Red Hat Acquires Netscape Server Products

KrisWithAK writes "According to a press release, Red Hat is acquiring parts of the Netscape Enterprise Suite including the directory server and certificate management system. I am definitely looking forward to more open source competition with OpenLDAP!"

I didn't read RTFPR

[GenerallyDynamic]

but I too am definitely looking forward to more open source competition with OpenLDAP!

Re:I didn't read RTFPR

>but I too am definitely looking forward to more open source competition with OpenLDAP!

Call me a troll, but IMO this is EXACTLY the damn problem with open source stuff... Instead of everybody working to make a good something, everyone and their dog is trying to out-do the other teams.

Yes, it does help innovation. But not when the stuff they're working on isn't cross-compatible. We should see implementations of the same stuff competitions, not I'm-gonna-do-something-else competitions.

No wonder people are fleeing Linux to buy Macs.

What';s wrong with OpenLDAP?

[tcopeland]

I've used it to replace some Netscape stuff - it was part of a big Weblogic->Oracle->Solaris EJB app.

OpenLDAP seemed to work fine, although maybe it was because we weren't really loading it up too much...

Re:What';s wrong with OpenLDAP?

[KrisWithAK]

It simply depends on the project for which you are using a LDAP server. A project that I am interested in starting would require dyanmic changes to schema as well as security. At least for dynamic security changes, this is implemented in the Netscape directory I believe. On the other hand, you can check out Apple's Open Directory project that has patches for OpenLDAP.

Re:What';s wrong with OpenLDAP?

competition is always good, not because we are talking about Open Source software, shouldnt be a direct contender to the task.

Re:What';s wrong with OpenLDAP?

[Penis_Envy]

Amen. I have nothing against openldap, and have used it in the past, but the sheer ease of managing iPlanet/Netscape/Sun's DS is wonderful. Dynamic schema updates, dynamic aci updates, dynamic anything. All server configuration can be managed through LDAP. Great stuff.

Re:What';s wrong with OpenLDAP?

[LuSiDe]

Widely acknowledged fact: OpenLDAP performs extremely slow. I don't have any real benchmarks though.

Re:What';s wrong with OpenLDAP?

Widely acknowledged fact: the fefe.de guy doesn't have the faintest clue what he is talking about. Having used openldap with hundreds of thousands of entries, being queried constantly by a mail server (sendmail, maildrop and courier imap/pop), there is nothing wrong with its performance or scalability. Most likely, fefe man did something wrong, like in all his bullshit.

Re:What';s wrong with OpenLDAP?

Google for "cds sds benchmark" and you'll find that today's OpenLDAP is significantly faster than SunOne under heavy load.

Also, iPlanet/SunOne/Netscape are *not* totally dynamic - many changes that you can make using LDAP require a server restart before they actually take effect.

And OpenLDAP 2.3 will have fully dynamic reconfiguration.

Netscape Enterprise Server? Really?

[jea6]

I didn't even realize there still was a standalone Netscape offerring. We migrated from Netscape to iPlanet to Sun Web to Sun Java One (or something like that). Anybody out there stick with the Netscape product?

Re:Netscape Enterprise Server? Really?

[Penis_Envy]

Netscape Directory Server 6 was basically a fork of the iplanet DS 5 product, where Sun carried on the 5.x versioning.

Very very similar products, both good.

Re:Netscape Enterprise Server? Really?

[cbelle13013]

I was a webmaster at a law firm that was using the Netscape server stuff up until I left this past February. Its hard to be diplomatic in a large law firm when you tell the IT Directory that the website will never be "cutting-edge" as long as they are running an ass-backwards webserver. When I offered up a apache/php/mysql solution, parts of my job were quickly taken away from me. Thank god I'm out of there.

Re:Netscape Enterprise Server? Really?

[Slaveway]

I didn't even realize ..... Anybody out there stick with the Netscape product?

I know Safeway Grocery stores use a Netscape solution for all store communication.

Re:Netscape Enterprise Server? Really?

[Ford+Prefect]

Anybody out there stick with the Netscape product?

I've fairly regularly seen little Netscape 'N' logos as the favourites icon in Safari. I can't imagine anyone intentionally setting it to such a thing, so are they from Netscape servers where the icon is still set to the default?

Re:Netscape Enterprise Server? Really?

[rihock]

For some time AOL has maintained the Netscape Directory Server (NDS). When Sun and AOL split up iPlanet, the directory was at 5.0 (iPlanet 5.0). Sun developed 5.1 then 5.2 off of the code base and greatly imporved the product. AOL (I won't call them Netscape) took the 5.0 code and applied a couple patches to it and called it NDS 6.0. It EOL'd at 6.11 when AOL laid off all the developers in Mountain View. It's comparable to Sun/iPlanet Directory Server 5.1

The directory server, either Netscape/AOL or Sun kicks every other LDAP into the dust on scaleability and performance. I've implemented over 10 million users (active for email, calendar and portal) on 2 masters and 4 consumers (over 15% concurrency)

Re:Netscape Enterprise Server? Really?

[falconed]

Anybody out there stick with the Netscape product?

Yep. The US Department of Defense has an enterprise license agreement with Netscape for their browser, directory, and certificate authority products. DoD's public key infrastructure is implemented with netscape's CA and directory products.

Re:Netscape Enterprise Server? Really?

Yep. If you suggested PHP and MySQL to me I'd strip you of your responsibilities too.

Re:Netscape Enterprise Server? Really?

Umm, mostly true, except the part about AOL laying of Directory developers, and EOLling the product - they did neither.

Ease of LDAP.

"I am definitely looking forward to more open source competition with OpenLDAP!"

I'm looking more for an LDAP that's easy to setup and run.

Re:Ease of LDAP.

Novell eDirectory - makes every other directory service (including MS AD) look like a toy.

Re:Ease of LDAP.

[LnxAddct]

Then this is definitly for you. Red Hat, as with all things, will open source this. A lot of people say bad things about Red Hat, but they do alot for the community, they just don't try to take the spotlight. I mean how cool is their patent policy? Any patent they get ( which is always for defensive purposes) can be used by any free software project without worries.
Regards,
Steve

Re:Ease of LDAP.

[0racle]

Active Directory ;) It has all those nice mmc config apps.

Re:Ease of LDAP.

[Trolling4Dollars]

You said that wrong. Let me help:

I, for one, welcome our new LDAP overlords!

With that said, let me also say that I've been working with Sun's iPlanet Directory server since they acquired it from Netscape. It's used for our iPlanet mail suite. In a word, it sucks ass. The intial migration from Netscape Directory server 3.x to iPlanet's directory server was a nightmare. The documentation on the schema layout for mail was non-existent. (Still is as far as I know) There were no migration tools. I just had to dump the Netscape Directory server data to a huge text file. iPlanet support then told me to go through this file by hand and edit or remove any of the lines that didn't apply or had the wrong format. !!!! WTF!? I spent months of late nights pushing the file back and forth between OpenVMS and Solaris just so my boss could use DCL and EDT to make most of the changes needed. The migration actually took me about a year and a half and there is still detritus floating around the LDAP directory. I now have a better understanding of the user account portion of iPlanet's schema, but no thanks to Sun. iPlanet sucks. I can only hope that Redhat will do a better job with what they've acquired.

One last bit to my rant:
Sun STILL has portions of the old Netscape administration tools in the iPlanet suite. This wouldn't be a problem except for the fact that they still kind of work. Enough to damage LDAP data. According to their support they told me to NOT use those tools. THEN WHY THE HELL ARE THEY STILL INCLUDED!!!!??? Crap. Pure crap.

Re:Ease of LDAP.

First, migration from 3.x? That product was end of lifed like 6 or 7 years ago...

Second, the directory server is a great product (probably one of the few great products left unscathed by Sun).

The problems you are seeing are Sun's failure to integrate the iPlanet products well, which only got worse with JES 6.0 - For instance when they added pmdf to the messaging server and changed to the 5.x schema, they broke all the Messaging user admin in Console, and never fixed them or came up with reasonable replacements (Delegated Admin - puleeaze; identity server? don't even get me started...). In JES 6.0, they don't document their new schema again, but this is a messaging/cal problem, not a DS problem. No one bought many of their products, so now they make install all interdependent (messaging and cal depend on identity, which depends on their lousy web or app server, etc). Sun has made a major mess of what used to be pretty good, easy to use products.

In any case, take out the messaging and cal products, and directory is actually very good, very fast, very flexible.

Re:Ease of LDAP.

In Soviet Russia, tired old joke overlords welcome you!

Re:Ease of LDAP.

Speaking as someone who was once an expert at using both EDT and DCL, I recommend you learn gawk (GNU awk).

Editing huge ldifs from the command line is a breeze with gawk. Thank you Mr. Robbins!

Re:Ease of LDAP.

[Lennie]

MS AD is a toy. :-)

Re:Ease of LDAP.

[stor]

I just had to dump the Netscape Directory server data to a huge text file.

An .ldif file?

I had to do this for an openldap 2.0->2.2 upgrade for a client. Edit the .ldif by hand to get the attributes and objectclasses right.

Note: it wasn't entirely OpenLDAP's fault, this client had schemachecks off and had some (plenty of!) bogons lurking in his LDAP server.

OpenLDAP is one of those pieces of software that you understand *why* it's complex *after* you've been through hell working out what's what and finally grokking most of the important stuff. Most stuff is pretty straight-forward if you understand some key concepts but it's certainly not a "plug-n-play" sort of experience.

Cheers
Stor

Looks like a good fit.

[kensai]

However a couple of questions.
1. How does the Netscape Directory Server compare to OpenLDAP?
2. Are the two interoperable?

Re:Looks like a good fit.

[Plake]

Developers from Netscape started LDAP. From the looks of the Directory Server it does.

Here's the feature guide for Directory Server 6.21.

Re:Looks like a good fit.

[Penis_Envy]

1. Netscape DS compares very favorably. It has multi-master replication, and its performance is far above that of openLDAP. OpenLDAP is opensource, though, and very flexible. Netscape has to be paid for, and it's (if I recall) per-seat licensing. Sun's DS is per-entry licensing. Sun's DS and Netscape's DS are very similar, being forks of iPlanet's DS.

2. Yes, sort of. Some forms of replication can work, and both are standard ldap servers. As far as I know (I haven't used openldap for a bit) openldap cannot understand Netscape/iPlanet/Sun Directory server's new replication.

Re:Looks like a good fit.

[prowley]

Sun's DS and Netscape's DS are very similar, being forks of iPlanet's DS.

While you are correct, the iPlanet DS was actually a rebranded Netscape DS to begin with.

Re:Looks like a good fit.

I wrote quite a bit of the Netscape Directory Server code. It's great to see the positive comments here. Thanks !

It'll also be amusing to see my code open-sourced.

Re:Looks like a good fit.

[Penis_Envy]

Right, 4.x was netscape's directory server. The fork I was specifically referring to was the fork of DS 5, which was drastically different from the 4.x code that was originally netscape's. As far as I know/knew, the 5.x version was an iPlanet effort.

Re:Looks like a good fit.

Some of my code is in there as well, but not the most recent one :-)

I'll be amazed to see it open-sourced anyway.

Re:Looks like a good fit.

1) On Sparc hardware today's OpenLDAP is faster than the Sun/Netscape server. On AMD/Linux the performance is astronomical. Google for "cds sds benchmark" and see for yourself. The Sun/Netscape technology is old news. OpenLDAP is still innovating and improving at a rapid pace.

2) To large extent, yes. Having written code for both, I can say they're even binary compatible at the plugin level.

Re:Looks like a good fit.

[amper]

This is somewhat misleading. The fact is, LDAP was originally conceived/promoted by people at the University of Michigan, who eventually went on to work for Netscape. Being as Netscape was one of the earliest (and possibly most visible and productive) supporters of LDAP, it's easy to see how one might assume that Netscape "invented" LDAP.

AOL already uses it.....

[ARRRLovin]

....it must be good!

