Slashdot Mirror


Red Hat Opens Netscape Directory

suezz writes "Eweek is running a story that Redhat is releasing Netscape Directory (LDAP) under the GPL - this is huge at least from my point of view. I know of at least two huge companies that have standardized on Netscape Directory for their web applications."

53 of 229 comments

  1. This was an expensive ordeal... by coop0030 · · Score: 5, Interesting

    Red Hat paid $20.5 million for this LDAP. Will they get that in return? Is it possible with this type of software?

    1. Re:This was an expensive ordeal... by coop0030 · · Score: 4, Informative

      I forgot to mention this in my first post...but if enough customers purchase this by April 30th, Red Hat will have to pay an additional $2.5 million.

      Goodness, that is a lot of money.

    2. Re:This was an expensive ordeal... by Anonymous Coward · · Score: 4, Insightful

      $20M is not a lot of money in Silicon Valley, especially for an enterprise product. Probably nothing compared to Netscape/iPlanet's development costs.

      Plus, after years of hot air, RedHat just became a credible Windows alternative for internal applications. Cheap.

    3. Re:This was an expensive ordeal... by LnxAddct · · Score: 5, Insightful

      In the short term, no, they won't make this money back right away, but in the long term they'll make it back a thousand fold. Anyone who has ever tried to set up and configure OpenLDAP knows that it's not worth it and will send you to a mental hospital fairly quickly. Netscape Directory (or whatever they're calling it now) is not only extremely easy to configure, but it was designed by brilliant engineers. Back a few years ago the engineers were claiming that one typical server running Netscape Directory could handle 200,000 clients. I haven't looked at the code yet, but according to some Red Hat engineers that I've talked to that have seen it, they confirm that this is probably possible and were generally extremely impressed with the code quality. Netscape Directory is high quality from its core all the way out to its exterior with easy configuration; how often do you see that in any environment (commercial or open)?

      I know that a few of the Fedora devs commented on how they also got a whole bunch of additional code that they hadn't even asked for but came along with Netscape Directory that they are still trying to figure out what to do with. In a worst case scenario, they'll just open source it and let the community find uses for it (Red Hat open sources everything they do, they even allow any open source projects free use of any patents they may hold, patents btw are only held as legal defense). This is a great advancement for the community and should allow many more businesses to start migrating to linux. Back to my original point though... this will allow many more companies to switch to linux, whether it be Red Hat or some other distro it doesn't matter. Overall it will increase linux's marketshare and as a result make linux more popular leading more businesses to look at it as an alternative. A good percentage of those businesses will probably become Red Hat customers so everyone wins.
      Regards,
      Steve

    4. Re:This was an expensive ordeal... by NixLuver · · Score: 5, Informative

      Actually, I'm aware of an installation where a single (fairly robust) sun box is running at 200GB db size and 32 million LDAP entries on SunOne (descendant of the Netscape code). It sucks, but it works. Let's be honest - even the NS directory server is a nightmare to set up beyond the most rudimentary schema. Easier than OpenLDAP, true, but *easy*?

    5. Re:This was an expensive ordeal... by ehvoy · · Score: 2, Informative

      An active directory-killer is something Linux has needed--that is, one that is easy to set up, and has that MS-like integration. I wonder if they'll include integration with BIND/. Looks like Red Hat is going head-to-head with Microsoft to control the corporate LANscape.

      Now the CIO knows he/she can buy Red Hat "Professional" :) and Red Hat "Server 200x" and set up a "Domain" with it.

    6. Re:This was an expensive ordeal... by askegg · · Score: 2, Informative

      Novell eDirectory has been available on Linux for some time and has features Netscape, OpenLDAP, Active Directory and Sun One lack.

      Now that Novell own SuSE I expect eDirectory to be the number one Linux LDAP compliant directory available.

      --
      I don't make predictions, and I never will.
    7. Re:This was an expensive ordeal... by kjs3 · · Score: 2, Insightful

      I'm familiar with a SunOne install with somewhat more than 32 million users on a Sun cluster about to go into production for a major cellular provider (in pilot for something short of a year). My impression is that your comments are spot on correct.

    8. Re:This was an expensive ordeal... by KarmaMB84 · · Score: 3, Insightful

      Configuring anything for serving 32 million users on a cluster isn't going to be pretty ;)

    9. Re:This was an expensive ordeal... by hyc · · Score: 2, Interesting

      Sun has backpedaled on Linux so many times; if anyone still considers using SunOne on Linux today they've got to be a complete and total moron.

      (Leaving aside the obvious question of using SunOne for anything at all...)

