[Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
Rich Megginson
rmeggins at redhat.com
Fri Jul 8 15:31:58 UTC 2005
Bryan wrote:
> This question is probably completely obvious to those more versed in
> LDAP, which I am not. And since I couldn't find an answer to this in
> the Wiki, I thought that it didn't hurt to ask.
>
> So what are the advantages of using a "specialized" LDAP server,
> whether Fedora/Red Hat Directory Server, Apache Directory, Open
> Directory, etc., versus using just OpenLDAP?
I'm not sure what you mean by "specialized" here. Could you explain
further? If you mean "OS or NOS specific", then FDS is not specialized
- it is used on a wide variety of OS for different purposes other than
just NOS user/group management. If you mean "small or used for a
specific purpose", then FDS is not specialized - it is used in very
large deployments, is highly scalable, even in WAN environments, and is
used for a variety of purposes.
> Increased functionality?
Yes. It seems one feature of OpenLDAP that many people want (or at
least ask for a lot) is multi-master replication, to eliminate a single
point of write failure or load balance among writable servers. FDS
supports 4 masters (meaning we've exhaustively tested it with 4 masters)
but can theoretically support many more, depending on your replication
topology.
Another feature of FDS is the GUI management console which many people
prefer to a command line interface. Sure, there are tools that allow
you to do user/group management using a GUI, but the console provides
that and much, much more - backups, restores, import, export, indexing,
schema, logs, full on-line server configuration, monitoring, metrics, etc.
Many of the features of OpenLDAP 2.3 which make management easier, such
as on-line configuration, on-line schema updates, in tree ACIs, auto
database recovery, and more, have been in FDS for years and are fully
tested, stable, and mature. It remains to be seen how stable the
corresponding features in OpenLDAP are. I'm not saying they aren't
stable in OpenLDAP, but I'm just saying that FDS has had these features
for years and they have been tested in very demanding production
environments.
> Heightened and more security measures?
We've done a lot of static analysis using tools like rats and
flawfinder, and dynamic analysis using tools like valgrind and purify.
We did quite a bit of "hardening" prior to open sourcing the code. But
I'm sure the OpenLDAP team can boast similar measures.
The crypto engine is NSS which we feel is more secure than OpenSSL
(although I suppose that's a matter of debate). But NSS 3.9.3 is FIPS
140 certified (OpenSSL is not, although I think certification is
underway). NSS supports any crypto device that conforms to the PKCS11
standard - OpenSSL usually supports these devices through vendor
proprietary interfaces. NSS was and still is developed by many of the
same folks who worked on the initial Netscape SSL implementation - some
of whom are our co-workers at Red Hat. NSS is the same crypto engine
that's in Mozilla/Firefox, Evolution, OpenOffice, Netscape/Sun/iPlanet
server products, and many others.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users