We had to investigate the available open source LDAP servers for a project. Turns out that instead of just one offering (OpenLDAP) which was the case in past time we now have three. Two quite mature products (OpenLDAP and Fedora DS) and one fresh start (OpenDS). Apache Directory Server is a completely different story.


(Updated based on helpful comments from Quanah Gibson-Mount)

This is the well known big gamer of the open source community. It now supports multiple database backends (BerkleyDB, SQL, Perl) as well as virtual backends (Meta, Proxy, Monitor). It uses a new replication protocol called LDAP Sync which supports both consumer and supplier initiated replication (Pull and Push based synchronizations as it calls them). Configuration is now accessible by ldap (back-confiig) allowing for on the fly changes to schema/indexing/server configuration. As always all the latest extensions to the LDAP protocol are supported (most of them are defined as IETF drafts by the project leader Kurt Zeilenga anyway). Lastly, it uses an overlay mechanism in order to provide enhanced features to all backends available. Examples of very helpful overlays are:

  • Password Policy
  • Referential Integrity
  • Attribute Uniqueness
  • Constraint checking of attribute values (very cool!)
  • Translucent for creating a union of both local and remote content (another word for chaining as far as i was able to see)

In general a feature full project which can be used for much more than just a simple data storage server (for example it features a very powerful meta backend which can be used for highly configurable ldap proxy services instead of having to use an extra product like Sun One Directory Proxy).

According to latest stats it is able to handle databases of more than 150 million entries and thousands of operations per second (22,000 queries/second, 4,800 updates/second on an April 2006 test). Quite impressive numbers! High Availability standby master (in mirrormode) is already supported in the commercial offering CDS from symas.com (and will be added in 2.4) while N-way multimaster support is scheduled for the 2.4 release.

I do have some comments on the server though. I found that it is lacking some of the following features:

  • A strong console interface for remote administration (like the one featured in the Sun ONE Directory Server/Fedora DS). Some things like setting up replication can be made much easier by using a console interface instead of setting up things by hand. Since the configuration is now accessible through ldap operations i feel that a nice interface will be born .. sooner or later.
  • Documentation is lacking. Especially when dealing with things like multimaster replication or fine tuning the server there’s no readily available tuning or advanced operations guide. I ‘d love to see the same kind of documentation as the one available from the likes of Sun and Redhat.
  • I wasn’t able to find support for Class Of Service and Roles

Overall it seems to have a strong potential and starting to have commercial backing. It’s quite certain though that you ‘ll have to get your hands a little bit more dirty especially to get complex installations going compared to just using a commercial offering from Sun for example. But that’s the usual spirit of open source 🙂

More Info

Introduction to Overlays
Presentation on current OpenLDAP status

Sun OpenDS

This project is still at it’s early stage but looks quite promising. It envisions creating an open source purely Java based Directory Server (how well that will scale is something that remains to be seen). It’s main advantage is that it will use the brain power available in Sun (same people who have created the latest Sun ONE DS offerings) and that it has to be even more feature-full and strong than the current offering (Sun ONE DS 6.0) in order for OpenDS to replace it successfully. The problem is that there is no clear time-line of having a product available (current plans are to have a product offering around end 2007, early 2008) and even replacing SUN ONE DS (Sun is already working on an enhancement to the current 6.0 version). So everything about this project are still in a ‘remain to be seen’ status

More Info: http://opends.dev.java.net
A really nice Blog of a Sun employee mostly targeted at OpenDS: http://blogs.sun.com/DirectoryManager/

Fedora Directory Server

Fedora DS is the open source offering of the Redhat DS which is a descendant of the Netscape DS. Because of it’s code base Fedora already offers a broad range of features like:

  • Four-Way Multimaster replication
  • Graphical Console (the same as Netscape/iPlanet/Sun ONE DS) for remote administration
  • Roles, Class of Service
  • Active Directory synchronization
  • DIT based Access Control
  • Task invocation through LDAP, online configuration and management

Being based on the product offered by Netscape before the iPlanet split it’s already (supposed to be) capable of handling millions of entries and countless operations (according to our own experience of running a Directory Service for the Greek School Network based on the iPlanet/Sun ONE DS although our installation numbers around 170,000 entries). Combine this with the above features and the administration ease offered by the Admin Console (a must compared to OpenLDAP) and you get a very mature Open Source DS.

More Info: http://directory.fedora.redhat.com

A blog on O ‘Reilly comparing FDS and OpenLDAP from an administrator’s point of view