      --
      -- *My* journal is more interesting than *yours*...
    10. Re:This was an expensive ordeal... by hyc · · Score: 2, Insightful

      Yet another mindless raving rated as "Insightful" - where do you guys get this stuff?

      The above post is a stream of empty claims and not even a hint of factual support. How can you rate someone saying "I haven't looked at the code yet .. it is high quality from its core to its exterior" as *Insightful* ?? There is ZERO insight here.

      Nobody here knows what kind of server the Netscape guys were talking about, what those 200,000 clients were doing, or what the directory data looked like. We have No Insight into what that claim means.

      But you can look here http://www.symas.com/benchmark.shtml and see charts derived from documented benchmark procedures that You Yourself can repeat and verify, showing that Netscape's performance drops off FASTER than OpenLDAP's as the number of clients increases. You want INSIGHT - doing systematic tests and publishing the tests so that others can verify the results is how you get it. Not by factless gushing from a fanboy who has never seen the code in question.

      --
      -- *My* journal is more interesting than *yours*...
    11. Re:This was an expensive ordeal... by opos · · Score: 2, Informative

      But RedHat is not in Silicon Valley. In Raleigh-Durham, $20M is a lot of money. This investment is an interesting move to opening up more resources for the open source community.

    12. Re:This was an expensive ordeal... by askegg · · Score: 2, Informative

      Not true. Novell eDirectory has been proven to scale to at least 1 billion objects in 2000. Administration involved breaking the users into 4 groups of 250,000 each and replicating them between the servers. With Novell's management tools, this is trivial.

      --
      I don't make predictions, and I never will.
  2. What's ND have that OpenLDAP doesnt? by stratjakt · · Score: 4, Interesting

    I think this is a good thing, I'm just honestly curious, having messed around with OpenLDAP, and never really doing much with ND.

    What are the major differences, feature-wise not philosophy-wise (no Free vs free vs Open vs open rants)?

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:What's ND have that OpenLDAP doesnt? by bernywork · · Score: 5, Interesting

      From TFA:

      single-authentication, user-identity management and multimaster replication. Also, centralized phone book, employee locator and org-chart tool.

      I would also suggest that the speed complaints that people have with OpenLDAP wouldn't be there.

      --
      Curiosity was framed; ignorance killed the cat. -- Author unknown
    2. Re:What's ND have that OpenLDAP doesnt? by {X-Frog} · · Score: 5, Interesting

      I didn't really use both a lot, but I tried to set up an Open LDAP server with some modification to the default templates, it was a fucking HELL to make it work!

      Netscape Directory is sooooooo but soooo easy to install, manage (with a little gui if you want), replicate. It's really important in a big environment with thousands of users and hundreds of servers that rely on LDAP servers! I would never do that with OpenLDAP!

    3. Re:What's ND have that OpenLDAP doesnt? by Temkin · · Score: 3, Informative

      Speed, and certain enterprise features like multi-master replication if I remember correctly. It's been a while since Netscape dropped off everyone's radar, and I know they continued work on it after iPlanet broke up.

      You can compare them using SLAMD. www.slamd.com

    4. Re:What's ND have that OpenLDAP doesnt? by Doktor+Memory · · Score: 5, Interesting

      OpenLDAP is basically an LDAP toolkit. You've got your LDAP server, client libraries, command-line tools... but that's it. What you build with it is up to you, and you're starting from scratch each time pretty much.

      Now, that isn't necessarily a bad thing in and of itself, but when you're trying to bootstrap a real, useful corporate directory service from scratch, it's a hell of a learning curve.

      Netscape/SunONE Directory Server was less hacker-friendly, but it would take you from zero to a functioning directory in about 30 minutes, not including hiring a temp to type in all of the corporate info.

      It had its quirks, and I worry about the codebase being a bit... rotted these days. But I'm happy to see it hitting OSS-land. A little competition for OpenLDAP can only improve matters.

      --

      News for Nerds. Stuff that Matters? Like hell.

    5. Re:What's ND have that OpenLDAP doesnt? by LnxAddct · · Score: 4, Informative

      Netscape Directory is very very fast and very very easy to install and configure. After using OpenLDAP, I'm sure everyone can agree that it is not worth your sanity just to configure a program:) Netscape Directory makes this all easy, it integrates well and is highly efficient. As I said in another post, the Netscape engineers who coded this (very bright guys) claim that one mid to high end server running Netscape Directory can handle 200,000 clients. This is a huge gain for linux in enterprise.
      Regards,
      Steve

    6. Re:What's ND have that OpenLDAP doesnt? by Panoramix · · Score: 4, Informative

      Fwiw, I did install a Netscape Directory Server on a HP-UX 11 machine, not that long ago. It was reasonably straightforward, except in that I had to install a number of OS patches and muck around with kernel parameters.

