Forgot your password?
typodupeerror
Red Hat Software Businesses The Internet

Red Hat Opens Netscape Directory 229

Posted by samzenpus
from the it's-good-to-share dept.
suezz writes " Eweek is running a story that Redhat is releasing Netscape Directory (LDAP) under the GPL - this is huge at least from my point of view. I know of at least two huge companies that have standardized on Netscape Directory for their web applications."
This discussion has been archived. No new comments can be posted.

Red Hat Opens Netscape Directory

Comments Filter:
  • by coop0030 (263345) * on Wednesday May 25, 2005 @11:07PM (#12641496) Homepage
    Red hat paid $20.5 million for this LDAP. Will they get that in return? Is it possible with this type of software?

    • by coop0030 (263345) * on Wednesday May 25, 2005 @11:16PM (#12641563) Homepage
      I forgot to mention this in my first post...but if enough customers purchase this by April 30th, Red Hat will have to pay an additional $2.5 million.

      Goodness, that is a lot of money.
      • by Anonymous Coward on Wednesday May 25, 2005 @11:32PM (#12641644)
        $20M is not a lot of money in Silicon Valley, especially for an enterprise product. Probably nothing compared to Netscape/iPlanet's development costs.

        Plus, after years of hotair, RedHat just became credible Windows alternative for internal applications. cheep.
        • But RedHat is not in Silicon Valley. In Raleigh-Durham , $20M is a lot of money. This investment is an interesting move to opening up more resources for the open source community

        • Plus, after years of hotair, RedHat just became credible Windows alternative for internal applications. cheep.

          I completely disagree. Take another look at redhat's cost - it's not cheap at all. Enterprise workstation costs $180, with no tech support. Red Hat Enterprise Server costs, at a *minimum*, $350, and that's without the update subscription, tech support, access to a 1-800 number, physical media, email support, and for a specific number of uses.

          My take on this: If we're going to replace windows
    • by LnxAddct (679316) <sgk25@drexel.edu> on Wednesday May 25, 2005 @11:38PM (#12641680)
      In the short term no they wont make this money back right away, but in the long term they'll make it back a thousand fold. Anyone who has ever tried to setup and configure OpenLDAP knows that its not worth it and will send you to a mental hospital fairly quickly. Netscape Directory (or whatever they're calling it now) is not only extremely easy to configure, but it was designed by brilliant engineers. Back a few years ago the engineers were claiming that one typical server running Netscape Directory could handle 200,000 clients. I haven't looked at the code yet, but according to some Red Hat enginneers that I've talked to that have seen it, they confirm that this is probably possible and were generally extrememly impressed with the code quality. Netscape Directory is high quality from its core all the way out to its exterior with easy configuration, how often do you see that in any environment(commercial or open).

      I know that a few of the Fedora devs commented on how they also got a whole bunch of additional code that they hadn't even asked for but came along with Netscape Directory that they are still trying to figure out what to do with. In a worst case scenario, they'll just open source it and let the community find uses for it (Red Hat open sources everything they do, they even allow any open source projects free use of any patents they may hold, patents btw are only held as legal defense). This a great advancement for the community and should allow many more businesses to start migrating to linux. Back to my original point though... this will allow many more companies to switch to linux, whether it be Red Hat or some other distro it doesn't matter. Overall it will increase linux's marketshare and as a result make linux more popular leading more businesses to look at it as an alternative. A good percentage of those businesses will probably become Red Hat customers so everyone wins.
      Regards,
      Steve
      • by NixLuver (693391) <<moc.citerehck> <ta> <etihwts>> on Wednesday May 25, 2005 @11:47PM (#12641729) Homepage Journal
        Actually, I'm aware of an installation where a single (fairly robust) sun box is running at 200GB db size and 32 million LDAP entries on SunOne (descendant of the Netscape code). It sucks, but it works. Let's be honest - even the NS directory server is a nightmare to set up beyond the most rudimentary schema. Easier than OpenLDAP, true, but *easy*?
      • My first ever experience with LDAP was with openldap, and it took 10 minutes to configure, and then maybe an hour to work out how I wanted my schema, and write an ldif of it to import. Unless it used to be significantly different than it is now, I can't see any way anyone could think its hard to configure.
      • not only extremely easy to configure

        "LDAP" and "easy" are oxymorons.

        NS directory may be easier to configure when compared to OpenLDAP, but i bet BOTH are madening when you go past the basic setup. LDAP is a sure path to the looney bin. i know. thats why i dont work with it anymore.
      • Yet another mindless raving rated as "Insightful" - where do you guys get this stuff?

