I have been working on an article, which was accidentally published for about 8 hours, which is a bitter recounting of my views on OpenLDAP.
IMNHSO OpenLDAP has been a tool fraught with complexity, needless overhead, and inhuman design problems. Replication is terrible to set up. The whole SSL thing is a debacle. The init scripts have failed (for at least 4 years) to take into account that the average human inits ldap as root, then starts it to run as 'ldap'. They rely on Berkeley DB, which is the bane of such things as RPM. The error output is ridiculous and often requires starting it, by hand, with -d.
ACLs, ACIs, lack of unified management, etc. All of these things factor into a solution that (until recently) has had a horrible slew of segfaults if the client or server misbehaved.
However, the more that I rant, the more futile it seems. I am really bitching and complaining about other humans. Humans who, I might point out, Jesus loves very much. So, who am I to tear apart their work?
In short, OpenLDAP devs, if I have a voice (and since quitting the list some time ago, I don't), please give us a few clear, nice things:
- Simple replication setup
- Some sort of unified management for ACIs at least
- An initscript that will chown the ldap directory, or a startup flag that causes this to happen before dropping privileges.
- Simple (read: HUMANE) SSL options (Hint: Verify Certs should WARN and not abort by default.)
- Automagic db_recover for bdb backends
For the rest, well, I think that I will stew that article a little longer. I don't want to hate on people.