Hi everyone! For the past year I've been working on a simple LDAP server for user management, targeted at self-hosted servers.<p>The idea is that OpenLDAP is a pain to install, configure and manage, and on top of that you need a frontend if you want a web UI.<p>LLDAP instead provides a minimalistic LDAP server that supports the subset of LDAP needed for user management and authentication, with almost no configuration required, and a nice UI/API in front of it.<p>We just released version 0.4 (and 0.3 actually) and it should now be stable enough to use yourself!<p>We've had some people using it for tests as well.
LDAP really needs more love. Almost everything can be integrated with LDAP in some form, yet managing the server and configuration is always a bit tricky.<p>Currently I'm trying to learn to be more productive with LDIF, which honestly is much simpler than I thought. It's a great way to do bulk changes and handy in scripts, but it's not a sensible way to do everyday interactions. Right now there aren't many good tools. Apache Directory Studio is rather nice, but feels old-fashioned and not the kind of tool you'd want people to interact with on a daily basis... unless they understand a bit about how LDAP works.<p>It's really nice to see a new LDAP project, especially one that focuses more on making the protocol more accessible.<p>For those who need something simple there's also the OpenBSD LDAP daemon, which also works pretty well.
Something cool that I didn't highlight since it's not the main point:<p>The web UI uses the OPAQUE protocol to log in/store passwords, so your password is never sent to the server (it instead stores just enough information for you to provide a cryptographic zero-knowledge proof that you have the correct password).
It's a bit undermined by the fact that LDAP binds use plaintext passwords, but I thought it would be cool to implement :)
Another project with similar goals, glauth: <a href="https://github.com/glauth/glauth" rel="nofollow">https://github.com/glauth/glauth</a>. It's written in Go and has a declarative config--you can define users and groups in YAML. Makes it really easy to do HA and manage your LDAP estate using Ansible.
I have been using lldap for a while (paired with Authelia), and it is a real godsend.<p>I feel like I need a PhD to configure openldap, while this was as out of the box as it gets.<p>Kudos to the devs!
FWIW, I have another entry in the same genre: <a href="https://github.com/majewsky/portunus" rel="nofollow">https://github.com/majewsky/portunus</a> - Seems like there really is a lot of pain with LDAP to go around.
This is very interesting. I have built a lot of services that authenticate against LDAP or request user attributes (99% domain controllers in Microsoft land) and I believe this can be a very solid basis for user management for anything outside that plantation. Will certainly keep an eye on this.
Any thought about supporting SQL databases for the user backend with configurable queries? Would be awesome to be able to take an existing SQL database of users and use that to serve LDAP authentication queries.
How does it compare to 389 Directory Server? I've been using that with SSSD for user management and authentication in a small LAN with about twenty machines for about ten years. It is rock solid, but every few years when I do a major OS upgrade I have to get deep into the weeds and it always takes me a few days to become familiar with all the backend stuff again. I'm not using Kerberos or single sign on or anything fancy.
What do all of the people who want to work with *nix in their infrastructure, but also want to utilize AD and LDAP, use?<p>OpenLDAP? FreeIPA? 389 Server? ApacheDS? The project in this post? Or something else?<p>I mean, is it even viable to use something like that for most general purpose use cases, as opposed to caving in and going with something running on MS software/cloud platforms?<p>Which is the easiest to get started with and administer? Personally, I've used OpenLDAP in containers for a bit and overall the experience was pretty good. That said, I've yet to see something as nice as Keycloak for managing a directory service (just something that you can set up in 15 minutes, that has a nice web UI and that has a wide variety of functionality).
This looks really cool and should help me out when integration testing things that require an LDAP connection. For example, setting up the Jenkins LDAP connector in an automated test.<p>PS: I'm glad we no longer need to state in the title of a Show HN post "written in rust".
I just went through the pain of setting up FreeIPA and I wish I saw this first. It's not that FreeIPA was difficult to set up; it's that it's immensely complex with lots of parts and little documentation. Ultimately, all I really wanted was the LDAP part for a basic directory service and authentication. Definitely going to be taking a closer look at this, thank you for sharing!
Nice!!!! Definitely giving this a whirl!<p>The only features I need in LDAP<p>* One-way (master->RO) Replication<p>* Standards compliance for queries/binds<p>* Easy authentication for setup/administration<p>* Add additional schemas (For instance, the SSH Key schema)<p>OpenLDAP definitely makes all the above quite difficult, but it's doable.<p>One esoteric feature we use of OpenLDAP is SASL delegation. This allows us to defer some users to Active Directory. Nice party trick.
I just don't understand why LDAP software has to generally be so unnecessarily complicated. I'm not talking about the protocol or the domain knowledge, I'm talking about implementations.<p>I've played with OpenLDAP and 389ds.<p>OpenLDAP is dumb in the sense that its own configuration is stored in OpenLDAP itself, so you need to know OpenLDAP to start learning OpenLDAP. And its community is quite toxic (I've seen people in their IRC channel mocking users asking questions and giving out replies like "it's not in the official docs but it's in the codebase, you should have read the source code").<p>389ds... is barely documented. The official documentation often points to the proprietary counterpart from RedHat, but it's not clear which open version corresponds to which proprietary version.<p>This is really a niche that could use some disrupting imho...
I did this for a project at my old company. We were using ApacheDS as an LDAP server, but we were doing a lot of updating to the datastore, and DS kept having issues with corruption.<p>But our use case was really limited, so I wrote a server process that talked LDAP, but it was essentially hard coded to support the 4 or 5 queries that we actually did. Then it was backed by our core Postgres backend.<p>The ASN parser was the trick of it to be sure. For whatever reason, I had a lingering bug in it that I could never track down. Some kind of heisenbug that I was never able to duplicate, and even spamming the logs with tons of debug info, I could never get a handle on it. It wasn't fatal, but it was annoying. Been so long, I don't recall the details.<p>ASN is tricky, but it's not that hard.<p>But, in the end, it worked for our use case.
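Two comments above touch the same piece of the protocol: the author's note that LDAP simple binds carry the password in plaintext, and the comment about writing an ASN.1 (BER) parser for a hand-rolled LDAP server. The following is an added example, not code from lldap, ApacheDS or any commenter: a minimal BER encoder/decoder for the LDAP simple BindRequest PDU as defined in RFC 4511, with a `classify_bind` helper showing what a server or passive monitor would flag. All function names are hypothetical, and the DN and password are constructed sample values.

```python
# Added example (not lldap's or any commenter's code): a minimal BER codec for
# the LDAP simple BindRequest (RFC 4511) plus a defender-side classification.
# Tag values come from RFC 4511 and X.690; everything else is illustrative.
from dataclasses import dataclass
from typing import Tuple

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive


def ber_length(n: int) -> bytes:
    """Encode a length in BER short form (< 128) or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """Minimal two's-complement INTEGER encoding for non-negative values."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return tlv(TAG_INTEGER, body)


def encode_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind = (ber_integer(3)
            + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_integer(message_id) + tlv(TAG_BIND_REQUEST, bind))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; return (tag, value, position after it).

    Every length is checked against the buffer before slicing, which is where
    hand-written BER parsers most often go wrong on truncated input.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: first & 0x7F length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


@dataclass
class SimpleBind:
    message_id: int
    version: int
    dn: str
    password: str


def parse_simple_bind(pdu: bytes) -> SimpleBind:
    """Strictly decode one LDAPMessage that must be a simple BindRequest."""
    tag, msg, end = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE or end != len(pdu):
        raise ValueError("not a single LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    tag_v, ver, pos = read_tlv(op, 0)
    tag_n, name, pos = read_tlv(op, pos)
    tag_a, auth, _ = read_tlv(op, pos)
    if tag_v != TAG_INTEGER or tag_n != TAG_OCTET_STRING:
        raise ValueError("malformed BindRequest")
    if tag_a != TAG_SIMPLE_AUTH:
        raise ValueError("not a simple bind (SASL or unknown auth choice)")
    return SimpleBind(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(ver, "big", signed=True),
                      name.decode("utf-8"), auth.decode("utf-8"))


def classify_bind(pdu: bytes, over_tls: bool) -> str:
    """What a server or passive monitor should flag for one simple bind."""
    req = parse_simple_bind(pdu)
    if req.dn and not req.password:
        return "unauthenticated-bind"   # RFC 4513 5.1.2: DN with empty password
    if req.password and not over_tls:
        return "cleartext-password"     # the credential is readable on the wire
    return "ok"
```

Round-tripping a constructed bind through `encode_simple_bind` and `parse_simple_bind` makes the plaintext point concrete: the password bytes sit verbatim inside the PDU, so the only protection is the transport (LDAPS or StartTLS), which is why `classify_bind` takes `over_tls` as an input rather than inferring it. The empty-password branch covers the unauthenticated-bind mechanism that RFC 4513 recommends servers disable by default, a frequent surprise for applications that treat any successful bind as a login.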
Does anyone know of any nice CLI/TUI ldap browsing tools?<p>ldapsearch is horrible to use for browsing. Apache Directory Studio is a giant Java application with an overcomplex UI, and falls over as soon as you want to use Kerberos (at least, if you want to re-use the TGT that the user got when they logged in, instead of providing their credentials directly to Apache DS so that it can get its own TGT via JGSS or whatever).<p>I know of shelldap, which is OK. But what I'd really like is a sort of Finder like UI where the path of entries is represented by columns, and the attributes of the currently selected entry are displayed in the final column, or the pane below.
I'm glad to see that. DBs like OpenLDAP are way too complicated for simple tasks like having multiple users for NASes and tools in a small group. It reminds me of sendmail with the hours of config.
This seems to be just what I was looking for.
Right now I use Keycloak but I'd like to have user data separate.<p>In what format is data stored?
How resilient is the stored data against corruption?
Great work~<p>In this space there's also Univention (based on OpenLDAP+Samba), which bootstraps the whole configuration from e.g. domain setup to joins to other server instances. Manageable through a web interface as well. UCS aims to be compatible with Active Directory™ - so it still comes with all the legacy complexity of OpenLDAP and more.<p>If compatibility with external integrations or preexisting AD domains is a must-have, it's an alternative.
Can this be used for automatic tests, or are there some other tools that people use for that use case?<p>We develop apps that have LDAP/AD auth integration and I always wanted to have that feature tested locally, without relying on the corporate network and a full blown LDAP/AD server.
This is fantastic. LDAP servers have always been atrocious.<p>Can anyone suggest an open source self-hosted IdP for use with SAML and/or OAuth? Specifically not looking for a cloud-hosted one, and ideally not something horrifyingly complicated like Shibboleth.
I’ll watch with interest, and am heartened with the responses I see. One thing I wish is that the license were also more “lightweight”. GPL3 for a piece of backend network infra seems a bit fraught. This is usually the domain of ISC, MIT, or BSD.