      (Btw, what is it with these big proprietary apps that always want to change your kernel parameters? What on earth does Oracle need 2GB of shared memory for? And 64K file descriptors per process? That's beyond ridiculous. That sounds dangerously like extremely sloppy programming inside the product.)

      But I digress. My point is that installing and configuring NDS is not hard, but nothing like "soo but soo easy" either (e.g., a far, far cry from "apt-get install slapd").

      Enabling SSL is a PITA if you don't have the Netscape Certificate Server (which I didn't). It involves all manner of funky maneuvering with OpenSSL and some tools that you have to fetch from some obscure page at mozilla.org.

      Management is more or less the same as with OpenLDAP, which is to say that it mostly depends on how good or bad your LDAP client tools are. In fairness, I hear the Netscape client is nice. I couldn't use it because the damn thing runs on Windows and I was not about to install that in my laptop just to see a stupid LDAP client.

      Replication is probably better than OpenLDAP, though I haven't yet had a chance to try it on either one.

      As for big environments with many users and clients, until today I would have gone with OpenLDAP (or, if a PHB just had to see a lot of money spent in this, with Novell or Microsoft's directories). That's because nobody had source code to NDS and it was all but discontinued from the vendor. You don't want to find yourself in a position where you know there's a bug in the software, but you can't fix it and your vendor won't because they discontinued the product (and are pretty much out of business themselves, anyway).

      Anyway. This is good news, certainly. Though I mostly hope there are parts and components that can be salvaged into slapd.

    7. Re:What's ND have that OpenLDAP doesnt? by ocelotbob · · Score: 2, Interesting

      I'm not an oracle dev, but I imagine that given oracle's reputation, they want the server to just work, regardless of load spikes, etc. There could be some unforeseen time when you need 64k files open, like doing a massive modification to your database layout. Oracle just wants to make sure that it can do crazy things like that ahead of time, without having the system crash.

      --

      Marxism is the opiate of dumbasses

    8. Re:What's ND have that OpenLDAP doesnt? by kauttapiste · · Score: 4, Informative

      Well, throwing some features off the top of my head:

      * multi-master replication (up to 4 servers)
      * very, VERY extensive plugin interface
      * useful access logging and log file analysers
      * SNMP reporting
      * configuration under cn=config branch (updatable over LDAP)
      * you can take backups by sending commands over LDAP

      And it's fast as hell, compared to OpenLDAP.

    9. Re:What's ND have that OpenLDAP doesnt? by hyc · · Score: 3, Interesting

      re: multi-master - like the SprintPCS guy said a few posts over - prone to failure and database corruption, utterly useless in an enterprise deployment.

      re: plugin interface - OpenLDAP supports both the (incredibly inefficient) Netscape plugin interface and its own (incredibly fast) plugin architecture.

      re: logging - "useful" is a subjective term. Since you don't explain what this means, it's difficult to comment further on it.

      re: SNMP reporting - you're right, this is lacking in OpenLDAP, and for IT purchasers going down the checklist of "must haves" this can be a problem. The NetSNMP package is an easy solution here, especially with all of the information provided by OpenLDAP's cn=monitor. I know of several commercial OpenLDAP deployments where this was an issue at first, but integrating NetSNMP allowed the OpenLDAP deployment to proceed.

      re: cn=config - This is implemented in OpenLDAP 2.3. And it doesn't require a server restart to make new plugin settings and other changes take effect, unlike Netscape/SunOne.

      re: backups via LDAP-initiated commands - this topic actually came up on the openldap-devel mailing list recently. The conclusion was that it was a band-aid Netscape needed for their lame replication mechanism.

      re: fast as hell - OpenLDAP 2.1 beats Netscape into the dirt. OpenLDAP 2.2 is even faster, and scales to large numbers of clients even better. If you still believe Netscape is faster than OpenLDAP, you haven't used a recent release of OpenLDAP.

      --
      -- *My* journal is more interesting than *yours*...
    10. Re:What's ND have that OpenLDAP doesnt? by krady · · Score: 2, Informative

      Try setting up a proper security architecture for it using SASL and/or TLS to support samba and pam SSO.

      I know LDAP very well and have worked with many different servers but trying to find the exactly correct version of openldap to support properly secured passwords for samba manager and root in the DIB was a nightmare. I eventually gave up and had to go back to the security requirements phase to get around it.

      As for hoping to train up the less experienced admins on the system, I was pretty sure that would never be possible.

    11. Re:What's ND have that OpenLDAP doesnt? by DG · · Score: 2, Informative

      Yeesh....

