Community Poll: What's your favorite Directory Server?

For some time now I’ve gone back and forth on what my personally preferred (LDAP) directory server is; in particular between Sun Directory Server Enterprise Edition, OpenDS, and OpenLDAP. Each has advantages and trade-offs:

  • DSEE: Not free, complex, but well trusted, with exceptional scalability.
  • OpenDS: Free, super simple install, management GUI included, the best starter directory for sure, but relatively new to the scene and thus still needs to build more cred.
  • OpenLDAP: Not the best scalability, not the best replication or feature list, but very extensible, extremely well known and supported, and free. Advanced features are much more straightforward than in the competitors thanks to the flat config file (especially ACLs, TLS, etc.).

So I put it to my loyal and educated readers… which is your directory of choice?
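To make concrete what "ACLs and TLS in a flat config file" looks like in practice, here is an added example that is not part of the original post and not taken from the OpenLDAP project's own documentation. It uses the cn=config (LDIF) form, which OpenLDAP 2.3 and later also accept; the slapd.conf form is the same `access to ... by ...` lines without the `olcAccess: {n}` prefix, with `TLSCACertificateFile`, `TLSCertificateFile`, `TLSCertificateKeyFile` and `security tls=1` as the corresponding directives. The suffix, the `{1}mdb` database index and the certificate paths are assumptions for illustration. The point worth checking in any ACL set is ordering: slapd tries the rules in order and stops at the first whose `to` target matches, so the `userPassword` rule must come before the catch-all, and each rule ends in an explicit `by * none` so the deny is visible rather than implied.

```ldif
# Added example (not from the original post or the OpenLDAP project).
# Assumptions: user database is olcDatabase={1}mdb, certificate paths under
# /etc/ldap/tls/ are placeholders. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f acl-and-tls.ldif

# Server certificate material (paths assumed).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/ca.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/tls/server.pem
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/tls/server.key

# Access rules on the user database. Rules are evaluated in {n} order and the
# first rule whose "to" target matches wins, so the password-hash rule must
# precede the catch-all. "by anonymous auth" lets unauthenticated clients use
# userPassword only to bind, never to read it. olcSecurity: tls=1 refuses
# operations on this database over an unprotected connection.
# (A continuation line starts with one space; the second space is content.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
-
replace: olcSecurity
olcSecurity: tls=1
```

After applying, the effective rules can be read back with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcAccess olcSecurity`; a rule that lands after the catch-all in that listing is never consulted, which is the mistake this layout is meant to make obvious.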

69 Responses to “Community Poll: What's your favorite Directory Server?”

  1. Ian says:

    I’m partial to Novell’s eDirectory (formerly NDS). It’s extremely flexible, scales well, and runs on multiple operating systems. It’s a real multi-master directory service and X.500 compatible. Unfortunately, nobody knows about it because Novell isn’t exactly known for marketing their own products, or marketing anything at all!

  2. benr says:

    I tried eDirectory a couple years ago and it was horribly convoluted; felt like an IBM product. Looking again, there is Solaris/SPARC but not Solaris/x86 support. Good suggestion, was curious if someone would note it.

  3. Disclaimer: I am not a Sun employee but have done a significant amount of work with DSEE, sometimes as a subcontractor to Sun pro services.

    I am pretty sure DSEE is available for people to run (without support) for free. There are free forums where you can ask questions, but if you want official support (including hotfixes) you need to purchase a license + support contract. DSEE includes components like ISW (AD -> LDAP sync) and Directory Proxy Server, which are features you can’t get in OpenDS or OpenLDAP currently. DSEE is really mature, which is great from a community knowledge perspective, but it is also showing its age with respect to things like write performance and maintenance characteristics (db size on disk can grow very large in some cases). The imminent DSEE 7 release will address some of these, but not all.

    I really like OpenDS’s ease of use and feature set. Super simple installer (command line or GUI), and the management GUI and dsconf make most operations a piece of cake. The performance is amazing. Documentation on the OpenDS wiki is also very well done. One downside for OpenDS versus DSEE is that OpenDS doesn’t have quite as many of the subtle options documented. For the majority of sites though I think OpenDS is a very reasonable product to pick and it is getting even better at a fast rate.

    OpenLDAP – I hadn’t used it much in the last 5 or 6 years but actually installed it again to do some comparison testing earlier this week. I was blown away to realize that the way to edit the configuration is still vi’ing files, and the maintenance tools seem to lack any real polish. I did see that there has been a lot of good performance work and features added (thanks Symas!), but it definitely didn’t appear to be as well-rounded a product as the other two. I’ll be psyched once OpenLDAP can be easily managed using tools similar to dsconf and the docs are modernized.

  4. Dave says:

    Don’t have much experience at all with directory servers – but I will say OpenDS’s Java Web Start installer is a real eye-opener. Magic even.

  5. Sun’s directory server was a nightmare for me to get installed and running; I ended up opting instead for Fedora Directory Server (now named 389 Directory Server to distance it from the Fedora Linux project, as it runs fine on other Linuxes and Solaris). Management seems to be a bit easier, the documentation is a lot easier to come by without paying somebody for a support contract, and it’s built on the same iPlanet code base as the Sun offering. If I needed the features of Sun’s offering, I’d probably have gone with it instead.

    I’d never touch OpenLDAP again because of how limited and immature its multi-master replication is.

  6. Anonymous says:

    I agree with Jeff. Fedora Directory Server seems to be the best fit in our infrastructure.
    It has all the cool features of iPlanet, but it’s a bit easier to install and use.
    Actually, I like where the whole FreeIPA product from RedHat is going.
    For a small company, in the near future FreeIPA + Samba 4 will be the bread and butter of Identity Management.
    JES products are nice and full of features, but too complex to set up for a small company.

  7. Dominic says:

    We’re using OpenDS happily in a relatively small environment after a brief stint with OpenLDAP. The team are very responsive and capable, the documentation is excellent and the product is gaining traction as it’s maturing. The ease of OpenDS’s configuration and management made it a clear win over OpenLDAP and so we quickly migrated.

    The team seem to have a good roadmap of bringing in enterprise features that DSEE has until OpenDS is able to fit into DSEE’s place.

    The installer, often mentioned as its best feature, is fantastic for development and testing work. When working on anything to do with LDAP, it’s my first port of call, as a test instance can be running in about a minute.

  8. natxo asenjo says:

    Privately: right now openldap (I once set it up years ago and it has been running since then), but the next one will be freeipa (ldap + kerberos in one). RedHat has a killer project there.

    Interesting times in ldap server land, indeed. My bets are in freeipa + samba 4 integration: http://freeipa.org/page/IPA_and_AD; there is a huge base of AD environments out there, so being able to just integrate a freeipa server in one of them (probably replacing the AD servers in the meantime) to serve both unix and windows clients natively will be sysadmin’s nirvana.

    We’ll see…

  9. Mark says:

    Not sure if it’s a recent change but DSEE is indeed free – note the amusing tagline ‘Download DSEE—at no cost, no kidding’ from http://www.sun.com/software/products/directory_srvr_ee/get.jsp

  10. OpenDS. Think this one is a winner. DSEE is free, and Red Hat, Fedora, CentOS and many more have branded this server; it is free but can be difficult at times, and has excellent logging features. But overall OpenDS.

  11. Alex says:

    I really appreciate this poll, because I’m currently with OpenLDAP but want to move away from it. It’s either DSEE or OpenDS for me but it seems as though it could go either way. I’m looking for something supportable and stable, so from that point of view it’s DSEE. But I feel a little worried about how that product will be maintained in light of the Oracle deal, so OpenDS is still interesting.

  12. benr says:

    FreeIPA looks awesome; I can’t believe I haven’t heard of it before.

  13. foo says:

    Being a commercial customer of DSEE, I find it an exceptional product.

    I also find myself using Apache Directory Server (built into Apache Directory Studio which I use extensively for managing the content of my DSEE directories) for doing small testing work.

    OpenDS isn’t something I’ve experimented with beyond the install-and-fireup stage however we’re using it within OpenSSO.

  14. Dennis says:

    Hi, I have a question about LDAP in general. We currently store our identities in an MSQL database, but we plan to migrate to LDAP. Is there software that can map attributes from the DB to LDAP attributes? Thanks

  15. benr says:

    Dennis: I know that OpenLDAP can do this, not sure about other products.

    foo: ApacheDS is awesome, but not sure about doing a production deployment on it yet. I do love Apache Directory Studio as an alternative to existing browsers. Can’t wait for TripleSec to be ready.

  16. Casey says:

    DSEE is rock solid, and since 6 the management interface has been pretty nice. OpenDS is up and coming, but not quite there yet. Editing ACLs in a file for OpenLDAP always bothered me.

  17. Disclaimer: I work for Sun and stand behind both Sun Directory Server and OpenDS ;)

    Dennis: Sun Directory Server Enterprise Edition has virtual directory capabilities that allow mapping different datasources to LDAP.

    Foo, Ben, I agree that Apache Directory Studio is the best tool for LDAP data management (as long as the size of the directory is reasonable. Beyond a certain size, I don’t know any good tool anyway).

    Casey: You say OpenDS is not quite there yet. What do you consider missing for it to be there? Have you experimented with the most recent version (OpenDS 2.2.0-RC2)?

  18. Mark says:

    I heartily recommend DSEE, and we have been running the free version for years. We’ve never run into a problem that we couldn’t solve with help from the forums or other online resources. Our infrastructure has been upgraded over the years from a fairly complex DSEE 5.2 to a relatively simple 6.3 configuration (better multi-master support in 6 was a godsend!).

    We have a 3-way multi-master setup front-ended by 2 proxies that sit behind a Cisco load balancer, and we are starting to look at the Virtual Directory features of the proxies.

    Haven’t looked into OpenDS since the project started, I’d be interested to see what has been going on with that project.

  19. Mark says:

    @Dave:

    389 DS (i.e. Fedora DS) is based off of the Sun DSEE 5.2 Directory server and has a lot of limitations compared to DSEE 6.x. You might want to take another look at DSEE 6.3; it is light years better in management than the older versions.

  20. Ian says:

    Ben,

    Yes, I can see that. Novell’s documentation has been lacking over the past few years. I’m used to eDirectory because of NetWare. Every NetWare server has eDirectory running on it by default. Getting eDirectory running on non-NetWare platforms without ever seeing it before would give me fits too. Once it is up and running, it is solid as a rock and easy to deal with. Overall it’s a completely hands-off service in terms of schema and replica management.

    As an aside, Active Directory really seems like a kludge. Are most LDAP based directory services modeled off of AD? Good topic though, I’m going to check out OpenDS.

  21. David M says:

    I don’t have a preferred Directory Server as I don’t have a lot of experience with them, so I’ll let the experts debate the pros and cons. My only experience has been with OpenLDAP, which has suited my needs.

    I just wanted to correct one thing that Bill Hathaway said about OpenLDAP. The current version of OpenLDAP supports keeping its configuration in flat files or in the directory in cn=config. For now both are supported, but it’s expected that support for flat file configuration will be phased out.

    One tool that I’ve found helpful is Apache DS Studio. It’s an Eclipse plugin for browsing and editing LDAP directories, with a schema editor.

  22. Why do you say openldap is not scalable?

    FYI: I’ve got a 4 way multi-master openldap cluster setup with ~30 slaves replicating from the multi-master cluster. How is that setup _not_ scalable?

    OpenLDAP is also the fastest DS server we’ve had a chance to test against the SunOne directory server, Active Directory, and 389 Directory Server (aka Redhat Directory Server). You also missed online schema changes when you store the configuration in the directory aka cn=config.

  23. Forgot to say… the bundled management tools for openldap suck, as does the documentation. However, the mailing list and irc channel are very helpful.

    ldapvi is my preferred ldap client.

  24. Matt Simmons says:

    Oh, I’ll get flamed for this, but honestly, I don’t have any LDAP experience, and rather than spend time acquiring experience on one of the many open, free directory servers, I just built an active directory infrastructure.

    I got sick of not having centralized authentication, spending time on admining dozens of machines plus dozens of other non-related accounts. So I used AD and haven’t looked back since.

  25. Tom says:

    I’ve been peripherally involved in a DSEE install. I’ve taken Sun’s LDAP class as well. I’ve used AD quite a bit. I’ve collapsed an AD domain & server into another.

    From what I’ve heard, AD isn’t that hard to set up with the defaults to get systems set up. Install, start adding systems, done.

    DSEE wasn’t so easy. The class wasn’t too bad, but did have some rough edges. The DSEE deployment was tough.

    Why can’t you just drop an LDAP server in with all the default schemas loaded, just like you can with AD?

    FWIW, if I can run NIS, it’s *way* simpler. But I need the password lockouts and expiration that LDAP provides. Heck, why can’t LDAP setup for user accounts be as simple as NIS?

  26. Matt,

    Interesting that you talk about NIS.

    With Active Directory I was never able to get the more advanced features such as Netgroups and automounts working.

    I now use OpenLDAP for naming only and pretty much as a NIS replacement. For authentication, I use Kerberos. The LDAP/Kerberos combination provides me with Kerberised NFS for home directories, which is nice once you get it going.

    Apache’s DS also rolls in a Kerberos server, but the documentation seemed very immature.

    Edward

  27. Adam Gibbins says:

    Just a heads up, OpenLDAP no longer stores its configuration within a flat text file; as of 2.4 (iirc) it’s stored within the directory itself (to assist in replication).

  28. Kashif says:

    I would have to go with Fedora DS or 389 as it is known now. I have wiki’d the install and config:

    http://wiki.unixcraft.com/display/MainPage/Linux

  29. Justin says:

    389 DS. Works well, good replication, and I have always had good results with my JBoss AS.

  30. arnaud says:

    Great thread, it’s awesome to see opinions and experience exchanged in an honest, open way!
    DISCLAIMER: I work at Sun in the DS engineering team.

    A couple of players I know that I haven’t seen mentioned: Isode Directory Server (any users care to share their perceptions of the product? I’m just curious), UnboundID Corp. has a for-pay offering that was originally based on OpenDS (at least it was back in late 2006), IBM Tivoli Directory Server (these guys have some pretty amazing tools in the Tivoli fold that a lot of the players in the market could learn from; I won’t say here though), IBM RACF of course, Oracle OID, Apertio, and I’m sure I’m forgetting a bunch.

    I hadn’t heard about freeIPA, thanks for pointing this out.

    Picking your directory is really a complex matter because it depends on a lot of parameters:
    • your immediate needs
    • your mid/long term needs
    • your will/want to learn (Would you rather pick something easy to start with even if it doesn’t quite do everything you want, or would you pick something you’re sure will have you covered no matter what jumps at you?)
    • your constraints (budget, performance, system size, maintenance, etc…)

    What product you pick is usually a good indication of what is important to you. Bottom line is there is a product for you out there; you need only find the one that fits you best.

    Thanks for starting the thread Ben!

  31. Peter Caligari says:

    We first had a look at Sun Directory Server and OpenDS but finally decided against both (against the first because we already had openldap experience, and against OpenDS because it does not support passthrough authentication to Kerberos). We got it working perfectly for Unix, Linux and MacOS X clients (including netgroups and automount). We are now switching completely to Active Directory 2008 R2, though, because we could not get Windows clients to handle Kerberos in an easy way (MIT tools for Windows do not seem to be well integrated and hassle-free).

    Pity, but AD seems to be the easiest way out. Not that it’s easy to integrate all other platforms in an AD (automountMap, etc. is missing), but it wouldn’t be the other way round either.

  32. Daniel van Eeden says:

    I know the scalability issues with OpenLDAP, but the recently introduced NDB backend should bring OpenLDAP very stable and scalable replication. It is only sync replication, not async. NDB is also the backend for MySQL Cluster and there is also an apache module for it.

  33. UX-admin says:

    I like Oracle Internet Directory (OID). Oracle married an LDAP directory server with an Oracle database used as the backend storage for it.

    The command line tools are simple to use, and there’s an ugly Java-based GUI which works well enough for browsing the schema(s), but is simply garbage to use for anything more than that.

    What I like the most about OID is that its configuration can be completely automated via SVR4 packages, since it has the CLI tools to do the job. And because it uses an Oracle Database, HA is assured via RAC and ASM.

    My next choice would be Sun One directory (formerly Netscape directory) server.

  34. UX-admin says:

    “Would you rather pick something easy to start with even if doesn’t quite do everything you want or would pick something you’re sure will have you covered no matter what jumps at you?”

    Only a fool would pick something just because it is easy; whichever the solution, it should solve as many of the problems as possible and be designed for the LONG TERM AND SCALABILITY.

    Being easy is not the correct criterion IF the solution implemented will have long term consequences and become a vital, critical part of the infrastructure.

    If it were my employee, and they picked a solution “just because it is easy to implement”, that would get them fired, on the spot, no ifs, buts, or maybes.

    If the process of figuring out technology is too difficult for one, one shouldn’t be in IT or CS; they should go do something else.

  35. tbooth says:

    Oracle Internet Directory (OID)

  36. rno says:

    I used OpenLDAP; it took some time to get it working but it was all good at the end! Been working on the SUN version for the last 6 months and I really start to like it more and more! Replication can be easily managed; just a bit worried about ACI (ACL), which was very straightforward with OpenLDAP, but it looks like you need to create an LDIF file with the SUN version.

  37. James says:

    OpenLDAP – smbk5pwd is a killer feature. The drawbacks are the maintainers, who are acerbic, expect you to know every last inch of LDAP and couldn’t put out a stable release to save their lives – the standard bugfixing advice is to upgrade to the latest version. Performance is apparently better than any other LDAP server, but I haven’t done any testing myself.

  45. Dave Anderson says:

    Having done Directory stuff for 10+ years, hands down DSEE was the best. If you put it together right, and did the details like setting changelog expires, you could get 100% service availability and 5-9′s on a node.

    But 389 Directory Server (OpenDS) sure looks like a nice fork and is sparking my interest.

    eDirectory would be second, but last I looked at it I deemed it too convoluted internally. Not an easy chew. IBM never really caught my fancy. OpenLDAP, great for one-offs but scalable it is not. But a nice reference system.

    AD is a poach; only use it because most places have AD… Things like microseconds since 1600… name changes and unnecessary messing with the LDAP spec that really adds zero value but does add aggravation. But it is becoming more open as many have picked away at its nuances to a point where you can write some good code into it.

    My preference for data drive is HRIS/ERP to DSEE, then use IDM or a custom Java or C++ program to do AD, Oracle and others.

    Been out of hard core Directory stuff for 2 years, need to install 389-DS and give it a run.