I hope they can advance enough to make some real competition for Microsoft Active Directory. I know a huge reason Windows shops never consider an alternative is because the AD GPO allows for some very granular management of AD resources.

Re:AOL already uses it.....

[Etyenne]

What does GPO have to do with LDAP, except being both part of AD ?

Re:AOL already uses it.....

[ARRRLovin]

It's a method of management. I was speculating as to whether Redhat would explore development of a similar mechanism.

Re:AOL already uses it.....

[Penis_Envy]

Well, the iPlanet/Netscape/Sun Directory server can already integrate itself into AD networks, so that may very well be a possibility.

What would be interesting is combining this with Samba (which I believe speaks LDAP), and creating a free, open-source implementation of Microsoft's network management system, front and back.

Re:AOL already uses it.....

[ARRRLovin]

Couple what you said with an "Exchange-like" mail/collaboration solution and you could completely emulate an AD environment.

Re:AOL already uses it.....

[Penis_Envy]

Do you mean like opengroupware.org?

But mainly I was referring to the network management portion.

Re:AOL already uses it.....

See XAD.

Re:AOL already uses it.....

[WompPetrovski]

Ha! That's a laugh. Yeah I remember the days when AD came out. It had to be patched so many times before it could even fit the LDAP standard. Oh that's right, Microsoft thought it would change the 'top' object. Not to mention other things.

I personally am a Netscape/iPlanet/Sun ONE/Sun Java Station person. The only thing that peeves me is how often they change the name of the product.

Give me Sun anyday over Microsoft!

That's still around?

[mcc]

Seriously? I thought the Netscape Enterprise product line fizzled out back when people thought selling pet food on the internet was a good idea.

Do you mind if I ask, how worthwhile are these products to Redhat? What kind of state are they in? How recently have they been updated, are they still in active development or just maitenence mode? Does anyone still use them? And do they offer any worthwhile features or functionality not already available in free products?

Re:That's still around?

[Penis_Envy]

For me, the Directory Server product is very very interesting. If they could offer up some of the multi-master replication to openLDAP, or the Active Directory integration, big headway could be made in enterprise environments in the Directory Server space.

That's the only thing of interest to me, personally. I think apache's web server eclipsed them a while ago.

Re:That's still around?

[lilmouse]

And how much *did* RedHat pay for them? That's the real question!

--LWM

Re:That's still around?

I can't say much about the NES, but iPlanet/SunONE/JavaWS is still kicking and used by the die-hard Sun folks. Works well, and has a pretty well thought out hybrid thread/process model for handling requests. Only problem is that it costs money.
If the Netscape Dir server is anything like the Sun one, it should be pretty solid.

Re:That's still around?

[maxume]

The news.com piece states that they paid less than 25 million. It also states that 'The acquisition includes a team of fewer than 50 programmers' without being more specific. It also says that HP uses at least some of the stuff Redhat bought.

Re:That's still around?

[LnxAddct]

If you've ever had to use openLDAP then you will never be happier once RH releases this. The features are limitless, but two things off the top of my head are that it has a significant improvement as far as speed and system resources go, and also it has good, advanced replication. It's easy to use and just an all around good architecture. Try it out when its released, it will speak for itself. Personally, I'm more interested in the Certificate Server.
Regards,
Steve

Re:That's still around?

[kjs3]

We use it where I work.

We run iPlanet on several hundred web servers and have a SunONE pilot looking to cover around 25 million users. iPlanet stuff seems to be smooth; SunONE has been...challenging.

As I understand, tho, what RedHat got isn't the new stuff we are using.

Re:That's still around?

[rpresser]

Seriously? I thought the Netscape Enterprise product line fizzled out back when people thought selling pet food on the internet was a good idea.

Selling pet food on the internet *is* a good idea, or at least a profitable one.

Re:That's still around?

[Electrum]

We run iPlanet on several hundred web servers and have a SunONE pilot looking to cover around 25 million users.

I have no idea what you are doing, so I don't know if this would help, but if I needed dozens or hundreds of web servers I would use Zeus Web Server. It's the best web server on the market and designed for high traffic, clustering and easy administration.

I use Zeus and because of it I don't need dozens of web servers.

Re:That's still around?

[rihock]

After the iPlanet split, AOL continued to develop Directory and CMS (CMS is awesome BTW).

For RedHat, it means they can compete in the enterprise directory market. Sun's services run on Linux as well as Solaris for x86, so RedHat needs these to maintain any kind of competitive stance. Its a good buy for them since AOL isn't doing anything with the products.

Re:That's still around?

HP used to have Netscape LDAP servers, but not anymore. They have nearly completed their migration to AD.

Re:That's still around?

[kjs3]

I think the key thing you said was "I have no idea what you are doing".

Thanks for the suggestion.

Re:That's still around?

The following two postings are fairly accurate and should answer some of your questions: http://linux.slashdot.org/comments.pl?sid=123844&t hreshold=1&commentsort=5&tid=110&mode=thread&cid=1 0401313 http://linux.slashdot.org/comments.pl?sid=123844&c id=10405918

Does OpenLDAP even work?

[Offwhite98]

I have tried ever few months to set up OpenLDAP using newer releases with instructions on their website and it never would work. I always had some issue with the DBM libraries or the commands in the tutorial were inaccurate and not current with the updated command-line options. It goes to show that no matter if the software actually works, if the documenation is not at least half decent the software is still incomplete.

I have maintained Netscape/iPlanet LDAP servers before and they may not be perfect, but they worked. Perhaps a good open source LDAP server will help LDAP become a viable alternative to Windows Directory or other authentication systems.

I thought I read about a Java LDAP server once, but never looked into it much.

Re:Does OpenLDAP even work?

[stratjakt]

OpenLDAP works great for me and plenty of others. You must not be very good with computers.

Re:Does OpenLDAP even work?

[stratjakt]

How is that a troll and the OP "Interesting"?

Of course OpenLDAP works, that guy is just an incompetent dope if he can't get it working.

Hell, it practically worked out of the box on Gentoo, the only thing to really setup was SSL/TLS.

Re:Does OpenLDAP even work?

[Etyenne]

It work fine. Use the package for your distribution, don't try to compile it yourself if you are unsure about what to do. The man page seem to reflect the current command-line options, I don't see much problem here.

LDAP in general and OpenLDAP in particuliar is a complex subject. The initial learning curve is pretty steep. Good luck with it.

Re:Does OpenLDAP even work?

[gunnk]

I can respond to that with an enthusiastic YES, it does work.

We use it to authenticate our email and calendar users (from two different servers). I'm migrating us off our OLD Netware servers (damn lean budget years!) to Samba and am setting Samba to authenticate against it as well, finally giving our users a single userid and password for all our services.

OpenLDAP is lightweight (size and CPU-wise), robust, and reliable. It's also really easy to set up if you use the version included with your distribution. You can also replicate the server to give yourself good fault-tolerance on another piece of hardware.

RedHat has good online documentation on their website in the RHEL Reference Guide that should help explain things to you a bit.

Re:Does OpenLDAP even work?

[pe1chl]

The server works. Sure it requires some study of the documentation and some trial and error, but I have been running the OpenLDAP server at work for years, and it never caused a problem after the initial configuration.

What I think is a real problem: the lack of a user-friendly tool to maintain the database.
Some open source tools exist but they are too low-level. E.g. they operate on the level of "add record" and "add attribute".

What you need is a tool that can be user-configured, and comes with panels for typical configurations (that can be altered).
You want to have panels for "maintain a person record" or "maintain an organizational unit record" that present input fields at the level a helpdesk person can understand (like "username", "full name", "telephone number" etc) and that get validated as whole and updated in the LDAP server when the panel is submitted.

I have not yet seen such a tool in the opensource LDAP world.

Re:Does OpenLDAP even work?

[ElForesto]

Do yourself a BIG favor and get some books on LDAP. If you don't, it's like trying to translate Klingon into Arabic using a poodle as your interpreter. I once tried setting up an LDAP server for a shared address book before I had any clue what I was doing, and I learned to regret that exercise in frustration.

Re:Does OpenLDAP even work?

[KrisWithAK]

Although it displays the attribute name, which sometimes isn't descriptive "enough," you might want to check out JXplorer, which I use.

Re:Does OpenLDAP even work?

Stating "You must not be very good with computers" on the basis of someone's experience with one application certainly sounds like a troll to me. Your follow-up "that guy is just an incompetent dope if he can't get it working" isn't convincing anyone that you were misunderstood.

The longer you stay in this business the less you point your finger at the other guy unless you know all the facts.

Re:Does OpenLDAP even work?

[hey!]

Oh, OpenLDAP works fine.

The main problem is with the "do one thing well" philosophy, which is generally laudable from a technical standpoint but sometimes leaves users needing more. Most people don't need just a directory server, but a set of specific directory services built on the directory server. With time and patience you can build what you need. But if you don't have the time or the patience, then you need to look elsewhere.

This pretty much characterized my own foray into using OpenLDAP, which was more successful than yours but not entirely successful. I read some books, I mucked around with schema, and eventually I got a few linux boxen authtenicating against it and was able to hook up my mozilla address book to it. However, it was still pretty raw to administer, and overall I didn't have a system that met my needs, which was to reduce the administrative burden on some of the less technical people I work with.

Re:Does OpenLDAP even work?

[bigman921]

JavaLDAP was originally written by our founder. It's still available, but not activly developed.

Re:Does OpenLDAP even work?

[pe1chl]

From what I see in the screenshot, it is just another "regedit-like LDAP explorer".
This is NOT what I need. And not what the average user needs, I think.

What I need is a program that displays complete panels with all information about a certain object (maybe on more than one tab) that allows editing on the object level.

Just consider a simple, very typical case: a new employee joined the company, you want to add a person record.
Do you want to type a DN, add the record, then one by one open all kinds of attributes, and enter data for them? NO.
What a normal user would want is something like the "User manager" found in Windows. Select the action "add person", get a panel, enter data like fullname, username, telephone number, location etc. and click ADD. Insert all data in the LDAP server in one go.

Is that really too much to ask?? All the opensource LDAP editors I have seen work on that attribute level instead of the more sensible record level.

Of course there is even more: not only I would want to enter data for a person at once, but also I would want to enter data once and put it in more than one attribute. Controllable by some configuration like a template.

Example: you enter Firstname, Middle, Lastname in 3 fields.
Attributes inserted in the LDAP record: Firstname, Middle, Lastname but also a "cn" consisting of the above three.
Or: you enter the user-id, and additionally a "mail" attribute is automatically added as @.

This is what you need to have an LDAP directory operating in a company, and have it maintained by ordinary helpdesk personnel or a secretary, instead of an LDAP hacker.
The lack of such a tool is a real problem for LDAP usage in an opensource environment.

What I did at work is make some PHP scripts that put up HTML forms that have the above functionality, store the data in a MySQL database, and nightly run a job that reads the database, writes a .ldif file, and loads this into OpenLDAP.

Far from optimal, to say the least. And as it is very specific for our environment, also not distributable as the solution for everyone.
We need something like this, but configurable.

Re:Does OpenLDAP even work?

[SLot]

Sound a lot like GQ. Unfortunately, GQ doesn't appear to be actively maintained.

Re:Does OpenLDAP even work?

[otis+wildflower]

However, it was still pretty raw to administer, and overall I didn't have a system that met my needs, which was to reduce the administrative burden on some of the less technical people I work with.

This is the key. You can spend lots and lots of time monkeying around with schemas, supported versions, integration into samba, etc. But it wasn't easy, and I couldn't trust the work to someone else.

That's why Novell can kill if they keep the per-user price low enough. Easy administration and integration into packages, 3rd party module support, etc.

At one point at one company, I had samba, postfix, apache, addressbooks, inn, and proprietary stuff all using a single LDAP source. postfix used LDAP groups as mailing lists, so if you mailed 'dev@corp.com' it would send mail to every member of posixGroup 'dev'. I had to create a separate web page for users to change their passwords so the sambaNTpassword crap would be updated appropriately, but it worked. There was single username/passwd for every IT resource at the company (30 people).