      I ran a major Netscape Directory server installation at a major US automaker. As far as I know, it's still running there. Started at 3.0, and was on 5.x when I left.

      Netscape's internal replication did indeed suck for a while, where the biggest failure was the inability to emancipate a slave directory and make it a master if the master puked.

      I got around that through the brilliantly elegant feature that Netscape had that OpenLDAP did not - the replication ChangeLog was available via LDAP. I actually wrote a program called replicator.pl - that's right, in PERL! - that handled all our replication and made multi-master happen. Later on, when we bought this upstart young German automaker, that program did real-time replication with real-time schema translation between their directory infrastructure and ours.

      An early version of that program is available online - it was GPLed - and I have the code for the most up-to-date version if anybody wants it.

      Later on, the internal Netscape->Netscape replication got solid enough to the point where it could be relied on, and replicator.pl was phased out except for where schema translation was required.

      As for the plugin interface, we actually wound up using this. I'm not going to say what for... but it had to do with the way a certain bit of very important information from the mainframe systems got tied into the directory. We had an "oh shit!" moment, I dove into the plugin documentation, and less than an hour later we had a working solution that solved the problem COLD. Saved our collective asses. You might think it horrible, but it solved the problem.

      And as far as speed goes, Netscape handled everything we threw at it. Where eDirectory would just give up and cry, Netscape would go blasting through serving data. It was an awesome bit of work. The Java console sucked, but the server itself was awesome, and Netscape's support was pretty good.

      Now I wanted to try OpenLDAP, but the configuration and installation was a PITA, it didn't support Netscape's ACL syntax, nor would it support ACL updates over LDAP, the replication changelog wasn't available over LDAP, and whenever I broached these subjects on the OpenLDAP lists, all I ever got was aggressive and nasty grief. People telling me how what I wanted OpenLDAP to do was stupid.

      Whatever. Good on RedHat. I fully expect those speed improvements will migrate into Netscape's server (God Bless the GPL!) and then the world will have speed, ease of use, and hopefully, a more polite developer base all rolled into one place.

      DG

      --
      Want to learn about race cars? Read my Book
  3. From a user perspective by Dancin_Santa · · Score: 4, Interesting

    How does this improve my user experience?

    How can using ND make my life, as a user/administrator/purveyor of exotic animals, easier?

    I think that is a useful question to ask any time a "new" feature is presented.

    1. Re:From a user perspective by 0racle · · Score: 4, Insightful

      Ever used the Active directory on Windows? I mean a properly created one in a larger organization. Had to search for an email address of someone in another branch or division? Ever had to log into another machine on that network? Search for printers on another floor?

      Well, you can actually do that and more with any LDAP server.

      --
      "I use a Mac because I'm just better than you are."
  4. Comparison by rsax · · Score: 4, Interesting

    I know this story is going to prompt people wanting to know how the Netscape directory server compares with OpenLDAP. I've never used the Netscape one but what I would really love to know is how does it stack up against Novell eDirectory? eDirectory isn't open source but the licenses are damn cheap, the first 250,000 licenses are free. Any LDAP experts care to share their opinions?

    1. Re:Comparison by Kartoch · · Score: 2, Informative

      To add a bit of complexity in this question, I heard that guys from Samba are developing their own LDAP because they are not satisfied with OpenLDAP. Does anyone have more information/opinions about it?

      --
      Ceci n'est pas une signature.
    2. Re:Comparison by deviator · · Score: 4, Interesting

      I have to say that while I've not worked with ND, Novell eDirectory (formerly NDS) is a technically brilliant tour de force. It's a really amazing package; multimaster replication; multimaster schema changes; extremely efficient over slow links, unbelievably secure (and has some really sophisticated extensible authentication systems), works on every platform under the sun, the APIs & developer tools are extremely mature, scales like crazy and runs super-fast, and like the previous poster said, it's CHEAP.

      Anything else, to me, is a weak imitation--but I guess as long as your directory speaks LDAP all is well. Unless it's Active Directory--which is really just a set of "nested" domains with automated trust relationships. And that part makes it a huge pain in the ass to maintain. (The trick to this is to throw an AD domain into eDirectory and have eDirectory manage the whole thing - it is so flexible it can manage _other directories._)

      NDS has always "just worked" - move, rename & merge tasks are super-easy. How does ND handle all of this?

    3. Re:Comparison by ScytheBlade1 · · Score: 4, Interesting

      It does indeed look like they're building their own LDAP server. I'd have to search the mailing lists for reasons as to why, but if it's the same quality as their current products, it won't be a let down.

    4. Re:Comparison by alistair · · Score: 3, Insightful

      I have used both and run both in production at a major corporation.

