq , which is a pretty nice GTK+ based LDAP client. It's still very barebone, but it's better than the commandline tools for a lot of tasks.

  • I know what you mean. (Score:5, Informative)

    by Rick_Clark ( 21676 ) <rclarkNO@SPAMlinuxiso.org> on Tuesday January 08, 2002 @01:32PM (#2804461) Homepage
    I had to roll most of my own admin scripts. There is a great java based browser/editor though.

    http://www-unix.mcs.anl.gov/~gawor/ldap/

    It is the best thing out there as far as I can tell.

    Rick

  • my preferred LDAP browser (Score:5, Informative)

    by Doktor Memory ( 237313 ) on Tuesday January 08, 2002 @01:34PM (#2804472) Journal
    Unfortunatly, the best LDAP browser/editor I've found so far is neither web- nor console-based, but is a Windows program. LDAPBrowser 2.0, from the nice folks at Softerra [ldapadministrator.com], has been invaluable in helping me figure out how to make a bunch of openldap-based client programs talk to an MS Active Directory LDAP server. It's free-as-in-beer, and they have a number of other cool ldap toys available as well.

    You would think that wrapping a gtk+ interface around ldapsearch would be a straightforward and no-brainer proposition, but you would apparently be wrong.
    • For a gtk+ GUI LDAP brwoser, gq (http://biot.com/gq/ [biot.com]) would probably be what you want.

      For a command-line add/modify/delete utility, here's one I created:

      http://pushan.integritysi.com/down/ldapuser [integritysi.com]

    • I definately agree with this: i've tested LDAPBrowser (and a beta-version of LDAPAdministrator) on several different LDAP machines, including:
      • Netscape Directory Server 4.1x
      • iPlanet Directory Server 5.0
      • OpenLDAP
      • Microsoft SiteServer Commerce Edition 3

      Only the last one had some issues, but unfortunately I wasn't able to help the kind Softerra people (who were very responsive during the beta-test) out with it because I've changed jobs since.

      For those wanting to administrate an LDAP server (eg: adding/removing/editting entries), I would definately advise LDAPAdministrator

  • Windos tools (Score:3, Informative)

    by alen ( 225700 ) on Tuesday January 08, 2002 @01:36PM (#2804486)
    I'm in the process of helping deploy active directory. MS Windows comes with some LDAP tools that aren't too bad. I'm still in the learning stage so I can't frame a good opinion, but first impressions are OK. But like everything Windows if you want to get into the guts of the OS you'll have to dig around for the info. MS prefers you use their MMC based admin tools which don't give you much control.

  • IBM LDAP Client (Score:4, Informative)

    by dgenr8 ( 9462 ) on Tuesday January 08, 2002 @01:38PM (#2804504) Journal
    Go looking for the IBM SecureWay Directory Management Tool (DMT). It's a Java LDAP client that lets you edit the directory manually.

  • LDAP Admin Tools (Score:2, Interesting)

    by nvrrobx ( 71970 )
    There are a few LDAP administrator projects listed on Freshmeat:

    http://freshmeat.net/projects/sldapa/
    http://freshmeat.net/projects/directoryadmin/

  • JAVA LDAP BROWSER (Score:2, Redundant)

    by Wolfier ( 94144 )
    Is what we are using.

    To get it:

    Go to google, search for "ldap browser" and click "I'm feeling lucky".

    Enjoy.

  • My Favorite tools (Score:4, Informative)

    by Daeslin ( 95666 ) on Tuesday January 08, 2002 @01:41PM (#2804523) Homepage
    Of course, the standard commandline classics (ldapsearch, ldapmodify, etc.) that come with any of the major vendors stuff (Netscape's SDK, Novell's eDirectory).

    Also, I REALLY like the java LDAP Browser for GUI use (available from http://www.iit.edu/~gawojar/ldap)

    As far as account creation tools, there's some nice trends among the big user provisioning corporate grade systems (i.e. Access360) to manage accounts in LDAP.

    I'd stay away from Active Directory since it doesn't follow all of the standards. eDirectory's only big annoyance is that it's LDAP is actually a mapping on top of their old stuff, so sometimes that adds complexity. But for a long time they had the only multi-mastered replication setup. iPlanent now has that and MS/AD kinda does (but they have crappy granularity on their objects in case of collisions).

