Bla: a brutal, Python-based LDAP DSL.

The true millionaire buys a John Deere, not a Ferrari, to show his worth. It's not only more costly, but it also packs more useful horsepower.
Tractors are true mechanical porn that only wealthy aesthetes can understand.

-- anonymous tattooed billionaire

Why LDAP?

I am not a fan of John Deere (too much vendor lock-in), but they sure look like the kind of vehicle I would buy if my bank account let me buy more than a bike, like today.
In terms of horsepower, when it comes to the number of reads per second needed to fetch a key in a tree, LDAP is pure power.

So much so that any IAM (Identity Authentication Management) comes with it.

Active Directory? Under the hood it speaks LDAP, and it quacks like LDAP, thus it's an LDAP thing.

OAuth? IBM Keycloak very often comes with LDAP as a backend.

YunoHost uses LDAP for the management of its solution.

Most cloud-based RBAC solutions will let you interface with LDAP.

It's easy to interface with RADIUS, even to authenticate the routers leased from the ISP.

LDAP is the backend for most distributed /etc/passwd solutions of the real world. It is an overlooked cornerstone of modern Authentication, Authorization and Accounting.

It's AN INDUSTRIAL, OVERPOWERED /etc/passwd that brings lust to your eyes, hence for all sysadmins aiming at mega corps a rock to have climbed.

However, LDAP SUX.

Why hating LDAP is sane

I would begin with RFC 4511 on LDAP. I am a tad scared when someone says "ASN.1 BER" about a transport layer.
ASN.1 has an infamous past of being hard to implement correctly and of having bugs that often end up as critical vulnerabilities.

Then there is X.500 from the ITU... Well, for those who are used to reading standards, the International Telecommunication Union (or whatever) has a tendency to write hyper-verbose, incomprehensible standards.

Then there is the disconcerting parsing of expressions where the operator comes BEFORE the operands, (and(x)(y)) instead of x and y, or x y and. It may be surprising.

But still, sorry not sorry, I love big bad boyz tailored for speed and replication.

OpenLDAP

OpenLDAP is a free software X509 Lightweight Directory Access Protocol implementation. Out of the many out there, it is infuriating BUT FREE.

What is infuriating is the sheer number of options the command line tools force you to remember to make a simple search.

With MySQL/PostgreSQL, the CLI tools at LEAST give you a bit of history, a session with a context, and a way to connect without repeating all your credentials.

Also, the documentation for configuring your initial setup is quite scattered across the internet. It requires careful reading on the net to get pretty basic stuff like the ability to add users, groups, indexes, overlays...

So... I abused Python.

Making your own DSL

A DSL, or Domain Specific Language, turns an otherwise generalist language into your own console for your CLI. It's piggybacking on the shoulders of giants.

IPython has access to the docstrings and has history... it's a perfect choice.
That's what bla is: a DSL. I will explain a little bit about LDAP and about bla in the next few days :D
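To make concrete both the operator-first filter syntax complained about above and the idea of piggybacking a DSL on Python, here is an added example written for this page, not bla's own code: Python's infix `&`, `|` and `~` are rendered as LDAP's prefix filters, and every value is escaped per RFC 4515 so that data cannot change the filter's structure. `Attr`, `Filter` and `active_user` are hypothetical names.

```python
# Added example, not bla's code: a tiny LDAP filter DSL that renders Python infix
# operators (&, |, ~) as the RFC 4515 prefix forms (&..), (|..), (!..). Hypothetical names.

# RFC 4515 section 3: these characters must be written as \XX inside a value,
# otherwise a value could close a "(...)" term and rewrite the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_value(value: str) -> str:
    """Escape a value so it is matched literally and cannot alter filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


class Filter:
    """A rendered filter; &, | and ~ combine filters in LDAP's operator-first syntax."""

    def __init__(self, text: str) -> None:
        self.text = text

    def __and__(self, other: "Filter") -> "Filter":
        return Filter(f"(&{self.text}{other.text})")

    def __or__(self, other: "Filter") -> "Filter":
        return Filter(f"(|{self.text}{other.text})")

    def __invert__(self) -> "Filter":
        return Filter(f"(!{self.text})")

    def __str__(self) -> str:
        return self.text


class Attr:
    """An attribute name; == and the helpers below yield escaped leaf filters."""

    def __init__(self, name: str) -> None:
        self.name = name

    def __eq__(self, value):  # deliberate abuse of == to get infix syntax
        return Filter(f"({self.name}={escape_value(value)})")

    def present(self) -> Filter:
        return Filter(f"({self.name}=*)")  # structural *, presence test

    def startswith(self, prefix: str) -> Filter:
        return Filter(f"({self.name}={escape_value(prefix)}*)")  # substring


def active_user(uid: str) -> str:
    """Enabled inetOrgPerson with this uid; the lock attribute is set by the ppolicy overlay."""
    uid_attr, cls, locked = Attr("uid"), Attr("objectClass"), Attr("pwdAccountLockedTime")
    return str((uid_attr == uid) & (cls == "inetOrgPerson") & ~locked.present())
```

Note the two kinds of `*`: the one typed inside a value is escaped to `\2a` and matched literally, while the one `present()` and `startswith()` emit is structural and stays bare.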
