
2025 0329 LDAPEnforcer alpha release

I run an LDAP server in the Kubernetes cluster for my homelab, and I wanted user/group creation to happen based on files I checked into git. I haven’t seen anything that can really do this so I decided to write it myself.

ldapenforcer is a program that reads config files containing users and groups, and creates and modifies LDAP objects to match the config files. It’s idempotent and can be run repeatedly to ensure the server is always properly configured.
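To make the "reconcile the server to match the files" idea concrete, here is a small Go example written for this page. It is not ldapenforcer's own code, and ldapenforcer's real config format and LDAP client handling are not shown; the config structs, the DN layout (ou=people and ou=groups under a base DN), the object classes, and the in-memory Directory stand-in are all this example's assumptions. It loads a constructed config, diffs it against what the directory holds, and emits only the adds and per-attribute replaces that are actually needed, so running it twice does nothing the second time.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Desired state as it would be loaded from a file in git. These types and the
// attribute mapping below are this example's assumptions, not ldapenforcer's format.
type (
	User   struct{ UID, CN, SN, Mail string }
	Group  struct{ CN string; Members []string } // Members are uids from Users
	Config struct{ Users []User; Groups []Group }
	Entry  struct{ DN string; Attrs map[string][]string } // minimal LDAP entry
)

// Directory is the subset of LDAP operations a reconciler needs. A real
// implementation would wrap an LDAP client; memDir is an offline stand-in.
type Directory interface {
	Get(dn string) (*Entry, bool)
	Add(e Entry)
	Replace(dn, attr string, vals []string)
}

type memDir struct{ entries map[string]*Entry }

func newMemDir() *memDir                           { return &memDir{entries: map[string]*Entry{}} }
func (d *memDir) Get(dn string) (*Entry, bool)     { e, ok := d.entries[dn]; return e, ok }
func (d *memDir) Add(e Entry)                      { cp := e; d.entries[e.DN] = &cp }
func (d *memDir) Replace(dn, a string, v []string) { d.entries[dn].Attrs[a] = append([]string(nil), v...) }
func userDN(uid, base string) string               { return fmt.Sprintf("uid=%s,ou=people,%s", uid, base) }

// desiredEntries renders the config into the entries the server should hold.
func desiredEntries(cfg Config, base string) []Entry {
	var out []Entry
	for _, u := range cfg.Users {
		out = append(out, Entry{DN: userDN(u.UID, base), Attrs: map[string][]string{
			"objectClass": {"inetOrgPerson"}, "uid": {u.UID}, "cn": {u.CN}, "sn": {u.SN}, "mail": {u.Mail},
		}})
	}
	for _, g := range cfg.Groups {
		var members []string // groupOfNames members are DNs, not uids
		for _, m := range g.Members {
			members = append(members, userDN(m, base))
		}
		out = append(out, Entry{DN: fmt.Sprintf("cn=%s,ou=groups,%s", g.CN, base), Attrs: map[string][]string{
			"objectClass": {"groupOfNames"}, "cn": {g.CN}, "member": members,
		}})
	}
	return out
}

// Reconcile makes dir match cfg and returns the operations it performed. Missing
// entries are added; on existing entries only attributes whose value set differs
// are replaced, so a second run over unchanged config returns nil.
func Reconcile(dir Directory, cfg Config, base string) []string {
	var ops []string
	for _, want := range desiredEntries(cfg, base) {
		have, ok := dir.Get(want.DN)
		if !ok {
			dir.Add(want)
			ops = append(ops, "add "+want.DN)
			continue
		}
		for _, attr := range sortedKeys(want.Attrs) {
			if !equalSets(have.Attrs[attr], want.Attrs[attr]) {
				dir.Replace(want.DN, attr, want.Attrs[attr])
				ops = append(ops, fmt.Sprintf("replace %s on %s", attr, want.DN))
			}
		}
	}
	return ops
}

// Multi-valued LDAP attributes are unordered, so compare them as sets; a
// positional comparison would rewrite group membership on every run.
func equalSets(a, b []string) bool {
	x, y := append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	return reflect.DeepEqual(x, y)
}

func sortedKeys(m map[string][]string) (keys []string) { // deterministic op order
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// sampleConfig is constructed input standing in for a file checked into git.
func sampleConfig() Config {
	return Config{
		Users:  []User{{"alice", "Alice", "Example", "alice@example.test"}, {"bob", "Bob", "Example", "bob@example.test"}},
		Groups: []Group{{CN: "admins", Members: []string{"alice", "bob"}}},
	}
}
```

Two points from this are worth carrying into a real tool: compare multi-valued attributes as sets, because a server returns them in no particular order and a positional compare would rewrite every group on every run, and have the tool return or log exactly what it changed, so drift that a scheduled run silently corrects is still visible in the logs. Pruning entries that exist on the server but not in the files, and handling userPassword, are deliberately left out of the example.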

First time with Claude Code

I wrote all 5600 lines of Go in just a few days with Claude Code. In fact, most of the work was done in the first two days; later work was more documentation and examples than it was bug fixes.

I’m used to working with ChatGPT and Claude chat and I like them a lot; Claude Code improves a lot on top of those tools. If I hadn’t used Claude Code, I suspect the work would have taken me a few weeks of side project time, maybe more, and the result wouldn’t have been worth all that. For just a few days of work, though, it’s already paid off.

It was super fun to build, and really rewarding to see it work so quickly.

I’m not going to lie, it was unsettling. It was also really fucking cool, though. The experience spawned a few remarks on Claude Code and the future of programming, and at least one informal prediction salon.

Motivation

I really tried to avoid writing this program. I started out with an approach to applying LDIFs that worked sort of like database migrations, which I described here, but it was very fragile and unwieldy for more than just a handful of users and groups.

Recommendations

  • You probably don’t want to run 389 Directory Server for your homelab (not that I am in a position to judge).
  • Many people recommend authentik, but it cannot define users and groups in files (without another configuration management system like Ansible).
  • lldap is a very nice LDAP server that is easy to administer without any training (which cannot be said of 389 Directory Server), and it has a nice GUI for users and groups, and good documentation.
  • A kind commenter on Reddit pointed me to glauth, which is a simple LDAP server that accepts user/group creation via files; I haven’t used this but I probably would have tried it if I’d known about it.