  • libnss-ldap (Score:4, Offtopic)

    by coyote-san ( 38515 ) on Tuesday January 08, 2002 @01:41PM (#2804526)
    Have you looked at libnss-ldap? Install that, set up your /etc/nsswitch.conf file to refer to ldap in addition to your other resources, and all well-behaved programs (re: that use the NSS routines in glibc instead of attempting to modify /etc/whatever directly) should update the LDAP records.

  • Anything but OpenLDAP (Score:5, Informative)

    by Pegasus ( 13291 ) on Tuesday January 08, 2002 @01:42PM (#2804531) Homepage
    I dont know about commercial LDAP offers, but openldap led me to the conclusion to NOT use ldap anywhere. I still have it installed in three locations and am actively working in porting it to mysql or unix flatfiles, because it's so unreliable. nss library from padl.com for some reason doesnt always closes its connections, so you hit 1024 file descriptors limit within a week or so. yes, you can compile with -DFD_SETSIZE, but this only gives you more time until restart is needed. Second, replication never worked reliably, so trying to avoid fd problem with more replicas only casued more pain and sleepless nights rebuilding and reindexing databases (125k user entries, it takes 7 hours on 4way xeon). And if only the slapd itself would work! It stops responding every now and then, for no reason. OK, i can catch these with a trivial script ... but recently, i got more and more examples where connection is accepted, but result never comes ... so ldapsearch just sits there without answer, huh. I've also seen examples where some slapd threads would occupy one or more cpu in the box, slowing things down noticeably.

    So, whatever you do, AVOID OpenLDAP.
    • Hmm... we've got OpenLDAP in some test systems, and we haven't seen anything like that (but it's not under any load either).

      Are there any other free (in either sense) LDAP servers, though? All the others appear to be closed and/or $$$.

    • Re:Anything but OpenLDAP (Score:3, Interesting)

      by whynot ( 29314 )
      Some advice for rebuilding your LDAP-DB: Rebuild your directory on a RAMDISK, speeds things up by factor 5 for us. We are rebuilding our db on a daily basis. It has about 300k entrys and is 500MB in size and takes less than 60min to rebuild.

      OpenLDAP dies a lot over here too. Replication works quite well for us, the only "problem" ist that slurd opens lots of processes for every replication target - our main ldap-machine is running about 750 processes at all times.

      Don't even dare to try any 2.XX version of openldap - they have a lot of features you probably don't need and are even more buggy.

    • Re:Anything but OpenLDAP (Score:4, Insightful)

      by sheldon ( 2322 ) on Tuesday January 08, 2002 @02:42PM (#2804904)
      Ahh, and so goes the struggle of Open Source.

      It all works fine on someone's home machine, because it's never under any load. Try to put it into a moderate production environment, though, and it all falls down go boom.

      I used to hear similar comments about open source NIS implementations 3-4 years back.

      So you either start load testing it yourself, understand why it's broken and fix it. Or go with a commercial product that has already been through this process.
      • So you either start load testing it yourself, understand why it's broken and fix it. Or go with a commercial product that has already been through this process.


        A Samba server that I installed for a client has an uptime of around 500 days - it has never crashed. The reason I installed Samba: the NT server it replaced would crash about once a week.

        It looks like the open source Samba is better than the comercial NT.

        There are other examples:

        OpenSSH has less secutity holes than SSH
        IPF is better than XP's 'firewall'
        LaTex is better than.. well anything
        MIT Kerberos is better than MS Kerberos

        So your blanket statment that comercial is nesessarly better than OpenSource is false. Enjoy.

    • Re:Anything but OpenLDAP (Score:2, Informative)

      by Anonymous Coward
      We at the University of Texas have been using OpenLDAP for years and are very pleased. We're running 1.X for a 70K entries public white pages service that handles ~100K queries a day without a hickup. There are a number of other private 1.X services ~100K entries, but not heavly used. We also have 2.X running a private photo directory with ~120K entries holding ~500K photos for IDs and photo course rosters (~7GB id2entry.dbb -- kinda stresses various Linux utilities).

