Greetings !!
Before going for Fedora Directory Server, I thought of going
through the feature list to see what all additional features
are supported when compared to OpenLDAP.
Though the feature list and FAQ say about many features
supported by Fedora Directory Server (like multi-master
replication, nested roles, cascading using hubs etc), they
don't provide information about some common features that
are supported by OpenLDAP. Some of such features include,
support for SNMP, password hashing, support of LDAP search
filters such as presence, equality, inequality, sub-string,
approximate and boolean operators, support for consumer-
initiated replication, support for supplier-initiated
replication, support for Digital certificates, support for
XMLDAP gateway and whether the Directory server support
XML for integration with external applications. XML and
XMLDAP are not supported by OpenLDAP too, I believe.
Maybe most of the above features were trivial to the
Directory Server; but still, I would like to know whether
these features are supported before going for Fedora
Directory Server.
Can anyone please help ?
Note: I am not a member of this mailing list; kindly put
a CC to me.
- Dinil
Dinil Divakaran wrote:
> Greetings !!
>
> Before going for Fedora Directory Server, I thought of going through
> the feature list to see what all additional features
> are supported when compared to OpenLDAP.
>
> Though the feature list and FAQ says about many features
> supported by Fedora Directory Server (like multi-master replication,
> nested roles, cascading using hubs etc), they

http://directory.fedora.redhat.com/wiki/Features

> don't provide information about some common features that
> are supported by OpenLDAP. Some of such features include,

All of these features and more are documented here -
http://www.redhat.com/docs/manuals/dir-server/
A quick glance at the table of contents for these docs will give you a
lot of information about these and many more features.

> support for SNMP,

Yes.

> password hashing,

Yes - crypt, SHA, SSHA, and (new in Fedora DS) MD5.

> support of LDAP search
> filters such as presence, equality, inequality, sub-string,
> approximate and boolean operators,

Yes.

> support for consumer-
> initiated replication,

Not exactly. However, Fedora DS can be configured to have a searchable
changelog (cn=changelog) which can be polled periodically. In addition,
FDS supports persistent search.

> support for supplier-initiated
> replication,

Yes.

> support for Digital certificates,

Yes. Clients can use certificates to authenticate to FDS, and admins can
configure mapping the cert subject DN to the user's LDAP entry.

> support for
> XMLDAP gateway and whether the Directory server support
> XML for integration with external applications.

I think you mean DSMLv2. Yes, FDS includes a DSMLv2 gateway.

> XML and
> XMLDAP are not supported by OpenLDAP too, I believe.
>
> May be most of the above features were trivial to the
> Directory Server; but still, I would like to know whether
> these features are supported before going for Fedora Directory Server.
>
> Can anyone please help ?
>
> Note: I am not a member of this mailing list; kindly put
> a CC to me.
>
> - Dinil
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
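The search-filter kinds Dinil asks about (presence, equality, inequality, sub-string, approximate and the boolean operators) are the LDAPv3 filter forms of RFC 2254, which the reply above confirms Fedora DS supports. As an added illustration that is not part of this thread and not code from Fedora DS, the following Python parses each of those forms and evaluates them against a small constructed in-memory directory. The sample entries, the function names, and the simplified approximate-match rule are this example's own assumptions. The `escape_filter_value` helper is the piece an application developer assembling filters from user-supplied values needs: it makes a value containing `*`, `(` or `)` match literally rather than being read as filter syntax.

```python
"""Parse and evaluate RFC 2254 LDAP search filters against in-memory entries."""
import re

# Characters that must be escaped when a value is placed inside a filter string.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}
_ITEM_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(~=|>=|<=|=)(.*)$", re.S)

def escape_filter_value(value):
    """Escape an assertion value so it matches literally instead of as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Return a tuple tree for a filter string; raise ValueError on malformed input."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter at offset %d" % pos)
    return node

def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos] if pos < len(text) else ""
    if op in ("&", "|"):  # boolean AND / OR over a list of filters
        pos, children = pos + 1, []
        while pos < len(text) and text[pos] != ")":
            child, pos = _parse(text, pos)
            children.append(child)
        if pos >= len(text):
            raise ValueError("unterminated boolean filter")
        return ("and" if op == "&" else "or", children), pos + 1
    if op == "!":  # boolean NOT over exactly one filter
        child, pos = _parse(text, pos + 1)
        if pos >= len(text) or text[pos] != ")":
            raise ValueError("unterminated NOT filter")
        return ("not", child), pos + 1
    end = text.find(")", pos)  # an escaped ')' appears as \29, so this is the item end
    if end < 0:
        raise ValueError("unterminated filter item")
    m = _ITEM_RE.match(text[pos:end])
    if not m:
        raise ValueError("malformed filter item %r" % text[pos:end])
    attr, kind, value = m.group(1).lower(), m.group(2), m.group(3)
    if kind == "=" and value == "*":
        return ("present", attr), end + 1
    if kind == "=" and "*" in value:  # initial*any*...*final, each piece unescaped
        return ("substring", attr, [_unescape(p) for p in value.split("*")]), end + 1
    names = {"=": "equality", "~=": "approx", ">=": "ge", "<=": "le"}
    return (names[kind], attr, _unescape(value)), end + 1

def _matches_substring(pieces, value):
    v, initial, final = value.lower(), pieces[0].lower(), pieces[-1].lower()
    if len(v) < len(initial) + len(final) or not v.startswith(initial) or not v.endswith(final):
        return False
    cursor, limit = len(initial), len(v) - len(final)
    for piece in pieces[1:-1]:  # the "any" pieces must appear in order between the ends
        idx = v.find(piece.lower(), cursor, limit)
        if idx < 0:
            return False
        cursor = idx + len(piece)
    return True

def _ordering_pair(a, b):
    """Compare as integers when both sides are numeric, else case-insensitively as text."""
    try:
        return int(a), int(b)
    except ValueError:
        return a.lower(), b.lower()

def _approx_key(s):
    # Servers use a phonetic algorithm for '~='; this example's simplification (an
    # assumption, not server behaviour) ignores case, whitespace and punctuation.
    return re.sub(r"[^a-z0-9]", "", s.lower())

def evaluate(node, entry):
    """entry: dict of lowercase attribute name -> list of string values."""
    kind = node[0]
    if kind == "and":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "or":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "not":
        return not evaluate(node[1], entry)
    values = [str(v) for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "equality":
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "substring":
        return any(_matches_substring(node[2], v) for v in values)
    if kind == "approx":
        return any(_approx_key(v) == _approx_key(node[2]) for v in values)
    for v in values:  # "ge" / "le": inequality against each value of the attribute
        a, b = _ordering_pair(v, node[2])
        if (a >= b) if kind == "ge" else (a <= b):
            return True
    return False

# Constructed sample directory for the demonstration (not data from the thread).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["alice"],
        "cn": ["Alice Liddell"], "mail": ["alice@example.com"], "uidnumber": ["1001"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["bob"],
        "cn": ["Bob Stone"], "uidnumber": ["1002"], "description": ["Contractor (external)"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["carol"],
        "cn": ["Carol Smith"], "mail": ["carol@example.com"], "uidnumber": ["1003"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectclass": ["groupOfNames"],
        "cn": ["admins"], "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}

def search(filter_text, entries=ENTRIES):
    """Return the sorted DNs of entries matching the filter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if evaluate(node, entry))
```

`search("(&(objectClass=person)(!(mail=*)))")` returns only Bob's DN, the one person entry with no mail attribute, and `search("(description=%s)" % escape_filter_value("Contractor (external)"))` finds him by a value whose parentheses would otherwise break the filter.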
Dinil Divakaran wrote:
> Greetings !!

Greetings,

> Before going for Fedora Directory Server, I thought of going through the
> feature list to see what all additional features
> are supported when compared to OpenLDAP.

The list is long :-)

> Though the feature list and FAQ says about many features
> supported by Fedora Directory Server (like multi-master replication,
> nested roles, cascading using hubs etc), they
> don't provide information about some common features that
> are supported by OpenLDAP. Some of such features include,
> support for SNMP,

Supported.

> password hashing,

Supported hashes are Crypt, SHA, and Salted SHA.

> support of LDAP search
> filters such as presence, equality, inequality, sub-string, approximate
> and boolean operators,

This is part of the LDAPv3 standard.

> support for consumer-
> initiated replication,

Fedora DS does not support SyncRepl, if that's what you are asking.

> support for supplier-initiated
> replication,

Supported in single-master and multi-master replication models.

> support for Digital certificates,

Supported for 8 years already.

> support for
> XMLDAP gateway and whether the Directory server support
> XML for integration with external applications. XML and
> XMLDAP are not supported by OpenLDAP too, I believe.

DSML is the standardized markup language for LDAP, and this is supported
in Fedora DS via the included DSML gateway process (java process).

Fedora DS is a direct and immediate descendant of the Netscape DS, which
was the first commercial LDAPv2 implementation in the world. Now it's at
LDAPv3. Netscape invented most of these features, and OpenLDAP project
started in 1999 to basically try to implement the core server and some
of these Netscape features.

If you ask me, the only real benefit to using OpenLDAP today is the
abundance of strange backends, e.g. if you want to make a really special
purpose LDAP server. You can make a directory out of just about any
arbitrary data source, etc.
Writing backends for Fedora DS is also possible, but there aren't too
many available at the moment.

Mike
--
LDAP Directory Consulting - http://www.netauth.com
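Both replies above answer the password-hashing question with a list of schemes, and Mike's names Crypt, SHA and Salted SHA. As an added example that is not code from this thread, from Fedora DS or from OpenLDAP, the following Python generates and verifies userPassword values in the {SHA} and {SSHA} storage form (scheme prefix, then base64 of the SHA-1 digest, with the salt appended to the digest for SSHA) and shows why the salted form is the one to prefer: two accounts that share a password get identical {SHA} values but different {SSHA} values, so the stored values do not reveal the reuse. Function names and the sample passwords are this example's own.

```python
"""Generate and verify LDAP userPassword values in the {SHA} and {SSHA} schemes."""
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it in an {SSHA} value is the salt


def sha_userpassword(password):
    """Unsalted {SHA}: identical passwords always produce identical stored values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_userpassword(password, salt=None):
    """Salted {SSHA}: base64(sha1(password + salt) + salt), with a fresh random salt per call."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password, stored):
    """Check a candidate password against a stored {SHA} or {SSHA} value.

    hmac.compare_digest keeps the comparison time independent of where the
    first differing byte sits."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {scheme} prefix")
    scheme, _, payload = stored[1:].partition("}")
    raw = base64.b64decode(payload)
    pw = password.encode("utf-8")
    if scheme.upper() == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]  # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError("unsupported password scheme %r" % scheme)


def salt_hides_shared_passwords(password):
    """True when two users with the same password get different {SSHA} values
    but identical {SHA} values: the salt is what keeps reuse from being visible."""
    same_sha = sha_userpassword(password) == sha_userpassword(password)
    different_ssha = ssha_userpassword(password) != ssha_userpassword(password)
    return same_sha and different_ssha
```

A verifier has to read the salt back out of the stored value, which is why it sits after the digest inside the base64 payload rather than in a separate attribute; any scheme the code does not know is rejected instead of being compared as plaintext.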
> Fedora DS is a direct and immediate descendant of the Netscape DS,
> which was the first commercial LDAPv2 implementation in the world. Now
> it's at LDAPv3. Netscape invented most of these features, and OpenLDAP
> project started in 1999 to basically try to implement the core server
> and some of these Netscape features.

Actually OpenLDAP began with the old UMich code, which was
also the basis for the Netscape server code. The two share a single
common ancestor.

> If you ask me, the only real benefit to using OpenLDAP today is the
> abundance of strange backends, e.g. if you want to make a really
> special purpose LDAP server. You can make a directory out of just
> about any arbitrary data source, etc. Writing backends for Fedora DS
> is also possible, but there aren't too many available at the moment.

Because of the common heritage, the back end plugin interface
is similar (but certainly not identical) to that of OpenLDAP.
So it might be not too hard to port a backend written for
OpenLDAP's server to FDS.
Thanks for the help guys !

So, does this mean that Fedora DS includes every feature in
Netscape DS and Redhat DS ?

I couldn't still find whether Fedora DS supports these features
too:

* automatic, on-line directory replication
* Java and C/C++ SDK
* horizontal and vertical scalability

I was actually comparing the features with SUN's DS. It has
most of the features that I require; but if everything that SUN
supports is found in Fedora DS, then why waste money :) !

- Dinil

On Mon, 20 Jun 2005, Mike Jackson wrote:
Dinil Divakaran wrote:
> Thanks for the help guys !
>
> So, does this mean that Fedora DS includes every feature in
> Netscape DS and Redhat DS ?

Yes. Red Hat bought Netscape DS and renamed it Red Hat DS. They also
released the source code and created the open source Fedora DS project.
So, for now, Netscape DS == Red Hat DS == Fedora DS. See
http://directory.fedora.redhat.com/wiki/FAQ#How_is_Fedora_Directory_Server_different_from_iPlanet_and_Sun_Directory_Server.3F

> I couldn't still find whether Fedora DS supports these features
> too:
>
> * automatic, on-line directory replication

I'm not sure what you mean by this. Could you explain this more?

> * Java and C/C++ SDK

Yes. The Mozilla LDAP C and Java SDKs are included with the binary
distribution, as well as PerLDAP.

> * horizontal and vertical scalability

Scalability: thousands of operations per second, tens of thousands of
concurrent users, tens of millions of entries, hundreds of gigabytes of
data

> I was actually comparing the features with SUN's DS. It has
> most of the features that I require; but if everything that SUN
> supports is found in Fedora DS, then why waste money :) !

The features of Fedora DS are very, very similar to Sun DS, because up
until late 2001 they had the same code base.

> - Dinil
>
> On Mon, 20 Jun 2005, Mike Jackson wrote:
Dinil Divakaran wrote:
> Thanks for the help guys !
>
> So, does this mean that Fedora DS includes every feature in
> Netscape DS and Redhat DS ?

Pretty much yes. There were one or two little used features in later
Netscape DS versions that have been removed, but nothing significant.

> I couldn't still find whether Fedora DS supports these features
> too:
>
> * automatic, on-line directory replication

Yes.

> * Java and C/C++ SDK

The SDK isn't per se part of the server, but the former Netscape C and
Java SDK code is used heavily in the server. It's available from the
Mozilla Directory project (open source).

> * horizontal and vertical scalability
>
> I was actually comparing the features with SUN's DS. It has
> most of the features that I require; but if everything that SUN
> supports is found in Fedora DS, then why waste money :) !

Sun and Fedora DS are very similar. They were the same product until a
few years ago when the code forked.
>> * automatic, on-line directory replication
>
> I'm not sure what you mean by this. Could you explain this more?

Basically, online replication (not backup).
Dinil Divakaran wrote:
>>> * automatic, on-line directory replication
>>
>> I'm not sure what you mean by this. Could you explain this more?
>
> Basically, online replication (not backup).

Yes. Fedora DS is fully automatic and on-line. You just have to create
the replication agreement, then initialize the consumer (on-line or
off-line), then everything is fully automated from that point on. The
replication protocol is supplier initiated. The protocol is robust
despite unreliable networks - it will automatically resync after network
restoration, and the protocol has been optimized to maximize WAN network
bandwidth and latency.
David Boreham wrote:
> Actually OpenLDAP began with the old UMich code, which was
> also the basis for the Netscape server code. The two share a single
> common ancestor.

Well, yes :-) But what I meant was that back there in 1999, the Netscape
DS package was already far more advanced than the UM snapshot that the
OpenLDAP project started with, and they still haven't quite caught up in
my opinion. They didn't even support LDAPv3 until 2002, iirc.

> Because of the common heritage, the back end plugin interface
> is similar (but certainly not identical) to that of OpenLDAP.
> So it might be not too hard to port a backend written for
> OpenLDAP's server to FDS.

Oh god, not the back-sql! I just know that somebody's itching to do it.

Actually, I remember about 3 years ago on the OL list, somebody from HP
contributed code for OL to support the Netscape plugin API.

--
Mike
On Mon, 20 Jun 2005, Rich Megginson wrote:
>> * horizontal and vertical scalability
>
> Scalability: thousands of operations per second, tens of thousands of
> concurrent users, tens of millions of entries, hundreds of gigabytes of data

and if we have hundreds of thousands of users, is it possible to
partition into multiple repositories for scalability; instead of
having just one repository ?

- Dinil
Dinil Divakaran wrote:
> On Mon, 20 Jun 2005, Rich Megginson wrote:
>>> * horizontal and vertical scalability
>>
>> Scalability: thousands of operations per second, tens of thousands of
>> concurrent users, tens of millions of entries, hundreds of gigabytes
>> of data
>
> and if we have hundreds of thousands of users, is it possible to
> partition into multiple repositories for scalability; instead of
> having just one repository ?

Yes. You can split up the data into different suffixes and databases on
a single server (analogous to Novell "partitions" if you are familiar
with those), or you can use chaining to have multiple servers host the
data, and you can use entry distribution to distribute the entries in a
single suffix among multiple servers.

> - Dinil
In the features list, it's written:

"Support for most LDAPv3 features, including many common controls and
extensions."

Is there any list of LDAPv3 features that are not supported by Fedora DS ?

On Mon, 20 Jun 2005, Mike Jackson wrote:
Dinil Divakaran wrote:
> In the features list, its written:
>
> "Support for most LDAPv3 features, including many common controls and
> extensions."
>
> Is there any list of LDAPv3 features that are not supported by Fedora DS ?

I don't know the list of unsupported features, but I guess that you
could count it on one hand, and that none of them are required features.

If the server is LDAPv3 compliant, it correctly implements all MUST,
REQUIRED, and SHALL requirements from RFC 2251.

--
mike
On 6/22/05, Mike Jackson <mj@sci.fi> wrote:
> Dinil Divakaran wrote:
>>
>> In the features list, its written:
>>
>> "Support for most LDAPv3 features, including many common controls and
>> extensions."
>>
>> Is there any list of LDAPv3 features that are not supported by Fedora DS ?
>
> I don't know the list of unsupported features, but I guess that you
> could count it on one hand, and that none of them are required features.
>
> If the server is LDAPv3 compliant, it correctly implements all MUST,
> REQUIRED, and SHALL requirements from RFC 2251.

What about RFC 2829?

Sam
Sam Tran wrote:
> On 6/22/05, Mike Jackson <mj@sci.fi> wrote:
>> If the server is LDAPv3 compliant, it correctly implements all MUST,
>> REQUIRED, and SHALL requirements from RFC 2251.
>
> What about RFC 2829?

A server doesn't have to implement RFC 2829 to be LDAPv3 compliant.

Anyway, FDS implements almost all of those, like Start TLS, X.509
certificate authentication, and SASL. I am guessing that the DIGEST-MD5
authentication method is not supported, but I'm not certain.

--
mike
Mike Jackson wrote:
> Sam Tran wrote:
>> On 6/22/05, Mike Jackson <mj@sci.fi> wrote:
>>> If the server is LDAPv3 compliant, it correctly implements all MUST,
>>> REQUIRED, and SHALL requirements from RFC 2251.
>>
>> What about RFC 2829?
>
> A server doesn't have to implement RFC 2829 to be LDAPv3 compliant.
>
> Anyway, FDS implements almost all of those, like Start TLS, X.509
> certificate authentication, and SASL. I am guessing that the
> DIGEST-MD5 authentication method is not supported, but I'm not certain.

Yes. DIGEST-MD5 is required. Fedora DS supports it.

> --
> mike
Dinil Divakaran wrote:
> and if we have hundreds of thousands of users, is it possible to
> partition into multiple repositories for scalability; instead of
> having just one repository ?

Yes, but O(100k) users is a very small number in the context of what
we'd call a 'large deployment'. When we do performance testing the
minimum size we test is 100,000.

Typically one sees partitioning used only at the 10's of millions of
entries level.
David Boreham wrote:
> Yes, but O(100k) users is a very small number in the context of
> what we'd call a 'large deployment'. When we do performance testing
> the minimum size we test is 100,000.
>
> Typically one sees partitioning used only at the 10's of millions of
> entries level.

Or for reasons of geographical namespace distribution, which is very
common in multi-city / multi-country organizations.

BTW, what is the largest number of bind operations that you have been
able to accomplish against a single server in a 24 hour period?

--
mike
On Mon, 20 Jun 2005, Mike Jackson wrote:
> Fedora DS does not support SyncRepl, if that's what you are asking.

Does SyncRepl mean keeping replicas in sync (say by enforcing
Replication updates) ? If so, this is an important feature that needs
to be supported, right ?
Dinil Divakaran wrote:
> On Mon, 20 Jun 2005, Mike Jackson wrote:
>> Fedora DS does not support SyncRepl, if that's what you are asking.
>
> Does SyncRepl mean keeping replicas in sync (say by enforcing
> Replication updates) ?

SyncRepl is the OpenLDAP replication mechanism. It is strictly consumer
initiated and works like a persistent search with an update cookie.
Fedora DS does not support this, so you cannot, for example, set up
replication between OpenLDAP and Fedora DS using this mechanism.

> If so, this is an important feature that need to be supported, right ?

No. Fedora DS replication provides all of the sync you need for server
to server. Fedora DS provides a legacy changelog and persistent search
for more "lightweight" client sync applications.
Dinil Divakaran wrote:
> Does SyncRepl mean keeping replicas in sync (say by enforcing
> Replication updates) ?

It is just a new type of replication protocol, which is at the moment
only supported by OpenLDAP. It is supposed to be more resistant to
problems which occur after there has been long downtime between
replicas, and is very suitable for e.g. synchronizing directories for
offline usage (laptops).

> If so, this is an important feature that need to be supported, right ?

http://www.openldap.org/doc/admin22/syncrepl.html

I would certainly like to see a compatible replication protocol between
OpenLDAP and FDS. I guess this could be implemented as a plugin...

Mike
--
LDAP Directory Consulting - http://www.netauth.com
Note that there are a lot of issues with replicating data between
dissimilar ldap implementations, and always will be until things like
access control is standardized. Even if I could replicate my data to
openldap, it would not honor the fds aci's, which would result in
unexpected/unwanted results.

- Jeff

Mike Jackson wrote:
Jeff Clowser wrote:
> Note that there are a lot of issues with replicating data between
> dissimilar ldap implementations, and always will be until things like
> access control is standardized. Even if I could replicate my data to
> openldap, it would not honor the fds aci's, which would result in
> unexpected/unwanted results.

Good point. OpenLDAP does support ACIs, but it is listed as
experimental, and you have to explicitly enable it at configure time.

Still, I don't know if the ACI syntax and evaluation algorithms in OL
and FDS are similar or not.

BR,
--
mike
Mike Jackson wrote:
> Jeff Clowser wrote:
>> Note that there are a lot of issues with replicating data between
>> dissimilar ldap implementations, and always will be until things like
>> access control is standardized. Even if I could replicate my data to
>> openldap, it would not honor the fds aci's, which would result in
>> unexpected/unwanted results.
>
> Good point. OpenLDAP does support ACIs, but it is listed as
> experimental, and you have to explicitly enable it at configure time.
>
> Still, I don't know if the ACI syntax and evaluation algorithms in OL
> and FDS are similar or not.

It's very different. For one, the ACI syntax is different. For another,
AFAIK, the way in-tree ACIs work with OL is that they are stored in the
cn=config tree instead of being in the aci operational attribute in the
regular tree.

> BR,
> --
> mike
Rich Megginson wrote:
> It's very different. For one, the ACI syntax is different. For
> another, AFAIK, the way in-tree ACIs work with OL is that they are
> stored in the cn=config tree instead of being in the aci operational
> attribute in the regular tree.

The OL "experimental" ACI support existed long before OL supported
cn=config (which only came in the just released 2.3 branch, afaik). I
haven't used the old ACI support with OL, but I really would have
thought that they just implemented a verbatim copy of Netscape ACI
syntax. Maybe it's time to play around a little with OL this weekend.

--
mike
Mike Jackson wrote:
> Good point. OpenLDAP does support ACIs, but it is listed as
> experimental, and you have to explicitly enable it at configure time.
>
> Still, I don't know if the ACI syntax and evaluation algorithms in OL
> and FDS are similar or not.

Nope - openldap's experimental aci's are completely different from
fedora's.

- Jeff