Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 23

Thread: Custom LDAP Server

  1. #11
    gjhorne Guest

    I am so pleased to have fallen on this discussion. I am about to explore this for a hosted site of mine. I use the Fedora Directory Service at the core of my ASP infrastructure. I have recently ported Sun's Open Federation (OpenSSO) product to successfully use the Fedora directory (in the full way as though it were Sun's DS) as it is so close to what I would class as version 5.1x of Sun's LDAP (aka iPlanet, Netscape) directory service. OpenLDAP by comparison is like comparing a horse-drawn cart to a sports car and calling it a vehicle too.

    Fedora as an install gives me multi-master replicas, filtered replication, timestamped attribute changes, replica chaining and referrals, proxy user access for connection pools, schema synchronization so I can change the schema on the fly and it will sync with other replicas AND scalability. I get proper access controls and not some poxy set that may differ from server to server. In my work I have built some of the largest LDAPs out there (multi-millions). Fedora is pretty solid and I would not want to go forward with the Zimbra product unless I can successfully port, kludge, trick Zimbra to work with a real directory service. OpenLDAP just doesn't cut it for me! I would rather choose another product to host than be forced to use pieces that won't scale with my architecture.

    Is there a plan to work on this in development or as a community group? I am certainly up for work on this. I am happy to do all the schema stuff etc.

    I am curious what SASL stuff Zimbra uses that would not work with Fedora DS or Cyrus-SASL?

    Do they do ldap adds, modifies, deletes etc with the Netscape java classes or SUN's JNDI classes?

    Do they use connection pooling? Do they do a bind on each user for authentication or a compare as a different user against userPassword?

    I have to get into this big time over the next week. If anybody is making progress or facing insurmountable obstacles I would really like to know.



    Regards
    Graham

  2. #12
    dijichi2 (OpenSource Builder & Moderator)

    Hi

    OpenLDAP isn't _that_ bad! Lots of work has gone into it to make it faster and more scalable, and it is absolutely the de facto standard these days, thus it has far better support and compatibility. In terms of Zimbra, I would have thought OpenLDAP is the least of its scalability problems - there are lots of other big opensource chunks in there too, although perhaps the flexibility of multimaster would be a big help to clustering.

    FDS is a great bit of software but it has a small dev team improving what is essentially the old Netscape DS code - i.e. _very_ old code. Sun ONE DS nee iPlanet branched a long time ago from this code and has been developed, tested and used in very very large environments. As this is going to be opensourced I would be inclined to do as someone suggested on this thread and concentrate on making Zimbra generically compatible with any LDAP backend rather than specifically port such quirky software. The main problem with FDS is the arcane building mechanism and dependencies - I have gone through the pain in the past of 'porting' it to Solaris and IIRC Debian as an exercise, at which point I switched to different software and never looked back - it's a pretty horrible experience.

    WRT SASL, Zimbra has added an extra auth mechanism into the Cyrus tree; apart from being a bit out of date there's no reason it can't be used with FDS or any other software, after all that's the whole point of SASL.

    I am certainly very interested in contributing to this effort, there are some great DS products out there that would fit the bill, I'd be interested in trying to use SunONE. The biggest problem at the moment is the lack of svn tree. There's no point developing at the 'source code' level of zimbra at the moment because you can't track their source, every release you have to start again or go through the pain of diffing your old tree and carefully patching the new, making sure all your changes are what you intended in the new tree.

    Zimbra has done and is doing a great thing for opensource messaging/groupware, but the combination of its licence, dual product and lack of source tree is starting to make it look less like opensource and more like a commercial proprietary product that allows people to view its source code - big difference.

  3. #13
    gjhorne Guest

    Honestly I could not agree more. And the correct answer is to make ZCS LDAP agnostic. I use the Fedora product in my environment because 1. Multi-master replica. 2. Filtered replication.

    I agree with the complexity of the code (I am ex-Novell, Sun/iPlanet), having specialized in directories for about 12 years now. I cringe when I see many implementations of directory for scalability and longevity of the data as the core repository. That aside, I am using FDS as the core repository in my infrastructure but have not bolted myself to a product. My ASP (not quite launched yet) will deliver identity management as a service.

    I have an SVN service that I could make available without using my internal VPN. I could either open it with Cisco VPN client access or use https externally with authentication. (There is some security behind watching and checking). If that would help others I would consider that for the project.

    To reiterate - the goal should be to make ZCS directory service agnostic and thus allow the customer to choose whether to integrate (leverage) the existing user data within an existing repository or to use a repository of choice (that suits the customer's identity management goals) without the need for messy meta or synchronization tools. Do you agree with that statement? Are there others who would like to participate in such an outcome? How would Zimbra feel about this? Are they considering this eventuality in their roadmap? Would we be reinventing the wheel somehow?

    Regards
    Graham

  4. #14
    phoenix (Zimbra Consultant & Moderator)

    You might like to send an email to the address on this page with your proposal/ideas.
    Regards


    Bill


  5. #15
    gjhorne Guest

    LDAP Core schema changes

    Just some preliminaries: I now have installed a 4 server environment (VMware) with 1 LDAP master, 1 LDAP replica, 1 server with store etc and a separate server with MTA.

    After the install I went in and used slapcat to spit the database out to LDIF (everything, not just what someone wants you to see) and I started to find funny (VERY NOT FUNNY) changes to the core schema. Haven't worked out how tragic this is but I get a bad feeling here as userPassword and uid are two of them. I have spent most of my professional life working in directories and identity related fields. Directory design for scale and performance, identity management, security, user store synchronization. Fixing the crap from some bonehead who has adjusted the core LDAP schema for his purpose whatever and now can't make it work well across the empire. ####heads who have decided to create their own schema because they could.

    Another nasty is the Zimbra requirement to search the directory as an anonymous user. I have never met a medium or large company yet who would allow anonymous access to user data no matter how innocuous it may seem, such as mail, cn, sn, givenName or title.

  6. #16
    dijichi2 (OpenSource Builder & Moderator)

    Quote Originally Posted by gjhorne
        I have an SVN service that I could make available without using my internal VPN. I could either open it with Cisco VPN client access or use https externally with authentication. (There is some security behind watching and checking). If that would help others I would consider that for the project.
    The SVN tree must come from Zimbra themselves. Starting a new SVN tree is like forking the code - the opposite of what we need. We want the official SVN tree reopened so we can develop against a tracked tree. 3rd-party development of Zimbra is extremely difficult/time consuming without this, which is why I keep banging on about it in the vain hope Zimbra might fix it, and probably why there is very little community development at the moment.

    Quote Originally Posted by gjhorne
        To reiterate - the goal should be to make ZCS directory service agnostic and thus allow the customer to choose whether to integrate (leverage) the existing user data within an existing repository or to use a repository of choice (that suits the customer's identity management goals) without the need for messy meta or synchronization tools. Do you agree with that statement?
    You're confusing two separate issues here. The first issue is making Zimbra directory agnostic. The second issue is allowing non-Zimbra use of the Zimbra directory server, either in the Zimbra-controlled DIT or outside of it on a separate DIT. The two issues do not have to be dependent on each other and are valid, and indeed important, separate goals.

    Making Zimbra directory agnostic shouldn't be a big deal - most LDAP is done in-band through standard protocols; the difficult bit will be making the OpenLDAP-specific script stuff generic, and possibly handling the implementation differences in how the LDAPv3 protocol is interpreted.

    Allowing non-Zimbra use of the Zimbra DIT is a much bigger issue; if you think about it, how do you deal with schema changes, nonstandard class and attribute design etc? This has always put people off using Zimbra to control other systems, e.g. Samba. Currently I use an entire FDS instance just for Samba and have Zimbra do external auth against that - a messy kludge. Recently Greg from Zimbra has pointed us in the right direction with his Samba zimlets and setup. It's worth analyzing and discussing how this has been implemented and how this method can be extended to other systems.

    Quote Originally Posted by gjhorne
        After the install I went in and used slapcat to spit the database out to LDIF (everything, not just what someone wants you to see) and I started to find funny (VERY NOT FUNNY) changes to the core schema. Haven't worked out how tragic this is but I get a bad feeling here as userPassword and uid are two of them. I have spent most of my professional life working in directories and identity related fields. Directory design for scale and performance, identity management, security, user store synchronization. Fixing the crap from some bonehead who has adjusted the core LDAP schema for his purpose whatever and now can't make it work well across the empire. ####heads who have decided to create their own schema because they could.
    Well no, core schema should never be altered, but are you sure it has been? I haven't looked at the Zimbra alterations, but make sure it's not just differences in OpenLDAP versions. OpenLDAP has a long history of point-release schema fixes that makes life fun. It's entirely possible Zimbra places old schemas against updated versions of OpenLDAP without tracking them correctly (pure conjecture, just guessing).

    Quote Originally Posted by gjhorne
        Another nasty is the Zimbra requirement to search the directory as an anonymous user. I have never met a medium or large company yet who would allow anonymous access to user data no matter how innocuous it may seem, such as mail, cn, sn, givenName or title.
    To the outside, absolutely; in fact I remember whining very early on in these forums about the same issue. However, because the main Zimbra LDAP runs on standard port 389, it restricts certain attributes through ACLs and allows the rest through for GAL access. Personally I don't feel this is a very good way of doing this; it would be much nicer, for instance, to move the main LDAP tree to a nonstandard port as is done with SQL, and then expose the GAL and personal addressbooks on the standard port on a much restricted LDAP tree.

    Any company should block 389 to the outside world. Internally as long as ACLs are reasonable it is often considered acceptable to allow anon binds - I have seen some large companies do this.
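    The ACL approach described in the post above (restrict sensitive attributes, let the GAL attributes through for anonymous lookup, and rely on the firewall to keep port 389 internal), written out as a whitelist variant in slapd.conf syntax. This is an added example, not Zimbra's shipped configuration; the base DN, the people branch and the exact attribute list are assumptions.

```conf
# Added example of the ACL approach discussed above. Not Zimbra's slapd.conf;
# the base DN, the ou=people branch and the attribute list are assumptions.
# slapd.conf evaluates "access to" clauses top-down and the first clause whose
# target matches wins, so the credential rule must come before the broad ones.

# Credentials: the owner may change them, anonymous may only present them in a
# bind (the "auth" privilege), and nobody can read them back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# GAL whitelist: the address-book attributes named in the thread. "entry" is
# the pseudo-attribute a client needs read access to before any entry is
# returned at all; objectClass is needed for the usual (objectClass=...) filters.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=entry,objectClass,mail,cn,sn,givenName,title
    by anonymous read
    by users read
    by * none

# Every other attribute under the people branch, and the rest of the tree:
# authenticated binds only; anonymous gets nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by users read
    by * none

access to *
    by users read
    by * none
```

    Two checks worth doing after loading something like this: an anonymous `ldapsearch` with base `ou=people,dc=example,dc=com` should return only the whitelisted attributes (it must use the people branch as its base, because anonymous has no search access to the `entry` attribute of the parent), and the same search asking for `userPassword` should return the entries with that attribute absent, not an error. The port-389 exposure is still a firewall decision, as the post says; the ACL only bounds what an internal anonymous bind can see.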

  7. #17
    djve (Senior Member)

    Before claiming Zimbra has changed a default schema (I don't have access to check) I'd diff the schema files from OpenLDAP and Zimbra. While I'm not going to do it here I'm pretty sure any changes will be confined to additional schemas supplied by Zimbra.

    I'd also point out that it appears on a default ZCS installation LDAP only replies to the machine it's on, not external requests. So if deployed to a DMZ I'd still expect the firewall(s) to block any LDAP or LDAPS request from outside of a company.
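    A way to do the diff djve suggests, as an added example that is not from the thread, from Zimbra or from OpenLDAP: a POSIX shell/awk script that lists every attribute and objectclass NAME a schema file declares and reports any name that a vendor-supplied schema file re-declares from the core schema. If the vendor file only adds new names, it prints nothing. The schema excerpts it runs on are constructed for the demo (the `example*` names and the 1.3.6.1.4.1.99999 OID arc are placeholders); against a real install you point `schema_overlap` at the core.schema OpenLDAP ships and at each vendor file.

```sh
#!/bin/sh
# Added example (not from the thread, Zimbra or OpenLDAP): find attribute or
# objectclass NAMEs that a vendor schema file re-declares from the core schema.
# Assumes slapd.conf-style schema syntax, e.g.
#   attributetype ( 2.5.4.35 NAME 'userPassword' ... )
#   objectclass ( 2.5.6.6 NAME ( 'person' 'alias' ) SUP top ... )

# Print every NAME a schema file declares, one per line, lower-cased and sorted.
# Definitions span several lines; continuation lines start with whitespace.
schema_names() {
    LC_ALL=C awk -v q="'" '
        # flush a buffered definition: print the quoted tokens of its NAME clause
        function emit(def,    re1, re2, s, parts, n, i) {
            re1 = "NAME[ \t]*\\([^)]*\\)"            # NAME ( a b ) form
            re2 = "NAME[ \t]*" q "[^" q "]*" q       # NAME a form (q is the quote char)
            if (match(def, re1) || match(def, re2)) {
                s = substr(def, RSTART, RLENGTH)
                n = split(s, parts, q)               # quoted tokens sit at even indexes
                for (i = 2; i <= n; i += 2) print tolower(parts[i])
            }
        }
        /^[ \t]*#/ { next }                                                 # comment line
        tolower($0) ~ /^(attributetype|objectclass)[ \t]/ { emit(def); def = $0; next }
        /^[ \t]/ && def != "" { def = def " " $0; next }                    # continuation
        { emit(def); def = "" }                                             # blank/other ends it
        END { emit(def) }
    ' "$1" | LC_ALL=C sort -u
}

# Print the names declared in BOTH files: core schema first, vendor file second.
schema_overlap() {
    t1=$(mktemp); t2=$(mktemp)
    schema_names "$1" > "$t1"
    schema_names "$2" > "$t2"
    LC_ALL=C comm -12 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Constructed sample schemas for the demo (placeholders, not real vendor files).
write_sample_schemas() {
    cat > "$1/core.schema" <<'EOF'
# constructed excerpt in the style of OpenLDAP core.schema
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 2.5.4.35 NAME 'userPassword'
    EQUALITY octetStringMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
    MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber ) )
EOF
    # adds a new attribute but ALSO re-declares userPassword (the bad case)
    cat > "$1/vendor-bad.schema" <<'EOF'
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleMailQuota'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'userPassword'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
EOF
    # additions only (the clean case)
    cat > "$1/vendor-clean.schema" <<'EOF'
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleMailQuota'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleAccount' SUP top AUXILIARY
    MAY ( exampleMailQuota ) )
EOF
}

# Demo: run the check over the constructed files in a temporary directory.
dir=$(mktemp -d)
write_sample_schemas "$dir"
echo "core names:";                          schema_names "$dir/core.schema"
echo "re-declared by vendor-bad.schema:";    schema_overlap "$dir/core.schema" "$dir/vendor-bad.schema"
echo "re-declared by vendor-clean.schema:";  schema_overlap "$dir/core.schema" "$dir/vendor-clean.schema"
rm -rf "$dir"
```

    Anything `schema_overlap` prints is a core name the vendor file declares again, which is where to look before concluding the core schema itself was edited; an empty result means the vendor changes are confined to new names, which is also what to compare across OpenLDAP point releases, where core.schema itself differs between versions.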

  8. #18
    quanah (Zimbra Employee)

    OpenLDAP, FDS, and SVN

    Hey folks,

    A few comments on this thread (*) (**)--

    (a) OpenLDAP supports filtered replication, if what is being referred to is using a search filter to limit what data gets replicated out. It has since OpenLDAP 2.2 (using syncrepl).

    (b) OpenLDAP 2.4 will have both MMR and HA master support.

    (c) Scalability -- OpenLDAP is flat-out the fastest, most scalable open-source directory server out there I've seen, and outdoes any non-opensource directory server I've benchmarked it against. I've worked on 150 million+ entry servers, and every other product tested flat out failed.
    Symas benchmarks has some example benchmarks, as well as Howard Chu's Scalex presentation.

    (d) As others noted, the FDS code-base is very old, and its database backend is quite frankly unreliable -- It and the old OpenLDAP LDBM backend came from the same place. There are a number of reasons OpenLDAP (i.e., Howard Chu) wrote the back-bdb and back-hdb backends, which have data integrity checking.

    (e) OpenLDAP 2.3 added support for back-config, which allows on-the-fly configuration changes. OpenLDAP 2.4 continues the development of back-config with full schema change support.

    (f) Zimbra's schema changes are all in the Zimbra schema files.

    (g) I'm working hard on getting the SVN tree made possible. I'm hoping within the next month or two, we'll have our SVN sync in place.

    For things that people feel FDS has that OpenLDAP doesn't, I encourage them to at least file an ITS on the issue. Outside of the admin GUI, however, there's not much I've seen that OpenLDAP doesn't already have, or have in a more fully fleshed out form.

    (*) My opinions are not necessarily shared by Zimbra, Inc.
    (**) I'm a member of the OpenLDAP development team.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc

  9. #19
    dijichi2 (OpenSource Builder & Moderator)

    Hi quanah

    I remember your name well from back in the days I used to lurk on the openldap list. Fantastic to see you are part of the Zimbra effort, great news.

    Quote Originally Posted by quanah
        (b) OpenLDAP 2.4 will have both MMR and HA master support.
    Woah! How long was I asleep, did hell freeze over?

    Thank you for working on the getting the svn tree back to us, look forward to it.

  10. #20
    quanah (Zimbra Employee)

    Quote Originally Posted by dijichi2
        Hi quanah

        Woah! How long was I asleep, did hell freeze over?
    No, Howard Chu found how to implement MMR via SyncRepl, addressing many of the concerns Kurt had about implementing MMR via the method FDS/Netscape/SunOne/iPlanet use.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