      In many ways eDirectory is far more sophisticated. It is closer to a true X500 directory and it has some very sophisticated tools for data replication and management. The admin console is streets ahead of the old Netscape Java Console for starters and the APIs are very well developed. It is much easier to do operations such as prune and graft on the Novell Directory than on the typical standalone LDAP directories (Open LDAP, SUN ONE) where you have to essentially delete and recreate the entry rather than just modify the base DN.

      One key differentiator is replication strategy. eDirectory and Microsoft AD are genuine multi-master directories, you can configure them to accept updates anywhere and the data then replicates among the cloud of replicated servers. Open LDAP and Netscape's LDAP have pyramid structure replication, you update a master, it updates slaves and these can update further consumer servers. This approach can have some advantages if you want to secure updates and be able to take a consistent snapshot of your data at a particular point in time.

      Speed is also an issue. I feel that SUN ONE is currently the leader in raw search speed; Netscape produced a very fast server on the same database backend and I suspect Novell is a little slower as it is more feature rich. You will probably only notice this if you are making in excess of 20 searches per second to your box.

      So I would advise people to check out eDirectory. Novell have a great history of making some superb products which they then do their utmost to keep secret from paying consumers. If it is free it could well meet most of your needs, especially as the console makes it very easy to set up and populate with sample entries.

    5. Re:Comparison by ian13550 · · Score: 2, Informative

      Wow -- you should not talk about Sun ONE because you obviously don't know what you are talking about. What version of Sun ONE did you use? 4.x from 1999? Your information is not correct at all and badly outdated.

      As of iPlanet 5.1 (before re-branding) you could do 2 way multi-master replication (with schema replication, etc etc etc) and with Sun ONE 5.2 (post-rebranding) you can do true attribute-based multi-master replication.

      eDirectory has a MAJOR fault where the thread processing a BIND attempt goes to sleep for 3sec to prevent brute force password attacks. In a high traffic environment, 3sec is a damn eternity. Oh yeah, the morons at Novell decided that this is hardcoded into the product and cannot be disabled.

      AD is a total joke. Don't even talk about using it in a *real* production environment. Most of the shit is badly documented and is not used by serious retail consumer sites.

      You are 100% correct that the eDir replication robustness is the best in the business. If you are serious about a true multi-datacenter environment that is replicated in real-time over a WAN -- eDir is great. Also, the eDir admin console is light years ahead as well -- but who the hell ever uses the GUI to admin a production Directory server??? Sun ONE has EVERY command available via the command line -- and some that the GUI can't even comprehend.

      For pure read speed -- not many products can touch Sun ONE when properly tuned (allidthreshold, indexes, etc).

    6. Re:Comparison by alistair · · Score: 2, Informative

      Hmmm, don't know what I am talking about, 7 years running a team of 8 people implementing a global LDAP service for a Fortune 500 Company, beta tester for SUN ONE versions 5.1 and 5.2 (including being the only person to submit a P1 bug on the 5.2 version) speaker at the RSA Conference Europe on Identity Management in 2003 and accepted for 2005, sorry if I need to dig out my cluestick.

      With eDirectory and AD, you can update any server and each server then replicates globally. Each have their own mechanism for reconciling conflicts as changes move across the cloud, each with their own drawbacks (although Novell's is more customisable IMHO). However, in theory, you can have 1000 servers all accepting updates.

      When Innosoft launched their DS 5 as was, they took the lead with what they called either failover or standby master. This is the code that SUN bought to build DS 5, and also because they didn't have Smith and Howes who were their lead architects on the iPlanet Directory and gained Mark Wahl, who I think still works for them.

      With DS 5.1 and 5.2 you still have failover or standby masters, with 5.2 you can have 4. SUN rebranded these as Multi Master in response to marketing criticism from MS and Novell. However, it is not true multi-master in the sense of eDirectory or AD, most installations use one master for writes and the 2nd/3rd/4th as failovers. There is a two phase commit between masters before updates are sent to hubs and consumers with NO conflict resolution, which you absolutely need if you are running multi master over slow WAN links or the link between masters breaks while both masters are up and you need to reconcile them when the network link returns.

      Everything else you write is 100% correct, for all my production environments I use SUN ONE 5.2 SP3 and I think they are the fastest on the planet, serving over 1000 searches per second on very cheap Linux hardware (lots of indexes and allids at around 20% of entry size).

      Consoles do suck but people have to learn somewhere, we have written a Web based interface to SSH to command line that manages our global SUN ONE servers but people have to start somewhere and Novell's is much better than SUN ONE.

