[SATLUG] Active directory vs Linux

Justizin justizin at siggraph.org
Sat Dec 23 13:48:15 CST 2006 

On 12/23/06, Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> On Fri, 2006-12-22 at 13:34 -0600, Justizin wrote:
> > On 12/22/06, Thomas Cameron <thomas.cameron at camerontech.com> wrote:
> > > On Wed, 2006-12-20 at 18:07 -0800, samuel detal wrote:
> > > > How can I create a network in a active directory alike structure?? is it possible or in this aspect Windows is better than Linux....
> > >
> > > Not exactly AD, but you can use Fedora Directory Server, which is a
> > > newer (and MUCH better) release of the Netscape Directory Server.
> > >
> > > http://directory.fedora.redhat.com/
> >
> > OpenLDAP also shares a history with FDS -
>
> Wrong.  OpenLDAP and Red Hat/Fedora Directory Server are from non-common
> codebases.  They adhere to the same standards, but they go about it in
> different ways.
>

I consider this to be rather authoritative:

http://directory.fedora.redhat.com/wiki/FAQ#How_is_Fedora_Directory_Server_different_from_OpenLDAP.3F

> > the main point of difference
> > between these two is a theoretical debate over the nature of
> > multi-master replication.  The developers of OpenLDAP, for some pretty
> > sound reasons, depending on your implementation, maintain that
> > multi-master replication can destroy the reliability of an LDAP store.
>
> Which is why the Netscape developers (who now work at Red Hat) coded a
> highly reliable multi-master design.  RHDS provides highly reliable
> time-based conflict resolution and very fast replication.  It also
> provides for read/write and read-only replication (master and slave).
>

Two-stage commit?

> > For instance, let's say you have some websites connected to your LDAP,
> > and one allows people to update their mail address, while others send
> > mail, say order status, based on this value.
> >
> > With Multi-Master replication, it's possible for the second site to
> > fail to pick up the change from the first site, whereas with single
> > master replication, while having less attractive failover potential,
> > if there were a directory problem, it would be clearer because the
> > e-mail would refuse to save.
>
> In large environments, most of my clients don't let any apps actually
> talk to the master.  It's all through the slaves.  Any master-master
> replication would happen "above" the layer where the apps talk to the
> directory.
>

That's immaterial - if I talk to a slave and its' master is out of
sync, it's out of sync, piling slaves on top of replication nodes does
not make replication faster.

> > Again, this is something where you'll have to make choices.  I'm
> > betting Google uses Multi-Master replication based on their
> > master-less network topology.
> >
> > > If you need a commercially supported version of this product, see Red
> > > Hat Directory Server at http://www.redhat.com/software/rha/directory/
> >
> > Yes and what's fun is even if you have a license for umpteen RHEL
> > machines, you have to purchase a separate support contract for
> > FDS/RHDS, afaik.  Even if you don't care about money, this can really
> > slow your project down.
>
> RHDS support is available via a subscription, just like RHEL.  And
> unlike many competing commercially-supported LDAP server (think Sun
> One), Red Hat charges a per-server subscription as opposed to a per
> object rate.  Compared to pretty much any other commercially supported
> directory on the market, it's cheap - list price for RHDS master is
> something like $13,500, no matter how many objects you have.
>

I wonder if that's more than we pay for Oracle, which packages an LDAP gateway..

> > I've decided to bypass caring about the difference in replication for
> > time being, at ACM, by pointing our OpenLDAP at an Oracle 10g storage,
> > though I'm not entirely excited about it.  BDB has major deadlock
> > issues which arise in svn and I'd prefer never to see that happen to
> > my directory.
>
> So quit messing with OpenLDAP and fire up FDS or RHDS.  It's easy, the
> interface is straightforward, and it's time-tested.  When Netscape was
> bought by AOL, the server products languished.  Red Hat bought the
> server product line and got the staff at the same time.  Interestingly,
> the vast majority of the Netscape staff have stayed at Red Hat.  They're
> a pretty incredible group of folks.
>

I hear similar things about the OpenLDAP folks..

Afaict, RHDS/FDS are still using BDB, which has serious deadlock
issues.  I cannot for the life of me come up with another alternative
to SQL RDBMS for storing LDAP data, as inappropriate as it is.

At least from where I sit, it's not a clear-cut decision..  I'm not
convinced that RedHat has done any better at multi-master replication
than anyone else.  I do know that PostgreSQL can do some pretty neat
stuff with slony these days.

-- 
Justizin, Independent Interactivity Architect
ACM SIGGRAPH SysMgr, Reporter
http://www.siggraph.org/

More information about the SATLUG mailing list