Subscribe, It's Free
Letters to the Editor
If you don't know the players, making a purchasing decision for an emerging technology can be little more than a coin toss. Clarify your options -- and cut through the hype -- with Cameron and Kathryn's incisive profile of the leading LDAP directory server vendors and their products. (2,400 words)
udging by our reader response mailbox, this is definitely the year of the directory. Our introduction to the Lightweight Directory Access Protocol (LDAP) in the July issue of SunWorld inspired more reader comments than any other piece we've done. As thanks for all your questions and corrections, this fall we'll publish two follow-up articles on LDAP. This month, we begin with a review of the directory server software released by those providers most closely linked with Sun hardware -- Innosoft, MessagingDirect, the Sun-Netscape Alliance, and the OpenLDAP Project.
Buying an LDAP server
Because LDAP defines a client/server data management system (DMS), a working LDAP system must have an LDAP server and client. These days, vendors largely distinguish themselves by the robustness, performance, and manageability of their server, and while Novell and Microsoft also have LDAP stories to tell, they're quite different from those we'll describe here. The point for now: Competition usually takes place between servers, while client-side utilities and software development kits (SDKs) are more "commoditized."
Lighting up LDAP: A programmer's guide to
directory development. Read the whole series!
Innosoft offers performance and service
Innosoft, founded in 1987, claims seniority for its directory technology. Since the company's inception, its engineers have coauthored more than 40 of the Internet Engineering Task Force (IETF) requests for comments (RFCs) that have standardized the Internet. Along with its own LDAP solutions (first released in 1994), Innosoft acquired Critical Angle Inc., a software company known for its directory expertise, in early 1998. Among the employees this acquisition brought to Innosoft was Mark Wahl, editor of the LDAP version 3 (LDAPv3) RFCs.
Innosoft competes with Netscape in the areas of performance and service, and because the LDAP domain is still so juvenile, performance is a difficult area to gauge. This means, among other things, that products frequently improve dramatically from one release to the next, and that quantitative measurements are unusually sensitive to environmental details -- schema organization, server tuning, hardware, and so on. The only practical first step a conscientious engineer can make in assessing performance is to explicitly identify his own requirements, then run experiments with evaluation copies of different LDAP servers. The field is still too poorly standardized to generalize tests run by someone else.
Our experience roughly supports Innosoft's claims: Innosoft bests Netscape in performance enough to satisfy such global-scale customers as MCI, Reuters, and Xerox. In particular, installations "can support thousands of concurrent clients and process over 500 search operations per second on low-end x86 hardware," according to Innosoft Marketing Manager David Knapke.
Innosoft also has an interesting portability profile. While Netscape has historically offered its products across a broad range of platforms -- its directory server, for example, is available for Windows NT, BSDI Internet Server 3.0, and Reliant Unix 5.43 -- Innosoft sells directory products for several platforms Netscape doesn't cover. Innosoft's historical success with research and educational organizations explains its commitment to OpenVMS. It also has strong offerings for x86 Linux and Solaris, unlike Netscape.
In contrast to Netscape, where support conversations have a "corporate" feel and working programmers are generally protected from outside distractions, customer calls to Innosoft can be quickly escalated, allowing technical service inquiries to connect with working engineers.
All vendors offer added values for their core directory servers, but Innosoft particularly emphasizes its proprietary "fallback multimaster replication" for high-availability installations. It also has management agents transported by either HTTP or SNMP, an LDAP proxy server for load-balancing and penetrating corporate firewalls, a gateway or "connector" to X.500, and a DirectoryPortal line. The latter integrates LDAPv3 and XML in a package aimed at the many commercial projects modeled on portal successes.
MessagingDirect: Committed to open standards
The MessagingDirect M-Directory Server is like most directory products in that it embeds the Sleepycat datastore, supports LDAPv3, is available for a range of platforms, incorporates several proprietary caching algorithms to improve performance, and has an impressive client list. MessagingDirect distinguishes itself, though, by the depth of its commitment to open standards -- M-Directory Server enables simultaneous usability by completely integrating both X.500 and LDAP interfaces. Its bundled Enterprise Directory Manager (EDM) for configuration of directory servers supports both GUI and command-line use, which makes it simultaneously easy to use and entirely scriptable. MessagingDirect also offers a Connectionless LDAP (CLDAP) server based on RFC 1798 for very high performance lookups.
