[Fedora-directory-users] Advantages of using FDS vs OpenLDAP?

Rich Megginson rmeggins at redhat.com
Fri Jul 8 15:31:58 UTC 2005


Bryan wrote:

> This question is probably completely obvious to those more versed in
> LDAP, which I am not.  And since I couldn't find an answer to this in
> the Wiki, I thought that it didn't hurt to ask.
>
> So what are the advantages of using a "specialized" LDAP server,
> whether Fedora/Red Hat Directory Server, Apache Directory, Open
> Directory, etc., versus using just OpenLDAP?

I'm not sure what you mean by "specialized" here.  Could you explain 
further?  If you mean "OS or NOS specific", then FDS is not specialized 
- it is used on a wide variety of OS for different purposes other than 
just NOS user/group management.  If you mean "small or used for a 
specific purpose", then FDS is not specialized - it is used in very 
large deployments, is highly scalable, even in WAN environments, and is 
used for a variety of purposes.

> Increased  functionality?

Yes.  It seems one feature of OpenLDAP that many people want (or at 
least ask for a lot) is multi-master replication, to eliminate a single 
point of write failure or load balance among writable servers.  FDS 
supports 4 masters (meaning we've exhaustively tested it with 4 masters) 
but can theoretically support many more, depending on your replication 
topology.

Another feature of FDS is the GUI management console which many people 
prefer to a command line interface.  Sure, there are tools that allow 
you to do user/group management using a GUI, but the console provides 
that and much, much more - backups, restores, import, export, indexing, 
schema, logs, full on-line server configuration, monitoring, metrics, etc.

Many of the features of OpenLDAP 2.3 which make management easier, such 
as on-line configuration, on-line schema updates, in tree ACIs, auto 
database recovery, and more, have been in FDS for years and are fully 
tested, stable, and mature.  It remains to be seen how stable the 
corresponding features in OpenLDAP are.  I'm not saying they aren't 
stable in OpenLDAP, but I'm just saying that FDS has had these features 
for years and they have been tested in very demanding production 
environments.

> Heightened and more security measures?

We've done a lot of static analysis using tools like rats and 
flawfinder, and dynamic analysis using tools like valgrind and purify.  
We did quite a bit of "hardening" prior to open sourcing the code.  But 
I'm sure the OpenLDAP team can boast similar measures.

The crypto engine is NSS which we feel is more secure than OpenSSL 
(although I suppose that's a matter of debate).  But NSS 3.9.3 is FIPS 
140 certified (OpenSSL is not, although I think certification is 
underway).  NSS supports any crypto device that conforms to the PKCS11 
standard - OpenSSL usually supports these devices through vendor 
proprietary interfaces.   NSS was and still is developed by many of the 
same folks who worked on the initial Netscape SSL implementation - some 
of whom are our co-workers at Red Hat.  NSS is the same crypto engine 
that's in Mozilla/Firefox, Evolution, OpenOffice, Netscape/Sun/iPlanet 
server products, and many others.

>
> -- 
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
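The reply above says FDS is tested with 4 masters and that how many it can carry "depends on your replication topology". The added example below (mine, not Rich's and not code from the FDS project) makes the topology concrete: it emits the LDIF a full mesh of multi-master replicas needs, one replica entry plus one outbound agreement per peer on every master, so 4 masters need 4 x 3 = 12 agreements. Host names, the suffix, the replication bind DN and the password are constructed placeholders; the nsDS5* attribute names are the ones the FDS replication schema uses, but confirm them against the documentation for the version you run before loading anything.

```python
"""Full-mesh multi-master replication topology for Fedora Directory Server,
emitted as LDIF.  Added example, not code from the original thread or from
the FDS project; host names, suffix, bind DN and password are constructed
placeholders.  Attribute names follow the nsDS5* replication schema and
should be checked against the docs for the server version in use."""

from itertools import permutations

SUFFIX = "dc=example,dc=com"                        # assumed replicated suffix
REPL_BIND_DN = "cn=replication manager,cn=config"   # assumed replication identity
REPLICA_DN = f'cn=replica,cn="{SUFFIX}",cn=mapping tree,cn=config'

# Constructed sample masters: (hostname, LDAPS port, replica id).
MASTERS = [
    ("ldap1.example.com", 636, 1),
    ("ldap2.example.com", 636, 2),
    ("ldap3.example.com", 636, 3),
    ("ldap4.example.com", 636, 4),
]


def validate_masters(masters):
    """Every master needs a distinct replica id in 1..65534; a duplicate id
    makes two changelogs collide, so refuse to build a topology from it."""
    ids = [rid for _, _, rid in masters]
    if len(set(ids)) != len(ids):
        raise ValueError(f"duplicate replica ids: {sorted(ids)}")
    bad = [rid for rid in ids if not 1 <= rid <= 65534]
    if bad:
        raise ValueError(f"replica ids out of range: {bad}")
    return True


def replica_entry(replica_id):
    """LDIF enabling the local server as a read-write (master) replica."""
    return "\n".join([
        f"dn: {REPLICA_DN}",
        "changetype: add",
        "objectclass: top",
        "objectclass: nsDS5Replica",
        "objectclass: extensibleObject",
        "cn: replica",
        f"nsDS5ReplicaRoot: {SUFFIX}",
        "nsDS5ReplicaType: 3",          # 3 = read-write replica
        "nsDS5Flags: 1",                # 1 = keep a changelog (masters need one)
        f"nsDS5ReplicaId: {replica_id}",
        f"nsDS5ReplicaBindDN: {REPL_BIND_DN}",
        "",
    ])


def agreement_entry(dst_host, dst_port, password):
    """LDIF for one outbound agreement from the local master to dst_host.
    Transport is SSL so the bind password is not sent in the clear."""
    name = f"to-{dst_host.split('.')[0]}"
    return "\n".join([
        f"dn: cn={name},{REPLICA_DN}",
        "changetype: add",
        "objectclass: top",
        "objectclass: nsDS5ReplicationAgreement",
        f"cn: {name}",
        f"nsDS5ReplicaHost: {dst_host}",
        f"nsDS5ReplicaPort: {dst_port}",
        f"nsDS5ReplicaBindDN: {REPL_BIND_DN}",
        "nsDS5ReplicaBindMethod: SIMPLE",
        "nsDS5ReplicaTransportInfo: SSL",
        f"nsDS5ReplicaRoot: {SUFFIX}",
        f"nsDS5ReplicaCredentials: {password}",
        "",
    ])


def mesh_agreements(masters):
    """Ordered (supplier, consumer) pairs for a full mesh: n*(n-1) of them."""
    validate_masters(masters)
    return list(permutations(masters, 2))


def topology_ldif(masters, password):
    """Map each master's hostname to the LDIF that must be loaded on it."""
    per_host = {host: replica_entry(rid) for host, _, rid in masters}
    for (src, _, _), (dst, dport, _) in mesh_agreements(masters):
        per_host[src] += "\n" + agreement_entry(dst, dport, password)
    return per_host


if __name__ == "__main__":
    for host, ldif in topology_ldif(MASTERS, "CHANGE-ME").items():
        print(f"### load on {host} with ldapmodify as Directory Manager\n{ldif}")
```

The agreement count grows quadratically, which is the practical reason a large deployment usually moves from a full mesh to a hub-and-spoke layout: each extra master adds two agreements per existing master, and every agreement is a credential and a changelog consumer the admin has to monitor. The example also refuses duplicate replica ids, the configuration mistake most likely to surface only after the servers have been replicating for a while.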
