undefined | Better HN

0 pointsacdha14y ago0 comments

"90s database technology" in the sense that it's hard to work with and the support costs are unnecessarily high. The protocol is hard to work with - which makes debugging less appealing and thus most people avoid trying - and no server I've seen with the arguable exception ActiveDirectory has well-designed logging for typical sysadmin needs.

Beyond that everyone other than Microsoft uses the OpenLDAP code, which has a number of basic errors and rough-edges. slapd has numerous deadlock conditions and the only backend which doesn't have a low risk of corrupting your data (MySQL) is discouraged. The client libraries had basic design failures for aeons - the most glaring being the assumption that the network is perfect and will never drop or delay packets (timeouts are checked after blocking operations return, which takes several days due to retries at multiple levels). This means that OS X, Linux, FreeBSD, etc. clients will become unusable if your LDAP server is less than perfect - and since slapd deadlocks under normal use, this will occur sporadically. The developers were largely in denial about this - my patch to set SO_RCVTIMEO / SO_SNDTIMEO was ignored with unproven claims that this would magically work in the bleeding-edge trunk version (untrue then, could have changed now) but the libpam-ldap maintain is more conscientious so the similar patch there was accepted a couple years ago so at least Linux clients actually attempt to failover.

0 comments

charlieok14y ago

You definitely have more detailed knowledge of LDAP than I do. Do you know if there is a better alternative? One which could serve as a user directory for most or all of the major desktop and mobile operating systems?

acdhaOP14y ago

The problem is a massive network effect: almost everything supports LDAP - even Active Directory uses LDAP under the hood - and so there's a real network effect working against attempts to introduce something simpler. I was half-tempted to say "Facebook" since I'd lay even odds that LDAP won't be replaced by a similar network protocol rather than something which brings other selling points to increase the benefit of switching, and indeed it's becoming more and more common to use web-based authentication systems so that might be the eventual successor.

Something like ldap.js does seem like a good compromise: using a real database and a modern implementation without so much legacy baggage would probably be the best bet as you wouldn't be forced to upgrade every client just to get a working server.

charlieok14y ago

Web(http)-based or not, I'm interested in network protocols that aren't tied to a specific website, or otherwise encumbered.

By now somebody must have designed a decent protocol mapping LDAP's data model directly onto a nice RESTful API that R. Fielding and TBL would be proud of.

That should make for a good upgrade path, no?

j / k navigate · click thread line to collapse

0 pointsacdha14y ago0 comments

0 comments

charlieok14y ago

acdhaOP14y ago

charlieok14y ago

Web(http)-based or not, I'm interested in network protocols that aren't tied to a specific website, or otherwise encumbered.

By now somebody must have designed a decent protocol mapping LDAP's data model directly onto a nice RESTful API that R. Fielding and TBL would be proud of.

That should make for a good upgrade path, no?

j / k navigate · click thread line to collapse