        The above post is a stream of empty claims and not even a hint of factual support. How can you rate someone saying "I haven't looked at the code yet .. it is high quality from its core to its exterior" as *Insightful* ?? There is ZERO insight here.

        Nobody here knows what kind of server the Netscape guys were talking about, what those 200,000 clients were doing, or what the directory data looked like. We have No Insight int
        • Insight is a test from 5 years ago? Not in the computer world it isn't. You want to do more than flame at someone, then make the effort to find current benchmarks. Even the page you linked to says they're old: "A previous study can be found here, comparing various Directory Service technologies, but it dates back to May 15, 2000."

          Definitely overrated.
    • An active directory-killer is something Linux has needed--that is, one that is easy to set up, and has that MS-like integration. I wonder if they'll include integration with BIND/. Looks like Red Hat is going head-to-head with Microsoft to control the corporate LANscape.

      Now the CIO knows he/she can buy Red Hat "Professional" :) and Red Hat "Server 200x" and set up a "Domain" with it.
      • Novell eDirectory has been available on Linux for sometime and has features Netscape, OpenLDAP, Active Directory and Sun One lack.

        Now that Novell own SuSE I except eDirectory to be the number one Linux LDAP compliant directory available.
    • Red hat paid $20.5 million for this LDAP.

      Actually, Red Hat paid 20.5 million for this implementation of LDAP. It's actually the same protocol as everyone else.
  • by stratjakt (596332) on Wednesday May 25, 2005 @11:08PM (#12641503) Journal
    I think this is a good thing, I'm just honestly curious, having messed around with OpenLDAP, and never really doing much with ND.

    What's the major differences, feature-wise not philosophy-wise (no Free vs free vs Open vs open rants).
    • by bernywork (57298) * <bstapleton.gmail@com> on Wednesday May 25, 2005 @11:13PM (#12641532) Journal
      From TFA:

      single-authentication, user-identity management and multimaster replication. Also, centralized phone book, employee locator and org-chart tool.

      I would also suggest that the speed complaints that people have with OpenLDAP wouldn't be there.
    • I didn't really use both a lot, but I tried to set up an Open LDAP server with some modification to the default templates, it was a fucking HELL to make it works!

      Netscape Directory is sooooooo but soooo easy to install, manage (with a little gui if you want), replicate. It's really important in a big environment with thousands of users and hundreds of servers that really on ldap servers! I would never do that with OpenLDAP!
      • by Panoramix (31263) on Thursday May 26, 2005 @12:32AM (#12641938) Homepage

        Fwiw, I did install a Netscape Directory Server on a HP-UX 11 machine, not that long ago. It was reasonably straightforward, except in that I had to install a number of OS patches and muck around with kernel parameters.

        (Btw, what is it with these big proprietary apps that always want to change your kernel parameters? What on earth does Oracle need 2GB of shared memory for? And 64K file descriptors per process? That's beyond ridiculous. That sounds dangerously like extremely sloppy programming inside the product.)

        But I digress. My point is that installing and configuring NDS is not hard, but nothing like "soo but soo easy" either (e.g., a far, far cry from "apt-get install slapd").

        Enabling SSL is a PITA if you don't have the Netscape Certificate Server (which I didn't). I involves all manner of funky maneuvering with OpenSSL and some tools that you have to fetch from some obscure page at mozilla.org.

        Management is more or less the same than with OpenLDAP, which is to say that it mostly depends on how good or bad are your LDAP client tools. In fairness, I hear the Netscape client is nice. I couldn't use it because the damn thing runs on Windows and I was not about to install that in my laptop just to see a stupid LDAP client.

        Replication is probably better than OpenLDAP, though I haven't yet a chance to try it on either one.

        As for big environments with many users and clients, until today I would have gone with OpenLDAP (or, if a PHB just had to see a lot of money spent in this, with Novell or Microsoft's directories). That's because nobody had source code to NDS and it was all but discontinued from the vendor. You don't want to find yourself in a position where you know there's a bug in the software, but you can't fix it and your vendor won't because they discontinued the product (and are pretty much out of business themselves, anyway).

        Anyway. This is good news, certainly. Though I mostly hope there are parts and components that can be salvaged into slapd.