      We populate the directories live, but some complexities with our own record keeping requires a bulk reload weekly -- so the daemons are restarted at least once a week.
    • Hmmm. It works great for us, course we only have about 2K users, but it's being heavily used for authentication of IMAP users, SAMBA authentication, RADIUS for dial-in users, plus sendmail routing, mail500 listserve lookups, and our mail clients are using it as a directory, of course.

    • Re:Anything but OpenLDAP (Score:5, Informative)

      by smutt ( 35184 ) on Tuesday January 08, 2002 @04:41PM (#2805680)
      My organization chose OpenLDAP after doing extensive testing with IPlanet and DC Directory. We measure the size of our deployments in the 10's of thousands of users. I'm talking big honking SUN boxes with fiber channel, Gig-E and SAN's. I've found OpenLDAP(configured properly) stable and easily scalable. It's not the easiest thing in the world to setup, but at least it behaves deterministically and scales.
  • I use GQ [biot.com] for browsing around in an LDAP. It is a great start on a fully functional LDAP client tool, but still, many options still need to be implemented.
  • I like Jarek Gawor's Java based editor:
    http://www.iit.edu/~gawojar/ldap/index.html

  • What about "Directory Administrator"? (Score:4, Informative)

    by DocSnyder ( 10755 ) on Tuesday January 08, 2002 @01:45PM (#2804547)
    Directory Administrator [open-it.org] is a GUI (GTK+) frontend for user administration within a LDAP directory. It still requires some knowledge about a LDAP hierarchy, but it helps a lot.

    My advice is to create two user hierarchies: one for administrative non-human accounts (e. g. root, mail, www) and one for real users. Same thing for groups. This way you can manage your real-user accounts with some kind of GUI frontend and even re-use the objects in an addressbook like Evolution Contacts without risking a security hole.

  • This has been a huge problem for us as well (Score:5, Informative)

    by Casshan ( 4998 ) on Tuesday January 08, 2002 @01:45PM (#2804549) Journal
    I am with a admin group trying to integrate a couple hundred UNIX and Windows machines into a single login using an Active Directory server, which provides us with Kerberos authentication, and an LDAP directory. (This was mandated to us "from above") The kerberos authentication of course was easy, however there is hardly ANY information about actually using LDAP in a production environment.. we are trying to use the active directory LDAP server to provide the POSIX gecos and home directory information for the UNIX clients... however the default Active Directory schema does not include RFC2307 [faqs.org]

    Probably the most frustrating part is if you go on google and look for help, you see people mentioning that this works, but never any specifics. I assume you are just using pam_ldap to grab a password crypt from an LDAP server (which is a secure as giving everyone read permissions on your shadow file).

    I think the best solution is to use an LDAP server to host all the user information that is normally in /etc/passwd. This is possible in Linux and Solaris using the nss_ldap module which lets you add an "ldap" entry to your network switch file, and use ldap instead of /etc/passwd. It seems the best solution is Kerberos for authentication and LDAP for everything else, which Active Directory can provide, in a mixed-OS environment even.. but has anyone been able to successfully run nss_ldap [padl.com] against an AD LDAP server? (without using services for UNIX or other kludges) LDAP seems to be an integration nirvanna.. but without proper documentation I am afraid it will never see broader use..

  • Some things you can use (Score:2, Informative)

    by crowke ( 300971 )
    As a student I'm doing some research on LDAP usability and -programming.

    If you want an all-in-one solution (Server & Gui to populate server), try the iPlanet Directory Server which is kind of free to use (downloadable at netscape.com) and has a really nice interface.

    Another nice (non-free) thing is an LDAP-API for Visual Basic from SnarkSoft [snark-soft.com] which allows you to quickly write applications using data from your LDAP server. I know this isn't really a LDAP-solution, but it allows you to easily develop LDAP applications.

  • linux/unix LDAP user tools (Score:4, Informative)

    by Paul Jakma ( 2677 ) on Tuesday January 08, 2002 @01:52PM (#2804597) Homepage Journal
    checkout:

    [open-it.org]
    directory_administrator which is a GNOME LDAP user admin tool (slick enough for use by a frontline helpdesk).

    there are other LDAP GUI's, KDE has one. search freshmeat.

    gq [biot.com] a general purpose LDAP GUI tool. quite slick, comes with RH7.x.

