devbeatitude.com
08 Oct 2018

Samba Over ApacheDS Over OpenLDAP

My application has internal users and groups, with role-based access control based on group membership… in other words, it’s a plain old corporate business application, not a retail app or a social network where anyone can sign in with Google, Facebook, Amazon etc.

So I need a directory server. In the dawn of time (a few years ago) I gave my installation team more freedom to choose their own components… Since our target platform is Linux, they chose OpenLDAP.

OpenLDAP is a major pain in the ass to configure to our requirements. I wrote ever so many lines of shell script to add a partition (e.g. arkcase.com); enable TLS; add three or four LDAP schema elements required by my application, but not loaded by default into OpenLDAP; and change the default admin password.

All this was on CentOS 6. Well, when CentOS 7 came out, all these scripts stopped working! The CentOS 7 OpenLDAP packages broke something. I didn’t have enough guts to wade back into the code.

Where could we go from OpenLDAP? Since my application is written in Java, next we chose ApacheDS. Still more oodles of shell script required! In ApacheDS, the official documentation to add a partition says to use a GUI tool! The only way to automate it is to use the tool once, record the LDIF it generates, and write script code to generate the same LDIF.

And it didn’t take long before we had real problems. One of our teams had to load 5,000 test users; ApacheDS choked on the load script; too much traffic all at once. Throw in random exceptions and occasional corrupted data stores, and we were ready to move on again.

Since pretty much all our customers are on Active Directory, we really wanted an Active Directory-compatible directory server that is free and runs on Linux. Actually we had these three requirements (AD-compatible, free, Linux) this entire time, so the fact it took me so long to find Samba 4 just goes to show what a bad architect I am.

The guide looks intimidating, but the process couldn’t be simpler, especially if you only need Active Directory compatibility in terms of directory services (not so much DNS, file shares, Kerberos, certificate management…). All my oodles of shell script boil down to 150 lines of Ansible directives, most of which set up a folder structure. After configure; make; make install I have a working Active Directory compatible server, complete with partition, TLS support, and my desired administrator password.

The lesson is simple, but I seem to forget it just as often as I learn it: always go for the service that most closely meets your requirements. Samba is free; runs on Linux; is compatible with Active Directory; and is easy to install and configure.

Tags: ldap lessons-learned
devbeatitude.com by David Miller is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.