        • I'm not an oracle dev, but I imagine that given oracle's reputation, they want the server to just work, regardless of load spikes, etc. There could be some unforseen time when you need 64k files open, like doing a massive modification to your database layout. Oracle just wants to make sure that it can do crazy things like that ahead of time, without having the system crash.
        • But I digress. My point is that installing and configuring NDS is not hard, but nothing like "soo but soo easy" either (e.g., a far, far cry from "apt-get install slapd").

          Enabling SSL is a PITA if you don't have the Netscape Certificate Server (which I didn't). I involves all manner of funky maneuvering with OpenSSL and some tools that you have to fetch from some obscure page at mozilla.org.


          It sounds like most of your problems were to do with install and configuration. The install will consist of:

          up2dat
    • by Temkin (112574) on Wednesday May 25, 2005 @11:26PM (#12641605)


      Speed, and certain enterprise features like multi-master replication if I remember correctly. It's been a while since Netscape dropped off everyone's radar, and I know they continued work on it after iPlanet broke up.

      You can compare them using SLAMD. www.slamd.com
    • by Doktor Memory (237313) on Wednesday May 25, 2005 @11:38PM (#12641681) Journal
      OpenLDAP is basically an LDAP toolkit. You've got your LDAP server, client libraries, command-line tools... but that's it. What you build with it is up to you, and you're starting from scratch each time pretty much.

      Now, that isn't necessarily a bad thing in and of itself, but when you're trying to bootstrap a real, useful corporate directory service from scratch, it's a hell of a learning curve.

      Netscape/SunONE Directory Server was less hacker-friendly, but it would take you from zero to a functioning directory in about 30 minutes, not including hiring a temp to type in all of the corporate info.

      It had its quirks, and I worry about the codebase being a bit... rotted these days. But I'm happy to see it hitting OSS-land. A little competition for OpenLDAP can only improve matters.
    • Asides from Multi master replication (OPenLDAP onyl allows a single master), Netscape directory server solves the 'OpenLDAP being fucking retarded, and holding ACLs to objects in the directory OUTSIDE the directory, therefore replicating objects before their access controls' issue.
    • by kauttapiste (633236) on Thursday May 26, 2005 @01:59AM (#12642263)
      Well, throwing some features off the top of my head:

      * multi-master replication (up to 4 servers)
      * very, VERY extensive plugin interface
      * useful access logging and log file analysers
      * SNMP reporting
      * configuration under cn=config branch (updatable over LDAP)
      * you can take backups by sending commands over LDAP

      And it's fast as hell, compared to OpenLDAP.
      • by hyc (241590) on Thursday May 26, 2005 @04:49AM (#12642715) Homepage Journal
        re: multi-master - like the SprintPCS guy said a few posts over - prone to failure and database corruption, utterly useless in an enterprise deployment.

        re: plugin interface - OpenLDAP supports both the (incredibly inefficient) Netscape plugin interface and its own (incredibly fast) plugin architecture.

        re: logging - "useful" is a subjective term. Since you don't explain what this means, it's difficult to comment further on it.

        re: SNMP reporting - you're right, this is lacking in OpenLDAP, and for IT purchasers going down the checklist of "must haves" this can be a problem. The NetSNMP package is an easy solution here, especially with all of the information provided by OpenLDAP's cn=monitor. I know of several commercial OpenLDAP deployments where this was an issue at first, but integrating NetSNMP allowed the OpenLDAP deployment to proceed.

        re: cn=config - This is implemented in OpenLDAP 2.3. And it doesn't require a server restart to make new plugin settings and other changes take effect, unlike Netscape/SunOne.

        re: backups via LDAP-initiated commands - this topic actually came up on the openldap-devel mailing list recently. The conclusion was that it was a band-aid Netscape needed for their lame replication mechanism.

        re: fast as hell - OpenLDAP 2.1 beats Netscape into the dirt. OpenLDAP 2.2 is even faster, and scales to large numbers of clients even better. If you still believe Netscape is faster than OpenLDAP, you haven't used a recent release of OpenLDAP.
        • Yeesh....

          I ran a major Netscape Directory server installation at a major US automaker. As far as I know, it's still running there. Started at 3.0, and was on 5.x when I left.

          Netscape's internal replication did indeed suck for a while, where the biggest failure was the inability to emancipate a slave directory and make it a master if the master puked.

          I got around that through the brilliantly elegant feature that Netscape had the OpenLDAP did not - the replication ChangeLog was availible via LDAP. I actual
  • by Dancin_Santa (265275) <DancinSanta@gmail.com> on Wednesday May 25, 2005 @11:12PM (#12641529) Journal
    How does this improve my user experience?