    Also, note that with RH7, the 'passwd' tool uses pam and will hence automatically work with LDAP authentication. (presuming your LDAP server is configured correctly for write access).

    finally, you'll probaby want to develop your own scripts with template LDIF's for things like useradd, or find someone who's already done so. (i noticed there's a post on this thread providing a link to exactly that.) Note that for scripting, PADL's [padl.com] migration scripts are very informative. These are included with the OpenLDAP distribution.
  • The university that I attend has deployed LDAP for use by it's some 25,000 students, faculty, volunteers, and anyone else associated with the school. As far as I can tell the university has written their own custom perl scripts for interfacing to the directory via a web browser. I have to say it works pretty damn nicely. I'm not sure what it says that they wrote their own scripts, but I suspect it was due to a lack of existing software to get the job done. I hope LDAP doesn't fall to the way side, because it's done very well for this campus.

  • You're not looking hard enough (Score:3, Interesting)

    by Anonymous Coward on Tuesday January 08, 2002 @01:56PM (#2804625)
    If you can't find LDAP tools, you havn't been looking hard enough. Here (http://www.dbaseiv.net/code/cpu.phtml) [dbaseiv.net] is a tool for doing unix style user management with an LDAP directory. Here (http://www-unix-mcs.anl.gov/~gawor/ldap/index.htm l) [anl.gov] is a fully functional, really awesome ldap browser that I have used extensively. These are just a tiny sample of all the software for directly working with an LDAP directory. Check the OpenLDAP and IETF lists for more tools, OpenLDAP comes with quite a few as well.
    If you have paid careful attention, you will notice that LDAP support has crept into hundreds and hundreds (of not thousands) of applications over the last year. The API's for doing LDAP programming yourself are also extremely well developed imho. You have options for C, PERL, C++, Python and a slew of other programming languages. Search Freshmeat or Sourceforge for LDAP and see what you come up with, I think you'll be surprised.
    I don't think LDAP is dead, I think it's one of those protocols like TCP that just sneaks up on you with it's usefulness :)

  • LDAP is quite useful where I am (Score:4, Informative)

    by hysterik ( 4400 ) on Tuesday January 08, 2002 @01:58PM (#2804639)
    I am employed by a major aerospace company, and have been using LDAP for several years for web based authentication. This has permitted us the option of "piggy-backing" any other web servers into this authentication scheme. The tools I have used have all been written by myself in Perl, using the Net::LDAP module. I believe there is at least one other module available to use, either available from CPAN. I believe Graham Barr is the author of this module. Using this approach, you should be able to build your own custom webpages for selective browsing of LDAP shares, and management.

    If you're seeking some bonafide support options, you might confer with openldap.org, or better yet iPlanet's Directory Server. The latter would cost some money, but it is an option.

  • The ultimate tool. (Score:4, Interesting)

    by Anonymous Coward on Tuesday January 08, 2002 @02:00PM (#2804648)
    Use Console One. It lets you manage your LDAP directory and a whole lot more. Imagine managing users, resources, printers, servers, EVEN files, all from a single Java based tool.

    That's right you can do all this and a whole lot more, using Novell Netware. Even if you don't use Netware, eDirectory (included in Netware or sold separately) allows a lot of these functions from within the Java based Console One. It runs on almost any platform, available today. It even has additional modules that allow things like single signon and more. That's right, all the advantages of .NET without the bugs and security risks. And, the best part, is it has been shipping for quite a while now, unlike certain other vaporware products.

    Even if it isn't free, for enterprise use, it is down right cheap!
    • Novell's ConsoleOne is probably the best thing on the market today, although iPlanet has some very good stuff, too. Actually, Microsoft's ActiveDirectory is quite a nice directory, but of course, poisoned in such a way as to pretty much ensure that if you use it at all, your master servers will be AD, and all your administration will have to be done from AD, preventing you from using open standards effectively and marginalizing truly open systems. (This is "embrace and extend" at its sleaziest.)

