Between November 2003 and May 2005, I was working on the rather mammoth task of evaluating my department’s environment, analyzing and auditing our infrastructure services, seeing if we could migrate from NIS to LDAP, and then evaluating LDAP server software, writing tools to perform the migration, writing tools to maintain data consistency between NIS and LDAP (for those things that couldn’t use LDAP yet), and writing tools to administer LDAP and integrate it into our environment.
Software evaluation at the time was fairly quick: I looked at eDirectory and SunOne, both of which (at the time) allowed you to store some obscene number of objects under a no-cost license. I chose OpenLDAP at this time because it was libre software with a pretty active support mailing list.
I spent the next year learning the intricacies of OpenLDAP: which back ends might benefit my deployment, how to configure that back end, why my distribution vendor chose not to use the recommended back end (forcing me to build from source), keeping up with the rather frequent upgrades (which the support list folks demand you do, lest you be heckled rather than supported), figuring out how Access Control Lists work, figuring out why some operations were so slow while others seemed blazing fast (this goes back to choice of back end and its configuration), and the list goes on. Over the course of a year, I probably upgraded OpenLDAP 3 times, upgraded the back end at least two times (one was the advent of Sleepycat BDB 4.0, if memory serves), and began to feel like there was no end to the tweaking. I feared I’d be pigeonholed into being solely an “LDAP Administrator” instead of a system administrator.
Then, on June 1, 2005, Fedora Directory Server (and Red Hat Directory Server) was released to the world. It wasn’t yet completely open source, but they announced that they were committed to open sourcing the bits that weren’t yet open in the coming months. I downloaded and installed the server, got on the support IRC channel, and imported all of our data in a couple of hours. By September, just three months later, it was in production, and I haven’t looked back.
I also haven’t become a full-time LDAP administrator. Though I’m the “LDAP guy” in my department, the server tends to need just about zero tweaking, and it’s easily as fast as, if not faster than, our old NIS setup. However, the feature list of the software is a relatively minor reason for my sticking it out. In fact, I have some issues with Fedora Directory Server: it uses NSS to manage certificates (which is a personal pet peeve that I probably just need to get over), it doesn’t log to syslog, and its graphical interface can be somewhat clunky (leading me and others to share tools to completely bypass its use).
I’m sure to get flamed for this, but a significant part of my thinking in sticking with Fedora Directory Server was that it lacked just about all of the baggage of OpenLDAP: namely, incomplete, unorganized documentation, and a community that was, and is, quick to wallop newbies and to redirect or outright reject questions posted to the mailing list. It’s almost as if the community has morphed over the years into a few hardcore, OpenLDAP-using buddies who couldn’t care less if anyone else is actually able to do useful things with the product.
In contrast, the Fedora Directory Server has huge, enormous, steaming wads of documentation, a wiki that has a huge amount of more task-specific documentation written by those in the community who waded through one project or another and lived to tell about it, a mailing list that is extremely user-friendly, and even an IRC channel where you can talk directly to some of the folks writing the code, who are an immense help, and whose wisdom often makes it into the published wiki documentation for all to benefit from.
So, in short, Fedora Directory Server is a blazing fast directory server that supports multimaster replication (should you choose to use it), hot backups and restores, access control changes (and many other changes) without a server restart, running multiple instances on a single machine, and it stores its entire configuration in the directory itself, making it completely manageable using the LDAP protocol itself. If you’re a GUI fan, there’s also a graphical interface that lets you do everything from adding new users, to adding new objectclass and attribute definitions, to managing certificates and viewing logs. What’s more, with its PassSync utility, it can synchronize passwords easily with an Active Directory server.
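As an added illustration of the “access control changes without a server restart” point (this is example LDIF written for this post, not something shipped by the Fedora Directory Server project), here is the kind of change you can push with a plain ldapmodify against a running server. The suffix dc=example,dc=com is an assumption; the ACI syntax is the server’s own. The first rule lets anonymous clients read everything except userPassword, and the second lets each user change only their own password. Because the server denies anything an ACI does not allow, no explicit deny rule for userPassword is needed.

```ldif
# Added example, not from the original post: two ACIs applied to the
# suffix root. Suffix dc=example,dc=com is assumed; adjust to your tree.
# Apply with, for example:
#   ldapmodify -x -D "cn=Directory Manager" -W -f acis.ldif
# The rules take effect immediately; no restart is required.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword")(version 3.0; acl "Anonymous read, password excluded"; allow (read, search, compare) userdn="ldap:///anyone";)
aci: (targetattr = "userPassword")(version 3.0; acl "Users may change their own password"; allow (write) userdn="ldap:///self";)
```

The same ldapmodify flow is how you reach the server’s own settings: since the configuration lives under cn=config inside the directory, a bind as the directory manager and a modify against that entry is all it takes to change server behaviour, and an ldapsearch with base cn=config is the quickest way to audit what is currently in effect.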
Also, Fedora Directory Server is now completely open source, and has been, or can be, built on just about any Linux distribution, in addition to Solaris, HP-UX, and even Windows.
I urge you to give it a try!