Bryan wrote:

> This question is probably completely obvious to those more versed in LDAP, which I am not. And since I couldn't find an answer to this in the Wiki, I thought that it didn't hurt to ask.

> So what are the advantages of using a "specialized" LDAP server, whether Fedora/Red Hat Directory Server, Apache Directory, Open Directory, etc., versus using just OpenLDAP?

I'm not sure what you mean by "specialized" here. Could you explain further? If you mean "OS or NOS specific", then FDS is not specialized - it is used on a wide variety of OS for different purposes other than just NOS user/group management. If you mean "small or used for a specific purpose", then FDS is not specialized - it is used in very large deployments, is highly scalable, even in WAN environments, and is used for a variety of purposes.

> Increased functionality?

Yes. It seems one feature of OpenLDAP that many people want (or at least ask for a lot) is multi-master replication, to eliminate a single point of write failure or load balance among writable servers. FDS supports 4 masters (meaning we've exhaustively tested it with 4 masters) but can theoretically support many more, depending on your replication topology.

Another feature of FDS is the GUI management console which many people prefer to a command line interface. Sure, there are tools that allow you to do user/group management using a GUI, but the console provides that and much, much more - backups, restores, import, export, indexing, schema, logs, full on-line server configuration, monitoring, metrics, etc.

Many of the features of OpenLDAP 2.3 which make management easier, such as on-line configuration, on-line schema updates, in-tree ACIs, auto database recovery, and more, have been in FDS for years and are fully tested, stable, and mature. It remains to be seen how stable the corresponding features in OpenLDAP are. I'm not saying they aren't stable in OpenLDAP; I'm just saying that FDS has had these features for years and they have been tested in very demanding production environments.

> Heightened and more security measures?

We've done a lot of static analysis using tools like rats and flawfinder, and dynamic analysis using tools like valgrind and purify. We did quite a bit of "hardening" prior to open sourcing the code. But I'm sure the OpenLDAP team can boast similar measures.

The crypto engine is NSS, which we feel is more secure than OpenSSL (although I suppose that's a matter of debate). But NSS 3.9.3 is FIPS 140 certified (OpenSSL is not, although I think certification is underway). NSS supports any crypto device that conforms to the PKCS#11 standard; OpenSSL usually supports these devices through vendor-proprietary interfaces. NSS was and still is developed by many of the same folks who worked on the initial Netscape SSL implementation, some of whom are our co-workers at Red Hat. NSS is the same crypto engine that's in Mozilla/Firefox, Evolution, OpenOffice, Netscape/Sun/iPlanet server products, and many others.


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
