
Ask HN: Which LDAP server doesn't require a degree to run? - majewsky
I have a bunch of services on my private servers that all support LDAP-based authentication, so I would like to deploy a suitable server for SSO. The only serious option seems to be OpenLDAP, which seems to consider itself a rather generic database that just happens to be used primarily for authentication. And even if I eventually get through the initial setup, that just gives me the directory service. I still would have to deploy something else to give the users a frontend for changing their password etc.

Can you recommend something simpler than that? Requirements:

- deployment on Linux server

- schema defines at least user accounts with passwords, and groups where users can be a member

- self-service web GUI for users: to review group membership and change passwords

- should not require a bazillion components (e.g. I ruled out Authelia after reading it wants an LDAP server *and* a Redis *and* a MongoDB)

This is not about an enterprise deployment with SLAs or anything. Just a dozen users and a handful of groups.
======
bloopernova
FreeIPA.

It supports a lot of features, has a lot of documentation backed by Red Hat,
and a fantastic mailing list that helps usually within hours. It also can
create a 2-way trust with active directory if that is also desired. It has
integration with multi-factor authentication too if desired.

I've been running a several hundred user development environment with dozens
of LDAP authenticated services, for about 4 years now. It has been great, the
web UI works really nicely, and it has active development.

I recommend it without hesitation.

If you want further information, email anthonyclarka2 a.t. gmail.

------
codemusings
I feel your pain. I had to deal with this for our dev environment and it's
ridiculous how complicated it is to set up OpenLDAP. The creators are
masochists as far as I'm concerned. No sane person would look at the esoteric
syntax and directory layout and say "this is useful and straightforward". Not
to mention the fact that, and I kid you not, a trailing whitespace on a
configuration line breaks everything.

------
runjake
Active Directory.

I’ve implemented LDAP with most of the available options. I wanted to hang
myself with just about every option except AD.

Fortunately, I think we are in or near a post-LDAP world.

~~~
stephenr
> Active Directory.

Running Windows Server for the purposes of just AD is ridiculous IMO.

> I wanted to hang myself with just about every option except AD.

I've worked with (then) Novell eDir, OpenLDAP and a little with AD. I found
OpenLDAP to be by far the nicest to use.

The moral of this story is: anecdotal evidence is anecdotal.

> Fortunately, I think we are in or near a post-LDAP world.

That's not a good thing.

~~~
runjake
> Running Windows Server for the purposes of just AD is ridiculous IMO.

I disagree. The pain of running Windows Server is outweighed by the
excellence, stability, effortless scalability, and programmability of AD.

> I found OpenLDAP to be by far the nicest to use.

I've implemented all the same (and others such as Netscape/Sun Directory
Server). I strongly disagree. Hell, I even come from a UNIX/C background.

> The moral of this story is: anecdotal evidence is anecdotal.

Pot. Kettle.

> That's not a good thing.

I guess we'll just have to agree to disagree across the board, then. Although
I am well used to it now, I find LDAP programming obtuse and thoroughly not
a good setup for modern networks and APIs. There are much better, more
naturally scalable ways to do things.

Lightweight Directory Access Protocol is anything but lightweight.

~~~
stephenr
> Pot. Kettle.

That was my point. You have one view I have another.

------
stephenr
A self service web app is pretty simple - I found

[https://ltb-project.org/documentation/self-service-password](https://ltb-project.org/documentation/self-service-password)
in a few moments (ddg for “ldap self service password”)

------
chatmasta
Along these lines, does anyone have any good references for the best way to
set up an authentication architecture for a product that is both multi-tenant
SaaS and installed on premises? (Think GitHub + GitHub Enterprise.)

Would it be a good idea to use LDAP even internally (on the equivalent of
GitHub.com) so that implementing on-prem is just a matter of swapping a config
value? Or would it be better to maintain your own auth system in a relational
database and sync it with LDAP if necessary?

------
actionowl
This is probably not what you’re looking for but I just want to mention that
you could implement a server supporting just what you need using ldapjs
([http://ldapjs.org/](http://ldapjs.org/)) and then create a custom web front
end for it.

------
adamfeldman
I’ve had my eye on [https://www.gluu.org](https://www.gluu.org). Haven’t yet
had the opportunity to deploy it though.

