Chris Brentano wrote:
I would second OpenLDAP, having used it in production at two different employers. It's always been stable and reliable. If you're restarting slapd every 15 minutes I'd take a good hard look at the problem versus just migrating away from it.
I've been using LDAP for quite a while. I discounted using it starting about 4 years ago. I inherited the existing broken LDAP installation, the person that was there before me tried all sorts of things to make it work. I never wanted to use it in the first place. So out it goes. I came up with, at least for me is a much more scalable, stable system authentication system based on SSH keys, and automatically generated passwd/group/shadow files. Managed by a couple scripts I wrote and distributed to the hundreds of nodes with CFengine(www.cfengine.org).
I can dynamically create passwd/group/shadow files on the fly for an "unlimited" amount of systems(in quotes because I need to manage the classes in cfengine to determine what class gets what set of files). Though at my current job I just have 3 different configs(mainly for different root passwords depending on the system type). I wrote the system about 2 years ago and used it extensively at my last job and it worked wonderfully.
LDAP is good I suppose for application level authentication(e.g. web apps). But for system authentication(all I really care about), while it does work, it is (to me):
- overly complicated(schema and stuff, my OpenLDAP 2.2 to 2.3 migration on my home network was a real pain) - not many good tools to manage it(well that I'm aware of at least, I use raw LDAP editors for the most part, I'm sure I could write some scripts if I was serious about long term support of it) - Maybe it's improved recently but replication in OpenLDAP used to be real sketchy. Configuration was arcane, and it was purely a master->slave relationship (not master<->master). - SSL is damn picky. One of the things the former guy at my company tried to do was load balance a pair of LDAP servers for higher availability but was unable to get that to work with SSL (I haven't tried myself). I'm fairly certain it would work without SSL, but don't care enough at this point to put any work into it. - I aim to eliminate any external dependencies on everything I can, last thing I need is some problem in LDAP taking down authentication for the entire network. I suppose if I really hork my custom generated password files the same could happen. - Has a funny way of not working when the network is down <g> - nscd is iffy to say the least. It's been mostly reliable on my home network over the past 7 years or so, but on occasion I login to my system and it tells me my user name is "I have no name!" (at least I can login at all since I use SSH key authentication). - Without nscd LDAP can be sluggish at times so it's a tough trade off..
Of course everyone's situation is different and I will admit that LDAP is a suitable solution for some, just not for me(anymore).
The reason I use it at home still is because it was my testing ground for my LDAP deployment at my company 7 years ago, I was getting close to replacing the local NT4 authentication server with samba-tng when they decided to downsize the company and well there went that plan :)
It also helps that I don't have to support any windows users (I saw your next comment about AD and exchange stuff).
LDAP was an interesting thing to play with, back in my early days with it the documentation was so bad I spent weeks or even months, with trial and error working with OpenLDAP, and getting samba-tng with domain authentication working, Netscape Roaming profiles with LDAP, and postfix mail routing. I even wrote a HOWTO doc at http://howto.aphroland.org/HOWTO/LDAP though I haven't updated it since 2003 I think. It was fun, learned a lot. But have learned even more since.
I toyed with the idea of using the SSH patch to store SSH public keys in LDAP a few years ago until I came up with the idea to take advantage of CFengine (which is a hellishly complicated tool in itself but I use it for far more things than just this), and I decided to finally put my LDAP ambitions to rest for good.
It's quite possible that my information about LDAP is out of date, I admit I haven't been on the cutting edge of that technology recently, though I still interface with my home installation on a regular basis(just added some new mail aliases into my LDAP config today actually), I haven't changed the way I go about things in LDAP in quite some time. Maybe I'm just gettin' old.
nate (also don't like NIS, and hate kerberos)