[nycbug-talk] Fwd: openldap vs. 389

Jesse Callaway bonsaime at gmail.com
Tue Oct 5 12:26:49 EDT 2010


Whoops. Didn't copy the list...

(to Matt: I wasn't reading properly regarding the backend stuff. I
thought you wanted puppet and dns as a backend for ldap which sounded
a little backwards... and yeah so... yeah)

Ah, okay. I see it's the Fedora ldap thingy. That's always looked
promising and was hopefully easy to manage. I guess you're seeing the
same. OpenLDAP is certainly an active project, and has hella community
support. I've heard that there are some shortcuts and assumptions that
the fedora ldapd makes about your structure which may or may not be
helpful in the end. For a small org without needs for anything fancy,
I'd say jump on the bandwagon and ride it.

On the other hand, replication is very lightweight and is rather
flexible with openldap. You can write a filter to replicate part of
your directory to provide a certain "view" of the org. I think this is
trouble with the fedora server.

phpldapadmin is a pretty good front-end for openldap, which I'm
assuming you are already running. It's not stellar, but it certainly
gets the job done.

So if you need A/D, and the phpldapadmin GUI isn't cutting it for
you... then do it. If not, then I'd steer way clear of it for a while
to afford some flexibility as your implementation changes over the
coming months. After all, it's LDAP, so you can sync up what you need
and migrate if it's desirable. OpenLDAP can do everything 389 does,
except... you know I don't think that it's particularly performant for
writes. But who needs a directory server which is write performant?


In short, no I don't have any real working knowledge of 389, but I
have heard of some minor pains in that it can't do "certain" tasks (I
forget what) due to schema rigidity. OpenLDAP, on the other hand, is
like being given limestone and sand and being told to build the Taj
Mahal.

-jesse


On Tue, Oct 5, 2010 at 7:27 PM, Matt Juszczak <matt at atopia.net> wrote:
> Hi all,
>
> We are currently evaluating which directory server to use for our authentication implementation, pdns backend, and puppet backend.
>
> We have a proof of concept working with openldap but have recently begun looking into 389.
>
> For those who have worked with these two, which do you find to be better for your needs?  Which has better replication options?  What about community and active development?  Any major features in one that isn't in the other that are important to you?
>
> Thanks,
>
> Matt
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>



--
-jesse

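Jesse's point about replicating a filtered "view" of the directory, as an added slapd.conf sketch that is not from the original thread: the consumer asks for a filtered subtree via syncrepl, and the provider's ACL restricts the replicator identity to exactly that subset, so the view holds even if a consumer asks for more than it should. The two fragments belong on two different hosts; all DNs, hostnames, attribute choices and the secret placeholder are assumptions.

```conf
# Provider (master): publish syncrepl and let the replicator identity
# see only what the partial replica is meant to carry. The ACL, not the
# consumer's filter, enforces the "view"; a consumer can ask for more.
# DNs, hostnames, attributes and the secret are constructed placeholders.
database        mdb
suffix          "dc=example,dc=com"
overlay         syncprov
syncprov-checkpoint 100 10

# 1. The replicator may read eng people entries, selected attributes only.
access to dn.subtree="ou=People,dc=example,dc=com"
        filter=(departmentNumber=eng)
        attrs=entry,objectClass,uid,cn,sn,mail,userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * break
# 2. The replicator gets nothing else; everyone else falls through.
access to *
        by dn.exact="cn=replicator,dc=example,dc=com" none
        by * break
# 3. Ordinary rules for ordinary users.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * none
# The replication search must not hit the default size/time limits.
limits dn.exact="cn=replicator,dc=example,dc=com"
        size.soft=unlimited size.hard=unlimited
        time.soft=unlimited time.hard=unlimited

# Consumer (partial replica): pull only the eng view, over TLS.
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
syncrepl rid=001
        provider=ldaps://ldap-master.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="ou=People,dc=example,dc=com"
        scope=sub
        filter="(departmentNumber=eng)"
        attrs="objectClass,uid,cn,sn,mail,userPassword"
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="REPLACE_WITH_SECRET"
        tls_reqcert=demand
        tls_cacert=/etc/openldap/ca.pem
```

A quick check of the view is to bind to the provider as the replicator DN and search the whole suffix: only the eng entries with the listed attributes should come back.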