    How can using ND make my life, as a user/administrator/purveyor of exotic animals, easier?

    I think that is a useful question to ask any time a "new" feature is presented.
    • by 0racle (667029) on Wednesday May 25, 2005 @11:22PM (#12641586)
      Ever used the Active directory on Windows? I mean a properly created one in a larger organization. Had to search for an email address of someone in another branch or division? Ever had to log into another machine on that network? Search for printers on another floor?

      Well, you can actually do that and more with any LDAP server.
      • You can do distributed authentication, mail routing, etc with LDAP, yes. Building most of the features of AD would involve lots of custom hacking though - for example, to do software auto-installs on log-in.

        There's a lot more writing of custom schema and swearing with LDAP than there is with AD, and a LOT less good documentation, but once it works it stays working, unlike AD ;-)
    • Welcome to the world of "Directory Services". They will help you locate resources on the network. As an administrator, enabling or restricting access to resources has now become a lot easier.

      Sarcasm aside: It's all about options. Another directory services project/product/option is always a good thing. However, I still want to see Novell return to its former glory. It's a sad day when people are relying on Active Directory, using it as a REAL directory services solution.

      But back to the point, it's good to
    • Also, why does this matter since the Mozilla Directory [dmoz.org] is already open?
  • Comparison (Score:5, Interesting)

    by rsax (603351) on Wednesday May 25, 2005 @11:15PM (#12641553)
    I know this story is going to prompt people wanting to know how the Netscape directory server compares with OpenLDAP. I've never used the Netscape one but what I would really love to know is how does it stack up against Novell eDirectory [novell.com]? eDirectory isn't open source but the licenses are damn cheap, the first 250,000 licenses are free. Any LDAP experts care to share their opinions?
    • Re:Comparison (Score:2, Informative)

      by Kartoch (38254)
      To add a bit of complexity in this question, I heard that guys from Samba are developping their own LDAP because they are not satisfied with OpenLDAP. Does anyone has more informations/opinions about it ?
    • Re:Comparison (Score:5, Interesting)

      by deviator (92787) <bdp&amnesia,org> on Wednesday May 25, 2005 @11:36PM (#12641664) Homepage
      I have to say that while I've not worked with ND, Novell eDirectory (formerly NDS) is a technically brilliant tour de force. It's a really amazing package; multimaster replication; multimaster schema changes; extremely efficient over slow links, unbelieveably secure (and has some really sophisicated extensible authentication systems), works on every platform under the sun, the APIs & developer tools are extremely mature, scales like crazy and runs super-fast, and like the previous poster said, it's CHEAP.

      Anything else, to me, is a weak imitation--but I guess as long as your directory speaks LDAP all is well. Unless it's Active Directory--which is really just a set of "nested" domains with automated trust relationships. And that part makes it a huge pain in the ass to maintain. (The trick to this is to throw an AD domain into eDirectory and have eDirectory manage the whole thing - it is so flexible it can manage _other directories._)

      NDS has always "just worked" - move, rename & merge tasks are super-easy. How does ND handle all of this?

    • Re:Comparison (Score:4, Insightful)

      by alistair (31390) <.alistair. .at. .hotldap.com.> on Thursday May 26, 2005 @05:16AM (#12642794)
      I have used both and run both in production at a major corporation.

      In many ways eDirectory is far more sophisticated. It is more close to a true X500 directory and it has some very sophisticated tools for data replication and management. The admin console is streets ahead of the old Netscape Java Console for starters and the APIs are very well developed. It is very easy do do operations such as prune and graft on the Novell Directory than on the typical standalone LDAP directories (Open LDAP, SUN ONE) where you have to essentially delete and recreate the entry rather than just modify the base DN.

      One key differentiator is replication strategy. eDirectory and Microsoft AD are genuine multi-master directories, you can configure them to accept updates anywhere and the data then replicates among the cloud of replicated servers. Open LDAP and Netscape's LDAP are have pyramid structure replication, you update a master, it updates slaves and these can update further consumer servers. This approach can have some advantages if you want to secure updates and be able to take a consistent snapshot of your data at a particular point in time.

      Speed is also an issue. I feel that SUN ONE is currently the leader in raw search speed, Netscape produced a very fast server on the same database backend and a suspect Novell is a little slower as it is more feature rich. You will probably only notice this if you are making in excess of 20 searches per second to your box.

