LDAP Servers Summary
| OpenLDAP | OpenDJ / Wren:DS | 389ds | Active Directory | eDirectory | |
|---|---|---|---|---|---|
Connector |
|||||
midPoint support |
Works. |
Works. |
Works. |
Works. |
Works with limitations. Extra subscription is needed to support this resource. |
Details page |
|||||
LDAP standard compliance |
[.green]#good compliance |
good [.green]#compliance |
some compliance issues |
really BAD standard compliance |
bad standard compliance |
Entry ID Attribute |
entryUuid |
entryUuid |
nsUniqueId |
objectGUID |
GUID |
Account activation |
none |
|
|
|
|
Group membership shortcut |
|
|
memberOf |
several |
|
Livesync support |
modifyTimestamp |
Retro changelog |
Retro changelog - with limitations |
Active Directory DirSync control |
none |
referential integrity |
yes (with overlay) |
yes (with plugin) |
yes |
yes |
|
License |
OpenLDAP Public License |
OpenDJ: Formally CDDL, but otherwise commercial. |
GPL |
Commercial |
Commercial |
Issues |
Cannot disable accounts. |
OpenDJ: Licensing (fauxpen source) |
Very old technology (fork from iPlanet Alliance). |
Way too many issues to list |
Many |
Notes
-
OpenDJ server was fully supported in the past. However, OpenDJ maintainer (ForgeRock) has changed its open source strategy. Therefore we are no longer allowed to get recent versions of OpenDJ for testing. Therefore we cannot make sure that recent OpenDJ versions work with midPoint. So, even though OpenDJ server is likely to work well with midPoint, it is no longer officially supported.
-
Wren:DS is a fork of OpenDJ. Wren:DS is freely available under the terms of CDDL license. However, the Wren:DS development community is very small. There is almost no new development. However, Wren:DS may be supported with midPoint, if this is negotiated in the subscription contract.
-
OpenLDAP has no easy way to disable an account. There are some workarounds that are using the ACI mechanism. But as far as we know there is no really good solution for this.
-
OpenLDAP livesync support is currently available only by using the modifyTimestamp attribute. The approach generally works, but this is the minimal support possible. This method cannot detect deleted accounts. There is an option to implement livesync by using OpenLDAP syncrepl mechanism (RFC4533). However, this is not implemented yet.
-
Livesync with 389 Directory Server (389ds) is using retro changelog method that is similar to Sun/Oracle DSEE servers and OpenDJ/Wren:DS servers. However, 389ds server is using very old version of the retro changelog. Some crucial data are missing. E.g. there is no entry unique identifier (nsUniqueId) of the deleted entry. Therefore the 389ds changelog does not work reliably in case that nsUniqueId is used as entry identifier. The changelog work reasonably well in case that DN is used as primary identifier. But in that case midPoint cannot reliably detect object renames.
-
Overall, the 389ds is based on very old technology going back to early 2000s and it was only partially (but insufficiently) updated to recent LDAP standards. E.g. 389ds is still using nsUniqueId, while RFC4530 is specifying entryUUID attribute for that purpose. Almost all other LDAP servers have adopted entryUUID. But not 389ds server - albeit the fact that RFC4530 was published more than a decade ago.
Conclusion
This is a very difficult choice. It almost looks like there is no good LDAP server at all. All the servers have serious issues.