  5. This has huge potential by EvilStein · · Score: 4, Interesting

    I've used OpenLDAP and Netscape Directory Server. NDS is a *very very very* cool product. It's easy to use, scales like there's no tomorrow (it was the backend for a lot of the older Netscape Netcenter sign on functions) and it's nice & documented. (I still have books for it)

    Red Hat releasing it under the GPL is a good thing, any way that you look at it. Cool product, "big name company" supporting it, and oodles of applications that can already use many of its functions.

    Now, if someone would slurp up Netscape Calendaring Server and release *that* under the GPL..
    If the Netscape SuiteSpot Server suite still existed and was under the GPL, there's your Exchange-killer right there.

  6. Now if only it had Hula's calendaring and email by gnatware · · Score: 5, Interesting

    Can RH possibly integrate the http://hula-project.org/ into this roll out? I would really like to have THE non-M$ directory/email/calendaring system running for my school district: single sign-on and email accounts for teachers, staff, students, parents... with Mac OS X Server directory delegation, Kerberos, etc.

    A killer kombination for Open Source.

    1. Re:Now if only it had Hula's calendaring and email by 10Ghz · · Score: 2, Insightful

      Guess what : Apple Mac OS X is actually replacing GNU/Linux in some area now :

      And Linux is replacing Apple somewhere else. So what's your point? OS X replaced Linux in some university? Run for the hills! The world is coming to an end!

      --
      Lesbian Nazi Hookers Abducted by UFOs and Forced Into Weight Loss Programs - -all next week on Town Talk.
  7. Enterprise Solutions by kjs3 · · Score: 3, Insightful

    This isn't particularly big news for the SMB market, but for the enterprise market, this is a huge open source win. Quality, scalable, enterprise capable LDAP solutions are a hot topic in all of the Fortune 500 sized companies that I deal with, and ND has a track record of being able to play ball there.

    Now if they would only open source Netscape calendaring...

    1. Re:Enterprise Solutions by lactose99 · · Score: 2, Informative

      Now if they would only open source Netscape calendaring...

      Did RedHat get rights to Netscape Calendar? I thought that was all sold to Steltor as Steltor CorporateTime before it all got gobbled-up by Oracle and became Oracle Collaboration Suite's Oracle Calendar. The only reason I know this is because my company was a legacy Steltor CorporateTime customer and we recently completed an upgrade to Oracle Calendar as support was about to expire on the Steltor product.

      If Netscape Calendar was open-sourced, perhaps I could better understand the proprietary database backend used with it.

      --
      Fully licensed blockchain psychiatrist
  8. Sun Directory Server vs. Netscape Directory Server by mrbill · · Score: 2, Interesting

    Isn't Sun's Directory Server based off this as well? I thought they'd acquired all the old Netscape stuff back in the Netscape/iPlanet days.

  9. Where are they now? by fce2 · · Score: 2, Informative

    Where are the other bits of software that once were Netscape Suitespot?

    Netscape Calendar was not actually developed by Netscape, but was a version of CS&T's CorporateTime system. CS&T later renamed to Steltor, and is now part of Oracle, CorporateTime forming a large part of their collaboration suite.

    Both Netscape and Sun got copies of everything when iPlanet split. Sun still develops and sells them, first as Sun ONE, now as Java Enterprise System. Netscape tried to keep development going for a while, but it kind of stagnated (much in the same way that the Netscape browser stopped moving after the AOL acquisition).

    Redhat also got Certificate Server and Enterprise Server (the web server) as part of their deal, see http://www.redhat.com/software/rha/netscape/ for more.

    So where is the other Netscape software? I'm mostly talking about Messaging Server, which is an awesome piece of software, and Collabra Server, which .. isn't. Presumably they're still kicking around in a CVS in the depths of AOL somewhere. Anybody else know anything?

  10. Proper replication by Nailer · · Score: 2, Funny

    Aside from multi-master replication (OpenLDAP only allows a single master), Netscape directory server solves the 'OpenLDAP being fucking retarded, and holding ACLs to objects in the directory OUTSIDE the directory, therefore replicating objects before their access controls' issue.

  11. LDAP is lightweight by Sufood · · Score: 4, Interesting

    It's all very well and good to have a lightweight directory system as part of your operating system. However, if Red Hat wants its identity management system to be more than a lightweight, it should consider asking Netscape to implement more features of the X.500 Directory standard.

    The problem with LDAP is that adding the 'L' (lightweight) to the 'DAP' (directory access protocol) removed many features including, most noticeably, proper distribution of data over multiple servers and proper chaining of requests.