      So I would advise people to check out eDirectory. Novell have a great history of making some superb product which they then do their upmost to keep secret from paying consumers. If it is free it could well meet most of your needs, especially as the console makes it very easy to set up and populate with sample entries.
      • Thanks for an interesting read. My impression of Novell eDirectory mostly agrees with yours. A couple of points, not to detract from your excellent post:
        OpenLDAP 2.2 back-hdb supports subtree renames. The lack of this feature has been an obvious, longstanding deficiency but that was corrected over a year ago.
        Replication strategy - I think this may be an irreconcilable religious issue. I don't believe a feature that allows unresolvable update conflicts is suitable for use, others are willing to live wi
      • Re:Comparison (Score:2, Informative)

        by ian13550 (697991)
        Wow -- you should not talk about Sun ONE because you obviously don't know what you are talking about. What version of Sun ONE did you use? 4.x from 1999? You information is not correct at all and badly outdated.

        As of iPlanet 5.1 (before re-branding) you could do 2 way multi-master replication (with schema replication, etc etc etc) and with Sun ONE 5.2 (post-rebranding) you can do true attribute-based multi-master replication.

        eDirectory has a MAJOR fault where the thread processing a BIND attempt goes to s
        • Re:Comparison (Score:3, Informative)

          by alistair (31390)
          Hmmm, don't know what I am talking about, 7 years running a team of 8 people implementing a global LDAP service for a Fortune 500 Company, beta tester for SUN ONE versions 5.1 and 5.2 (including being the only person to submit a P1 bug on the 5.2 version) speaker at the RSA Conference Europe on Identity Management in 2003 and accepted for 2005, sorry if I need to dig out my cluestick.

          With eDirectory and AD, you can update any server and each server then replicated globally. Each have their own mechanism fo
  • by EvilStein (414640) <spam@@@pbp...net> on Wednesday May 25, 2005 @11:44PM (#12641705) Homepage
    I've used OpenLDAP and Netscape Directory Server. NDS is a *very very very* cool product. It's easy to use, scales like there's no tomorrow (it was the backend for a lot of the older Netscape Netcenter sign on functions) and it's nice & documented. (I still have books for it)

    Red Hat releasing it under the GPL is a good thing, any way that you look at it. Cool product, "big name company" supporting it, and oodles of applications that can already use many of its functions.

    Now, if someone would slurp up Netscape Calendaring Server and release *that* under the GPL..
    If the Netscape SuiteSpot Server suite still existed and was under the GPL, there's your Exchange-killer right there.
    • Now, if someone would slurp up Netscape Calendaring Server and release *that* under the GPL.. If the Netscape SuiteSpot Server suite still existed and was under the GPL, there's your Exchange-killer right there.

      Perhaps you might consider combining the now-open Netscape Directory and combining it with something like Citadel [citadel.org] which can do mail, calendars, and a bunch of other things, and is designed to plug into an external LDAP directory.

      That would give Exchange a run for its money, except for the same pro
  • Can RH possibly integrate the http://hula-project.org/ [hula-project.org] into this roll out? I would really like to have THE non-M$ directory/email/calendaring system running for my school district: single sign-on and email accounts for teachers, staff, students, parents... with Mac OS X Server directory delegation, Kerberos, etc.

    A killer kombination for Open Source.
  • by kjs3 (601225) on Wednesday May 25, 2005 @11:59PM (#12641779)
    This isn't particularly big news for the SMB market, but for the enterprise market, this is a huge open source win. Quality, scalable, enterprise capable LDAP solutions are a hot topic in all of the Fortune 500 sized companies that I deal with, and ND has a track record of being able to play ball there.

    Now if they would only open source Netscape calendaring...

    • by lactose99 (71132)
      Now if they would only open source Netscape calendaring...

      Did RedHat get rights to Netscape Calendar? I thought that was all sold to Steltor as Steltor CorporateTime [steltor.com] before it all got gobbled-up by Oracle and became Oracle Collaboration Suite's Oracle Calendar [oracle.com]. The only reason I know this is because my company was a legacy Steltor CorporateTime customer and we recently completed an upgrade to Oracle Calendar as support was about to expire on the Steltor product.

      If Netscape Calenedar was open-sourced, per
  • by mrbill (4993) <mrbill@mrbill.net> on Thursday May 26, 2005 @12:20AM (#12641886) Homepage
    Isn't Sun's Directory Server [sun.com] based off this as well? I thought they'd acquired all the old Netscape stuff back in the Netscape/iPlanet days.
  • Where are they now? (Score:2, Informative)

    by fce2 (819446)

    Where are the other bits of software that once was Netscape Suitespot?

