Linux.com

Feature

Your LDAP administration toolbox

By Brian Jones on March 17, 2004 (8:00:00 AM)


Do you have what it takes to manage an LDAP infrastructure? Administration of a directory means having a thorough knowledge of the directory's structure, data, security, performance, and general configuration. It also means knowing how to efficiently respond to requests for information about any aspect of the directory, and indeed, any aspect of your environment for which your directory is the canonical source of information. In this article, I'll go over some of the standard (and not so standard) tools that can put you firmly in control of your directory.

Getting GUI with LDAP: Graphical tools

New graphical tools for LDAP administration seem to come along every day. Some are Web-based, while others are full-fledged desktop applications running without a browser. I have tried many of the Web-based tools and nearly all of the desktop applications that run under Linux. Of these, the one I've found most useful is one that I don't often see recommended on the various LDAP mailing lists. It's a humble Java application called LDAP Browser.

In spite of its name, LDAP Browser is far more than a simple browser that lets you view the data in your directory. It is a full-fledged administration tool, allowing you to add, delete, and modify entries, with full support for encrypted sessions as well as specialized support for certain attributes -- for example, it enables you to verify or reset an encrypted userPassword attribute for an entry. With LDAP Browser you can move an entire section of your LDAP directory to another part of your directory. In my early testing, I moved the entire contents of a subtree of my directory, containing about 1,000 entries, and put it underneath an existing subtree -- an operation I've had problems doing using other tools. In addition, if you simply must have a browser-based tool, LDAP Browser is written in Java and can run either as an applet or a standalone application. While the application hasn't been updated since (apparently) 2001, it is 100% LDAPv3 aware, and the tool works as well as or better than any other tool out there that I've tried.

GQ, another standalone application that is heavily recommended on the LDAP mailing lists, is a GNOME application that is included on a lot of Linux distribution CDs, usually as an add-on application. Though I'll probably take heat for saying so, I've never made friends with GQ. I've turned up multiple ways of crashing the tool, and I did not find it to be particularly user-friendly. Add to this my growing resentment of open source projects that lack anything resembling documentation and you have my less-than-glowing review of the tool. However, the fact that it is so heavily hyped on the mailing lists leads me to believe that GQ is probably useful for those who overcome its quirks.

Only two worthwhile Web-based LDAP administration tools spring to mind: phpLDAPadmin and YALA (Yet Another LDAP Administrator). (DISCLAIMER: I once contributed to the YALA project, to add support for TLS connections.) These tools are equally useful, and are probably the least buggy of the Web-based administration tools I've used (the number of which is nearing a dozen). If you have a relatively small directory, don't need connections to multiple directories, and don't do crazy things with loads of data at any given time, these tools are fine, assuming you don't mind maintaining a Web server to support them. For enterprise-strength administration, I've had more luck with the desktop tools. On the other hand, if you need a specialty tool for LDAP, like a special interface just to manage LDAP and Qmail, or LDAP and RADIUS, or some other configuration, there is probably a Web-based tool to ease your pain. It's worth searching freshmeat.net for these tools.

In closing

I hope this sampling of my favorite tools helps you narrow your search for LDAP administration software and gives you a baseline to measure other tools by. There are a million other tools available to ease LDAP administration. The fact that I have some kind of gripe with about 99% of them should not keep you from trying them out. LDAP environments can vary greatly in their configuration, and one LDAP admin's useless crapware is another's savior. Find one that fits your brain and stick with it.

Up to now in this column we've covered building and installing OpenLDAP, designing a simple directory, and adding some entries. After reading this article, you are now armed with the tools necessary to move forward as an LDAP administrator. These tools can help you tinker with your directory -- poking and prodding at it to discover (or change, or destroy) all that it holds. Next time, we'll learn how to make your Linux system an LDAP client, using LDAP for authentication as well as user and group lookups.

Brian Jones is the founder of linuxlaboratory.org, and has worked as a *nix systems, network, and database administrator for the past six years. He currently works for the Computer Science department at Princeton University.


Comments


Directory Administrator

Posted by: Administrator on March 25, 2004 10:04 PM
The aptly named 'Directory Administrator' (http://diradmin.open-it.org/index.php) is a great tool if you want to do basic posixAccount-based user management in an LDAP directory. It's quick and convenient, though not overly flexible.
