[nycbug-talk] Fwd: openldap vs. 389

Edward Capriolo edlinuxguru at gmail.com
Tue Oct 5 16:34:46 EDT 2010


On Tue, Oct 5, 2010 at 12:26 PM, Jesse Callaway <bonsaime at gmail.com> wrote:
> Whoops. Didn't copy the list...
>
> (to Matt: I wasn't reading properly regarding the backend stuff. I
> thought you wanted puppet and dns as a backend for ldap which sounded
> a little backwards... and yeah so... yeah)
>
> Ah, okay. I see it's the Fedora ldap thingy. That's always looked
> promising and was hopefully easy to manage. I guess you're seeing the
> same. OpenLDAP is certainly an active project, and has hella community
> support. I've heard that there are some shortcuts and assumptions that
> the fedora ldapd makes about your structure which may or may not be
> helpful in the end. For a small org without needs for anything fancy,
> I'd say jump on the bandwagon and ride it.
>
> On the other hand, replication is very lightweight and is rather
> flexible with openldap. You can write a filter to replicate part of
> your directory to provide a certain "view" of the org. I think this is
> trouble with the fedora server.
>
> phpldapadmin is a pretty good front-end for openldap, which I'm
> assuming you are already running. It's not stellar, but it certainly
> gets the job done.
>
> So if you need A/D, and the phpldapadmin GUI isn't cutting it for
> you... then do it. If not, then I'd steer way clear of it for a while
> to afford some flexibility as your implementation changes over the
> coming months. After all it's LDAP so you can sync up what you need
> and migrate if it's desirable. OpenLDAP can do everything 389 does,
> except... you know I don't think that it's particularly performant for
> writes. But who needs a directory server which is write performant?
>
>
> In short, no I don't have any real working knowledge of 389, but I
> have heard of some minor pains in that it can't do "certain" tasks (I
> forget what) due to schema rigidity. OpenLDAP, on the other hand, is
> like being given limestone and sand and being told to build the Taj
> Mahal.
>
> -jesse
>
>
> On Tue, Oct 5, 2010 at 7:27 PM, Matt Juszczak <matt at atopia.net> wrote:
>> Hi all,
>>
>> We are currently evaluating which directory server to use for our authentication implementation, pdns backend, and puppet backend.
>>
>> We have a proof of concept working with openldap but have recently begun looking into 389.
>>
>> For those who have worked with these two, which do you find to be better for your needs?  Which has better replication options?  What about community and active development?  Any major features in one that aren't in the other that are important to you?
>>
>> Thanks,
>>
>> Matt
>>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>>

I have used both 389 and OpenLDAP extensively.

The history: 389 / Fedora Directory Server derive from iPlanet, which
was a Sun invention. 389 is now an open source fork of a product that
always had a commercial code base; if you combine Red Hat / iPlanet /
Fedora Directory Server, you have a ton of documentation and a lot of
history.

They both support LDAPv2 and LDAPv3. The major difference I see is
that the 389 management console is UNPARALLELED in its management
capability. It is not just some snap-on, after-the-fact GUI. The
management console does everything, including configuring multi-master
replication agreements; these can be done from the command line as
well. This gives 389 an edge in management.
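As an added illustration of the partial-replication "view" Jesse describes above (an example written for this archive page, not configuration from the thread, from the OpenLDAP project, or from 389), the following slapd.conf excerpts show a syncrepl consumer that replicates only the ou=People subtree, restricted by a filter and a fixed attribute list, over TLS, using a dedicated replicator identity that the provider limits to read access. All hostnames, DNs, credentials and attribute choices are constructed placeholders.

```conf
# --- Provider (master) side: slapd.conf excerpt (constructed example) ---
# Enable the content-sync protocol that syncrepl consumers speak.
overlay syncprov
syncprov-checkpoint 100 10

# ACL order matters: the attribute-specific rule must come first.
# Password hashes never leave this server for the replicator; users may
# still change their own password and bind with it.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The replicator identity gets read access to the one subtree it needs
# and nothing else; everyone else is denied here.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=replicator,dc=example,dc=com" read
    by * none

# A full sync can exceed the default search limits; lift them only for
# the replicator identity, not for ordinary clients.
limits dn.exact="cn=replicator,dc=example,dc=com"
    time.soft=unlimited time.hard=unlimited
    size.soft=unlimited size.hard=unlimited

# --- Consumer ("view") side: slapd.conf excerpt (constructed example) ---
syncrepl rid=001
    provider=ldap://ldap-master.example.com
    type=refreshAndPersist
    searchbase="ou=People,dc=example,dc=com"
    filter="(objectClass=inetOrgPerson)"
    scope=sub
    attrs="cn,sn,uid,mail"
    schemachecking=off
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=REPLICATOR_PASSWORD_PLACEHOLDER
    starttls=critical
    tls_reqcert=demand
    retry="60 +"
```

The filter and attrs settings are what turn the consumer into a "view": it only ever receives the entries and attributes named, so a compromise of the consumer exposes no more than that subset. The provider-side ACL is the second half of the same control; without it, a replicator DN with broad read access could pull the whole directory regardless of what the consumer's syncrepl stanza asks for. starttls=critical with tls_reqcert=demand makes the consumer refuse to bind if TLS cannot be negotiated or the provider's certificate does not verify.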