    Netscape Calendar was not actually developed by Netscape, but was a version of CS&T's CorporateTime system. CS&T later renamed to Steltor, and is now part of Oracle, CorporateTime forming a large part of their colloboration suite.

    Both Netscape and Sun got copies of everything when iPlanet split. Sun still develops and sells them, first as Sun ONE, now as Java Enterprise System. Netscape tried to keep development going for a w

    • So where is the other Netscape software?

      It has took them 8 months to GPL it. I guess they've focused more in the netscape directory.
    • So where is the other Netscape software? I'm mostly talking about Messaging Server, which is an awesome piece of software

      Sun still sells JES Messaging Server, which is a blend of NMS and Sun's old SIMS. There's still a Linux port. It runs some of the larger ISP mail systems on the planet, competing with OpenWave's Email Mx.

      I'm not sure who got ahold of Netscape's rights after iPlanet. The old NMS message store has it's roots in CMU's Cyrus IMAP. The last versions of the iPlanet server used Sun's MT

  • LDAP is lightweight (Score:4, Interesting)

    by Sufood (861621) on Thursday May 26, 2005 @12:35AM (#12641950)
    It's all very well and good to have a lightweight directory system as part of your operating system. However, if Red Hat wants it's identity management system to be more than a lightweight, it should consider asking Netscape to implement more features of the X.500 Directory standard.

    The problem with LDAP is that adding the 'L' (lightweight) to the 'DAP' (directory access protocol) removed many features including, most noticably, proper distribution of data over multiple servers and proper chaining of requests.

    Proper distribution and request chaining protools would allow Linux systems and MS systems to share a perceived common user data store. At the moment, hybrid enterprises are forced to support multiple islands of trust in the organization. It also sets the operational limits of the system to an enterprise/employee rather than a global/customer scale solution.

    Still, it's a good thing that Red Hat is implementing a directory based identity management solution. It's a step in the right direction.

    • LDAP has been able to do distribution over multiple servers for some time. The L in LDAP modifies the protocol, not the server software.

      As to directory based ID management, Linux (including Redhat) has had it for eons. You have always had your choice of using kerberos or LDAP or NIS or whatever you like. In fact, I have done some set-ups ~4 years ago where we used LDAP for the ID. It Worked fine.
    • The problem with LDAP is that adding the 'L' (lightweight) to the 'DAP' (directory access protocol) removed many features including, most noticably, proper distribution of data over multiple servers and proper chaining of requests.

      The reason the university of Michigan created a standalone LDAP server was because 96 or 98% of their requests (I can't remember what the number was exactly) were coming through their LDAP to DAP gateway.

      LDAP removed many features including, most noticably, proper distribution
      • Also, DAP uses the OSI protocols, including ASN.1. Are you sure that's what you want?
        • LDAP uses ASN.1 as well, as it must. And while DAP was defined in the context of OSI protocols, it is not inseparably tied to them. Many companies have released good DAP over TCP implementations.
          • LDAP uses ASN.1 as well, as it must.

            Really? Can you point to the RFC section where it says ASN1 is mandatory?

            Do you think most DAP over TCP implementions are more or less stable than LDAP implementations?
            • Perhaps English is not your first language. Otherwise, it would seem to be self-evident.

              http://www.ietf.org/rfc/rfc2251.txt?number=2251 [ietf.org]

              Section 4 "Elements of Protocol" (page 9)

              4. Elements of Protocol

              The LDAP protocol is described using Abstract Syntax Notation 1
              (ASN.1) [3], and is typically transferred using a subset of ASN.1
              Basic Encoding Rules [11].

              • I didn't doubt you, I just wanted you do do the work. I was wrong: LDAP does indeed use a subset of ASN 1. Point is, it's not a full implementation - this is often touted as one of LDAP's advantages - and I don't see anyone complaining about it except from 2 guys on Slashdot.

                From your RFC:

                The protocol elements of LDAP are encoded for exchange using the
                Basic Encoding Rules (BER) [11] of ASN.1 [3]. However, due to the
                high overhead involved in using certain elements of the BER, the
                following addi
      • The previous poster is right on. Data distribution in LDAP is a hack, accomplished using the poorly specified concept of "referrals" that was added as an afterthought to LDAPv2 and is still underspecified today in LDAPv3.

