LDAP Servers Summary

Last modified 23 Apr 2021 10:24 +02:00
OpenLDAP OpenDJ / Wren:DS 389ds Active Directory eDirectory

Connector

LDAP

LDAP

LDAP

AD (LDAP)

eDirectory

midPoint support

Works.
Supported out-of-box. Included in all midPoint subscriptions.

Works.
But due to the change in ForgeRock open source strategy it supported only for midPoint subscribers that got their subscription before December 2016.
(see note 1 below)

Works.
But only partially tested. Extra subscription is needed to support this resource.

Works.
Supported out-of-box. Included in all midPoint subscriptions.

Works with limitations. Extra subscription is needed to support this resource.

Details page

OpenLDAP

OpenDJ

389 Directory Server

Active Directory

eDirectory

LDAP standard compliance

[.green]#good compliance
#

good [.green]#compliance
#

some compliance issues

really BAD standard compliance

bad standard compliance

Entry ID Attribute

entryUuid

entryUuid

nsUniqueId

objectGUID

GUID

Account activation

none
(see note 3 below)

ds-pwp-account-disabled

nsAccountLock

userAccountControl

Group membership shortcut

memberOf (with overlay)

isMemberOf

memberOf

several

Livesync support

modifyTimestamp
(see note 4 below)

Retro changelog

Retro changelog - with limitations
(see note 5 below)

Active Directory DirSync control

none

referential integrity

yes (with overlay)

yes (with plugin)

yes

yes

License

OpenLDAP Public License

OpenDJ: Formally CDDL, but otherwise commercial.
Wren:DS: CDDL

GPL

Commercial

Commercial

Issues

Cannot disable accounts.
Difficult to manage.

OpenDJ: Licensing (fauxpen source)
Wren:DS: Small community, maintenance may be problematic.(see notes 1 and 2 below)

Very old technology (fork from iPlanet Alliance).
(see note 6 below)

Way too many issues to list

Many

Notes

  1. OpenDJ server was fully supported in the past. However, OpenDJ maintainer (ForgeRock) has changed its open source strategy. Therefore we are no longer allowed to get recent versions of OpenDJ for testing. Therefore we cannot make sure that recent OpenDJ versions work with midPoint. So, even though OpenDJ server is likely to work well with midPoint, it is no longer officially supported.

  2. Wren:DS is a fork of OpenDJ. Wren:DS is freely available under the terms of CDDL license. However, the Wren:DS development community is very small. There is almost no new development. However, Wren:DS may be supported with midPoint, if this is negotiated in the subscription contract.

  3. OpenLDAP has no easy way to disable an account. There are some workarounds that are using the ACI mechanism. But as far as we know there is no really good solution for this.

  4. OpenLDAP livesync support is currently available only by using the modifyTimestamp attribute. The approach generally works, but this is the minimal support possible. This method cannot detect deleted accounts. There is an option to implement livesync by using OpenLDAP syncrepl mechanism (RFC4533). However, this is not implemented yet.

  5. Livesync with 389 Directory Server (389ds) is using retro changelog method that is similar to Sun/Oracle DSEE servers and OpenDJ/Wren:DS servers. However, 389ds server is using very old version of the retro changelog. Some crucial data are missing. E.g. there is no entry unique identifier (nsUniqueId) of the deleted entry. Therefore the 389ds changelog does not work reliably in case that nsUniqueId is used as entry identifier. The changelog work reasonably well in case that DN is used as primary identifier. But in that case midPoint cannot reliably detect object renames.

  6. Overall, the 389ds is based on very old technology going back to early 2000s and it was only partially (but insufficiently) updated to recent LDAP standards. E.g. 389ds is still using nsUniqueId, while RFC4530 is specifying entryUUID attribute for that purpose. Almost all other LDAP servers have adopted entryUUID. But not 389ds server - albeit the fact that RFC4530 was published more than a decade ago.

Conclusion

This is a very difficult choice. It almost looks like there is no good LDAP server at all. All the servers have serious issues.