[Fedora-directory-users] Advantages of using FDS vs OpenLDAP?

Howard Chu hyc at symas.com
Fri Dec 2 14:02:33 UTC 2005


Sorry to poke at a moldy old thread, but I think some misconceptions
need to be cleared up.

>     * From: Mike Jackson <mj sci fi>
>     * Date: Fri, 08 Jul 2005 23:37:41 +0300

> Fedora Directory Server was called Netscape Directory Server until
> just recently. It was the first LDAPv3 server in the world, afaik.
> The code was commercially developed and tested for ~8 years and has
> been in use in large scale deployments all over the world for a long
> time. It has contained features for many years which OpenLDAP project
> is just now considering, e.g. multi-master replication, ability to
> alter the configuration of the running server via LDAP, in-tree
> access control, etc.

This "just now considering" is wrong. The OpenLDAP code has supported
multi-master replication and in-tree access control since 1999, very
shortly after the Project began. The design for dynamic reconfiguration
started in-house at Symas in 2002. The point wrt MMR and in-tree access
control is that the Project actively discourages their use, not that the
features don't exist in OpenLDAP.

The debates on the mailing lists going back all those years clearly show
that none of this is a new consideration. We simply don't believe that
the claimed benefits justify the risk. The point about load-balancing
writes is totally specious, and anybody who pushes that factor is just
deluded. High availability / SPOF arguments at least have some
theoretical basis, but as easily as you can say "we've never had a data
conflict problem with MMR" I can say "we've never had an SPOF issue with
standby master" and moreover, we can state with 100% certainty no
conflicts are in our data.

The use of in-tree access controls violates some basic principles of
good security design. I.e., good security comes from a top-down policy
design. Once you have the design, you need to be able to verify that the
deployed rules actually implement that design. With the centralized ACL
rules, you can mathematically prove that your deployment matches your
policy. With distributed controls that are subject to arbitrary
modification, you cannot make any definitive statements about the
security state. The key point that people miss in building distributed
systems is that you need *centralized* control, while providing
*distributed access* to those controls, otherwise manageability goes out
the window.

> Fedora is not what I would call a "specialized" LDAP server, it's
> just a full-featured, standards based, general purpose, high quality
> LDAP server. OpenLDAP is, in contrast, very specialized, having a lot
> of different types of backends in the recent versions. You can do
> some really tricky stuff with OpenLDAP that you can't do with Fedora,
> if you need that sort of tricky stuff in your architecture.

That's a very interesting way to spin things. OpenLDAP is a
full-featured, standards based, general purpose, high quality LDAP
server, that happens to include a number of powerful extras. You make it
sound like the enhancements in OpenLDAP make it unsuitable for general
use, which is untrue, since those enhancements are all modularized
features that can be ignored if unneeded.

> And the main difference for a new person like yourself is the amount
> of available documentation. Fedora is professionally and extensively
> documented, whereas OpenLDAP documentation is very scarce and terse.

Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw.
Yes, what documentation exists is terse, and this is a vital strength.
Nobody likes to spend time wading thru docs, and there's nothing gained
from saying in 5 sentences what can be stated in only one. Certainly we
need to work on expanding the scope of the documentation to cover the
numerous holes. But good documentation is concise and to the point, and
the docs I've written are precise. There may be a problem with imprecise
readers, who skim and skip over things when every single word is
crucial, but that's not our fault.

I'm not here to attack FDS. I have nothing but respect for the team
working on it today. But the fact that OpenLDAP developed under
different conditions, with a different philosophy, is just that -
philosophical difference.
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
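As an added illustration of the point above about verifying that deployed rules implement a written policy (this is example code, not code from the thread, OpenLDAP or FDS): a toy evaluator for a simplified subset of slapd `access to ... by ...` directives, run over a constructed rule set and a constructed policy table, and then over a "drifted" rule set where one clause was loosened. First-match semantics and deny-on-no-match are assumptions that simplify real slapd evaluation, and only the `dn.exact`, `dn.subtree`, `self`, `users`, `anonymous` and `*` selectors are handled.

```python
# Added example: toy evaluator for a simplified subset of slapd "access to ... by ..."
# directives. Assumed: first matching <what> wins, then first matching <by>; no match = none.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rules(text):
    """Parse lines like 'access to dn.subtree=X attrs=a,b by users read by * none'."""
    rules = []
    for line in text.strip().splitlines():
        head, *bys = line.split(" by ")            # '<what> [attrs=..]' then 'who level' pairs
        what, attrs = "*", None
        for tok in head.split()[2:]:               # skip the leading 'access to'
            if tok.startswith("attrs="):
                attrs = set(tok[len("attrs="):].split(","))
            else:
                what = tok
        rules.append((what, attrs, [tuple(b.split()) for b in bys]))
    return rules

def _what_matches(what, target):
    kind, _, value = what.partition("=")
    return (what == "*" or (kind == "dn.exact" and target == value)
            or (kind == "dn.subtree" and (target == value or target.endswith("," + value))))

def _who_matches(who, subject, target):       # subject "" means an anonymous bind
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": subject == "", "users": subject != "",
                "self": subject == target}[who]
    kind, _, value = who.partition("=")
    return kind == "dn.exact" and subject == value

def granted(rules, subject, target, attr):
    """Privilege level the subject DN gets on one attribute of the target entry."""
    for what, attrs, bys in rules:
        if _what_matches(what, target) and (attrs is None or attr in attrs):
            return next((lvl for who, lvl in bys if _who_matches(who, subject, target)), "none")
    return "none"

def violations(rules, policy):
    """policy rows: (subject, target, attr, highest level the written policy permits)."""
    return [(s, t, a, granted(rules, s, t, a), mx) for s, t, a, mx in policy
            if LEVELS.index(granted(rules, s, t, a)) > LEVELS.index(mx)]

# Constructed sample: deployed rules, a loosened copy, and the policy both must satisfy.
ALICE, BOB = "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"
RULES = parse_rules("""
access to attrs=userPassword by self write by anonymous auth by * none
access to dn.subtree=ou=people,dc=example,dc=com by dn.exact=cn=admin,dc=example,dc=com write by users read by * none""")
DRIFTED = parse_rules("access to attrs=userPassword by self write by users read by * none") + RULES[1:]
POLICY = [("", ALICE, "userPassword", "auth"),    # anonymous may only bind against it
          (BOB, ALICE, "userPassword", "none"),   # nobody reads another user's password
          (BOB, ALICE, "mail", "read")]           # ordinary users may read the directory
```

`violations(RULES, POLICY)` is empty, while `violations(DRIFTED, POLICY)` reports that bob now gets `read` on alice's `userPassword`; the same check can be rerun whenever the central rule set changes.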



