There is no such thing as the "right choice" for LDAP server software. Many vendors offer LDAP server applications. Which one should you choose? The choice depends on:
The environment you are working in: The hardware platform and operating system (or systems) you are using may limit your options in choosing an implementation.
The experience and the professional background of the technicians setting up directory services: Whether you use in-house talent or hire a consultant, the person in charge of the implementation will have a bias based on past experience. A consultant with experience using a particular implementation will work more efficiently when using a familiar product. The same thing holds for the operating systems. An administrator who is familiar with UNIX may not be able to work in NT.
This chapter is not intended to recommend a particular product, nor do I think a textbook is the right place to advocate for one solution over another. Moreover, computer technology changes so quickly that, by the time you read this book, the product landscape may be very different. If you need guidance in choosing the right software, you should look for an LDAP mailing list and send an e-mail to the group. In this section we will briefly review the reasons why you should at least consider using an open-source solution.
The open-source solution available at the time of this writing is OpenLDAP, available from the Web site www.openldap.org. OpenLDAP is a mature and very flexible product. In its current version, it is stable and can thus be used in a production environment. OpenLDAP has been developed and is maintained by a group of people that includes the authors of the LDAP standard. OpenLDAP is considered to be a reference implementation of LDAP, and it implements the LDAP (v3) protocol. It allows replication, but not multimaster replication. OpenLDAP is designed in a very flexible way that allows you to compile and configure it to meet your exact needs. Access to the actual data repository is done by a back-end. In the compilation phase, you can choose from a number of back-ends, including lightweight database management (LDBM), Berkeley database (BDB), relational database management system (RDBMS), Perl, or Shell repository. OpenLDAP also allows you to let the LDAP server act as a proxy. The proxy feature, called "meta back-end," offers a powerful rewrite engine configurable via regular expressions. OpenLDAP supports all security features necessary for sensitive data and can be used together with open-source software implementing security layers, such as OpenSSL (Secure Sockets Layer protocol), Cyrus SASL (simple authentication and security layer), or Kerberos.
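To make the features listed above concrete, here is an added slapd.conf fragment. It is an illustration written for this section, not configuration from the book or from the OpenLDAP project, and every path, suffix, host name and Kerberos realm in it is a placeholder. It shows the BDB back-end serving local data, the meta back-end proxying a second server with a regular-expression rewrite of DNs, TLS through OpenSSL, a Cyrus SASL/Kerberos identity mapping, and the security directive that refuses clear-text simple binds (the weak default, with no security directive at all, accepts them).

```conf
# Added example slapd.conf (not from the book); all values are placeholders.
include         /etc/openldap/schema/core.schema

# TLS via OpenSSL: CA used to verify peers, plus the server certificate and key.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/server.pem
TLSCertificateKeyFile   /etc/openldap/certs/server-key.pem

# Weak setting (the default when no "security" line is present): a simple bind
# over a clear-text connection sends the password unprotected.
# Corrected setting: require a 128-bit security layer (TLS or a SASL layer)
# for every operation, and refuse simple binds that are not so protected.
security        ssf=128 simple_bind=128
disallow        bind_anon

# Cyrus SASL / Kerberos: map an authenticated GSSAPI principal to its entry.
sasl-realm      EXAMPLE.COM
authz-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    uid=$1,ou=people,dc=example,dc=com

# BDB back-end (selected at compile time) holding the local directory data.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass eq

# Meta back-end: this slapd acts as a proxy for a partner server and rewrites
# the partner's naming context into the local one with a regular expression.
database        meta
suffix          "dc=partner,dc=example,dc=com"
uri             "ldap://ldap.partner.example.net/dc=partner,dc=net"
rewriteEngine   on
rewriteContext  default
rewriteRule     "(.*)dc=partner,dc=example,dc=com" "%1dc=partner,dc=net" ":"
```

Comments in slapd.conf must sit on their own lines, which is why none trail a directive here. The security line is the part worth checking on any deployment that holds sensitive data: with it in place, an ldapsearch that binds with a password but without TLS is rejected by the server rather than silently accepted.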
Another good reason to choose open-source software is the possibility of code inspection. If you have the experience and the need to ensure that the software does not include unwanted "side effects," an open-source product is the correct choice. Governmental agencies are increasingly requiring the use of open-source software. Implementations that are subject to software validation could also require the use of a software product that can be verified by inspecting its code.
OpenLDAP is well documented and offers, via a large number of mailing lists, the opportunity to get help quickly and even for free. There are many consultants familiar with OpenLDAP, so you also have the option of commercial support.
Finally, OpenLDAP is free, and you do not have to pay license fees. In a project with a small budget, this can be an important issue. Also, if you intend to distribute your software with an LDAP repository, it is a big advantage to use an open-source implementation. The open-source solution also frees you from administrative issues regarding licenses.
That is enough advocacy for open-source software. Now we will address the administration issues of LDAP.