Sorry to poke at a moldy old thread, but I think some misconceptions need to be cleared up.

> * From: Mike Jackson <mj sci fi>
> * Date: Fri, 08 Jul 2005 23:37:41 +0300

> Fedora Directory Server was called Netscape Directory Server until
> just recently. It was the first LDAPv3 server in the world, afaik.
> The code was commercially developed and tested for ~8 years and has
> been in use in large scale deployments all over the world for a long
> time. It has contained features for many years which OpenLDAP project
> is just now considering, e.g. multi-master replication, ability to
> alter the configuration of the running server via LDAP, in-tree
> access control, etc.

This "just now considering" is wrong. The OpenLDAP code has supported multi-master replication and in-tree access control since 1999, very shortly after the Project began. The design for dynamic reconfiguration started in-house at Symas in 2002.

The point wrt MMR and in-tree access control is that the Project actively discourages their use, not that the features don't exist in OpenLDAP. The debates on the mailing lists going back all those years clearly show that none of this is a new consideration. We simply don't believe that the claimed benefits justify the risk. The point about load-balancing writes is totally specious, and anybody who pushes that factor is just deluded. High availability / SPOF arguments at least have some theoretical basis, but as easily as you can say "we've never had a data conflict problem with MMR" I can say "we've never had an SPOF issue with standby master" and moreover, we can state with 100% certainty no conflicts are in our data.

The use of in-tree access controls violates some basic principles of good security design. I.e., good security comes from a top-down policy design. Once you have the design, you need to be able to verify that the deployed rules actually implement that design. With the centralized ACL rules, you can mathematically prove that your deployment matches your policy. With distributed controls that are subject to arbitrary modification, you cannot make any definitive statements about the security state. The key point that people miss in building distributed systems is that you need *centralized* control, while providing *distributed access* to those controls, otherwise manageability goes out the window.

> Fedora is not what I would call a "specialized" LDAP server, it's
> just a full-featured, standards based, general purpose, high quality
> LDAP server. OpenLDAP is, in contrast, very specialized, having a lot
> of different types of backends in the recent versions. You can do
> some really tricky stuff with OpenLDAP that you can't do with Fedora,
> if you need that sort of tricky stuff in your architecture.

That's a very interesting way to spin things. OpenLDAP is a full-featured, standards based, general purpose, high quality LDAP server, that happens to include a number of powerful extras. You make it sound like the enhancements in OpenLDAP make it unsuitable for general use, which is untrue, since those enhancements are all modularized features that can be ignored if unneeded.

> And the main difference for a new person like yourself is the amount
> of available documentation. Fedora is professionally and extensively
> documented, whereas OpenLDAP documentation is very scarce and terse.

Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw. Yes, what documentation exists is terse, and this is a vital strength. Nobody likes to spend time wading thru docs, and there's nothing gained from saying in 5 sentences what can be stated in only one. Certainly we need to work on expanding the scope of the documentation to cover the numerous holes. But good documentation is concise and to the point, and the docs I've written are precise. There may be a problem with imprecise readers, who skim and skip over things when every single word is crucial, but that's not our fault.

I'm not here to attack FDS. I have nothing but respect for the team working on it today. But the fact that OpenLDAP developed under different conditions, with a different philosophy, is just that - philosophical difference.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
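Added example, not part of Howard Chu's post and not code from OpenLDAP or Fedora Directory Server: a small Python model of the centralized-versus-in-tree access control argument made above. It assumes a simplified first-match rule evaluator over a three-level none/read/write ordering, constructed DNs under dc=example,dc=com, and constructed principals (root, alice, bob, anonymous); none of this is slapd's or FDS's real access-control syntax or semantics. The first half checks an ordered central rule set against a written policy and catches a misordered catch-all line; the second half stores the same rules on each entry and computes who can rewrite them, which is what makes the policy unverifiable.

```python
"""Constructed model of centralized vs. in-tree access control.
Simplified semantics (first matching rule wins), not slapd's or FDS's."""
from dataclasses import dataclass

LEVELS = {"none": 0, "read": 1, "write": 2}
BASE = "dc=example,dc=com"                       # constructed suffix
ADMINS = "cn=admins,ou=groups," + BASE           # constructed group DN
ROOT = "uid=root," + BASE                        # constructed principals
ALICE = "uid=alice,ou=people," + BASE
BOB = "uid=bob,ou=people," + BASE
GROUPS_OF = {ROOT: {ADMINS}, ALICE: set(), BOB: set(), None: set()}  # None = anonymous


@dataclass(frozen=True)
class Rule:
    target: str   # applies to DNs ending in this suffix
    who: str      # "anonymous", "self", "*", or a group DN
    level: str    # "none", "read" or "write"


def matches(rule, dn, principal, groups):
    """Does this rule apply to (dn, principal)?"""
    if not dn.endswith(rule.target):
        return False
    if rule.who == "*":
        return True
    if rule.who == "anonymous":
        return principal is None
    if rule.who == "self":
        return principal == dn
    return rule.who in groups


def decide(rules, dn, principal, groups=frozenset()):
    """Ordered evaluation: first matching rule wins, no match means 'none'."""
    for rule in rules:
        if matches(rule, dn, principal, groups):
            return rule.level
    return "none"


def verify(rules, policy, groups_of):
    """Check each policy line (principal, dn, maximum level) against the rule
    set. An empty result means the deployed rules provably match the policy."""
    violations = []
    for principal, dn, max_level in policy:
        got = decide(rules, dn, principal, groups_of.get(principal, frozenset()))
        if LEVELS[got] > LEVELS[max_level]:
            violations.append((principal, dn, got, max_level))
    return violations


# Written (constructed) policy: admins manage everything, users manage
# themselves, authenticated users may read people, anonymous gets nothing.
POLICY = [
    (ROOT, ALICE, "write"),
    (ALICE, ALICE, "write"),
    (BOB, ALICE, "read"),
    (None, ALICE, "none"),
]

# Misordered: the catch-all "*" line comes before the anonymous line,
# so an anonymous bind gets read on people. verify() catches this.
RULES_MISORDERED = [
    Rule(BASE, ADMINS, "write"),
    Rule("ou=people," + BASE, "self", "write"),
    Rule("ou=people," + BASE, "*", "read"),
    Rule(BASE, "anonymous", "none"),
]
RULES_FIXED = [
    Rule(BASE, ADMINS, "write"),
    Rule(BASE, "anonymous", "none"),
    Rule("ou=people," + BASE, "self", "write"),
    Rule("ou=people," + BASE, "*", "read"),
]


def policy_controllers(entries, groups_of):
    """In-tree model: each entry stores its own rules. Whoever can write an
    entry can rewrite those rules, so they control the policy for that entry."""
    return {dn: {p for p in groups_of if decide(rules, dn, p, groups_of[p]) == "write"}
            for dn, rules in entries.items()}


def provable(entries, groups_of, trusted):
    """The written policy can only be proven if every entry's controls are
    changeable by trusted principals alone."""
    return all(ctl <= trusted for ctl in policy_controllers(entries, groups_of).values())


# Same effective rules, but carried on each entry instead of centrally.
IN_TREE = {ALICE: RULES_FIXED, BOB: RULES_FIXED}

if __name__ == "__main__":
    print(verify(RULES_MISORDERED, POLICY, GROUPS_OF))   # one anonymous violation
    print(verify(RULES_FIXED, POLICY, GROUPS_OF))        # []
    print(policy_controllers(IN_TREE, GROUPS_OF))        # alice controls her own entry
    print(provable(IN_TREE, GROUPS_OF, trusted={ROOT}))  # False
```

The central rule set is a single ordered artifact, so verify() is a complete check of the deployment against the policy. Once the identical rules live on each entry, the "self write" line that the policy requires also lets each user rewrite the controls on their own entry, so the set of principals who determine the effective policy grows to every user, and provable() can only return True if every one of them is trusted.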