But yes, it was a cast-iron bitch to manage.

Re:Does OpenLDAP even work?

> If you don't, it's like trying to translate Klingon into Arabic using a poodle as your interpreter

I always said, shakespeare is better in the original barking. Hard to get all the smells into a book to tell the story it was meant to be told tho...

Re:Does OpenLDAP even work?

[samael]

That's exactly what I want to do - any advice?

Re:Does OpenLDAP even work?

[GreenBugsBunny]

I recommend you read O'Reilly's "LDAP System Administratrion" book.

I've had a few failed attempts at LDAP, but this book really explains the system well. I'm now running openldap on 2 servers, one master & one slave, thanks to this book.

Oh, and it works great!

Re:Does OpenLDAP even work?

[Etyenne]

Yeah, I can feel your pain. I feel the same way and need a similar tool too. However, you have to keep in mind that LDAP object are by definition extensible, and the schema modifiable. This make writing a general-purpose tool pretty hard.

What I did at work is make some PHP scripts that put up HTML forms that have the above functionality, store the data in a MySQL database, and nightly run a job that reads the database, writes a .ldif file, and loads this into OpenLDAP.

I am not quite sure why you have the MySQL step in the middle. You could edit the directory in-place. I know there are pretty good LDAP module for PHP. Personnally, I use Perl's Net::LDAP with good success.

Re:Does OpenLDAP even work?

[tylernt]

I feel your pain. OpenLDAP and the other products may compare at the user-level, but for administration, OpenLDAP just sucks. I have yet to find a good administration tool for it. Maybe one is hiding out there or is being developed as I speak.

Novell sucks because there are some things you can do only in NWAdmin, others you can do only in ConsoleOne. Dumb. That's from Netware 5.1 and 6.0 though, maybe their newer stuff has improved.

Lotus Domino's admin software sucks because everything is buried under 17 layers and if you click the wrong 'X' in the interface, you lose all 17 layers and have to start over. I hate Domino.

iPlanet/SunOne's GUI interface isn't too bad but seems to be really slow, even on a 2GHz server with very few users(?). For advanced config options, you sometimes have to resort to editing a text file (albeit still within the admin GUI), which is one weak point.

AD seems to have got it right with the ADUC and other MMC snap-ins, although if you get in and start messing around with permissions and GPOs you'd better know exactly what the heck you are doing because it's real easy to change things in ways you never expected (or in other words, break AD). The only drawback is, you don't have much low-level control over LDAP attributes and things -- you're just kind of stuck with 'the Microsoft Way' of doing things.

In short, there is no perfect solution. I favor OpenLDAP just because it's OSS but the installation (from source) and the learning curve are both unpleasant. If you're a clueless MCSE-type and just want a quick LDAP directory, I'm afraid AD is the least painful route... if you don't mind clicking a soul-sucking EULA and bleeding ridiculous licensing fees to the Evil Empire.

Re:Does OpenLDAP even work?

[pe1chl]

The reasons for this are twofold:

1. At the time I wrote this, the PHP module could read data from LDAP fine, but it would just segfault apache at any attempt to modify anything.
I have not tried that way recently, probably it has been fixed. In those days Net::LDAP was too slow for use in a cgi-bin, because of the time required to load and initialize. Probably not an issue anymore either.

2. The step between provides the opportunity to merge data from different sources and cross-check it. E.g. we nightly read account data from the Windows domain controller and the Linux passwd file, put that in some tables in MySQL, and combine the data from those tables with the manually-entered data to generetate the .ldif file.

When a good tool would exist, it would probably be possible to do those extra actions in a separate nightly job and update the LDAP database from two places. But as it is now, it is easier via MySQL.

You are right about the schema flexibility. That is why I wrote the tool should be configurable. There should be some configuration file describing the layout of the panel (fixed text and fields), and something that maps the fields to the attributes in LDAP. The mapping should allow things like validation, translation (lower-upper or upper-lower case, for example) and concatenation of fields into attributes.
A tool written in Perl that allows writing the mapping as an external Perl module is probably best.

Re:Does OpenLDAP even work?

[pe1chl]

Yes, this is much more like it.

are they gonna open source it?

[hruntrung]

I read the press release, and they made reference to integrating the products into the Open Source Architecture, but they don't actually come out and say, "we're gonna make it [insert favorite license here]."

Also, is there any reference documentation for the Open Source Architecture? I'd love it, cause as it stands, sometimes open sources like a disorganized mess.

Re:are they gonna open source it?

[LnxAddct]

Everything Red Hat has, does, or buys becomes open source. This is equally true for their patents (which are aquired for defensive reasons). Here is their patent policy. In short, it states that any patents they hold may be used by any free software project without fear of any infringement.
Regards,
Steve

Re:are they gonna open source it?

[Ron+Harwood]

The second article says that they are going to... The press release may say it in marketing-speak...

Re:are they gonna open source it?

So their new CCMs are now open source, too?

Re:are they gonna open source it?

[SCOX_Free]

This isn't a troll, but is cygwin.dll open source? Is it GPL?

Re:are they gonna open source it?

[LnxAddct]

Yep.

Increasing Power of Red Hat

[ZSmitty]

Just two years ago AOL was looking to aquire Red Hat. http://slashdot.org/articles/02/01/19/041215.shtml It's amazing how things have changed. Where AOL once wanted Red Hat to be another Netscape for them, Red Hat is now purchasing parts of Netscape from AOL. Personally, I think its great.

Re:Increasing Power of Red Hat

[doodlelogic]

AOL once wanted Red Hat to be another Netscape for them

Why would AOL want another disatrous investment?

Re:Increasing Power of Red Hat

[DrXym]

AOL has basically stripped Netscape down to the bone. After they got their pound of flesh from Microsoft they weren't interested in maintaining it any more. Whole departments were shitcanned and now it's just a small rump serving up content to Netscape.com.

Which is a shame from AOL's perspective since now their AOL client is stuck with an obsolete browser engine, written by their mortal enemy. They could have gone to Gecko but they chose not to. Oh yes - I'm sure MS will be leaping up and down to add new functionality for AOL's sake - NOT.

The sad thing is there were (and are) AOL products that do use Gecko, including at one stage beta of the AOL client. But rather stupidly they never followed through in any serious manner. If they had shipped an AOL client using Gecko there would now be 25+ million additional non-IE users in the US. Even where they did use it, such as AOL Communicator (a Thunderbird like email client) they basically screwed the pooch by implementing the whole app in C++ and using Gecko just to render HTML mail. How stupid is that given they could have written it in XUL in less time?

AOL just doesn't get it. Technology is for them just the means to stick a big shiny button on the start page. That's as good as it gets. Technical considerations such as standards compliance play second fiddle to marketing and dumb ideas to keep their audience happy. I also reckon there was a lot of infighting between the 'establishment' (who develop against IE) and those who want to try something risky even if it means flux in the short term.

Well that's too bad for them. Their customer base is dwindling - sick of the monolithic client, sick of the AWFUL email, sick of the incestuous links, and sick of the pricing. These days I reckon all but the most helpless of their users would be happier with barebones broadband, Firefox / IE combined with an email app. AOL is going to find itself in a niche if it doesn't change soon.

Re:Increasing Power of Red Hat

That was a false rumour. Someone leaked to the press that AOL was in talks with RedHat, allegedly to buy them out. RedHat was indeed talking with AOL, but for entirely different reasons.

Re:Increasing Power of Red Hat

> They could have gone to Gecko but they chose not to.

Their mac client *is* on Gecko. They could switch the PC client overnight if they wanted to, but more than likely MS is paying them off to not switch. Sounds like AOL is the one calling the shots here...

Re:Increasing Power of Red Hat

[DrXym]

That's why I said some of their clients do use Gecko. But a more likely scenario is future versions of OS X end up using the KHTML part. After all, why bundle Gecko (8Mb of download) when the machine has a Cocoa component already on it>

On Windows it is a different story. I imagine that the IE browser component is simple enough to flip out (assuming it is encapsulated), but that is only half the battle. The AOL site is probably riddled services and features that rely on MS specific DHTML, ActiveX and whatnot. To switch would require that AOL fixes their content too (and partner sites) *and* support IE for backwards compatibility. Obviously the further down the road things go, with more rich interactive content, the harder that is to do.

AOL has had bad press with buggy releases in the past and are probably paranoid about breaking anything now. Still, that is little excuse for bad coding. If every site and its uncle can code pages that run on any browser then so can AOL.

Please tell me about Netscape LDAP server ACL

[Etyenne]

In the past, RedHat have been open-sourcing pretty much every applications they acquired AFAIK (see Sistina GFS, for example). Thus, I am pretty confident we will soon have a second Open-Source LDAP server from this deal. There is no garatee, but I am looking forward to it.

For those who are familiar with Netscape LDAP server, could you teach me a bit about its ACL management capability ? OpenLDAP, in this regard, is pathetic. The ACL have to be written in some kind of filter language *inside* the config file, which need a restart/reload to take effect. It is very error-prone and basically the part of OpenLDAP that give me the most troubles. How is Netscape in this regard ? Can you define by-object ACL ? How are they stored ? How do you manage them ?

Thanks for you insights !

Re:Please tell me about Netscape LDAP server ACL

[Penis_Envy]

ACL's in iPlanet/Netscape/Sun's DS are wonderful. ACL's can be held in any entry, and take effect immediately. All you have to do is request the aci attribute (assuming you have priveledges) to see the rules. Acl's go so far as to be dynamic, too, taking into account the binding user's DN, being able to create masks, etc.. There are some wonderful features that I hope make it into openLDAP, or heck, if they just open the source of Netscape DS, that'd be incredible.

Re:Please tell me about Netscape LDAP server ACL

[LnxAddct]

Mods: Don't mod me up if you feel the urge to, this is the 3rd time I've said this.

It's Red Hat's policy to open source everything they have. This also is true for their patents which are able to be freely used without fear of infringement by any free software project.
Regards,
Steve

Re:Please tell me about Netscape LDAP server ACL

[Cardinal+Biggles]

For those who are familiar with Netscape LDAP server, could you teach me a bit about its ACL management capability?

It's been a while since I maintained one, but it used to be pretty cool. You can put an ACL-attribute into every entry, and the ACL in that entry then applies to it and all entries below it in the tree. As I recall, the ACL can be in an LDAP search format so you can basically make things as complicated as you want.

IIRC, there was an upper limit to the amount of ACLs you could put in the tree though (I think it was max. 32768).

Integration with the mail server was pretty cool, too. The webmail server sucked though, if only because the install script would create a user webmail in your tree with almost limitless access rights, and it would use those rights to put loads of garbage in your tree...

Re:Please tell me about Netscape LDAP server ACL

[prowley]

Other comments cover most of the features of Netscape DS acl's. One thing nobody mentioned is that ACL's may be applied down to value granularity.

Re:Please tell me about Netscape LDAP server ACL

One nice thing I haven't seen mentioned is dynamic groups. Basically, you can define a group via an ldap URL. For most client apps, this doesn't help (as the client has to process the URL to find members), but ACL's DO use dynamic groups.

So, you can say things like everyone in some branch with an attributes with this value is a member of the group, and apply dynamic ACI's to that.

Re:Please tell me about Netscape LDAP server ACL

[mikemcc]

ACLs are just an attribute of the object. It's really very elegant. For example:

dn: dc=company,dc=com
creatorsname: cn=Directory Manager
createtimestamp: 20020307024738Z
dc: company
objectclass: top
objectclass: dcObject
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allo
w (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "nis-admin account"; allow (all) userdn
="ldap:///cn=nis-admin,ou=administrators,ou=topolo gymanagement,o=netscaperoo
t";)
aci: (targetattr="userPassword||sn||cn||givenname||tele phonenumber||mobile||pa
ger||title||description")(version 3.0; acl "self update options"; allow (all
) userdn="ldap:///self";)
aci: (targetfilter="(l=SF)")(targetattr="*")(version 3.0; acl "SF Admins"; all
ow (all) groupdn="ldap:///cn=ldap-admin-sf,ou=group,ou=serv ices,dc=company,d
c=com";)

Re:Please tell me about Netscape LDAP server ACL

[Just+Some+Guy]

ACLs are just an attribute of the object. It's really very elegant. For example

You forgot the <smartass> tag. You did mean that sarcastically, didn't you?