      Also, don't forget the metadirectory approach as a valid one for trying to manage LDAP and other directories: Ganymede is the only open source project in this space that's much good, and it's starting to look fairly capable.

      Still, you get what you pay for: If you're making directory services a core part of your IT strategy (not a bad idea, but realize there are other approaches now, with Java, XML, etc.), it's worth buying the real stuff from Novell or iPlanet. Unfortunately, there's been little open source work in this area: if the open source products work at all (many don't), they don't scale and lack important features.

      That's too bad, because tying together things like MSWallet, .NET, and AD is one powerful way MS is going to continue to shove competitors off into the ditch. (...and a big reason why I and many others think the .GNU project is a BAD idea. Never play to your enemies strength.)

  • LDAP Admin Help (Score:5, Informative)

    by medcalf ( 68293 ) on Tuesday January 08, 2002 @02:00PM (#2804652) Homepage
    I've been working with LDAP for the past four years as a manager, consultant, administrator, project manager and architect in various situations and for various companies and clients. My experience has been with Netscape/iPlanet, OpenLDAP and Active Directory. I've worked on very small and very large projects. LDAP has the potential to bring amazing efficiency gains to an enterprise or Internet-based organization (ISP or ASP), but it also is fairly immature.

    Let me rephrase that: the protocol is mature and useful, and the servers by and large are mature and useful, but the support tools stink, as a general rule. Since it sounds like you are mostly concerned with user administration, I will stick to just that, and let other people mention tools they've found useful.

    If you are using Solaris, AIX or Macintosh, using LDAP for accounts is pretty trivial, since the OS supports it directly - you'll need to have the POSIX user schema loaded, and point the OS's naming service to LDAP instead of its local database. Win2K/XP kind of force you to use Active Directory, so you are also taken care of there. In all of these cases, accounts other than the system superuser will be in LDAP, and so therefore synchronization is not a problem.

    useradd, userdel, usermod and passwd are all replaced by ldapmodify, or you can use the tools included with some servers (the iPlanet console being a good example of how to do this right). Right now, there doesn't seem to be any substitute for thoroughly learning ldapsearch and ldapmodify, Perl and Net::LDAP. You can use ldapsearch and ldapmodify for quick actions (adding, modifying or deleting a single user, or changing a password) and Perl and Net::LDAP for more complex operations (or for putting together a CGI for common functions like changing a user's password).

    I find I end up writing built-to-purpose Perl tools just about everywhere I go. In some cases, this is because of differences in admin policy at different sites, or differences in schema. In others, the issue is more contractual (whomever is paying me gets ownership of the code I write, so I have to rewrite from a clean sheet at the next site).

    The good news is, it is fairly quick and painless to write replacements for useradd, usermod, userdel and passwd which can be run from the command line or as a CGI, and you only have to write them once for your site, if you write them well in the first place.

    -jeff
  • I understand that LDAP is supposed to be used for
    all kinds of great contact / location / description information, but how is it used in reality? It is used as a really difficult to use properties file. Judging the way most people use LDAP that I've seen, they would have been better off with a sql database. At least with SQL the queries are readable. (o=, c=, wtf= is a pain).

    The way I feel about it is that the LDAP 'problem' does exist and is solvable, but the right protocol/implementation does not yet exist. Until something much more friendly and useful comes along, I am firmly off the LDAP bandwagon.

    So if you're looking for a good tool to solve your LDAP problems, I suggest Oracle, PostgreSQL or MySQL. :]
    • LDAP and SQL are considerably different beasts for different purposes. What you propose is basically to say that screwdrivers make decent pry bars, so why ever buy a pry bar?

      Here is some information comparing LDAP and SQL from the OpenLDAP FAQ:
      http://www.openldap.org/faq/data/cache/378.html

      And here is some from an old usenet post. It's specifically talking about why Netscape's LDAP server uses it's own database instead of a RDBMS, but it has lots of good information about how directory services and RDBMS's differ and why one does not make a good substitute for the other.
      http://groups.google.com/groups?q=ldap+compariso n+ sql&selm=36AD06E4.F7362E47%40netscape.com&rnum=9
  • I'm an e-commerce consultant, and I've been surprised in the last 2 years or so the vast number of LDAP-based installations I've seen in all sorts of e-business.

