T 2.155 Lack of, or inadequate, planning of OpenLDAP
OpenLDAP is a complex application with a modular structure and, in addition, can be used together with various other applications. The resulting complexity requires the use of OpenLDAP to be planned systematically.
A number of problems can arise from a lack of, or inadequate, planning:
- Backends
Access to the database used by OpenLDAP does not take place directly via the slapd server, but is performed by one or several backends. The selection of the backend(s) and of the related directives and parameters has a direct impact on the functions OpenLDAP is able to offer. If, for example, the back-ldif backend is used for storing the data in order to avoid installing an additional database, only rudimentary functions of the directory service are available. Supporting a large number of users or other objects is then not possible in a useful way.
- Overlays
The adaptability of OpenLDAP arises to a large extent from overlays. They control the flow of data from and to the backends and allow additional functions without the need to adapt or re-program the backends. A lack of planning of the overlay use can result in overlays being used which do not, or only inadequately, fulfil the desired function, which make OpenLDAP run unnecessary operations, or which impair OpenLDAP in its function. For example, the required logging of access to the directory service can fail or be ineffective when the debug function of the slapd server itself and the auditlog and accesslog overlays are not planned correctly. Another example is the unique overlay if it is applied to internal operational attributes; OpenLDAP can then enter undefined system states. If several overlays are used together (stacked), their effectiveness depends on the order in which they are invoked, which is why a lack of planning might cause errors.
- Applications
OpenLDAP works closely together with other applications and makes functions available to them. For example, OpenLDAP can provide user administration and an address book function for email programs, Internet servers and other applications. Without other applications, OpenLDAP is not able to meet the specifications of the LDAPv3 protocol. Thus, a database (in general, BerkeleyDB by Oracle) is required to store the directory service objects for OpenLDAP. In addition, OpenLDAP needs utility programs for secure authentication (for example Cyrus-SASL) and for encrypted communication (SSL/TLS). When OpenLDAP is connected to other applications, a number of errors might arise due to a lack of, or inadequate, planning. For example, incorrect versions of one or several programs whose compatibility is not given might be used. Often it is also forgotten to protect the interfaces between the applications, so that data is exchanged in unencrypted form via network connections.
- System environment
In the event of a lack of, or inadequate, planning, OpenLDAP might be run in an inadequate system environment. If, for example, a distributed file system such as NFS (Network File System) is used for the data storage of OpenLDAP, then file system functions required by OpenLDAP or BerkeleyDB are not available. Among other things, this applies to the locking function with which the database of the directory service is locked securely whilst being used, in order to prevent parallel access by another user.
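The following slapd.conf fragment is a constructed example added here, not part of the catalogue text: it contrasts the back-ldif choice described above with a planned backend and shows the accesslog and unique overlays stacked deliberately. The suffix, directory paths and attribute names are assumptions.

```conf
# Constructed slapd.conf fragment (added example, not from the original text).
# Weak choice: back-ldif keeps every entry as a flat file; no indexing and no
# locking suitable for many concurrent users, so only rudimentary functions remain.
#database    ldif
#suffix      "dc=example,dc=org"
#directory   /var/lib/ldap/ldif

# Planned choice: a real database backend (BerkeleyDB-based back-hdb, as in the
# text; back-mdb replaces the BerkeleyDB backends from OpenLDAP 2.5 onwards).
database     hdb
suffix       "dc=example,dc=org"
rootdn       "cn=admin,dc=example,dc=org"
# Local file system, not NFS: BerkeleyDB needs working file locking.
directory    /var/lib/ldap
index        objectClass,uid eq
index        cn,sn,mail      eq,sub

# Overlays are pushed onto a stack: the overlay configured LAST is invoked FIRST,
# and the backend receives the operation last of all. Here "unique" therefore
# checks an add/modify before "accesslog" sees it.
# Log all write operations for this suffix into a separate log database (cn=log).
overlay      accesslog
logdb        cn=log
logops       writes
logsuccess   TRUE
# Keep log entries for 7 days, purge once a day.
logpurge     07+00:00 01+00:00

# Enforce uniqueness of uid under ou=people only, a user attribute;
# never point unique_uri at operational attributes (see the text above).
overlay      unique
unique_uri   ldap:///ou=people,dc=example,dc=org?uid?sub

# The log database that the accesslog overlay writes into.
database     hdb
suffix       cn=log
directory    /var/lib/ldap/accesslog
rootdn       cn=log
index        reqStart eq
```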