I replaced NIS with OpenLDAP on a small network and have a lot of love for it, but your example looked like a Sendmail config file rewritten as APL macros piped through Perl with a couple of trips through Babelfish. That is, I recognized a few words but have no freakin' idea what you were trying to say.

I sincerely hope Netscape provides some good competition to OpenLDAP, because I'd like to think I'll never have to try to understand what you just wrote.

Re:Please tell me about Netscape LDAP server ACL

[redhog]

Do you have any inheritance down the tree using that type of ACLs?

Re:Please tell me about Netscape LDAP server ACL

[Tet]

I replaced NIS with OpenLDAP on a small network and have a lot of love for it, but your example looked like a Sendmail config file rewritten as APL macros piped through Perl with a couple of trips through Babelfish.

And that is why I'm still using NIS. The wire protocol for LDAP may well be very efficient. But LDAP in general, and OpenLDAP in particular, is a nightmare to configure, and I just don't have the time to beat in into submission. NIS is up and running in 5 minutes, and requires essentially zero administration on a home network.

Re:Please tell me about Netscape LDAP server ACL

[Penis_Envy]

How is it not elegant? The only interface you need to the directory to manage it and use it is via LDAP, and changes take place very quickly, with no down time.

The filters make a LOT of sense, he put some simple ones in there, but you get the hang of it:

aci: (targetattr != "userPassword") version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

If the target attribute is not "userPassword", (then a version number, and a description) then allow read, search, or compare, and then an ldap uri that says "anyone". Basically, anyone can read, search, or compare, so long as it's not ther userPassword attribute.

The ldap uri could be a specific user, or a group. What is so complex about that? If you would like a click-box interface for it, there is one, too. Personally, this interface is very nice (I think) as it's simple to write clients for it, and automate changes when needed. It's the same idea that mysql uses (feel free to correct me if I'm wrong) where permimssions and users are stored in the db too.

Re:Please tell me about Netscape LDAP server ACL

[noselasd]

ACLs are just an attribute of the object. It's really very elegant. For example:
[snip] strange characters... [/snip]

Please tell me there is a GUI admin utility allowing you to set ACLs !?

Re:Please tell me about Netscape LDAP server ACL

[prowley]

Do you have any inheritance down the tree using that type of ACLs?

yes

Re:Please tell me about Netscape LDAP server ACL

There's a Java GUI app for this.

Re:Please tell me about Netscape LDAP server ACL

[kris]

ACLs are just an attribute of the object. It's really very elegant.

Elegant is not the word I'd like to use for something that puts things into a permanent store that are not even in first normal form. You have aci records of the form

aci: (targetattr="userPassword||sn||cn||givenname||tele phonenumber||mobile||pa
ger||title||description")(version 3.0; acl "self update options"; allow (all
) userdn="ldap:///self";)

Please give the LDAP query that lists all DNs that have aci's related to the user "nis-admin".

Re:Please tell me about Netscape LDAP server ACL

[glitch23]

I have a slightly old copy of Netscape DS if u would like to try it out. It's free,just email me. The copy is for windows. If u need antoher version I believe I just got it from netscape's site somewhere. bmccombs at ma dot rr dot com

Re:Please tell me about Netscape LDAP server ACL

[arkane1234]

On a home network.

Once you go beyond just you, you have to worry about security concerns.

Re:Please tell me about Netscape LDAP server ACL

[noselasd]

Ofcourse, Java. They HAD to do it.
*sigh*

What's the point?

[DogDude]

I don't understand what Red Hat is trying to do. It's ancient software. The brand "Netscape" is now. They already sell a competing product.
The schizophrenia that Red Hat is displaying makes Sun & Oracle look sane by comparison.

Re:What's the point?

I think if you have ever struggled through openldap, then installed and had to manage a Netscape/Sun/iPlanet/JES/SunONE directory server, you wouldn't ask this :)

FWIW, even Netscape's 4.x directory server was top notch. Netscape's current directory server is based on the iPlanet 5.x server, which Sun's directory server (currently at 5.2 in the current JES product) is also based on, and there has not been a lot of significant functional changes to the product since the split (at least not on the Sun side).

Sun vs. AOL

[Zardoz44]

Correct me if I'm wrong, but I though Sun owned the Netscape server products and rebranded them as SunOne/iPlanet (now Sun Java system?)? Why does the article say that these technologies were purchased by AOL?

i.e., Sun Downloads

Re:Sun vs. AOL

[Penis_Envy]

iPlanet was a join Sun/Netscape venture. AOL bought Netscape, thus Netscape's Directory server. When the iPlanet venture was dissolved, AOL had the directory server, which was one of the things Netscape brought to the iPlanet experiment. I don't recall the details, but I think they forked the code when iPlanet was absorbed into Sun.

Re:Sun vs. AOL

[danuary]

...All of which means that Red Hat did NOT just buy all of the fun and interesting products that iPlanet produced -- Messaging/Calendar/et al are actually useful, mature, stable products -- but instead bought a stable LDAP server whose codebase probably hasn't changed much in several years.

Re:Sun vs. AOL

[prowley]

Sun purchase them, and entered into deal where the products would be co-developed. Part of the deal was that both AOL and Sun had rights to all products. So when that co-development ended, both parties continued to develop their forks.

Re:Sun vs. AOL

[prowley]

but instead bought a stable LDAP server whose codebase probably hasn't changed much in several years.

Wrong. The Netscape DS has been in active development since Netscape started developing it in the mid-90s.

Re:Sun vs. AOL

[Penis_Envy]

I think you're kind of missing the point. There are very good open-source alternatives for the other solutions that iPlanet had (with the exception of Calendaring, I think) such as Postfix, qmail (my favorite), exim, and sendmail (if that's your bag) among others as an MTA. Courier (again, my favorite) and Cyrus (again, among others) work great for IMAP/POP. Why waste money buying yet another mail server with so many excellent options?

What was lacking (no offense to openldap, again, it's great) was an enterprise Directory server with enterprise features (multi-master, fast replication, ease of maintenance, protocol support, not to mention multi-platform support fo r everything under the sun) to tie all the stuff together.

Netscape's Directory server might not be "fun and interesting" to you, but it's quick, easy to manage, and overall very good. I think it makes perfect sense. I think they're trying to build a viable platform for just about anything.

Re:Sun vs. AOL

[Temkin]

such as Postfix, qmail (my favorite), exim, and sendmail (if that's your bag) among others as an MTA. Courier (again, my favorite) and Cyrus (again, among others) work great for IMAP/POP. Why waste money buying yet another mail server with so many excellent options?

Because these are toys compared to S1MS. The S1MS MTA is a multithreaded hydra. I've seen it saturate 30 CPU systems doing SMTP relay... literally 100's of messages per second relayed.... Cyrus/Postfix/Exim only dream about the kind of scalability S1MS has. Sendmail isn't even in the running.

...and no I don't work for a spammer.

Re:Sun vs. AOL

[Penis_Envy]

Last I heard, cyrus was just for IMAP. Did you mean qmail?

Toys you may say, but source is to be had. I don't think it's an issue, personally. It seems that yahoo does pretty well with qmail. Things can be tuned, and different designs can be used.

Perhaps postfix/exim/qmail wouldn't run as well on 30 cpu systems (wouldn't know), but that doesn't mean they aren't viable as enterprise servers. As far as messaging goes, 8-way boxes are about as big as I've used (and they've been very adequate), and they've been to handle millions of users.

Re:Sun vs. AOL

The following two postings are fairly accurate and should clear up many public misconceptions. http://linux.slashdot.org/comments.pl?sid=123844&t hreshold=1&commentsort=5&tid=110&mode=thread&cid=1 0401313 and http://linux.slashdot.org/comments.pl?sid=123844&c id=10405918

competition?

Isn't the core of the directory server OpenLDAP? Sure looks that way with the iPlanet version. So how can there be competition when the Netscape/iPlanet product is a value added product?

Re:competition?

[zoo]

I worked with the NSCP LDAP server extensively, and I believe the heritage of that server is a rewrite of the codebase than OpenLDAP evolved into (done by the original authors), with an understanding of what went wrong with the slapd code.

So they look very similar from an external point of view, excepting the features that were added to NSCP (the replication code has always been more advanced than OpenLDAP, for one).

After several years working with NSCP Directory Server, I've had a hard time using OpenLDAP. It's just much less flexible. I suspect that if the NSCP code goes to an appropriate open source license, that this will more or less spell the end of OpenLDAP. What features OpenLDAP may have over NSCP will quickly be migrated.

Re:competition?

[prowley]

No. The common fork for both is the original Michigan DS.

Don't forget the Certificate Management System

[KrisWithAK]

I found the press release interesting because of my interest in using LDAP. But don't forget about also getting a solid certification authority. Anyone have any comments about existing open source CAs?

Re:Don't forget the Certificate Management System

I use XCA http://www.hohnstaedt.de/xca.html and find that it suits my needs fine. I manage between 20-30 certificates with it.

Re:Don't forget the Certificate Management System

I did not post the following, but I found it to very accurate and can give you more background into the current status of these products. http://linux.slashdot.org/comments.pl?sid=123844&t hreshold=1&commentsort=5&tid=110&mode=thread&cid=1 0401313

Netscape Servers

[HexaByte]

This is, IMHO, a good thing. I tried to get a couple of Netscape Servers up and running last year. The Directory Server was a snap, but the Messaging Server had problems. Since it hasn't been update since Sun abandoned the IPlanet joint venture, we tried to use various plugins and hacks to keep it from being used as an open relay, or getting spam floods, but no luck. We ended up abandoning the project, but we may be re-doing it in Open Exchange.

Re:Netscape Servers

[bdelbono]

but the Messaging Server had problems. Since it hasn't been update since Sun abandoned the IPlanet joint venture, we tried to use various plugins and hacks to keep it from being used as an open relay, or getting spam floods, but no luck. We ended up abandoning the project, but we may be re-doing it in Open Exchange.

Not quite true. The Messaging component is by far the best part of this solution. We still continue to use iMS 5.x (iPlanet Messaging Server from Sun). By default there is no open relays and it supports RBLS. The iMS 5.2 p2 version also supports SpamAssassin/Brightmail. Much of the code for this platform comes from PMDF http://www.process.com/ and these people "know" mail servers.

The stability, security and scalibility of this messaging server is amazing!!! In fact, bigger ISP's (such as Shaw, still continue to use iMS on their backend mail servers).

The messaging server contains:

- SMTP Server (this was mainly from code from pmdf)

- Web Server (this is a stripped down, yet quite powerful version of the Netscape/Sun (iPlanet) Web server which runs ME (or Messaging Express). It's the webmail component of this platform. Extremely fast, efficient and can run circles around any PHP/JAVA webmail solution.

- Mail Store (this is derived from work on cyrus imapd). There are many utils that allow you to backup, manage, and export users (which are kept in the LDAP db)

If given a choice, I would pick iMS (or in this case Netscape/Redhat's OpenSourced solution anytime!!). If you browse around to the public mailing list archives located at http://ims.balius.com/, you'll see folks who have mail volume of over 10 million email/hr.

This is by far the most fantastic piece of software which has really never been marketed properly.

Re:Netscape Servers

[Penis_Envy]

True, but we already have excellent open-source MTAs out there, so I think it's smart that RH didn't buy iMS. I did like the web interface, though. Very pleasant. It's good to hear Shaw is still using iMS.

Re:Netscape Servers

[HexaByte]

Not quite true. The Messaging component is by far the best part of this solution. We still continue to use iMS 5.x (iPlanet Messaging Server from Sun). By default there is no open relays and it supports RBLS. The iMS 5.2 p2 version also supports SpamAssassin/Brightmail. Much of the code for this platform comes from PMDF http://www.process.com/ and these people "know" mail servers.