        By throwing out all of the design intelligence that went into the X.500 DSP protocol, defining how server-to-server communication works, the LDAP folks have set themselves back another decade and are still struggling to define the controls and extensions to provide the distribution feature
        • Agreed, "referrals" are a hack, as were "alises" which appeared and then were dropped from the Netscape and SUN series of servers.

          However, you have to accept that this is an issue of hourses for courses. I run a global network of LDAP servers which processes tens of millions of queries per day across a corporation. 95% of our queries want to know what cost center a users is, what the phone numbers for people called "alistair" are or are used for password or token authentication.

          Referrals aren't an issue h
          • I don't see a major issue here

            That's OK for you to say, because you've already considered the factors that are important to your individual use case. But LDAP is intended to fit a multitude of use cases and for the protocol designers to take this stand is grossly irresponsible.

            You blithely say that "Techniques for bridging between databases" are well understood, but you don't notice that they only work when the entire system and all connections work well. When any component fails or misbehaves, the behav
            • Hmmm, an interesting discussion.

              I still disagree, the key points for me is that LDAP is Lightweight and provides Access to data. I think the designers of the protocols have done an excellent job in designing a protocol which is lightweight and can be extended through supported controls; we use about two of these but I know other LDAP developer who use far more and have even written their own to extend the protocol.

              What I don't think LDAP is ever good for is replicating between servers, it is an awful prot
        • What exactly is it about the referrals currently used in multiple-million object LDAP servers you dislike?

          Referals work. Server to Server works. They're in production. Now. There are almost no DAP servers. LDAP was invented because DAP was bloated. It suceeded in the marketplace. DAP did not.

          Again - tell me, specifically, what's wrong. Don't tell me it's 'not proper' or 'underspecced'that doesn't mean anything. Burden of proof is on you - I'm happy with LDAP, so is the rest of the world, so I can't be bo
          • I've already proved you wrong once, haven't you had enough yet?

            "Referrals work." Only in a fantasy world where security and authentication are unimportant, and where firewalls don't exist.

            The fact that there are still people submitting drafts to the LDAPEXT Working Group to define controls and extensions for real distributed operation is proof that the rest of the world is not as happy as you are with LDAP's server to server capabilities today. If you can't see that, it's no burden to me.
            • Sorry, that LDAP uses a portion of ASN 1 does not prove that DAP (which lost in the marketplace) is better than LDAP (which is being used now, and works).

              Referals work fine on every LDAP server I've set up. Hashes are sent through SSL encrypted pipes, LDAP glue works, it ain't hacky,m it works between LDAP directories.

              Prove your point.
              * Saying 'security and authentication' are mysteriously bad doesn't do it.
              * That people are still submitting things to the LDAP working group proves nothing either. People
          • I run some half million object LDAP servers and have the following issues with referrals.

            i) ACL Management is inconsitent. e.g.

            A client connects to server A. They bind and that establishes the branches and attributes they are allowed to access. They search and receive a referral to server B. They then connect to this server. However, the credentials are not always passed correctly for that server resulting in some unconsisency in the data to be returned. This seems to vary by server vendor but more specif
            • Does that go some way to meeting your burden of proof? (don't get me wrong, I like them, I just feel they could do with some refinement).

              It certainly does - but like you, I'm more inclined to think that the LDAP RFC needs to be expanded to cover areas outside the spec rather than wholesale replaced with OSI DAP, as the original poster was suggesting. Think of LDAP like ipsec in the early days, or SANs right now - a good technology at the point where it's so useful everybody wants to interoperate with it,
  • by sillypixie (696077) * on Thursday May 26, 2005 @01:00AM (#12642054) Journal
    I feel happy about this.

    I feel that this may be karmic retribution for Sun railroading us into having to use ^$@#%$&ing pkgadd, instead of those lovely tarball installs of yore, where it all installed into a single directory that I could tar up, or simply blow away if it screwed up... ah, the days of control...

    But then, in the short term, the only way that I can see Netscape Directory Server making it into the enterprises that I deal with daily are if it comes bundled or as a dependency for some very well-trusted and established open source app, like maybe a CMS or something such as Bugzilla, or SVN. As an "Enterprise Directory" (ooh aah) it will be a long time before this version could compete, if ever -- everybody wants a stack, these days.

    Still, it could be interesting leverage for the big Sun clients who are actually paying for the SJS Directory Server. I think this is the final stage of the commoditization of the animal that is a directory server... damn, I owe a certain Burton Group analyst a beer now...

