by moe 5909 days ago
As someone who has had to maintain a midsized openldap setup I can only agree wholeheartedly: The day the LDAP dinosaur dies will be a happy day.

LDIF is sort of bearable once you've found proper tooling (ldapvi!) and overall the whole thing looks quite sensible and usable at first. For a few minutes. Right after installing slapd and adding your first organizationalPerson.

A few hours later, after wiring up a few applications, things will unfortunately have changed for the worse. Your schema is now cluttered with insane amounts of cruft and redundancy, because every application that supports LDAP (which is not the most common feat in the first place) seems to have a slightly different idea of what your schema should look like or what a good password hash is.

Getting to the point of true single sign-on is a major undertaking. And during large parts of that journey you will feel a lot like Indiana Jones. You get to puzzle together fragments of ancient documentation while fighting off a mythological multi-headed hound. You get to spend hours in endless dungeons of subtle incompatibilities and meaningless error messages. And if you ever get bored there's always a fair share of cryptology waiting for the inquiring archeologist, sometimes humorously declared as "documentation" - but usually just in the form of brief S.O.S. messages carved into a Usenet stone wall somewhere on the internet. Sometime in 1983. By some other poor soul stumbling around in a similar - but of course not compatible and long deprecated - maze.

Yea, lots of fun can be had with LDAP. Not.


I recently integrated my company's LDAP server with OpenSSO, which also meant integrating Sun's LDAP schema and everything, and it was working just fine. Maybe it's openldap that sucks? Never used it, though. I don't know why LDAP is bad, it's quite a perfect tool for certain situations, that would be a nightmare with SQL and even more so with NoSQL. That there are a lot of RFCs is the major negative point the OP makes and there is no reason this is a bad thing, too. The OP just had his first look into RFCs I guess. There are plenty of RFCs for every protocol in use (IMAP for example, even sieve filters have several RFCs). It's good to have RFCs to look things up, I don't see the negative point here.
Could be that the Sun impl is better, but many problems seemed to be inherent. Like pretty much every app expecting a different or redundant schema.

What does that look like in your setup? Do you have ssh/kerberos, samba etc. all under one umbrella without nasty hacks?

I have used OpenLDAP and Sun LDAP on several occasions and while the initial learning curve for the whole "LDAP thing" might be steep for both, it was pretty obvious that OpenLDAP simply doesn't offer a lot of features that Sun's LDAP server has. And I agree with you, OpenSSO is a product where Sun really got it right and I am more than happy it got opensourced.
Yes. But apparently Oracle abandoned the project. Looks like it is continued by ForgeRock: http://forgerock.com/openam.html

All that a few weeks after I recommended OpenSSO to a client.. sheesh.. :P

The Kerberos reference is a nice touch.