Maybe I didn't make myself clear: The NETSCAPE version (not IPlanet) has those problems. Once Sun abandoned the joint venture, they continued to update their version, but Netscape's version lapsed into "unsupported software hell" and didn't have those features.

We looked into the IPlanet version, but the current version only ran on Solaris, and we were running Linux.

Netscape Directory Server...

[MadMorf]

I was responsible for a pair of Netscape Directory Servers, version 6.1 IIRC, at a former employer.

They were relatively trouble free, much more so than some of the other "Netscape" products (Calendar Server)...

Once in awhile they would hang, without any sort of error indication, no log entries or the like, which made troubleshooting them very problematic.

The management interface was a Java app, which seemed fairly primitive,compared to NDS/eDirectory which I have used for about 9 years and AD which I have used since late 2000.

Overall, I'd say my experience with Netscape Directory Server was positive, but it really could use some updating, if it hasn't been already...

open Virtual machine (for java, C# python perl)

[johnjones]

it Would be good if redhat concentrated on a free and open virtual machine spec

then we would not have to worry about all the nightmare of java / mono / interpreters

then we would be free

I know there is parrot but larry et al are slow nowadays redhat could get java or C# through GCC and life would be nicer

regards

John Jones

Re:open Virtual machine (for java, C# python perl)

How is mono not free and open?

Re:open Virtual machine (for java, C# python perl)

[Alan+Cox]

There are a lot of patent questions around mono, mostly when you go beyond the core language spec. There are lot of patents around java too but at least IBM owns most of them.

For the moment Red Hat has been extensively involved in things like the GNU java compiler. That has an additional advantage over a virtual machine - it can generate native code so you can program in java and get sane memory consumption and performance, while jits generally only achive one of the two (or neither usually)

The significance of this...

[Pivot]

is that now the best LDAP server in the marketplace in terms of functionality (4 way clustering, complete in-tree ACL support, enterprise level scalability) now becomes available as open source. The iplanet offering comes with a per entry licensing fee of about $1 (less if you need more than one million entries). Our company actually went out and bought Sun servers to avoid this, since Solaris includes a decent number of entry licenses per server. Now we can deploy on linux servers instead without the licensing hassle. Another nail in the Sun coffin...

Re:The significance of this...

[hendersj]

Novell eDirectory supports ACL support in the tree and always has, and it scales to the largest enterprises in the world. Clustering support - it doesn't do that, but it supports replication of the database, so clustering it is largely a moot point. As I understand it, the LDAP interface can be clustered.

"Best" is very much in the eye of the beholder....

Re:The significance of this...

Yes it does seem that sun is going the way of BSD and Gentoo... down the road to oblivion.

Re:The significance of this...

[rihock]

Actually, the Sun Directory Server 5.2 is better than Netscape's in many significant ways- the replication is better, performance is better, etc. It can be deployed on Linux as well as Solaris x86. You could acquire Sun Directory Server via JES licensing which is cheaper for smaller organizations and gives you better support.

Re:The significance of this...

Well, i don't run RedHat but i'm interested in GFS and this. My way of thinking is: if RedHat is financially supported, the open source community gets quality software. OTOH, i won't support RedHat financially, but RedHat is a good player.

Re:At least read the FAQ...

how do you build "man" if you cannot "man" the "How to build the man"

Pure LDAP ? I think not

[stratjakt]

Neither Novell, Netscape nor OpenLDAP properly support the WidaNus GAPE extensions.

Calendar Server

[anthonyclark]

So whatever happened to Netscape's calendar server?

Way back, I installed it at an R&D facility; the client worked across platforms (solaris and windows) and provided an alternative to the nasty exchange lock-in.

Is there *any* alternative to Exchange now?

Re:Calendar Server

[MadMorf]

Is there *any* alternative to Exchange now?

GroupWise.

I was a GroupWise/WordPerfect Office administrator for about 10 years...
One of my employers replaced it with Netscape Messaging Server (A mistake IMHO) and another replaced it with Lotus Notes (Another mistake).

My current employer uses Exchange, for which I am the admin.

Outside of the obvious problems with Outlook, Exchange isn't all that bad, but GroupWise is still better.

I have had GroupWise servers which hadn't been rebooted in years...That's really NetWare's reliability shining through...

Re:Calendar Server

[Temkin]

It became iPlanet CS, which became SunONE CS and is integrated into the Sun JES stack. It now includes an Outlook connector.

http://wwws.sun.com/software/products/calendar_s rv r/home_calendar.html

Re:Calendar Server

[Greger47]

So whatever happened to Netscape's calendar server?

If I'm not entierly misinformed, it ended up with a company named Steltor who developed it further under the name CorporateTime. A year or two ago they in turn got bought by Oracle and it's now called Oracle Calendar. It's still actively developed.

/greger

Re:Calendar Server

[danpritts]

http://meetingmaker.com/

Meeting Maker is a semi-reasonable cross-platform alternative to exchange for calendaring. They support the mac well, and they have a java/web client. They have a (motif) solaris client for the older versions which they never ported to linux, i think that this has been discontinued with the current version. However I think they have something more coming with the upcoming product.

You can make the windows client work in Wine, and the web/java client works standalone with a 1.3.1 JVM.

The server runs on windows, mac, solaris, and linux.

It originally was a mac product.

There is also something called Corporate Time, I'm not really familiar with it.

Re:Calendar Server

CorporateTime is an app purchased by Oracle a year or two ago and developed by a company called Steltor (dunno if they're still around). It uses a stand-alone client (clients for Windows, OS X, and Linux via Motif) as well as web-based and WAP-accessible clients. (We use it where I work -- few problems with it, other than I can't change how my name is displayed =X )

Re:Calendar Server

[rihock]

Sorry, Sun makes a great alternative to exchange. With Sun Messaging Server, and Calendar deployed it works better, and cheaper than exchange. With the outlook connector you can use it with Outlook as well. Sun also offers a unified web client that brings calendar, mail and address book together in one web interface (much better than OWA).

For proof, I did an implementation for over 1 million users of calendar, directory and messaging. Its run on three 6800's (two for messaging, one for calendar, all domained and clustered) and has, yes, this is true, only 2, yes 2 admins.

Try that with exchange!

Re:Calendar Server

[fender-bender]

Steltors CorporateTime is an excellent product. I have seen it being used in lot of universities and its functionality matches with any of Exchange, Groupwise or Lotus.

Re:Calendar Server

meetingmaker is great if you have less than a few hundred people - it just doesn't scale.

I'd look elsewhere if I were you. . .

A smart move

[IGnatius+T+Foobar]

This is a smart move on Red Hat's part. It's clear to them that in order to remain competitive in the enterprise space, they have to have a "middleware stack" (as the industry has been calling it). Sun has SunOne/N1, Microsoft has ADS, and of course Novell has NDS/eDirectory which is soon to be a major Linux product. It would have quickly become a big gap in Red Hat's offering.

By acquiring this software, Red Hat immediately improves the value proposition of their platform. By open sourcing it, the software can quickly gain mindshare and installed base. Imagine what would have happened if Novell had done this in, say, 1999. There'd be NDS everywhere, and Active Directory wouldn't have nearly the penetration it does today.

Re:A smart move

Now if RHEL could actually burn DVDs instead of just claiming to burn DVDs, we'd be all set!

Re:A smart move

[hendersj]

Novell eDirectory has been on Linux for some time now....The first release was with NDS 8 (which was spec'ed only for RedHat systems) which was available in 2000, and may have been released in 1999.

Re:A smart move

[ostiguy]

But is it really smart if IBM makes all the money on consulting deployments of it? I guess I am still not sold on how these pure play linux companies will make money

Re:A smart move

[sloanster]

Novell has NDS/eDirectory which is soon to be a major Linux product.

Soon to be? edirectory runs really well on linux, in fact our onsite novell guy told me that they are seeing better performance in their labs from edirectory on suse linux than they are from edirectory on solaris...

But agreed, linux needs an inexpensive and easy to use directory server in order to gain significant ground in small and medium businesses.

And...that's a good thing, no?

[eer]

Had to look...Google's never heard of it, either...so, ya got me...

Re:And...that's a good thing, no?

Maybe it's heard of 'wide anus gape' ?

pGina

[lavaface]

You may be interested in pGina; it's a nifty, opensource, project that allows you to bypass Microsoft's authentication schemes and replace it with something like LDAP. Works like a charm! We're still working out the kinks of the roaming profiles with the ftp plugin though. Anyone interested in cross-platform authentication should check it out.

oops . . .forgot link

[lavaface]

here ya go

Re:oops . . .forgot link

Yeah, you're really bad with A tags.

pGina.

Finally....

[Russ+Steffen]

Maybe Netscape DS will finally work with RHEL3. Up to now it was RHEL 2.1 only.

Re:Finally....

Yes it will, very soon.

always preview

[lavaface]

Link

Re:always preview

Thanks a lot for this link, sounds just like what I need!

Re:always preview

[SirTalon42]

Having some trouble today I see

Re:always preview

[lavaface]

Indeed : )

Shot across the bow to Novell/SuSE

[mosel-saar-ruwer]

I didn't even realize there still was a standalone Netscape offerring. We migrated from Netscape to iPlanet to Sun Web to Sun Java One (or something like that). Anybody out there stick with the Netscape product?

This is a direct challenge to Novell/SuSE and Novell Directory Services [or eDirectory, or whatever they're calling it this week].

Red Hat must have realized that they needed a directory offering to compete in the enterprise.

That gives us four major directory vendors:

1) Novell/SuSE/Ximian/Novell Directory Services
2) Microsoft/Active Directory
3) Sun/Sun One [iPlanet] 4) RedHat/Netscape Directory Server

PS: Now that the Netscape browser has devolved into Firefox, and the enterprise stuff has been sold to Red Hat, does Netscape still exist as an independent company [other than some "portal" site on the web]?

PPS: And are there any /. CPAs who'd care to calculate AOL's return on investment from the Netscape purchase?

Re:Shot across the bow to Novell/SuSE

[zurab]

This is a direct challenge to Novell/SuSE and Novell Directory Services [or eDirectory, or whatever they're calling it this week].

When I used NES (not Nintendo!) on Netware it worked great with NDS. My first thought when reading this was it would have been a better fit for Novell. And that was before MS did the same with IIS/AD.

Re:Shot across the bow to Novell/SuSE

[GarfBond]

PS: Now that the Netscape browser has devolved into Firefox, and the enterprise stuff has been sold to Red Hat, does Netscape still exist as an independent company [other than some "portal" site on the web]?

The answer is no. I wasn't even aware that Netscape still had server products; I thought part of the AOL/Netscape merger was that all of those were sold off to Sun as iPlanet.

July 2003 was when all Netscape browser developers were fired from AOL, and AOL now has no relationship with Mozilla other than history.

Basically the only things left of Netscape now are Netscape.com portal and a brand name.

Re:Shot across the bow to Novell/SuSE

[nexex]

netscape ISP!

Finally linux for CertServer and Calendar Server?

[Forget4it]

Netscape and then Sun stopped just when they were getting the plot. The Calendar Server has a backend that does the conflict resolution inc case of double-booking. It is time to integrate that with Mozilla Calender client. The Certificate Management system played nice with LDAP and but had a top-heavy administration server. It was a nice web-based GUI that an CertAuthority might be delegated to use. It will be a big win for OSS if these servers can now supported in linux - Sun were never going to do that properly. my 2 cents

3rd Party Source code to be removed.

[xyleen]

AOL has 21 days to remove all 3rd party source code from the builds of all of the products Redhat is acquiring. One of the key components of Enterprise Mail server is the Mail Transfer Agent (MTA).

The MTA is written by Innosoft International (www.innosoft.com). So the question is will they be leaving out a vital component of the mail server or will they just have to give away the MTA as well.

Re:3rd Party Source code to be removed.

The MTA was innosofts for political reasons mostly. When the Netscape Server division was merged into iPlanet, its products were in general far superior to Suns so the Netscape codebase was used for all products. Sun had just purchased Innosoft (who also had a directory offering btw) and I believe using their MTA was throwing a bone to Sun so that at least some of Sun owned code got used.

