Article: Demystifying LDAP
Subject: Ldap or Database (users, roles, etc)
Date: 2006-07-31 07:53:58
From: javadevdc
I'm not convinced it is cleaner or easier to implement an ldap server as opposed to a mysql server running with users, roles, etc.

If the user provisioning service that is implemented in mysql is well documented, I don't see the advantage ldap has over the database.

I also think ldap is much more difficult for programmers than giving them an API and a model of the users and roles.


  • Ldap or Database (users, roles, etc)
    2006-07-31 08:16:03  Brian K. Jones

    Hi,

    Your very first sentence proves the point in the article, actually. What exactly do you mean by "users and roles"? Do you mean system level users and roles, or users and roles that are defined only in your environment in the database? The fact that I would have to ask this question lends credence to the argument for using LDAP over a database for certain tasks, because the LDAP data schemas are generally widely published and standardized. If I talk to an LDAP user from just about anywhere and mention "inetorguser", they know pretty much what I'm talking about and what it implies. Not so with your users and roles.

    Further, you could well be right that your particular implementation for user provisioning might be "better". I have no idea, really, because I have no clue how you're defining "better". To my mind, not having to devote the resources of database admins, schema designers, developers and the like to do something that has already been done a thousand times over (and is proven to work a thousand times over) is "better" for two reasons:

    First, it costs less in terms of time (and probably money)

    Second, the data layout for users is standardized. This means that if I come into your environment to do work and you're using ldap, I already know what I'm dealing with, because as an admin, I've dealt with LDAP a million times before (and probably with the schema you're using for user data, as well). I have *not*, on the other hand, dealt with your custom creation a million times before. This goes for developers as well as admins.

    This is all without even mentioning that what I'm talking about in the article is only *marginally* about user *provisioning*. It's really more about user data storage and retrieval, which is an area where LDAP is clearly an accepted standard over custom mysql schemas. For example, no email client that I've used can grab their addressbook information from a mysql server - and even if they could, am I to expect my users to be able to fill in information about the site-specific data schema? Or worse, am I to expect the admins (er, me) to go and configure (and keep updated!) all of my users' email client configs? No Bueno(tm)

    I'd like more detail on which aspects of LDAP you think developers would find more difficult? Have you ever coded using php_ldap, JNDI, python-ldap, Net::LDAP....? I've used all of these as a developer, and have found using them to be far simpler than coding against a database in most instances. To tell the truth, the models are fairly similar, and where the differences exist, I believe 9 out of 10 developers would *prefer* LDAP, and the 10th developer probably works for Oracle or something. I'm confident of this because I support developers who have told me as much, and it's usually these developers that I have to keep away from the LDAP server for fear they'll store inappropriate data in the LDAP server because it's so *easy* to code against.

    Please clarify your arguments against using LDAP, and cite examples where you've experienced pain with LDAP. It's certainly possible I've missed your point, and I'd love the opportunity to help if I can. :-)
    • Why Active Directory?
      2006-07-31 10:26:16  javadevdc

      Hi,
      One thing I'm curious about too is the use of Microsoft Active Directory. I work mostly in open source & Java shops and yet a lot of these environments use Active Directory. When I inquire about it, the response is usually that Active Directory is a lot easier than OpenLdap.
      • Why Active Directory?
        2006-07-31 10:35:11  Brian K. Jones

        Hi again!

        Active Directory *is* easier to set up than OpenLDAP, but if that's the only reason for using AD over OpenLDAP, then the decision-making process needs work, IMHO ;-)

        AD is different from just about every other LDAP implementation in existence, so when I say "LDAP", I'm careful to separate that from anything having to do with AD, because it's different (surprise!).

        There's no reason you can't develop against AD, though - it's just another (non-standard, ms-specific) schema is all. BTW - you can send queries to AD (or any ldap server) using IE (if you like that kind of thing). This is one plugin I can't find for firefox/mozilla, which is ironic since the same company gave birth to the code that later became Sun ONE Directory server, Netscape Server, and now Fedora Directory server.

        Oh yeah, I also forgot to copy in the link to the Java LDAP browser in my last post --> http://www-unix.mcs.anl.gov/~gawor/ldap/
    • Ldap or Database (users, roles, etc)
      2006-07-31 10:00:19  javadevdc

      First off, if you can point me to an easy setup for ldap on debian/Ubuntu and a simple program (preferably in Java) that can access a user and permissions granted to that user that would be great.

      Maybe these are myths, but this is what my experience is :
      * ldap is different for each implementation. Microsoft Active Directory is not going to be similar to OpenLdap. Someone is not going to be up and running with Active Directory or OpenLdap from setup to programming.
      * You need someone that specializes in Ldap to set it up; not so with mysql and say JAAS or Acegi. I can set up roles, users and a complex permission system using Spring's Acegi in less than an hour.
      * OpenLdap is hard to set up.

      > I believe 9 out of 10 developers would *prefer* LDAP, and the 10th developer probably works for Oracle

      As a developer, I would like to easily set up my environment. ldap is not as easy as setting up users and roles in a database.

      Oracle has an identity server so they would push ldap.

      I'd love to see a getting ldap up and running on linux for busy people.

      • Ldap or Database (users, roles, etc)
        2006-07-31 10:29:23  Brian K. Jones

        > First off, if you can point me to an easy setup for ldap on debian/Ubuntu and a simple program (preferably in Java) that can access a user and permissions granted to that user that would be great.

        If you've never in your life seen LDAP, then I guess it's as easy as doing anything else you've never seen before. In other words, "easy" is a relative term. However, a google search turns up two documents you might find helpful.

        http://directory.fedora.redhat.com/wiki/Howto:DebianUbuntu
        http://www.openldap.org/doc/admin23/quickstart.html

        As for OpenLDAP, I don't personally like it (and I've used it extensively). However, it's harder to tweak to perfection for a production deployment than it is to set up a simple test. See the above link to set up a quick test server. I prefer fedora directory server, but have never tried to build it on a non-RH-based distro. I know users who *have* built it on gentoo and debian though.


        > As a developer, I would like to easily set up my environment. ldap is not as easy as setting up users and roles in a database.

        If the priority is not to do what is necessarily easier for the developer, but to deploy the right application or service in the right way, then sometimes, as a developer, you must learn things that you don't currently have familiarity with in the interest of using the right tool for the job.

        If you set up an ldap server once, then back up your data (a one-command process to dump to an ldif file), then future setups are Mind Numbingly Easy(tm)

        :-)

        If there's more demand for the document you request, perhaps I'll write one myself! Thanks for that input!

        • Ldap or Database (users, roles, etc)
          2006-08-14 09:49:08  jblaine

          "If the priority is not to do what is necessarily easier for the developer, but to deploy the right application or service in the right way, then sometimes, as a developer, you must learn things that you don't currently have familiarity with in the interest of using the right tool for the job."

          Well said.
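An added example, not code from this thread or from the article it discusses: the "look up a user and the permissions granted to that user" program javadevdc asked for, written against the kind of LDIF dump Brian mentions backing up to, so it needs no directory server to run. It parses LDIF content records (including folded lines and base64 `::` values) and resolves a user's roles from the standard inetOrgPerson and groupOfNames object classes; the sample LDIF, the DNs under `dc=example,dc=com` and the group names are constructed for the example, and only the Python standard library is used.

```python
import base64
from collections import defaultdict

# Constructed sample dump: one inetOrgPerson plus two groupOfNames role groups.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.co
 m
description:: SGVsbG8sIExEQVAh

dn: cn=developers,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: developers
member: uid=jdoe,ou=People,dc=example,dc=com
member: uid=bob,ou=People,dc=example,dc=com

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=bob,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse LDIF content records into {dn: {attribute: [values]}}."""
    unfolded = text.replace("\n ", "")          # join folded continuation lines
    entries = {}
    for record in unfolded.split("\n\n"):       # a blank line separates entries
        entry = defaultdict(list)
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):           # "attr:: <base64>" form; b64decode skips the space
                value = base64.b64decode(value[1:]).decode("utf-8")
            entry[attr].append(value)
        if entry:
            entries[entry["dn"][0]] = dict(entry)
    return entries

def user_roles(entries, uid):
    """Roles = groupOfNames entries listing the user's DN; None if the uid is unknown (exact DN match)."""
    user_dn = next((dn for dn, e in entries.items() if uid in e.get("uid", [])), None)
    if user_dn is None:
        return None
    return sorted(e["cn"][0] for e in entries.values()
                  if "groupOfNames" in e.get("objectClass", []) and user_dn in e.get("member", []))
```

The same two calls map directly onto a live directory: `parse_ldif` becomes a search for the uid, and `user_roles` becomes a search for groups whose `member` equals the returned DN.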