    Though not heavily deployed in the enterprise, ESPECIALLY *nix, basically due to the very issues you mention (few admin tools, high complexity), it is heavily used on the web and in Microsoft-centric environments. Active Directory almost follows the LDAPv3 protocols (two non-standard areas are both related to schema implementation. The variations are well documented and do not drastically effect applications)

    My admin tool of choice? Sad to say, it is the AD administrator. Second admin tool of choice? Microsoft Site Server 3.0, Commerce Edition's Membership Directory Manager MMC snap-in. Both are Microsoft Management Console snap-ins, but if you can get around that they work alright. The MSS3CE version is even fully LDAPv3 compliant, so you can use it with other directories, too. It also comes with a web interface you can use.

    As far as non-MS tools? Haven't seen a one worth it's salt, though a couple of my co-workers recommend talking to the NetIQ folks if that's your bend...

  • Just saw this on a mailing list: (Score:4, Informative)

    by Teancom ( 13486 ) <david&gnuconsulting,com> on Tuesday January 08, 2002 @02:07PM (#2804690) Homepage
    Weird, as this came in just yesterday on kde-pim:

    Carillon Information Security Inc. would like to announce the release of
    KDirAdm version 0.1

    K DIRectory ADMinistrator is a tool for use by Directory Administrators to
    manage their LDAP based directory. Using the K Desktop Environment (KDE) and
    OpenLDAP toolsets, this application currently has all of the basic
    functionality required to browse, add, and delete directory entries. As this
    is an initial BETA release, the capability to modify existing entries, as
    well as the ability to handle binary directory objects is currently missing.
    This is planned for the next release, along with improved password entry
    handling and possibly LDAP over SSL support.

    KDirAdm is open source software released under the GNU Public License. As
    such we encourage anyone to help us in the development of this software.
    Specific jobs that need doing at the moment are improving the documentation,
    the artwork, and of course, any LDAP wizards that want to help out will be
    greatly appreciated.

    The homepage for KDirAdm is at:

    http://www.carillonis.com/kdiradm

    where both source and Debian packages may be obtained.

    Comments, suggestions, wishlist items and patches may be sent to
    ppatterson@carillonis.com

    So, it's "pre-beta" but has that ever stopped a true free software geek before? ;-)
  • Novell's eDirectory is the fastest, most scalable & reliable LDAP directory around, runs on NetWare, Windows, Solaris, Linux, Tru64 Unix and AiX, and comes with some pretty cool LDAP tools.

    ConsoleOne is a graphical, cross platform GUI tool that allows you to do pretty much every thing. Add, Delete, Create, Modify, Search, Extend the schema, etc.

    There's also the ICE (Import, Convert, Export) tool which allows you to import, convert and export data from LDIF or other LDAP servers. ICE is available in a GUI and command line version.

    eDirectory is also managable through a browser, and if you use their DirXML product you can basically take any data from any system and expose it through LDAP.

    Novell's eDirectory is redistributable for developers. If you do development work, check all their goodies at their development site [novell.com]. You'll find LDAP class libraries, tools etc.

    The evaluation copy of eDirectory can be found here [novell.com] and includes the tools mentioned.

  • LDAP, Tools, Servers et al (Score:5, Informative)

    by JABOFH ( 261485 ) on Tuesday January 08, 2002 @02:12PM (#2804719) Homepage
    I've finished the process of migrating a fairly large ISP/Telco (1.5M users) to LDAP a couple of months ago. I've been at it for over a year, and
    from my own experience I can tell you that:

    1 - The best available tools are definitely the command-line that come with most servers.

    2 - OpenLDAP sucks big time in large scale environments. It's replication is anything but reliable

    3 - GQ is a very, very nice browser for LDAP. But I wouldn't use it for administration.

    4 - You can assemble a whole range of ISP services (mail, ftp, http, whatever) based on an LDAP tree. Even if you can't find a _insert favorite daemon here_ supporting LDAP, you can always use...