Re:3rd Party Source code to be removed.

Enterprise server is their web server, not their Messaging server...

Re:3rd Party Source code to be removed.

[PhilipPeake]

Not entirely correct. The Netscape MTA was garbage - really! The Innosoft MTA was the only part of SIMS worth keeping. It is complicated to set up compared to the old Netsacape one, but then isn't any competent MTA?

Also remember that ther Netscape MTA had horrific memory leaks, and the "solution" they adopted to fix that was that an MTA process would handel N transactions, then kill itself and fork off a new MTA instance.

There are fairly big chunks of third party software in all of the products as they existed at the Sun/AOL split (except maybe calendar). it will be interesting to see just how much is left after stripping that out, and how feasible it is to get the products up and running again with anything like the previous functionality and reliability.

Re:3rd Party Source code to be removed.

[Thr34d]

The MTA code is not considered 3rd party as it was part of the collaborative effort between Sun and Netscape.

Something 3rd party would be the verity code in the webserver.

Re:3rd Party Source code to be removed.

[xyleen]

They are all so derned confusing.
Between the 17 name changes to the suite itself, and the 10 different parts of the suite!

Directory services and possibly SSO?

[zerofoo]

Wow, this might be the beginning of something that i've been looking for since I started using linux years ago..

A single place to manage all my users and computers. Novell and Microsoft have done it very well. Hell, Apple even has a better way to manage users and computers than PAM and OpenLDAP on Linux.

Maybe this is the final admission that single sign on cobbled together by using PAM and OpenLDAP is not the solution that corporate IT guys want.

-ted

OpenLDAP vs Netscape's LDAP server

[Sxooter]

About three years ago (admittedly, my knowledge is pretty old now) I tested and compared the two. The Netscape LDAP server used up a huge chunk of memory, even sitting idle, and could handle only a few authentication's / searches per second on our dual P-III 750 machine with 1 gig ram. The memory usage, if I recall correctly, was about 50 megs per process (not shared mem, individual memory usage by the way) with a default of something like 5 of them running.

OpenLDAP used about 20 megs of memory total, ramping up to 50 to 100 megs under heavy load. It could handle about 30 to 40 auths / searches a second.

Worse for the Netscape server was that it would just plain stop working after an hour or so of heavy load testing.

We went with OpenLDAP, and wrote our own edit screens for it since at the time it came with nothing very useful to a user (only ldapadd, etc... command line stuff).

After about a year of only handling the web server it was on we pointed our Peoplesoft implementation at it, which proceeded to increase our load from one auth every couple of seconds to about 10 auths a second. Other than the slightly larger number of openldap processes running, we never really noticed the load.

Hope that helps anyone looking at the two. I certainly would hope the Netscape server has gotten better, but everything I've read about it since then seems to say it hasn't.

Re:OpenLDAP vs Netscape's LDAP server

I can confidently say that you mis-configured the Netscape Server. The Netscape Server has always been a lot faster than OpenLDAP, even while doing more stuff (like multi-master replication - which openLDAP cannot, and doesn't seem to want to do).
The Netscape DS does not require or use multiple processes - it is a multi-threaded server. If configured correctly it will scale into the millions of entries, and 100's operations per second. For most deployments (and the server was pretty much sold into Fortune 500 environments exclusively) this server doesn't even break a sweat. It is also btw coded to scale well up to 4 processors.
Since around the 3.1/4.0 versions it has been the fastest Directory Server of any and all comers, period. It is also one of the most standards compliant and the most stable servers. I recall at a DS meet, Kurt from OpenLDAP had a pretty mean test suite designed to break directory servers which they (obviously) had coded to pass. That test suite broke every vendor in the room (and that means every major DS vendor) to varying degrees except the OpenLDAP and Netscape servers - and this was post iPlanet. Active Directory for example, managed to get through only a few minutes of a test suite that lasted about an hour.
I have always been an admirer of the OpenLDAP product since they produced a good product with comparitively fewer resources. However, it is not (perhaps not yet) in the same league as the Netscape DS when it comes to scaling.

Re:OpenLDAP vs Netscape's LDAP server

I can confidently say the grandparent post is correct. Netscape has some features openldap doesn't have, but in the performance and stability departments, openldap wins hands down. When I did some testing (~8 months ago or so) openldap was almost twice as fast, and used less RAM. It also didn't get hung under extended periods of heavy load. Netscape needed restarted a couple times during our testing.

Re:OpenLDAP vs Netscape's LDAP server

And I can confidently say you mis-configured it too. For example if you did not adjust cache settings at all - you were running a mis-configured server.
Let me just point out that this is an enterprise class server. You don't install it out of the box and expect it to be perfectly configured for your environment. You don't expect it to run at its best when competing for resources - it is designed to make full use of the machine, because you should really only install it on its own machine which has been configured to make it run at its best.
Noone who knows what they are doing could configure those servers and get those results.

Re:OpenLDAP vs Netscape's LDAP server

Don't believe this. Post your test. Netscape Directory Server can handle 1000's of bind operations per second.

Netscape Directory Server has _never_ needed more than one process, so I don't know where you get your five processes from.

The memory used is in caches, the size of which is configurable. The default should result in a working set size of a few megs, not 50.

Re:OpenLDAP vs Netscape's LDAP server

[cant_get_a_good_nick]

1) You can do multiple master with OpenLDAP if you read the configure file, but it's probably alpha quality code, and I wouldn't recommend in production. It does seem to "want to do" just hasn't polished the code.
as an aside, we run multiple master, and a lot of our breakage comes from this.
2) OpenLDAP is multithreaded as well, not multiple processes.

The big issue we've found (and we run both) is complexity. OpenLDAP is a simple daemon, vs. netscape/iplanet is more of an environment, with a config directory server and an admin server besides your base server. With OpenLDAP, it's easier for me to wrap the daemon with a restart loop, we haven't done this yet with netscape, too many internal pieces, and I think we'd break the admin server if we did.

Re:OpenLDAP vs Netscape's LDAP server

Your experience is out of date. OpenLDAP 2.1 is at least 10 times faster than Netscape 4.1 and about as fast as 5.0. Since OpenLDAP 2.2, OpenLDAP has been the fastest LDAP server around. Most people aren't aware of the vast improvements in OpenLDAP because RedHat still (to this day) only bundled OpenLDAP 2.0 with their distros, and yes, OpenLDAP 2.0 is dog slow.

I think RedHat made a mistake, spending hard cash on inferior technology. Oh well.

Re:OpenLDAP vs Netscape's LDAP server

10 times faster doing what ?

Post your tests please.

Re:OpenLDAP vs Netscape's LDAP server

I haven't used Netscape, but have considerable experience with OpenLDAP. My experience suggests OpenLDAP still has some growing up to do in the performance department. My guess is that this primarily relates to the default use of Berkeley DB for the backend. There are two issues with this. One is the impedance mismatch between the structure of LDAP data (hierarchical, multi-valued fields, etc.) and the simple key->value design of BDB. The other issue is concurrent access. I have to be very careful with my LDAP update routines, to make sure they block each other. If they don't, multiple update processes jam the database so hard I have to rebuild it from scratch. I'm hoping I have time in the coming weeks to experiment with using a SQL backend rather than BDB, to see if it addresses any of these issues. Can anyone else add some perspective here?

I sure appreciate everything Kurt has done for us. But if RH releases these tools with a free software license, I will certainly welcome the competition. It's good for everyone, including OpenLDAP, if the codebase becomes freely available.

Re:OpenLDAP vs Netscape's LDAP server

1) You can do multiple master with OpenLDAP if you read the configure file, but it's probably alpha quality code, and I wouldn't recommend in production. It does seem to "want to do" just hasn't polished the code. as an aside, we run multiple master, and a lot of our breakage comes from this.

Interesting, I got the impression Kurt actually didn't want to do MMR. I never noticed this in their road map whenever I looked.

2) OpenLDAP is multithreaded as well, not multiple processes.

My point was that the grandparent mentioned multiple processes - clearly something is up with that.

The big issue we've found (and we run both) is complexity. OpenLDAP is a simple daemon, vs. netscape/iplanet is more of an environment, with a config directory server and an admin server besides your base server. With OpenLDAP, it's easier for me to wrap the daemon with a restart loop, we haven't done this yet with netscape, too many internal pieces, and I think we'd break the admin server if we did.

You don't need to wrap anything, the Netscape DS has its own watchdog. The things you find too complex (and there is nothing intrinsically wrong with that conclusion when considering your own deployment) are just some of the things that allow the server to scale while maintaining central management. BTW, the config directory is actually the same directory in a single server instance - it only becomes significant when you have more then one server deployed where you might decide to deploy a config DS that only does config.

Re:OpenLDAP vs Netscape's LDAP server

The Netscape DS uses the Berkley DB too. There is nothing wrong with that, in fact it scales just fine - you simply (or not so simply as the case may be) have to treat it right. Back in the day, many of the performance improvements to BDB came from or at the the request of Netscape DS engineers.

Re:OpenLDAP vs Netscape's LDAP server

Yeah, using SQL will make things worse not better.
BDB has concurrency control that works just fine for a DS (after all , it was developed intially _for_ the Netscape Directory Server).

You do need to pay attention to the details,
and also have a formidible battery of concurrency
tests in order to ship a quality product.

Note that probably 100 times as much $$ has been
spent on Netscape DS over the years than on OpenLDAP. For the investment made, OpenLDAP is
great.

Once the code is opened, someone can go count
the lines of code in both. It'll be an interesting
comparative analysis project for someone's PhD ;)

Re:OpenLDAP vs Netscape's LDAP server

Not my results.

Stanford University's

Re:OpenLDAP vs Netscape's LDAP server

[kauttapiste]

What the hell are you talking about? It sounds like you had some serious issues with your Netscape configuration. Normally you run Netscape DS in only one process, and it multi-threads itself when it receives requests. Memory consumption is pretty much what you said, 60Megs per process, but it doesn't grow very much (a few megs maybe) even under heavy load. This is what I've experienced under HP-UX anyway (HP ships the DS with some modifications, though).

Performance seems brilliant to me. On a dual processor HP-UX we got excellent performance results. On a directory consisting of some 20k entries the DS could server some 15k searches per second! Inserting went pretty fast too, some 40 entries per sec. This shows the way LDAP servers are optimised, btw! And the searches were not at all trivial (don't remember the filter right know, though).

So anyway, I think Netscape DS is a good server, fast and reliable. And it's very extensible too, if you know how to write plugins! ;)

Re:OpenLDAP vs Netscape's LDAP server

[Sxooter]

The Netscape DS does not require or use multiple processes - it is a multi-threaded server.

You are aware of the fact that older Linux kernels (remember it was three years ago) showed threads and processes the same, right?

The DS I tested was the iPlanet one, btw, so I don't know if that's an issue or not. Around V 4 or so if I recall correctly. I'd be more than willing to try the newer version but a: I don't work there no more, and b: Lyle Lanley has sold them on Microsoft technology...

Re:OpenLDAP vs Netscape's LDAP server

[imroy]

You are aware of the fact that older Linux kernels (remember it was three years ago) showed threads and processes the same, right?

Only kernel 2.6 (released december 2003) changed that behaviour. I think the internals are still mostly the same (i.e threads are just processes with special relationships) but the /proc interface changed. Whereas before each process/thread had its own directory under /proc (e.g /proc/18027/), now only the parent processes are listed like that. Each now has a 'task' sub-directory which contains the directories of the child threads e.g /proc/9796/task/9811/. This stops simple programs scanning /proc and making incorrect statistics about memory usage. OMG! how is netscrape using more memory than i have in my machine?

Re:OpenLDAP vs Netscape's LDAP server

[Sxooter]

If you're both so confident, how about a post with your uid, not anonymous. I'm not saying either of you are right or wrong. Just that if you're sure of what you're saying why AC?