    (-:

    Pixie
    • I feel that this may be karmic retribution for Sun railroading us into having to use ^$@#%$&ing pkgadd, instead of those lovely tarball installs of yore, where it all installed into a single directory that I could tar up, or simply blow away if it screwed up... ah, the days of control...

      Oh excuses... excuses... You could still do this, you just need to know how to hack the package DB as well. Packages make field support much easier, and following standards for disk layout, seperating data and binar

  • Open LDAP was hard for me to set up, I finally joined forces with an old sysdamin. Even with her old ways she finally managed to convert NIS over to LDAP and promote it to Linux, Windows, Mac OSX and SGI. I about the time she got the SGI's working said, " So long Alice.." and ran west ward on the continental us. LDAP was a nightmare it, it was really nightmarish for the ADD young sys admins. I know at a company that I was looking into was using a verison of LDAP for the whole company's email, security to lo
  • by dlippolt (100881) on Thursday May 26, 2005 @02:56AM (#12642456) Homepage
    In the development and staging environments it was great. As other posters mentioned you could get from zero to something usable in less than 30 minutes. Everything was as you would expect.

    However... in the -production- environment, with 10's of millions of ldap objects connected to SprintPCS's provisioning systems which were making 1,000+ ldap writes --a minute-- the SunOne system absolutely blew chunks.

    LDAP architects will ask what the hell we were doing with the entire database in one ldap instance rather than partition the dataset, and they'd be right, but we were acting under Sun's direction since at the time we had one of (if not) the largest LDAPs in the world.

    LDAP architects would also wonder why on earth you would ask an ldap server to live under such a write intensive churn, and they'd be right again.

    That being said...

    -- Multimaster replication would never ever work. Most of the time the entire SprintPCS userbase was hanging off one master and less than 4 replication slaves. For several months the entire messaging system was wedged into a single point of failure nightmare. (to be fair, this wasn't all slapd's fault and had 1/2 of the root cause in Sprint Datacenter practices which produced predictable results [internetnews.com])

    -- Other posters asked for SunOne Calendar server to be opensourced. My first response is to suggest you have your head examined since that thing would die for absolutely no reason on a regular basis. We actually automated the process of detecting its death and restoring from last night's backup. If you were a SprintPCS customer and your calendar ever seemed screwy now you know why. Of course further reflection suggested opensourcing it is probably the only thing that could help at this point because...

    -- We used to get hotfix builds from Sun which were missing entire sections of the binaries. Whoever was managing the code would forget to use the same compilation flags for hotfixes as original code so we would receive webmail frontend builds which couldn't talk to imap backends, or calendar backends which wouldn't accept connections from calendar front ends.

    -- SOL if you wanted to run more than 4G of memory in slapd.

    Dont consider this post a rant, just let any CIO's/etc. reading this know that this opensource release will probably work great for you if you dont load it heavily (unlike exchange 5x, which would grenade just sitting there)

    On the other hand, if you want to push the performance envelope, pretty much expect it to take alot of time and cause a bunch of headaches -in production-. Get help from people who have pushed the performance of the tools you are considering running.

    Weird mood tonight.
  • by The Last Gunslinger (827632) on Thursday May 26, 2005 @04:55AM (#12642734)
    Why is this even newsworthy?

    IBM has licensed its enterprise-class LDAP directory server software free of charge for over 5 years now.

    Yep, free. Go to ibm.com and download it for yourself. Anyone. For any purpose.

    http://www-306.ibm.com/software/tivoli/products/di rectory-server/ [ibm.com]

    It's currently under the Tivoli brand, going as the IBM Tivoli Directory Server v6.0.

    Not only does it pack all the bells and whistles of other enterprise LDAP directories, such as multimaster and cascaded replication models, but instead of flat files it *includes* IBM DB2 UDB enterprise edition database (also licensed free of charge) for its data storage. I've seen the comparative test results, and nothing touches this solution for performance and scalability.

    It runs on just about anything, too...including Linux on non-x86 hardware.

    And they've always GIVEN it away. Free download.

    So, someone explain again WHY any company of any size would PAY for an LDAP solution, or why RedHat giving away Netscape Directory is big news?
  • Where I'm currently contracting, it most likely won't fly to implement Netscape Directory since there probably won't be pre-compiled SPARC binaries for Solaris, etc.

    However, even though we won't be officially allowed to run ND on Linux, that doesn't mean we can't use it as a club to beat Sun to get the price of support for Sun Java System Directory Server reduced.

The universe does not have laws -- it has habits, and habits can be broken.

Working...