LDIF is sort of bearable once you've found proper tooling (ldapvi!) and overall the whole thing looks quite sensible and usable at first. For a few minutes. Right after installing slapd and adding your first organizationalPerson.
A few hours later, after wiring up a few applications, things will unfortunately have changed for the worse. Your schema is now cluttered with insane amounts of cruft and redundancy, because every application that supports LDAP (which is not the most common feat in the first place) seems to have a slightly different idea of what your schema should look like or what a good password hash is.
Getting to the point of true single sign-on is a major undertaking. And during large parts of that journey you will feel a lot like Indiana Jones. You get to puzzle together fragments of ancient documentation while fighting off a mythological multi-headed hound. You get to spend hours in endless dungeons of subtle incompatibilities and meaningless error messages. And if you ever get bored there's always a fair share of cryptology waiting for the inquiring archeologist, sometimes humorously declared as "documentation" - but usually just in the form of brief S.O.S. messages carved into a Usenet stone wall somewhere on the internet. Sometime in 1983. By some other poor soul stumbling around in a similar - but of course not compatible and long deprecated - maze.
Yea, lots of fun can be had with LDAP. Not.
What does that look like in your setup?
Do you have ssh/kerberos, samba etc. all under one umbrella without nasty hacks?
All that a few weeks after I recommended OpenSSO to a client.. sheez.. :P
Why nobody uses DNS:
I'd also put SMTP, POP3, and IMAP in this category.
Look at it this way: LDAP is to X.500 as SNTP is to NTP.
SNTP is simple, because NTP is pretty simple. LDAP is a little bit hairy because X.500 was really, really, really hairy.
Just for reference, other directories:
Microsoft Active Directory
Red Hat Directory Server
Critical Path Directory Server
Sun ONE DS is free-as-in-beer. It's a newer derivative of the same codebase (Netscape) that became FDS.
Apache DS is something I've been experimenting with. Java-based. Easy to get up and running, comes with a really great default schema.
Sun OpenDS looked cool, but since the oracle acquisition, I can't bring myself to be interested in it.
LDAP is a protocol. NoSQL is a shitload of software that works extremely differently and has no protocol or common data scheme.
LDAP is probably most used for organizing a company's data (employees) and works quite well for that. It's proven, it has major software products that are stable and used in worldwide deployments.
Just exchanging LDAP with NoSQL makes no sense and is a move only driven by "LDAP sounds soo old. Let's use that NoSQL everyone is talking about!". And maybe slap XML, Web2.0 and HTML5 on top of it. Just, you know.. it's state of the art!
I've yet to see a comment on this page that relates to the problems of the protocol. Mostly vague points without objective data.
Basing all that criticism on the fact that this protocol has been around for a while and thus has more than one RFC is just stupid.
I don't have the answers, I just didn't really like my experience with LDAP, and was idly wondering whether it'd be possible to build something better these days.
Do you have specific things in mind?
That said, there are plenty of systems that I have encountered in my years that are much friendlier to a new user. Specifically, I recall awful command line queries, kind of wonky tools in general, and, generally, a fiddly feeling to the whole thing. I did get things working, but I was never really happy with the whole setup. We ended up calling in a consultant to check over my work and see if there were ways to improve it, and aside from a few things, there really weren't.
I agree that getting started with LDAP when you are only used to relational databases is a real pain. On top of that, a lot of software with "LDAP support" is pretty bad at it. But once you have it up and running, you can integrate it with almost everything. I'm a big fan of the Sun LDAP Server and all its features like multi-master replication, ACLs and all those neat ways it offers you for modeling your directory data.
Also: "LDAP was originally intended to be a lightweight alternative protocol for accessing X.500 directory services through the simpler (and now widespread) TCP/IP protocol stack." (wikipedia) So that's what that lightweight is all about.
DO NOT mix up LDAP and "single sign-on" (e.g. Kerberos), which are two separate things. You can use LDAP, however, to store your users and passwords and have all kinds of systems use that for authentication and authorization, but that is not single sign-on.
Most SSO products I know use LDAP as their datastore, though.
I have always liked LDAP for its strong standardization and simplicity and LDIF is a plain, simple format that you can easily generate or type by hand. There is not a lot of overhead.
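Two threads above deserve a concrete illustration: the complaint early on about applications disagreeing on what a good password hash is, and the claim just above that LDIF is plain enough to generate by hand. The following is an added example written for this thread, not code from any LDAP server or from any commenter. It builds an LDIF entry whose userPassword uses OpenLDAP's {SSHA} convention (base64 of SHA-1(password || salt) || salt), applies the RFC 2849 rules for when a value has to be written as base64 (the `::` form) and for folding long lines, and parses the result back. The entry contents (jdoe, example.com, the fixed salt) are constructed sample data.

```python
"""Added example: emit and parse LDIF with {SSHA} userPassword values.

Illustrative code written for this discussion; it is not from OpenLDAP or any
other directory server. It assumes OpenLDAP's {SSHA} layout:
    "{SSHA}" + base64( SHA1(password || salt) || salt )
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # attribute name -> values; "dn" is stored as an attribute


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value; a fresh 4-byte random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, password: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, must not start with
    space, ':' or '<'; values ending in a space are also encoded."""
    if value == "":
        return False
    if any(ord(c) > 0x7F or c in "\x00\r\n" for c in value):
        return True
    return value[0] in " :<" or value[-1] == " "


def fold(line: str, width: int = 76) -> List[str]:
    """Split one logical line into physical lines; continuations begin with a space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def to_ldif(entries: List[Entry]) -> str:
    lines: List[str] = []
    for entry in entries:
        for attr in ["dn"] + [a for a in entry if a != "dn"]:  # dn must come first
            for value in entry[attr]:
                if needs_base64(value):
                    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
                    lines.extend(fold(f"{attr}:: {b64}"))
                else:
                    lines.extend(fold(f"{attr}: {value}"))
        lines.append("")  # blank line terminates the entry
    return "\n".join(lines)


def from_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records (attr: value / attr:: base64); ':<' URLs are not handled."""
    logical: List[str] = []
    for raw in text.splitlines():          # 1. unfold continuation lines
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in logical + [""]:            # 2. split into entries and attributes
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        current.setdefault(attr, []).append(value)
    return entries


def demo(password: str = "correct horse", salt: bytes = b"\x01\x02\x03\x04") -> Tuple[str, List[Entry]]:
    """Build a constructed inetOrgPerson entry, serialise it and parse it back."""
    entry: Entry = {
        "dn": ["uid=jdoe,ou=people,dc=example,dc=com"],
        "objectClass": ["inetOrgPerson"],
        "uid": ["jdoe"],
        "cn": ["Jöhn Dœ"],                               # non-ASCII -> written as cn:: base64
        "sn": ["Dœ"],
        "mail": ["jdoe@example.com"],
        "description": [" leading space", "x" * 100],    # unsafe first char; line needs folding
        "userPassword": [make_ssha(password, salt)],
    }
    ldif = to_ldif([entry])
    return ldif, from_ldif(ldif)


if __name__ == "__main__":
    text, parsed = demo()
    print(text)
    print("password ok:", check_ssha(parsed[0]["userPassword"][0], "correct horse"))
```

{SSHA} is salted but fast (a single SHA-1), which is why it is cheap to brute-force offline if the directory leaks; where the server supports a proper password KDF such as Argon2, prefer that. The base64 rule is the part most hand-written LDIF gets wrong: a cn with an accented character or a value that starts with a space silently corrupts if written with a single colon.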