According to MessagingDirect VP of Marketing Randy Richel, Messaging Direct is unique in at least two other regards: First, it offers source code licenses to its products at a surprisingly modest cost; and second, its server products have Tcl/Tk support. One consequence is that these products are dramatically extensible and scriptable, which enormously simplifies automation of such routine tasks as content validation and auditing.
MessagingDirect is perhaps best known for its strategic partnership with Sendmail Inc., because it supplies sendmail with POP3 and IMAP technologies and has plans to commercialize an LDAP-sendmail connection.
There is currently no trustworthy, single metric for performance, and it's very hard to compare licensing and support costs between different vendors. License fees can depend on the number of host servers, prospective and simultaneous clients, server hardware, and often on category of licensee -- educational institution, government, and so on. As with performance, you'll generally have to do your own research to estimate software prices usefully. Among the commercial vendors, MessagingDirect seems often to have the least expensive fees.
Richel is particularly proud of the M-Direct scalability demonstrated on large SGI servers for such customers as Texas A&M University and Mailboxes Etc. MessagingDirect also has a professional services team with expertise in sizing and specifying hardware and software solutions. As with Innosoft and Netscape, several MessagingDirect engineers have significant IETF credentials.
OpenLDAP progressing rapidly
For email transfer and HTTP service, open source products sendmail and Apache have emerged as sustainable market leaders. In this regard, LDAP's market is more like the relational database market, where commercial vendors such as Oracle and IBM dominate. However, the OpenLDAP Project seems to be gaining fast.
Kurt Zeilenga, owner of the Net Boolean Inc. consultancy, launched the OpenLDAP Project just last summer, with version 1.0 released in August 1998. While that LDAP server was useful for special applications, it was also fragile, poorly documented, and generally demanded arcane wizardry for installation and operation. Improvements over the last year inspired Zeilenga to say, "I am amazed every day at how hard our volunteers work ... OpenLDAP 1.2 is a robust and stable LDAPv2 implementation. OpenLDAP 2.0, the project's LDAPv3 implementation, is currently available for 'alpha' testing."
We've found that version 2 of OpenLDAP is adequate for many first projects, but version 3's enhanced functionality makes it the right choice for enterprise-scale work. (We'll explain the differences between versions in Part 3 of this series.)
Zeilenga acknowledges that commercial "vendors have worked hard to optimize their software for speed and scalability. We are doing a lot of work in this area and foresee significant gains to be made in the near future." However, OpenLDAP currently has an advantage over commercial offerings due to the flexibility of its backend. Interfaces are freely available for a variety of datastores, including the Berkeley and GNU database managers.
The OpenLDAP Project has the reputation of being very sophisticated in its source code version control and fault-tracking systems, functions that appear to be very efficient. Zeilenga's customer-orientation also is refreshing. In our conversations, he repeated, "I think the LDAP community will be the long-term winner. OpenLDAP exists to fulfill the needs of its users. As we close the gap on feature support (which we will), this will spur further advancement by vendors ... OpenLDAP was invented out of need, it exists out of need, and it will continue to be enhanced and maintained out of need." Zeilenga's also realistic enough to recognize that OpenLDAP's biggest deficiency is "probably our documentation. We need to attract more technical writers to our volunteer team, or attract funding to produce better documentation."
Oracle fills in its product line
Oracle offers an LDAP gateway for the Oracle relational database management system (RDBMS). Its strategic position is easy to describe: if you're constrained by a nontechnical dimension to store directory information in Oracle, you should buy the Oracle LDAP gateway; if not, use a specialized LDAP product. The mismatch between Oracle's RDBMS and LDAP is great enough that the best LDAP servers will always outperform Oracle's gateway.
Sun allies with Netscape
SunWorld reader Kevin Streater rightly questioned why the first part of this series gave no mention to Sun Directory Services, which comes free with Solaris 7. The answer is simple: the long-term prospects for Sun Directory Services were cloudy. They've since become clearer.