    Proper distribution and request chaining protocols would allow Linux systems and MS systems to share a perceived common user data store. At the moment, hybrid enterprises are forced to support multiple islands of trust in the organization. It also sets the operational limits of the system to an enterprise/employee rather than a global/customer scale solution.

    Still, it's a good thing that Red Hat is implementing a directory based identity management solution. It's a step in the right direction.

    1. Re:LDAP is lightweight by WindBourne · · Score: 2, Interesting

      LDAP has been able to do distribution over multiple servers for some time. The L in LDAP modifies the protocol, not the server software.

      As to directory based ID management, Linux (including Redhat) has had it for eons. You have always had your choice of using kerberos or LDAP or NIS or whatever you like. In fact, I have done some set-ups ~4 years ago where we used LDAP for the ID. It worked fine.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  12. What do you know, it ain't dead yet... by sillypixie · · Score: 2, Informative

    I feel happy about this.

    I feel that this may be karmic retribution for Sun railroading us into having to use ^$@#%$&ing pkgadd, instead of those lovely tarball installs of yore, where it all installed into a single directory that I could tar up, or simply blow away if it screwed up... ah, the days of control...

    But then, in the short term, the only way that I can see Netscape Directory Server making it into the enterprises that I deal with daily is if it comes bundled or as a dependency for some very well-trusted and established open source app, like maybe a CMS or something such as Bugzilla, or SVN. As an "Enterprise Directory" (ooh aah) it will be a long time before this version could compete, if ever -- everybody wants a stack, these days.

    Still, it could be interesting leverage for the big Sun clients who are actually paying for the SJS Directory Server. I think this is the final stage of the commoditization of the animal that is a directory server... damn, I owe a certain Burton Group analyst a beer now...

    (-:

    Pixie

    --
    don't mess with those geekgrrls
  13. Re:Well... by Craig+Ringer · · Score: 2, Insightful

    Er ... my point was that lots of custom hacking would be required to do with LDAP on *NIX the things that come BUILT IN in AD. I thought it was pretty darn obvious, actually.

    My whole point is that you don't get anything even remotely like Group Policy under any *nix LDAP authentication scheme I'm aware of unless you do a lot of custom hacking.

    AD is pretty awesome, and I'd really LIKE most of the power it offers on other platforms. As far as I'm concerned that's the biggest thing the Windows platform has going for it. That, and it's documented ;-)

    As for AD problems ... what you say is probably true. On the other hand, even quite large organizations often seem to fail to deploy it correctly. A national manufacturing outfit in Australia was brought down for a while because one of their branch offices lost its connection to the WAN, their AD secondary master promoted itself to primary, then the WAN was restored and everything went *splat*. Avoidable? Probably. Need an AD black-magic wizard? Definitely. What's needed is documented somewhere? Without a doubt ... but good luck finding it and understanding it then applying it correctly. The AD admins I've spoken to have all expressed the view that AD is great, but just too damn hard to configure robustly and that it tends to be fragile if not configured exactly right.

    I would ask you to, next time, take the time to ACTUALLY READ MY MESSAGE before flaming me out too much, OK? You've been just as bad as the people you're complaining about.

  14. We used SUN/One for SprintPCS and....... it sucked by dlippolt · · Score: 5, Interesting

    In the development and staging environments it was great. As other posters mentioned you could get from zero to something usable in less than 30 minutes. Everything was as you would expect.

    However... in the -production- environment, with 10's of millions of ldap objects connected to SprintPCS's provisioning systems which were making 1,000+ ldap writes --a minute-- the SunOne system absolutely blew chunks.

    LDAP architects will ask what the hell we were doing with the entire database in one ldap instance rather than partition the dataset, and they'd be right, but we were acting under Sun's direction since at the time we had one of (if not) the largest LDAPs in the world.

    LDAP architects would also wonder why on earth you would ask an ldap server to live under such a write intensive churn, and they'd be right again.

    That being said...

    -- Multimaster replication would never ever work. Most of the time the entire SprintPCS userbase was hanging off one master and less than 4 replication slaves. For several months the entire messaging system was wedged into a single point of failure nightmare. (to be fair, this wasn't all slapd's fault and had 1/2 of the root cause in Sprint Datacenter practices which produced predictable results)

    -- Other posters asked for SunOne Calendar server to be opensourced. My first response is to suggest you have your head examined since that thing would die for absolutely no reason on a regular basis. We actually automated the process of detecting its death and restoring from last night's backup. If you were a SprintPCS customer and your calendar ever seemed screwy now you know why. Of course further reflection suggested opensourcing it is probably the only thing that could help at this point because...