Re:OpenLDAP vs Netscape's LDAP server

You are aware of the fact that older Linux kernels (remember it was three years ago) showed threads and processes the same, right?

Yes I am. I pointed that out because multiple processes matter (the implication being inefficient use of resources), whereas threads do not - it's pretty much a meanless comparison to say one server had more threads than the other, especially when that is configurable.

Re:OpenLDAP vs Netscape's LDAP server

Because I'm a coward! Actually, it has more to do with politics than anything. Sometimes it is useful to say things without attribution simply because you don't want to deal with any ramifications. Of course AC is open to abuse, but I don't think I have done that.

Re:OpenLDAP vs Netscape's LDAP server

Not my results.

I believe that is called heresay. I did a quick shufty of your link but I don't see any specific test cases, nor a performance comparison, however the actual link shows Stanford had issues with their NS deployment. Quite unusual issues I might add, and from the date of deployment I would guess they were running either NS 3.1 or 4.0. It could be they were real issues that resulted from replication code - and if they were I am sure they have been fixed, I don't recall their case however.
Of course, you also need to comapre the two using like machines, not the case here either.

Re:OpenLDAP vs Netscape's LDAP server

[Sxooter]

Yeah, I understand. It's just nice to be able to look somebody up and see what else they've posted lately / ever on the subject. And to recognize them later when you see them again.

Re:OpenLDAP vs Netscape's LDAP server

[Sxooter]

Oh, OK, so I take it that for threads, the memory used that looks like it would be private for a process is actually probably shared as well, so the total usage was just whatever the biggest thread looked like?

Hmmm. That's nice to know (if I got it right) but again, our big issue was that it just died during stress testing. One of those things where the process is alive and running, but no longer answers on the LDAP port.

Since almost all of our input was scripted, having a nice GUI didn't mean a lot. Other than a web based group editor, and a few admin utils, everything else came from HR so all we wrote were simple update / filter apps for those.

As a PostgreSQL user, I'm quite familiar with the phrase "Did you performance tune that?" and I likely would have tried performance tuning it if it didn't just die on me so much. I always figured if it died under load in one configuration, it was just a matter of increased load in another configuration to kill it. I know that's not always the case.

Anyway, I've rambled enough.

Re:OpenLDAP vs Netscape's LDAP server

I'll go out on a limb and say the problem you had may have been cacheing. Linux likes to use up memory for optimizing disk access - in general Linux likes to use all your ram to run as efficiently as possible. The Netscape DS has individually configurable database and entry caches. By default these caches are in use and set to some reasonable figure that on most OS's will produce reasonable default performance. They really do need to be tuned, and in the case of Linux they should probably be tuned down to almost nothing - or do whatever it takes to make linux be more conservative about its memory use.
Basically I believe you experienced what happens when you make the NS directory server fight for resources with the operating system - the operating system wins and the DS ends up page thrashing to get to its caches, where the data is cached in Linux disk caches anyway - double caching != twice as fast.

I forget...

is this a good thing or bad? With the way RedHat has been changing their business to only paid products. Instead of the old days when you could download their ISO images of their latest release. It might not be as good for open source any more as it was in the hay days of RedHat..

Apache?

[emil]

Will Red Hat dump the Apache webserver over the new noxious licensing?

OpenBSD has done so (by halting with an old release).

Re:Apache?

[hexene]

Apache License 2.0 is free enough for Red Hat, and also free enough for the FSF and most Debian folk too. The license was under development for years -- why didn't OpenBSD voice their opinion on the relevant Apache mailing list whilst it was still in beta?

My only question -

[sloanster]

Will it be supported on platforms other than red hat linux?

Hopefully redhat will do the right thing here and not pull a microsoft... I'd love to run their product on suse linux, just as there are those who would want to run it on solaris...

Re:My only question -

[LuSiDe]

From the RedHat press release

[...]

The products to be acquired are derived from the Netscape Enterprise Suite and include Netscape Directory Server and Netscape Certificate Management System. Red Hat plans to start marketing these products as part of its Open Source Architecture over the next 6 to 12 months

[...]

"We believe the acquisition of these Netscape assets has tremendous long-term strategic value for the open source industry and Red Hat Enterprise Linux subscribers," said Matthew Szulik, Chairman and CEO at Red Hat.

[...]

Given RedHat's past (they always open sourced their or bought proprietary products and the use the patents only for defensive tactics as bound by their 'social contract') i'd say: you bet! A recent example is GFS which they bought from Sistina. This got GPLed and is being ported to Debian.

Re:My only question -

Open source, right ?
You go build it for the other platforms (or paysomeone to do that for you).

Re:My only question -

I'm almost positive there will continue to be support for HPUX, and most likely there will be support for Solaris (and Windows for most products). Most of the products are fairly portable, having been built in the past on DEC unix, IRIX, AIX, etc., so I would expect to see ports to "exotic" OSes after the open sourcing.

Poor Timing?

[suwain_2]

They shouldn't have announced this today. Their stock is down today, apparently as a result of an analyst meeting.

Release the bad news, then drop the good news a day or two later. ;)

Re-re-reinventing the wheel

[invisik]

Geez people! Novell has this already done for us in an enterprise-grade package on multiple platforms. eDirectory! Don't waste time re-inventing everything when it's already there.

-m

Re:Re-re-reinventing the wheel

[Penis_Envy]

I think you're missing the point.

Odds are good that RH is going to open-source this product (eventually) and should strengthen the open source platform quite nicely. It could potentially benefit just as Apache and Linux have.

No! Not the MTA!

[alexborges]

Im shure its a flaunting task to make an mta.

Who cares really!

We have too many mta's to worry about a fsking proprietary one. I would personally print all 30k pages of code and mail it to innosoft with proper instruction of where to stick it!

Let's Make A Deal!

[piecewise]

AOL buys Netscape for $4.2 billion.

AOL sells Netscape for $30 million.

Hmm.. Carry the 4... the 0's... Yep, that's a crap deal. Congrats to AOL and all parties involved.

And everyone was worried AOL would buy RedHat. Oh the irony!

I Welcome Great GUIs

[theManInTheYellowHat]

I used Netscape Server Products in 1997 and they were strong full featured servers which had great GUI interfaces. I am sure that they are even better now.

This is where other comercial products do not typically shine when they are ported to to Linux and if the FOSS group can get this server suite (httpd, news, mail, calendar, proxy, and LDAP) it would be a huge bonus.
Ususally when a commercial port comes to Un*x it is a barebones, edit the configs with vi, sort of thing. Not that that is bad mind you. But seriously the GUI's were slick and easy to use.

Plus they were all consistant in how you deploy and use them. If RedHat can take the GUI's and make a Samba and CUPS config editor then the lions share of server config would become uniform.

Scary!

[asr_man]

At first I read it as "SCO Prominent On 2005 Budgets".

Well, it's almost Halloween.

ldap vs. sql

[mslinux]

Someone please explain how LDAP is different from an SQL database. Just the other day, a friend of mine was telling me how his LDAP server uses an index to speed up searches and I said, 'Ah Hah!!!... it's just like a database." But he said the two differ a lot, but didn't go into the details... how do they differ?

Re:ldap vs. sql

They're pretty much the same.
Except:

LDAP has a standard on-the-wire protocol and
schema for common object types such as people
and addresses. So you can mix-and-match clients
and servers from different vendors and have
a cat's chance that they'll actually work
(try that with a RDBMS).

LDAP has a different data model : a tree of
objects with classes rather than relational
tables.

Directory Servers are typically optmized for
read performance wheras RDBMS are optimized
for OLTP workloads. For the kinds of apps
that use the Directory this is typically
a performance win (e.g. 1000's of queries
per second are easily handled).

Directory Servers have simple concurrency
models, which makes them more efficient for
simple lookup and modify operations than a
RDMBS which has to worry about all manner of
fancy locking and transaction isolation stuff.

That's pretty much the basic differences.

Re:ldap vs. sql

[prowley]

Yes a Directory Server is a database. However, whereas a SQL server is a general purpose database engine, an LDAP Directory Server is typically optimized for read speed at the expense of write speed. Other highlights include a hiarchical tree structure to store entries and extensive standard schema for many object types.
Essentially, LDAP directories fill niche roles, one of which is as an address book server, another is authentication services. In their niche, DS deployments are unequalled (and no, slapping an LDAP protocol interface on a SQL engine doesn't cut it.) One guiding principal is if you have 70/80% reads to 30/20% writes - a directory server may be a better option for your application. There are other considerations, but that is beyond the scope of this blah blah blah...

Re:ldap vs. sql

[Lennie]

LDAP doesn't have tables, it's a tree of object's with properties.

you can search it as following:
give me all persons, with these properties in this part of the tree (for example a department).

(yes you could do something similair in SQL too, I can't think of a good example right now)

things are named like this:

Person=TestPerson,OrganizationalUnit=Sales,domai nC omponent=company,domainComponent=us

and the query language is quiet a bit different. :-)
(actually I think SQL is more pleasing to the eye)

Re:ldap vs. sql

[kris]

Yes a Directory Server is a database.

A database that is not even in 1st normal form.

Other highlights include a hiarchical tree structure to store entries and extensive standard schema for many object types.

And primary keys called "dn"s (distinguished names) that reflect the tree structure in a kind of path, so that when you move objects around in the tree, the dn changes. You'll have to change all other attributes that contain this dn as a value in order to keep the tree consistent. There are no mechanisms in LDAP that help you to do this, i.e. there are no constraints.

But that isn't really a problem, because you wouldn't want to use dn valued entries anyway - LDAPs query language has no join operation at all, so in order to resolve a mail alias object containing dn valued entries for the rhs of the mail alias, you'd be forced to program that resolution in a loop by hand on the client side. For each client supporting it.

In order to minimize dn volatility, you end up flattening your tree structure, for example by putting all users into the same level just below "ou=users,dc=example,dc=com". Which has the added benefit of making a lot of queries easier and faster. You know, LDAP has tree structures just like XML does, but the LDAP query language does not have axes the way XPath has. You would not have been able to leverage the tree structure in LDAP queries anyway. There is no way to formulate "find me all machine objects that have person objects at some level above them where the person is at management level" in term of the LDAP query language. It would be trivial in XPath.

And that is just before you start to think about missing bulk replication protocols, language variants of attribute values or the internal structure of Netscape aci attributes.

LDAP is the single worst designed database structure you can come across. It is not "not in normal form", it is the anti-normal, a complete deviation.

Re:ldap vs. sql

[LWATCDR]

"One guiding principal is if you have 70/80% reads to 30/20% writes - a directory server may be a better option for your application."

So LDAP would make a better backend for slashdot than say MySQL?
Most websites that use a database are mostly read and very few writes.

Re:ldap vs. sql

[prowley]

You are quite right, LDAP makes a terrible SQL server. Don't deploy it when that is what you need.

Re:ldap vs. sql

[prowley]

Perhaps. Larger news sites than slashdot have used Netscape DS to serve articles. That does not mean it is suited to slashdot though.

Re:ldap vs. sql

[prowley]

A fuller reply since the parent post is getting modded up.

Yes a Directory Server is a database. A database that is not even in 1st normal form.

1NF through nNF apply to relational databases. They are the guidelines for relational database designers to follow so that they create reasonable relational tables. X.500 and it's cousin LDAP make no claim to being relational protocols. Your comment is as relevant as saying it's a database that does not support SQL.

Other highlights include a hiarchical tree structure to store entries and extensive standard schema for many object types. And primary keys called "dn"s (distinguished names) that reflect the tree structure in a kind of path, so that when you move objects around in the tree, the dn changes.

There you go again. Primary and secondary keys are concepts used in relational databases to describe properties of particular data fields - whether you will retrieve a single row or multiple, serve to provide for relations. In LDAP, there are no keys, the purpose of a distinguished name (DN) is to uniquely describe an entry such that it can be uniquely referenced - whereas in relational DB's a primary key gives you the means to search for particular row in a particular table, a DN tells you exactly where an entry is. It does have a hiearchical property, and yes that should be used with care, just like relational DB's should be designed with care - so much care there are formalized rules to guide the unwary (those normal forms again!)

