Community Poll: What's your favorite Directory Server?

13 Nov '09 - 02:47 by benr

For some time now I've gone back and forth on what is my personally preferred (LDAP) directory server; in particular between Sun Directory Server Enterprise Edition, OpenDS, and OpenLDAP. Each has advantages and trade-offs:

  • DSEE: Not free, complex, but well trusted, exceptional scalability
  • OpenDS: Free, super simple install and management GUI included, best starter directory for sure, but relatively new to the scene and thus needs to build more cred.
  • OpenLDAP: Not the best scalability, not the best replication or feature list, but very extensible, extremely well known and supported, free. Advanced features are much more straightforward than in the competitors due to the flat config file (especially ACLs, TLS, etc.)

So I put it to my loyal and educated readers... which is your directory of choice?


Comments

I’m partial to Novell’s eDirectory (formerly NDS). It’s extremely flexible, scales well, and runs on multiple operating systems. It’s a real multi-master directory service and X.500 compatible. Unfortunately, nobody knows about it because Novell isn’t exactly known for marketing their own products, or marketing anything at all!

Ian (Email) (URL) - 13 November '09 - 03:18

I tried eDirectory a couple years ago and it was horribly convoluted; felt like an IBM product. Looking again, there is Solaris/SPARC but not Solaris/x86 support. Good suggestion, was curious if someone would note it.

benr - 13 November '09 - 03:45

Disclaimer: I am not a Sun employee but have done a significant amount of work with DSEE, sometimes as a subcontractor to Sun pro services.

I am pretty sure DSEE is available for people to run (without support) for free. There are free forums where you can ask questions, but if you want official support (including hotfixes) you need to purchase a license + support contract. DSEE includes components like ISW (AD -> LDAP sync) and Directory Proxy Server, which are features you can’t get in OpenDS or OpenLDAP currently. DSEE is really mature, which is great from a community knowledge perspective, but it is also showing its age with respect to things like write performance and maintenance characteristics (db size on disk can grow very large in some cases). The imminent DSEE 7 release will address some of these, but not all.

I really like OpenDS’s ease of use and feature set. Super simple installer (command line or GUI), and the management GUI and dsconf make most operations a piece of cake. The performance is amazing. Documentation on the OpenDS wiki is also very well done. One downside for OpenDS versus DSEE is that OpenDS doesn’t have quite as many of the subtle options documented. For the majority of sites though I think OpenDS is a very reasonable product to pick and it is getting even better at a fast rate.

OpenLDAP – I hadn’t used it much in the last 5 or 6 years but actually installed it again to do some comparison testing earlier this week. I was blown away to realize that the way to edit the configuration is still vi’ing files, and the maintenance tools seem to lack any real polish. I did see that there has been a lot of good performance work and features added (thanks Symas!), but it definitely didn’t appear to be as well rounded of a product as the other two. I’ll be psyched once OpenLDAP can be easily managed using tools similar to dsconf and the docs are modernized.

Bill Hathaway (Email) (URL) - 13 November '09 - 04:52

Don’t have much experience at all with directory servers – but I will say OpenDS’s Java Web Start installer is a real eye-opener. Magic even.

Dave - 13 November '09 - 06:20

Sun’s directory server was a nightmare for me to get installed and running; I ended up opting instead for Fedora Directory Server (now named 389 Directory Server to distance it from the Fedora Linux project, as it runs fine on other Linuxes and Solaris). Management seems to be a bit easier, the documentation is a lot easier to come by without paying somebody for a support contract, and it’s built on the same iPlanet code base as the Sun offering. If I needed the features of Sun’s offering, I’d probably have gone with it instead.

I’d never touch OpenLDAP again because of how limited and immature its multi-master replication is.

Jeff Goldschrafe (Email) (URL) - 13 November '09 - 06:47

I agree with Jeff. Fedora Directory Server seems to be the best fit in our infrastructure.
It has all the cool features of iPlanet, but it’s a bit easier to install and use.
Actually, I like where the whole FreeIPA product from RedHat is going.
For a small company, in the near future FreeIPA + Samba 4 will be the bread and butter of Identity Management.
JES products are nice and full of features, but too complex to set-up for a small company.

Răzvan Corneliu Vilt (Email) - 13 November '09 - 07:05

We’re using OpenDS happily in a relatively small environment after a brief stint with OpenLDAP. The team are very responsive and capable, the documentation is excellent and the product is gaining traction as it’s maturing. The ease of OpenDS’s configuration and management made it a clear win over OpenLDAP and so we quickly migrated.

The team seem to have a good roadmap of bringing in enterprise features that DSEE has until OpenDS is able to fit into DSEE’s place.

The installer, often mentioned as its best feature is fantastic for development and testing work. When working on anything to do with LDAP, it’s my first port of call as a test instance can be running in about a minute.

Dominic (Email) - 13 November '09 - 07:27

Privately: right now openldap (I once set it up years ago and it runs since then) but the next one will be freeipa (ldap + kerberos in one). RedHat has a killer project there.

Interesting times in ldap server land, indeed. My bets are in freeipa + samba 4 integration: http://freeipa.org/page/IPA_and_AD; there is a huge base of AD environments out there, so being able to just integrate a freeipa server in one of them (probably replacing the AD servers in the meantime) to serve both unix and windows clients natively will be sysadmin’s nirvana.

We’ll see…

natxo asenjo - 13 November '09 - 08:05

Not sure if it’s a recent change but DSEE is indeed free – note the amusing tagline ‘Download DSEE—at no cost, no kidding’ from [[http://www.sun.com/software/products/d..]]

Mark - 13 November '09 - 08:14

OpenDS. Think this one is a winner. DSEE is free, and redhat, fedora, centos and many more have branded this server, it is free but can be difficult at times, has excellent logging features. But overall OpenDS

Trausti Thor Johannsson (Email) (URL) - 13 November '09 - 08:59

I really appreciate this poll, because I’m currently with OpenLDAP but want to move away from it. It’s either DSEE or OpenDS for me but it seems as though it could go either way. I’m looking for something supportable and stable, so from that point of view it’s DSEE. But I feel a little worried about how that product will be maintained in light of the Oracle deal, so OpenDS is still interesting.

Alex - 13 November '09 - 09:38

FreeIPA looks awesome; I can’t believe I haven’t heard of it before.

benr - 13 November '09 - 09:50

Being a commercial customer of DSEE, I find it an exceptional product.

I also find myself using Apache Directory Server (built into Apache Directory Studio which I use extensively for managing the content of my DSEE directories) for doing small testing work.

OpenDS isn’t something I’ve experimented with beyond the install-and-fire-up stage; however, we’re using it within OpenSSO.

foo (Email) (URL) - 13 November '09 - 10:37

Hi, I have a question about LDAP in general. We currently store our identities in an MSQL database, but we plan to migrate to LDAP. Is there software where you can map attributes from the DB to LDAP attributes? Thanks

Dennis - 13 November '09 - 10:44

Dennis: I know that OpenLDAP can do this, not sure about other products.

foo: ApacheDS is awesome, but not sure about doing a production deployment on it yet. I do love Apache Directory Studio as an alternative to existing browsers. Can’t wait for TripleSec to be ready.

benr - 13 November '09 - 11:23

DSEE is rock solid, and since 6 the management interface has been pretty nice. OpenDS is up and coming, but not quite there yet. Editing ACLs in a file for OpenLDAP always bothered me.

Casey (Email) - 13 November '09 - 11:52

Disclaimer: I work for Sun and stand behind both Sun Directory Server and OpenDS ;)

Dennis: Sun Directory Server Enterprise Edition has virtual directory capabilities that allow mapping different datasources to LDAP.

Foo, Ben, I agree that Apache Directory Studio is the best tool to do LDAP data management (as long as the size of the directory is reasonable. Beyond a certain size, I don’t know any good tool anyway).

Casey: You say OpenDS is not quite there yet. What do you consider missing for it to be there? Have you experimented with the most recent version (OpenDS 2.2.0-RC2)?

Ludovic Poitou (Email) (URL) - 13 November '09 - 12:03

I heartily recommend DSEE, and we have been running the free version for years. We’ve never run into a problem that we couldn’t solve with help from the forums or other online resources. Our infrastructure has been upgraded over the years from a fairly complex DSEE 5.2 to a relatively simple 6.3 configuration (better multi-master support in 6 was a godsend!).

We have a 3-way multi-master setup front-ended by 2 proxies that sit behind a Cisco load balancer, and we are starting to look at the Virtual Directory features of the proxies.

Haven’t looked into OpenDS since the project started, I’d be interested to see what has been going on with that project.

Mark (Email) - 13 November '09 - 13:11

@Dave:

389 DS (i.e. Fedora DS) is based off of the Sun DSEE 5.2 Directory Server and has a lot of limitations compared to DSEE 6.x. You might want to take another look at DSEE 6.3; it is light years better in management than the older versions.

Mark (Email) - 13 November '09 - 13:14

Ben,

Yes, I can see that. Novell’s documentation has been lacking over the past few years. I’m used to eDirectory because of NetWare. Every NetWare server has eDirectory running on it by default. Getting eDirectory running on non-NetWare platforms without ever seeing it before would give me fits too. Once it is up and running, it is solid as a rock and easy to deal with. Overall it’s a completely hands-off service in terms of schema and replica management.

As an aside, Active Directory really seems like a kludge. Are most LDAP based directory services modeled off of AD? Good topic though, I’m going to check out OpenDS.

Ian (URL) - 13 November '09 - 13:37

I don’t have a preferred Directory Server as I don’t have a lot of experience with them, so I’ll let the experts debate the pros and cons. My only experience has been with OpenLDAP, which has suited my needs.

I just wanted to correct one thing that Bill Hathaway said about OpenLDAP. The current version of OpenLDAP supports keeping its configuration in flat files or in the directory in cn=config. For now both are supported, but it’s expected that support for flat file configuration will be phased out.

One tool that I’ve found helpful is Apache DS Studio. It’s an Eclipse plugin for browsing and editing LDAP directories and a schema editor.

David M (Email) - 13 November '09 - 14:04

Why do you say openldap is not scalable?

FYI: I’ve got a 4 way multi-master openldap cluster setup with ~30 slaves replicating from the multi-master cluster. How is that setup not scalable?

OpenLDAP is also the fastest DS server we’ve had a chance to test against the SunOne directory server, Active Directory, and 389 Directory Server (aka Redhat Directory Server). You also missed online schema changes when you store the configuration in the directory aka cn=config.

Jeff Schroeder (Email) (URL) - 13 November '09 - 14:57

Forgot to say… the bundled management tools for openldap suck, as does the documentation. However, the mailing list and irc channel are very helpful.

ldapvi is my preferred ldap client.

Jeff Schroeder (Email) (URL) - 13 November '09 - 15:01

Oh, I’ll get flamed for this, but honestly, I don’t have any LDAP experience, and rather than spend time acquiring experience on one of the many open, free directory servers, I just built an active directory infrastructure.

I got sick of not having centralized authentication, spending time on admining dozens of machines plus dozens of other non-related accounts. So I used AD and haven’t looked back since.

Matt Simmons (Email) (URL) - 13 November '09 - 17:36

I’ve been peripherally involved in a DSEE install. I’ve taken Sun’s LDAP class as well. I’ve used AD quite a bit. I’ve collapsed an AD domain & server into another.

From what I’ve heard, AD isn’t that hard to set up with the defaults to get systems set up. Install, start adding systems, done.

DSEE wasn’t so easy. The class wasn’t too bad, but did have some rough edges. The DSEE deployment was tough.

Why can’t you just drop an LDAP server in with all the default schemas loaded, just like you can with AD?

FWIW, if I can run NIS, it’s way simpler. But I need the password lockouts and expiration that LDAP provides. Heck, why can’t LDAP setup for user accounts be as simple as NIS?

Tom (Email) - 13 November '09 - 18:09

Matt,

Interesting that you talk about NIS.

With Active Directory I was never able to get the more advanced features such as Netgroups and automounts working.

I now use OpenLDAP for naming only and pretty much as a NIS replacement. For authentication, I use Kerberos. The LDAP/Kerberos combination provides me with Kerberised NFS for home directories, which is nice once you get it going.

Apache’s DS also rolls in a Kerberos server, but the documentation seemed very immature.

Edward

Edward Irvine (Email) (URL) - 13 November '09 - 20:03

Just a heads up, OpenLDAP no longer stores its configuration within a flat text file; as of 2.4 (iirc) it’s stored within the directory itself (to assist in replication).

Adam Gibbins (URL) - 14 November '09 - 00:56
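Several comments contrast OpenLDAP’s flat slapd.conf (Ben’s point about ACLs, Bill’s remark about vi’ing files) with the cn=config database that David M, Jeff Schroeder and Adam describe. Below is the same password-protecting ACL in both forms, as an added example that is not from the post or from the OpenLDAP project; it assumes the first user database is olcDatabase={1}hdb and that local root can bind over ldapi:/// with SASL EXTERNAL, as distribution packages commonly set up.

```ldif
# (a) slapd.conf form: a directive in the flat file, edited by hand and
#     picked up only after slapd is restarted. Anonymous clients may use
#     userPassword to bind (auth) but can never read the hashes.
#
#   access to attrs=userPassword,shadowLastChange
#       by self write
#       by anonymous auth
#       by * none
#   access to *
#       by self write
#       by users read
#       by * none
#
# (b) cn=config form: the same two rules as olcAccess values, applied live
#     (no restart, and replicable with the rest of cn=config) with
#       ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
#     Assumed database DN; confirm yours with
#       ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

The {0}/{1} prefixes fix evaluation order, which matters because slapd stops at the first "to" clause that matches the entry; listing the userPassword rule first keeps the broader "to *" rule from granting read access to hashes.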

I would have to go with Fedora DS or 389 as it is known now. I have wiki’d the install and config:

[[http://wiki.unixcraft.com/display/Main..]]

Kashif (Email) (URL) - 14 November '09 - 01:10

389 DS. Works well, good replication, and I have always had good results with my JBoss AS.

Justin (Email) - 14 November '09 - 03:34

Great thread, it’s awesome to see opinions and experience exchanged in an honest, open way!
DISCLAIMER: I work at Sun in the DS engineering team.

Couple of players I know and I haven’t seen mentioned: Isode Directory Server (any users care to share their perceptions of the product? I’m just curious), UnboundID Corp. has a for-pay offering that was originally based on OpenDS (at least it was back in late 2006), IBM Tivoli Directory Server (these guys have some pretty amazing tools in the Tivoli fold that a lot of the players in the market could learn from; I won’t say here though), IBM RACF of course, Oracle OID, Apertio, and I’m sure I’m forgetting a bunch.

I hadn’t heard about freeIPA, thanks for pointing this out.

Picking your directory is really a complex matter because it depends on a lot of parameters:
  • your immediate needs
  • your mid/long term needs
  • your will/want to learn (Would you rather pick something easy to start with even if it doesn’t quite do everything you want, or would you pick something you’re sure will have you covered no matter what jumps at you?)
  • your constraints (budget, performance, system size, maintenance, etc.)

What product you pick is usually a good indication of what is important to you. Bottom line is there is a product for you out there; you need only find the one that fits you best.

Thanks for starting the thread Ben!

arnaud (Email) (URL) - 14 November '09 - 16:38

We first had a look at Sun Directory Server and OpenDS but finally decided against both (against the first, because we already had openldap experience, and against OpenDS because it does not support passthrough authentication to Kerberos). We got it working perfectly for Unix, Linux and MacOS X clients (including netgroups and automount). We are now switching completely to Active Directory 2008 R2, though, because we could not get Windows clients to handle Kerberos in an easy way (MIT tools for Windows do not seem to be well integrated and hassle-free).

Pity, but AD seems to be the easiest way out. Not that it’s easy to integrate all other platforms in an AD (automountMap, etc. is missing) but it wouldn’t be the other way round either.

Peter Caligari (Email) - 15 November '09 - 11:11

I know the scalability issues with OpenLDAP, but the recently introduced NDB backend should bring OpenLDAP very stable and scalable replication. It is only sync replication, not async. NDB is also the backend for MySQL Cluster and there is also an apache module for it.

Daniel van Eeden (Email) - 16 November '09 - 07:02

I like Oracle internet directory (OID). Oracle married an LDAP directory server with an Oracle database used as the backend storage for it.

The command line tools are simple to use, and there’s an ugly Java-based GUI which works well enough for browsing the schema(s), but is simply garbage to use for anything more than that.

What I like the most about OID is that its configuration can be completely automated via SVR4 packages, since it has the CLI tools to do the job. And because it uses an Oracle Database, HA is assured via RAC and ASM.

My next choice would be Sun One directory (formerly Netscape directory) server.

UX-admin (Email) - 16 November '09 - 16:42

“Would you rather pick something easy to start with even if it doesn’t quite do everything you want, or would you pick something you’re sure will have you covered no matter what jumps at you?”

Only a fool would pick something just because it is easy; whichever the solution, it should solve as many of the problems as possible and be designed for the LONG TERM AND SCALABILITY.

Being easy is not the correct criterion IF the solution implemented will have long term consequences and become a vital, critical part of the infrastructure.

If it were my employee, and they picked a solution “just because it is easy to implement”, that would get them fired, on the spot, no ifs, buts, or maybes.

If the process of figuring out technology is too difficult for one, one shouldn’t be in IT or CS; they should go do something else.

UX-admin (Email) - 16 November '09 - 16:50

Oracle Internet Directory (OID)

tbooth (Email) - 16 November '09 - 23:57

I used OpenLDAP; it took some time to get it working but was all good at the end! Been working on the SUN version for the last 6 months and I really start to like it more and more! Replication can be easily managed, just a bit worried about ACI (ACL); it was very straightforward with OpenLDAP, looks like you need to create an LDIF file with the SUN version.

rno (URL) - 17 November '09 - 16:28

OpenLDAP – smbk5pwd is a killer feature. The drawbacks are the maintainers, who are acerbic, expect you to know every last inch of LDAP and couldn’t put out a stable release to save their lives – the standard bugfixing advice is to upgrade to the latest version. Performance is apparently better than any other LDAP server, but I haven’t done any testing myself.

James (Email) - 19 November '09 - 06:47