Earlier this year Sun and Netscape combined to create the Sun-Netscape Alliance, a strategic partnership providing enterprise-class software and services based on technology from both entities. The Alliance's directory server product, for example, is almost entirely derived from the Netscape Directory Server. Sun-derived functionality mostly appears in the "Directory Extensions for Solaris" package, which includes the Network Information Services (NIS) gateway and Remote Authentication Dial-In User Service (RADIUS) server. This package will ship with the Sun Easy Access Server as well as Solaris 8.
The Alliance Directory Server is also noteworthy as the Alliance's first collaborative product. Born at release 4.1, it replaces 4.0 of the Netscape Directory Server and 3.1 of Sun's Directory product.
We have two strong impressions of the 4.1 Directory Server. First, it's going to take a few months for both vendors and customers to learn the vocabulary. Just as questions about SunOS versus Solaris still pop up, Alliance representatives will have a lot of practice answering questions about who, exactly, is doing what. iPlanet is the brand for Alliance products, but the iPlanet Web site still labels the product the "Netscape Directory Server" as of late August. Only dedicated and well-informed prospective customers will be able to make much progress at this time.
The Alliance is tilted heavily in the direction of "new economy" ecommerce. While the Alliance picks up Netscape's support for such programmer conveniences as source and binary SDKs for C, Java, and Perl, the iPlanet Directory Server isn't available for x86 Solaris. On the other hand, it's good to see that the Alliance has added (Red Hat) Linux to Netscape's platform range. Internal enterprise application development is secondary to selling to ISPs and ASPs. Rather than focusing on the engineering community, which has been a traditional stronghold of goodwill for Sun, the Alliance emphasizes integration with other services. Its directory server is now bundled with the Sun Internet Mail Server (SIMS). The Alliance also plans customizations based on a metadirectory product, which will facilitate integration with enterprise resource planning (ERP) products such as those PeopleSoft sells.
There's enough technical strength in the iPlanet product to support these strategic deals. Michael Mullany, Alliance director of product management for directory and security products justly asked us to love iPlanet for its plugins, which is to say the iPlanet directory server exposes a proprietary architecture, making it possible to define pre- and post-operation routines to customize server access. The server now supports all of LDAPv3, except for technical aspects of mod_dm(). Search filter performance is good, and the server implements advanced password and dynamic access controls that large-scale users like Ford and Lehman Brothers find useful. Moreover, the Alliance employs the people who "wrote the book" on LDAP. Just as Netscape was largely founded by the University of Illinois team that first programmed Mosaic, it also hired the authors of the first reference LDAP implementations and the first published references.
Perhaps most important for the Alliance's target markets is the success of its professional services organization, which has broad experience in implementing turnkey solutions that respect the bottom line. Netscape may have been the leading vendor of directory products, but for the Alliance, LDAP is just one element in its aim to hit far higher on the "value-added" hierarchy.
Making a decision
Which LDAP server is right for you? Your circumstances should simplify the decision greatly. If you need source code, consider Innosoft or OpenLDAP. To maintain a relationship with your existing ecommerce vendor, turn to iPlanet or MessagingDirect. Don't worry too much about a suboptimal decision though; all the servers stay close to published standards, so if you have to change vendors someday, porting your data and code will be relatively straightforward.
Looking forward and back
The first article in this series recommended recent Web browsers as handy LDAP clients for beginners. As we explained earlier, RFC 2255 describes a URL pattern, "LDAP://". Communicator 4.61 does not support this protocol on at least some versions of Unix. We're still working to inventory exactly which different releases work properly. Your choices: upgrade to a more recent release; move to a client platform that is better-supported by Netscape; or wait for Part 3 of this series, where we'll further explain programming client-side LDAP applications. We'll also demystify the rudiments of LDAP schema design.
About the author
Cameron Laird and Kathryn Soraiz manage their own software consultancy, Network Engineered Solutions, from just outside Houston, TX.
Advertisement: Support SunWorld, click here!
|Resources and Related Links|
|Tell Us What You Thought of This Story|
If you have technical problems with this magazine, contact email@example.com