You'll have to change all other attributes that contain this dn as a value in order to keep the tree consistent. There are no mechanisms in LDAP that help you to do this, i.e. there are no constraints.

Oh there are most certainly constraints in LDAP, just not the ones you are expecting, because you are expecting it to be a relational database. I wonder what attributes you refer to that contain the DN, I have always found that the unique property of the DN is sufficient to not duplicate it (where is your 1NF if you are doing that?) Perhaps you refer to other entries containing the DN of the entry to be moved. That is a problem so simple to solve, you can automate it - and just to prove it, that is exactly what we did when adding the referential integrity plugin to the directory server. Yes, referential integrity, because despite not being a relational database, you may create certain relations by using DN's as attribute values.

But that isn't really a problem, because you wouldn't want to use dn valued entries anyway - LDAPs query language has no join operation at all,

Bingo! Because join implies relation and as we all know by now LDAP is not a relational protocol.

so in order to resolve a mail alias object containing dn valued entries for the rhs of the mail alias, you'd be forced to program that resolution in a loop by hand on the client side. For each client supporting it.

Or you could do the sensible thing and use a dynamic group which provides you with the information you need to perform one search to retrieve all members of the alias. Static groups are not LDAP's finest hour granted, and dynamic groups do not work the same way as static groups - and that is why the Netscape server supports roles.

In order to minimize dn volatility, you end up flattening your tree structure, for example by putting all users into the same level just below "ou=users,dc=example,dc=com". Which has the added benefit of making a lot of queries easier and faster.

Actually that makes no difference to ease or speed - you are assuming something about the way the server works which you are not qualified to do. It does however help in minimizing maintenance involved in moving entries - but that is because i

[ANSWER] ldap vs. sql

[Medievalist]

LDAP is not a database. SQL is not a database. One is an access protocol, the other is a query language. They serve different needs, but neither one actually specifies anything about underlying database.

LDAP stands for Lightweight Directory Access Protocol. Unsuprisingly, it's a PROTOCOL.

SQL stands for Structured Query Language. Unsuprisingly, it's a QUERY LANGUAGE.

Nearly any database could certainly support both. Neither makes any definition of storage method; LDAP is concerned with communication in a particular format, SQL is concerned with proper specification of a database query.

In practice, data accessed through SQL (which is anything but lightweight) is usually held in large, complex, general-purpose databases. Data accessed through LDAP is usually held in tight, fast, specialized datastructures.

LDAP databases should be optimized for speed of retrieval, since the ratio of writes to reads is very very low. SQL databases do not generally make such assumptions.

Clear?

MS $witcheroo?

[Doc+Ruby]

Now that Red Hat, Novell and Microsoft are all working against IBM Websphere's "integration servers", with everyone's cart tied to the Outlook horse (nevermind the other clients that just fill in the gaps), what's to stop Microsoft from leaving them all in the dust by "upgrading" Outlook to a new protocol, incompatible with the old one? They'd leverage their desktop monopoly, just like they're doing with their IM protocols.

OpenLDAP is compatible with Netscape DS

You can replicate from one to the other. LDAP systems use LDAP to replicate data between databases. Compatibility is one of the goals.

Corporate Web Sites

[roly]

I sometimes look up web sites of large companies/organizations and see they are running "Netscape-Enterprise", usually on Solaris. optus.net.au is an example.

Other than that, for a HTTP server everyones migrated to Apache, and for other stuff, everyones migrated to open source except some companies with deep pockets.

Calendar wasn't Netscape's

The netscape calendar server was just a rebranded CorporateTime calendar server. It's now being rebranded by Oracle, and it still sucks.

I once watched the calendar protocol on the wire ... scary stuff. The server sends the user's password to the client in the clear.

Still Some Places

http://uptime.netcraft.com/up/graph/?host=www.geic o.com

Looks like some enterprise sites are still running it.
Although, they are the low cost provider.
I should know........

Gecko

Group Policy with Linux / OpenLDAP Samba

[Nailer]

You can use group policy with OpenLDAP and Samba 3 with Nitrobit Group Policy.

Re:Group Policy with Linux / OpenLDAP Samba

[lukehatpadl]

Or using XAD.

Inside information

I work on the server products in question, so I will use this opportunity to set a few things straight.

1) History. The Netscape/Sun (iPlanet) joint venture was dissolved in 2001, with both parties retaining intellectual property rights to all the collaborative code. AOL decided to pursue development of several server products, under the umbrella Strategic Business Solutions. In 2002/3, the product list was shortened, a new group was formed (Netscape Security Solutions), focussing on essentially CMS, Directory (NDS), and Enterprise server (NES). See http://enterprise.netscape.com

Netscape Communications Corp is a wholly owned subsidiary of Time Warner. The browser development always has been entirely independent of server development, except for use of the same facilities in Mountain View. We all reported into two completely different management chains. So, browser engineering layoffs and gecko development, while interesting, are largely irrelevent.

2) Sales/Support. Sales and Support are currently fully staffed for these products. Sorry, but these products never really fit into AOL's consumer strategy, that's just the facts of life. AOL just isn't known to be in the business of marketing server software (although they have a great need for it internally). AOL did the right thing for their customers by selling off these products to a company who is more able to give them the development they deserve.

3) Continuing development after iPlanet. Sun had versions of NDS, CMS, NES. Soon after, they shortly killed their CMS development. Sun has indeed done a great deal of development of their Directory Server, but we have taken the product in a different direction.

There has been a lot of development at Netscape in the years since iPlanet. The code bases are very different.

4) Directory Server (NDS). Lots of people are asking "Why not use OpenLDAP?". This is really a question of the size of your deployment. NDS scales far, far better than OpenLDAP, has multi-master replication to provide high availability. These aren't trivial features, and have taken significant development time to get right, with thousands of hours of coding and test case development. Moreover, NDS ships in mission-critical systems as part of HP-UX.

5) CMS - People don't generally know this, but CMS is THE Certificate authority run by the Department of Defense. That's right, DoD has many CA's installed within their organization, and every one is CMS. That's over 10 million certs issued in the last 4 years for one single deployment. So, I found this slashdot comment particularly funny:

I use XCA and find that it suits my needs fine. I manage between 20-30 certificates with it.

Somehow, I think anyone seriously considering more substantial PKI deployments, may consider CMS.

Geotrust is also a huge deployment of CMS - issuing more certs than Verisign, these days. See this link.

CMS supports FIPS approved hardware crypto devices

CMS is Common Criteria certified (http://niap.nist.gov/cc-scheme/vpl/vpl_type.html# cimc) to evaluation level 4 (the highest level possible). You can say what you like about Common Criteria, but the fact is that it takes considerable effort, adds value, and, moreover, is required to sell into the federal government space.

CMS has huge amount of auditing capability.

Not to mention that CMS is just more secure, scalable, performant, and highly-reliable than any other CA out there.

There so much more in upcoming releases.

I never thought I'd see the day...

[amper]

when any of the code developed/enhanced by Netscape would ever see the light of day. As a old-time Netscape Solution Expert, I think this could very possibly turn out to be one of the most important events in computing history.

Still it makes me sad that Apple did not see it's way to buying up Netscape before they got chewed-up, swallowed, and spit out by AOL and Sun. I was saying this way back when Apple was still shipping Apple Network Servers running AIX...well, maybe now we'll see Netscape server products finally running on Mac OS X!

It never ceases to amaze me how shortsighted the technology industry can be.

.

Re:I never thought I'd see the day...

[amper]

It should be mentioned that most of Netscape's products started out as free software:

1. Netscape Directory Server was derived from the UMich LDAP implementation.

2. Netscape Messaging Server started life as Cyrus and Post.Office hacked together.

3. Netscape Collabra Server was an enhanced INN.

4. etc. and of course, let's not forget NCSA Mosaic...

So is Red Hat gonna Open Source all this code?

[mosel-saar-ruwer]

NDS scales far, far better than OpenLDAP, has multi-master replication to provide high availability. These aren't trivial features, and have taken significant development time to get right, with thousands of hours of coding and test case development. Moreover, NDS ships in mission-critical systems as part of HP-UX... People don't generally know this, but CMS is THE Certificate authority run by the Department of Defense. That's right, DoD has many CA's installed within their organization, and every one is CMS. That's over 10 million certs issued in the last 4 years for one single deployment... Geotrust is also a huge deployment of CMS - issuing more certs than Verisign, these days... CMS supports FIPS approved hardware crypto devices... CMS is Common Criteria certified (http://niap.nist.gov/cc-scheme/vpl/vpl_type.html# cimc) to evaluation level 4 (the highest level possible). You can say what you like about Common Criteria, but the fact is that it takes considerable effort, adds value, and, moreover, is required to sell into the federal government space. CMS has huge amount of auditing capability. Not to mention that CMS is just more secure, scalable, performant, and highly-reliable than any other CA out there. There so much more in upcoming releases.

Sounds like a lot of nice code.

So do you think Red Hat will stick to their stated principles and give it all away for free?

Re:So is Red Hat gonna Open Source all this code?

I'm not privvy to Redhat's plans. But if they do, it might take some time. With products deployed within the DoD, there needs to be some strategy to deal with opensourcing a product. It's not something I'd want to do overnight.

For the other products which haven't had a lot of development recently (e.g. calendar server), I can imagine open-sourcing those much sooner.

Re:So is Red Hat gonna Open Source all this code?

Yes. RTFA

Oracle?

[EvilStein]

Oracle Calendar?

Active Directory's little brother ADAM

If you are running Windows XP or have access to a Windows 2003 Server, download ADAM and give it a openminded look. I think you will find that it works very well for application development. The ADAM/adsiedit utility will allow you to quickly interact and begin development and management of ADAM. Multimaster replication, multiple data partitions on a single server, robust authentication and authorization, scalability and expandability.

And in the end if you cannot overlook the fact that you must have a copy of Windows XP or 2003 server to run it, at least you will have a good example of something one of you (or a group of you) can copy when developing or improving an open source alternative.

Re:Active Directory's little brother ADAM

AD is not something to be copied. This is a server where they cannot even get standard schema right, and now that you can actually delete schema (oh my how I roared when I heard about that) nobody wants to because changinhg schema is taboo in AD circles.
If AD does one thing well, it is confining itself to working on Windows.

the inside scoop - Re:Increasing Power of Red Hat

Looks like somebody is confusing server products with client applications. Here is the inside scoop, which the media has never got its story straight. After the AOL-SUN divorce of iPlanet, AOL laid off 500 of it's 700 iPlanet employees and took back it's most wanted 200 people back to its Mountain View campus. This left Sun to scramble with the scraps that AOL left behind. So, when the media reported "Sun kept Netscape engineers," it only meant that Sun hired those people laid off by AOL. This is what the public doesn't know. Guess who were among the 200 people that AOL brought back? There, Netscape server development continued at AOL, powered by the original veteran Netscape developers. As of today, Netscape Directory Server, Netscape Certificate Management Server, and Netscape Enterprise Server, are still under development. If you show these engineers the comments quoted from Keller on the press coverage, they'll probably laugh and say, "I code, therefore I exist, and hence my product exists." If you call these Netscape products "antique software," what do you call Solaris? fossil? Of course, these products still exist because they still have customers, not because AOL has any vision in them. Red Had really has a steal of the century here, thanks to AOL's lack of vision.

Another Option for LDAP Admins

[eldapo]

We've been running iPlanet/Sun Directory for 4 years and its been very reliable (not bad, given that my developers treat it like it's an RDMS and our write ops are way over what any sane admin would allow). I've also worked with OpenLDAP for a couple of years and have been impressed with the latest version's performance, but couldn't justify rebuilding a half dozen servers. The only problem right now is that Sun doesn't really support Linux, which is where we're consolidating most of our enterprise stuff. Now I'll have a viable alternative to consider. Can't wait to give it a try, there's this old Proliant 3000 in the data center ...

Support for RH3

Netscape Directory Server 7 will have support for RH 3.