    5 - PAM/NSS LDAP. It just rocks. If you configure it properly, anything using PAM/NSS will use/update your tree accordingly. This includes unix tools like "passwd", "useradd", or "finger", or services like QPopper and OpenSSH.

    6 - The best way to automate some processes is to create our own tools. Net::LDAP is very easy to use, and does anything you can think of (in terms of LDAP ops)
  • RIT has a mildly nice system... here [rit.edu]. Basically, you can look people up on campus by e-mail address. Individual users can change their own listing. I know little about the actual implementation though.

  • A few tools (Score:4, Informative)

    by Ludoo ( 12304 ) on Tuesday January 08, 2002 @02:15PM (#2804730) Homepage
    maybe there are some duplicates with the above posts
    Object Identifiers Schema Browsers Language Libraries Exchange Schema
  • I keep hearing all of these announcements about LDAP-generic tools, but I don't think anybody is answering his questions. He's talking about USER-SPECIFIC tools, which is rather lacking. Granted, there are many different schemas for users, but it's more or less only a couple of standard schemas (that come with OpenLDAP).

    There's not that many good user management tools for LDAP. I don't feel like typing it in on raw mode with GQ, when a lot of it is duplicate information (to make sure it gets caught with the different schema names).

  • LDAP tools? Open Source tools are here! (Score:5, Informative)

    by jlittle ( 122165 ) <jlittle.cis@stanford@edu> on Tuesday January 08, 2002 @02:30PM (#2804803) Homepage
    As the host of open-it.org, are entire focus is solving this problem. Many people are actively working on integration with ActiveDirectory, and other tie ins, and people loosely associated with Open-IT are working in various projects that help resolve this (Samba-TNG supports ldap backends).

    As for management, we now host Directory Administrator,a great GTK front end to user management, I have also created a simply useradd program for creating users in ldap (its called addluser).

    We are currently working on a new release of Directory Administrator with a new backend which will allow CLI, GUI, and Web clients to be built on it. Further, if you love WebObjects, Apple just released 5.1, which has a JNDI adaptor, allowing quick Web Apps to be built against LDAP directory servers using Java.

    Is the documentation not up to snuff at Open-IT, then help out! We have some basic howtos, and I package pam_ldap, nss_ldap, openldap, and other great things to get you going.

    Back to work...
    • Checked out Directory Administrator. My biggest beef with it is that it seems to be hardcoded to manage posixUser and posixGroup objects, which we don't use at all. So it looks pretty but doesn't let me Administrate my Directory, as the title would suggest :)

  • Ganymede, an LDAP manager / alternative (Score:5, Informative)

    by jonabbey ( 2498 ) <jonabbey@ganymeta.org> on Tuesday January 08, 2002 @02:37PM (#2804860) Homepage

    Well, I'll post a pointer to Ganymede [utexas.edu], which is not specifically for LDAP, but which could probably be useful in a lot of environments.

    Ganymede is at once simpler than LDAP, in that it doesn't support the kind of hierarchical objects that LDAP and x.500 support, and in that it doesn't actually speak LDAP, and more complex, in that it has a sophisticated transactions model and can handle complex concurrent operations while maintaining namespace and referential integrity.

    Ganymede is useful if you want to have a smallish (less than 50,000 users, say) 'flat' directory, but for which you want to allow detailed permisison delegation and fine-grained concurrency. If you have a very large NIS domain and you want to allow scores of users and admins to be changing their passwords and account information concurrently, Ganymede will work wonders for you.

    We actually use Ganymede for just about everything here, up to and including our DNS, although we don't have our DNS support code 'productized' yet. We do master our LDAP directory from Ganymede data, in order to support applications which can use an LDAP server for an address book (such as Outlook and Netscape Messenger). If you were to combine Ganymede with something like Thomas Reith's ldapdiff [rhoen.de] utility, you could combine Ganymede's sophisticated administration services with LDAP for distribution.

  • Fun with LDAP (Score:3, Interesting)

    by uberchang ( 239765 ) on Tuesday January 08, 2002 @03:04PM (#2805061) Homepage
    Softerra's LDAP Administrator [ldapadministrator.com] is pretty good, and they have a freeware version called LDAP Browser. The LDAP Browser/Editor [iit.edu] is nice also.

