Mont Rothstein
2006-Apr-14 20:57 UTC
[Fedora-directory-users] How interchangeable are ldap server?
We have a Windows app that uses an LDAP server for authentication.

For our clients that don't already have an LDAP server we provide FDS. However many of our clients already have an LDAP server (AD, Novell, IBM, Oracle).

How interchangeable are LDAP servers? Are we likely to be able to just talk to any server, or will we need custom code for each?

In addition to authentication we plan to create and assign roles, and possibly use a small custom schema.

Any information or pointers to information on this would be appreciated. I couldn't find anything via Google.

Thanks,
-Mont
Felipe Alfaro Solana
2006-Apr-14 21:08 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
> For our clients that don't already have an LDAP server we provide FDS.
> However many of our clients already have an LDAP server (AD, Novell,
> IBM, Oracle).

I guess the answer is it depends. Does your application use standard LDAPv3 methods and operations? Does your application use some wrapping APIs or classes?
George Holbert
2006-Apr-14 21:18 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
I doubt you'll need much custom code for the basics. But you'll need to be aware of vendor-specific features and schema, and not rely on those in your app, if you want it to work the same on any server.
Mont Rothstein
2006-Apr-14 23:32 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
The short answer is that the directory server integration portion of our app is not yet written; I should have said "will use". The app is written in C#.NET, so we'll be using some sort of .NET wrapper. We had not planned on writing raw LDAP.

-Mont
Mont Rothstein
2006-Apr-14 23:35 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
Just to be clear, when you say "much custom code" do you mean none if I am careful, or a little? This can obviously be a big difference since even testing a small number of changes against all the LDAP servers we might have to talk to could be a large task.

Thanks,
-Mont
David Boreham
2006-Apr-15 01:50 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
Mont Rothstein wrote:
> Just to be clear, when you say "much custom code" do you mean none if
> I am careful, or a little? This can obviously be a big difference
> since even testing a small number of changes against all the LDAP
> servers we might have to talk to could be a large task.

It's a bit like the situation with RDBMS servers, but quite a bit better (because the on-the-wire protocol and a significant proportion of schema are standardized). The differences primarily are in things like how to create indices, extend schema (those are different for each server). Many applications don't need to do those things, and they tend to 'just work' with all LDAP servers.

If you're serious about your product's quality I _would_ advise doing some testing with every LDAP server that you intend to claim support for.

Active Directory is often the most oddball. Many of the other LDAP servers share a common heritage and therefore the differences are less pronounced.
Mont Rothstein
2006-Apr-15 02:38 UTC
Re: [Fedora-directory-users] How interchangeable are ldap server?
Thanks for the insight. Unfortunately in a small company it doesn't always come down to how "serious" you are about quality, but a harsh reality of limited resources. We would of course choose to test every LDAP server out there (because our clients will surely have them all), but that will not be a reality in the near future. We will be actively using and testing FDS and AD, so hopefully if we work with those two generically we won't get bit by one of the others.

-Mont
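
Added example, not part of the thread and not code from any poster: one way to keep authentication on standard LDAPv3 operations (search, then simple bind) while holding the vendor-specific schema names in data, here for the two servers the last message says will be tested. The profile values (`uid`/`inetOrgPerson`, `sAMAccountName`/`user`) are assumed common defaults, and all function and class names are hypothetical.

```python
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class DirectoryProfile:
    login_attr: str   # attribute holding the name the user types at login
    user_class: str   # objectClass used to restrict the search to user entries


# Assumed defaults; real deployments vary, so load these from configuration.
PROFILES = {
    "fds": DirectoryProfile(login_attr="uid", user_class="inetOrgPerson"),
    "ad": DirectoryProfile(login_attr="sAMAccountName", user_class="user"),
}


@dataclass(frozen=True)
class SearchPlan:
    base_dn: str
    scope: str
    filter: str
    attributes: tuple  # ("1.1",) asks for no attributes (RFC 4511), only the DN


def plan_user_lookup(profile_key: str, base_dn: str, login: str) -> SearchPlan:
    """Step 1: build the same standard search for every server type."""
    if not login:
        raise ValueError("login name is empty")
    p = PROFILES[profile_key]
    flt = f"(&(objectClass={p.user_class})({p.login_attr}={escape_filter_value(login)}))"
    return SearchPlan(base_dn, "subtree", flt, ("1.1",))


def choose_bind_dn(found_dns: list, password: str) -> str:
    """Step 2: decide which DN to simple-bind as, or refuse."""
    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513 section 5.1.2) and may succeed without checking anything.
    if password == "":
        raise ValueError("empty password rejected before bind")
    if len(found_dns) != 1:
        raise LookupError("login must match exactly one entry")
    return found_dns[0]
```

The .NET wrapper would execute the `SearchPlan` and then bind with the returned DN and the user's password; only the `PROFILES` table changes per server.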