Posted to users@directory.apache.org by "Tillinghast, Andrew P." <at...@conncoll.edu> on 2012/07/11 15:50:15 UTC

Best choice for production LDAP?

This seems a straightforward question but looking back through the archives I don't see it asked in the last year - in October there was a similar question but not quite what I want to know.


I need to set up a production LDAP solution and I'm looking for guidance on the version of apacheDS to implement.

First of all the last version that was marked as "Stable" is 1.0.2 from May of 2007, all the 1.5.x versions are identified as "unstable" - Usually production and unstable aren't a good combination.

I completely understand that the 2.0.0 milestone releases are beta - also not usually good for production.

Unfortunately, for a production implementation there are features missing from the 1.5.x versions that I consider extremely important, specifically multi-master replication.

Besides stability of a beta release the other key issue I see with the 2.0.0 releases is that the documentation is still sparse, completely reasonable for a beta version but will make implementation more of a challenge.

I'm leaning towards ApacheDS because the product is Java based, seems to have a great feature set, and I've had a good history with Apache projects, but I'm willing to look at switching to another LDAP solution if ApacheDS isn't ready for our needs.


To give an idea of our production needs:

We are a high education institution with about 2,500 Staff, Students and Faculty.
We have approximately 30,000 alumni that continue to have access to various systems through CAS.
We are completely revamping our IAM implementation from AD, Custom scripts and CAS to a central Identity vault (where we see apacheDS in the system) fed by SPML from our ERP, integrated with Grouper, CAS, Shibboleth, Federated Identity, Kerberos and Guest registration through OpenRegistry.
Desired to be in production by the 13th of August, and I'm the only technical person tasked with the implementation.




Andrew Tillinghast
Sr. Web Developer
atilling@conncoll.edu
270 Mohegan Avenue
New London, CT 06320-4196
Ph:860 439-5265 Fax: 860 439-2871

Re: Best choice for production LDAP?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 7/11/12 3:50 PM, Tillinghast, Andrew P. wrote:
> This seems a straightforward question but looking back through the archives I
> don't see it asked in the last year - in October there was a similar question
> but not quite what I want to know.
>
>
> I need to set up a production LDAP solution and I'm looking for guidance on the
> version of apacheDS to implement.
>
> First of all the last version that was marked as "Stable" is 1.0.2 from May of
> 2007, all the 1.5.x versions are identified as "unstable" - Usually production
> and unstable aren't a good combination.

Stable meant (back then) that the API was not supposed to evolve. In
1.5, the API has evolved a lot between each minor version (i.e., from
1.5.0 to 1.5.1, from 1.5.1 to 1.5.2, etc.).

In any case, it has nothing to do with the 'stability' of the server:
the tests we run are the same, and we don't release unless all the tests
are passing. The risk for the user is that you install version X
(unstable), then a version X+1 is released, but in order to upgrade, you
may have to export the data and import them again, plus some new
features have been added, and some others have been deprecated.

But more or less, I can tell that the choice we have made (going for 
stable/unstable versions) was *wrong*. This is why we moved from 1.5.7 
to 2.0-Mx.
>
> I completely understand that the 2.0.0 milestone releases are beta - also not
> usually good for production.
Yep.
>
> Unfortunately, for a production implementation there are features missing from
> the 1.5.x versions that I consider extremely important, specifically
> multi-master replication.
Yep, we do consider that those are missing features.
>
> Besides stability of a beta release the other key issue I see with the 2.0.0
> releases is that the documentation is still sparse, completely reasonable for a
> beta version but will make implementation more of a challenge.
Yep.
>
> I'm leaning towards ApacheDS because the product is Java based, seems to have a
> great feature set, and I've had a good history with Apache projects, but I'm
> willing to look at switching to another LDAP solution if ApacheDS isn't ready
> for our needs.
Totally makes sense. I mean, we could tell you that ApacheDS is perfect,
and to some respect, this is what many vendors are doing: they market
their product as version X.Y.Z, and fix bugs on the fly. We don't. We
prefer going for milestones until we have a production ready server,
even if it takes years...
Quality rules here.

>
>
> To give an idea of our production needs:
>
> We are a high education institution with about 2,500 Staff, Students and Faculty.
> We have approximately 30,000 alumni that continue to have access to various
> systems through CAS.
> We are completely revamping our IAM implementation from AD, Custom scripts and
> CAS to a central Identity vault (where we see apacheDS in the system) fed by
> SPML from our ERP, integrated with Grouper, CAS, Shibboleth, Federated Identity,
> Kerberos and Guest registration through OpenRegistry.
> Desired to be in production by the 13th of August, and I'm the only technical
> person tasked with the implementation.
Frankly? Use ApacheDS for tests and development. In production, go for
OpenLDAP atm. They do have everything, except that it's not Java based.

I would *love* telling you that ApacheDS is what you should use in this
very limited time frame, but that would be a lie. I'd rather disappoint
you now telling you that we are not production ready for such a usage
than letting you discover it by yourself, and being pissed off in
August!


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com