    -- We used to get hotfix builds from Sun which were missing entire sections of the binaries. Whoever was managing the code would forget to use the same compilation flags for hotfixes as original code so we would receive webmail frontend builds which couldn't talk to imap backends, or calendar backends which wouldn't accept connections from calendar front ends.

    -- SOL if you wanted to run more than 4G of memory in slapd.

    Don't consider this post a rant, just let any CIOs/etc. reading this know that this opensource release will probably work great for you if you don't load it heavily (unlike exchange 5x, which would grenade just sitting there)

    On the other hand, if you want to push the performance envelope, pretty much expect it to take a lot of time and cause a bunch of headaches -in production-. Get help from people who have pushed the performance of the tools you are considering running.

    Weird mood tonight.

  15. Re:Netscape Directory **IS** OpenLDAP by hyc · · Score: 3, Interesting

    Not since 1999-2000. The overall shape is still similar but the internal details have all been reimplemented by the OpenLDAP Project. Today OpenLDAP is miles ahead of Netscape in terms of performance, scalability, and stability.

    See for yourself:

    http://www.stanford.edu/services/directory/openldap/history/index.html

    OpenLDAP 2.0 is slow, snail's pace, frozen molasses slow. That's the release that RedHat has bundled for years, up to RH9 and even beyond. It's only in the past few months that anything from them (Fedora Core) has shipped anything newer.

    OpenLDAP 2.1 is over Two Hundred Times faster than OpenLDAP 2.0 and already significantly faster than Netscape 5. OpenLDAP 2.2 is 30-50% faster than OpenLDAP 2.1 and leaves Netscape in the dust. OpenLDAP 2.3 is faster yet.

    --
    -- *My* journal is more interesting than *yours*...
  16. BFD...the IBM LDAP Server has *always* been free by The+Last+Gunslinger · · Score: 4, Informative

    Why is this even newsworthy?

    IBM has licensed its enterprise-class LDAP directory server software free of charge for over 5 years now.

    Yep, free. Go to ibm.com and download it for yourself. Anyone. For any purpose.

    http://www-306.ibm.com/software/tivoli/products/directory-server/

    It's currently under the Tivoli brand, going as the IBM Tivoli Directory Server v6.0.

    Not only does it pack all the bells and whistles of other enterprise LDAP directories, such as multimaster and cascaded replication models, but instead of flat files it *includes* IBM DB2 UDB enterprise edition database (also licensed free of charge) for its data storage. I've seen the comparative test results, and nothing touches this solution for performance and scalability.

    It runs on just about anything, too...including Linux on non-x86 hardware.

    And they've always GIVEN it away. Free download.

    So, someone explain again WHY any company of any size would PAY for an LDAP solution, or why RedHat giving away Netscape Directory is big news?

  17. SUN ONE not quite direct descendent. by alistair · · Score: 3, Informative

    This isn't 100% correct. SUN ONE is a merge of the Netscape Code base with the Innosoft Code base they acquired in around 2001. Both Netscape and Innosoft developed their own directory servers based around the Open LDAP reference installation. What made Innosoft more advanced was its capability for several masters (it's not true multi-master in the sense of eDirectory from Novell or Active directory but that is no bad thing).

    SUN acquired the Netscape Code in partnership with AOL and also bought Innosoft. SUN's Directory 4.x servers are the Netscape code, 5.x are Innosoft.

    Having said that I have happily tested both servers with 4 million entries on a fairly small box and run 500K entries in production. We managed uptimes of in excess of a year on some of our 4.x servers running over a million queries a day, not so bad.

  18. Re:BFD...the IBM LDAP Server has *always* been fre by sceptre1067 · · Score: 2, Interesting

    At the bottom of the page is the download link. It does appear to go to a "free" evaluation/beta copy.

    I didn't download it though, so I don't know what the exact terms of use are.

    The fact that there is a "Buy Now" would suggest that the eval copy is for testing but not production. Just a guess though.

  19. Re:I'm sure OpenLDAP 17 will be faster still by DG · · Score: 2, Interesting

    I ran the Corporate Directory for a major US automaker for a number of years.

    We used Netscape's Directory Server. There were hundreds of apps pointing at it, and the main Internet proxy server used it as the authentication service.

    Over a million objects, hundreds of thousands of searches per day. It might crash once or twice per year, and never corrupted anything.

    The management GUI sucked, but it was an outstanding product in all other respects.

    DG

    --
    Want to learn about race cars? Read my Book
  20. Re:BFD...the IBM LDAP Server has *always* been fre by diegocgteleline.es · · Score: 4, Insightful

    Because Red Hat is not just giving it for free - they've opensourced it. Under the GPL. This means it's really free, we can improve it, port to weird architectures, to FreeBSD, etc. We can see the code, not just use it.