    If you are using LDAP as your addressbook, ldap-abook [freshmeat.net] is a nice interface to add/delete/modify entries. Most email clients are LDAP-aware these days and it's convenient to be able to share an address book between my personal and work email accounts.

    I've had to roll my own to do system accounts, however. Make ldapmodify your new best friend, or write an interface of your own - there is a lot of support for Perl or PHP LDAP functions out there. Server-side, I've used OpenLDAP [openldap.org] and iPlanet's Directory Server [iplanet.com], and I prefer iPlanet. iPlanet has a free non-commercial license option, is significantly faster than OpenLDAP, and has hooks to synchronize with an NT or Active Directory domain so you could do all the user administration in Windows and they would propagate over to your LDAP server.

    Other fun things you can do with LDAP are:

    Handle Unix authentication through pam_ldap [padl.com]
    Hook into NIS with the NIS/LDAP gateway [padl.com]
    Authenticate through apache with mod_auth_ldap [nona.net] or auth_ldap [rudedog.org] or Netegrity [netegrity.com]
    Centralize your smtp routing data in LDAP for sendmail

    Good luck.
  • Also, you might check out iDSRK from iPlanet. It's a set of performance testing tools, a tool for generating bulk loads, etc. Quite useful in some circumstances.

    -jeff

  • Webmin's LDAP plugin... (Score:3, Interesting)

    by Spoing ( 152917 ) on Tuesday January 08, 2002 @03:07PM (#2805077) Homepage
    Webmin, my favorite tool, has an LDAP module. It looks basic, so I don't know if it would be appropriate.

    Links: Webmin & Freshmeat page for LDAP module (LDAP module site is in French but easy to grok);

    1. http://www.webmin.com/webmin

    2. http://freshmeat.net/projects/ldap_module

  • If you work for an Oracle shop, you can use Oracle Internet Directory LDAP, which is based on Oracle's Application Server product. Details here [oracle.com].
  • A quick plug for a useful LDAP-related tool I wrote: it's an LDAP to DSML (version 1.0) gateway, which allows you to read DSML (which is an XML-based language) out of, and write it to, any LDAP-enabled directory server.

    It's not graphical, though :-)

    Find it here [dsmltools.org].

    Gerv
  • Check out the LDAP module at CPAN [cpan.org]. 'Course, if you don't already know Perl it will take you an hour or so to learn it, but I think you will find it to be the most flexible and powerful LDAP tool available.

  • JDBC driver for LDAP (Score:2, Interesting)

    by eGuy ( 545520 )
    Novell has a JDBC driver for LDAP. It maps SQL statements to LDAP(At least those it can. Those it can't map directly to LDAP it does it's own joining of the data). Its a free download available at developer.novell.com/ndk/ldapjdbc.htm Its also 'works with LDAP 2000' certified. (From the OpenGroup) This means it should work with any LDAP compliant directory. Its useful if you have normal reporting tools that use JDBC drivers. For example StarOffice can import data from JDBC drivers with a nice GUI - This way you don't have to know about the LDAP syntaxes or anything about LDAP except that its a Data Base. They also have an ODBC driver that only works with eDirectory(NDS). Hope that helps.
  • LDAP is a large part of my job, I've written dozens of scripts for handling various LDAP chores. And whatever you do I strongly recommend that as much as possible for any scripting, use something like Net::LDAP instead of using or wraping shell scripts around any of the OpenLDAP utils. Maybe it's just a project maturity thing or something, but the OpenLDAP people seem to have an infuriating habit of changing the behaviour/output of ldapsearch which means you will end up having to tweak or rewrite every script that uses it if you ever upgrade. That said the OpenLDAP utils are quite handy to have around, no matter which implementation you're running as your actual LDAP servers.

    Also if you're running iPlanet/Netscape's directory server grab their resource kit, the ilash util which can do a lot of things, has a really nice feature in that you can drop an entry into vi and edit it. ud or whatever it's called in the OpenLDAP utils can sort of do that, but only for certain hardcoded attributes, and not the ones you're likely to need either.

Slashdot Top Deals

"What man has done, man can aspire to do." -- Jerry Pournelle, about space flight

Close