Howard Chu
2005-Dec-02 14:02 UTC
[Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
Sorry to poke at a moldy old thread, but I think some misconceptions need to be cleared up.

> * From: Mike Jackson <mj sci fi>
> * Date: Fri, 08 Jul 2005 23:37:41 +0300
>
> Fedora Directory Server was called Netscape Directory Server until just recently. It was the first LDAPv3 server in the world, afaik. The code was commercially developed and tested for ~8 years and has been in use in large scale deployments all over the world for a long time. It has contained features for many years which OpenLDAP project is just now considering, e.g. multi-master replication, ability to alter the configuration of the running server via LDAP, in-tree access control, etc.

This "just now considering" is wrong. The OpenLDAP code has supported multi-master replication and in-tree access control since 1999, very shortly after the Project began. The design for dynamic reconfiguration started in-house at Symas in 2002. The point wrt MMR and in-tree access control is that the Project actively discourages their use, not that the features don't exist in OpenLDAP. The debates on the mailing lists going back all those years clearly show that none of this is a new consideration. We simply don't believe that the claimed benefits justify the risk.

The point about load-balancing writes is totally specious, and anybody who pushes that factor is just deluded. High availability / SPOF arguments at least have some theoretical basis, but as easily as you can say "we've never had a data conflict problem with MMR" I can say "we've never had an SPOF issue with standby master" and moreover, we can state with 100% certainty no conflicts are in our data.

The use of in-tree access controls violates some basic principles of good security design. I.e., good security comes from a top-down policy design. Once you have the design, you need to be able to verify that the deployed rules actually implement that design. With the centralized ACL rules, you can mathematically prove that your deployment matches your policy. With distributed controls that are subject to arbitrary modification, you cannot make any definitive statements about the security state. The key point that people miss in building distributed systems is that you need *centralized* control, while providing *distributed access* to those controls, otherwise manageability goes out the window.

> Fedora is not what I would call a "specialized" LDAP server, it's just a full-featured, standards based, general purpose, high quality LDAP server. OpenLDAP is, in contrast, very specialized, having a lot of different types of backends in the recent versions. You can do some really tricky stuff with OpenLDAP that you can't do with Fedora, if you need that sort of tricky stuff in your architecture.

That's a very interesting way to spin things. OpenLDAP is a full-featured, standards based, general purpose, high quality LDAP server, that happens to include a number of powerful extras. You make it sound like the enhancements in OpenLDAP make it unsuitable for general use, which is untrue, since those enhancements are all modularized features that can be ignored if unneeded.

> And the main difference for a new person like yourself is the amount of available documentation. Fedora is professionally and extensively documented, whereas OpenLDAP documentation is very scarce and terse.

Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw. Yes, what documentation exists is terse, and this is a vital strength. Nobody likes to spend time wading thru docs, and there's nothing gained from saying in 5 sentences what can be stated in only one. Certainly we need to work on expanding the scope of the documentation to cover the numerous holes. But good documentation is concise and to the point, and the docs I've written are precise. There may be a problem with imprecise readers, who skim and skip over things when every single word is crucial, but that's not our fault.

I'm not here to attack FDS. I have nothing but respect for the team working on it today. But the fact that OpenLDAP developed under different conditions, with a different philosophy, is just that - philosophical difference.

--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
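The verification step Howard describes above (checking that the deployed, centralized ACL rules actually implement the written policy), as an added example that is not part of the thread and is not OpenLDAP's own code: a small Python checker for a subset of slapd.conf access-directive semantics, run over a constructed two-rule ACL and a constructed policy table. The rule encoding, the group membership map and the DN suffix test used for subtree matching are simplifications assumed here.

```python
# Added example, not from the thread or from OpenLDAP. Models a subset of slapd.conf
# "access to <what> by <who> <level>": rules are tried in order, the first "to" clause
# matching the target decides, and within it the first matching "by" clause wins.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def grants(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)  # write implies read, etc.

def to_matches(what, target_dn, attr):
    if "subtree" in what and not target_dn.endswith(what["subtree"]):  # simplified subtree test
        return False
    return "attrs" not in what or attr in what["attrs"]

def by_matches(who, requester, target_dn, groups):
    if who.startswith("group="):
        return requester in groups.get(who[len("group="):], ())
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester == target_dn}.get(who, False)

def effective_level(acl, requester, target_dn, attr, groups):
    for what, bys in acl:
        if not to_matches(what, target_dn, attr):
            continue
        for who, level in bys:
            if by_matches(who, requester, target_dn, groups):
                return level
        return "none"  # "to" matched but no "by" did: slapd's implicit "by * none"
    return "none"

def check_policy(acl, policy, groups):
    """Return the (requester, target, attr, op) cases where the ACL contradicts the policy."""
    return [case for case, allowed in policy.items()
            if grants(effective_level(acl, *case[:3], groups), case[3]) != allowed]

# Constructed sample ACL, equivalent to these slapd.conf lines:
#   access to attrs=userPassword by self write by anonymous auth by * none
#   access to dn.subtree="dc=example,dc=com" by group="cn=admins,dc=example,dc=com" write by users read
ADMINS = "cn=admins,dc=example,dc=com"
ACL = [({"attrs": {"userPassword"}}, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
       ({"subtree": "dc=example,dc=com"}, [("group=" + ADMINS, "write"), ("users", "read")])]
ALICE, BOB = "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"
GROUPS = {ADMINS: {ALICE}}
# Constructed top-down policy: (requester or None for anonymous, target, attribute, op) -> allowed
POLICY = {(None, BOB, "userPassword", "auth"): True,    # anyone may bind
          (None, BOB, "userPassword", "read"): False,   # hashes are never readable anonymously
          (BOB, BOB, "userPassword", "write"): True,    # users may change their own password
          (ALICE, BOB, "userPassword", "read"): False,  # not even admins read others' hashes
          (ALICE, BOB, "mail", "write"): True,          # admins manage other attributes
          (BOB, ALICE, "mail", "write"): False}         # ordinary users only read others' entries
```

Swapping the two rules, a common slapd.conf mistake, makes check_policy report the password cases as violations, because the broader subtree rule then shadows the userPassword rule.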
David Boreham
2005-Dec-02 14:13 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
> This "just now considering" is wrong. The OpenLDAP code has supported multi-master replication and in-tree access control since 1999, very shortly after the Project began.

Howard, this sounds interesting. I wonder if you would mind pointing me at the MMR code in the source tree? I've looked for it a few times without success.

Thanks.
Arshad Noor
2005-Dec-02 16:32 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
For what it's worth, while I have not worked with OpenLDAP at all, I vigorously support Howard's argument for concise, precise & clear documentation. The state of technical documentation today is pathetic - designed more for people to navigate GUIs than to impart information about how things work. It's reminiscent of cotton candy - a lot more air than content. Another artifact of the Microsoft age....

Arshad Noor
StrongAuth, Inc.

Howard Chu wrote:
> Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw. Yes, what documentation exists is terse, and this is a vital strength. Nobody likes to spend time wading thru docs, and there's nothing gained from saying in 5 sentences what can be stated in only one. Certainly we need to work on expanding the scope of the documentation to cover the numerous holes. But good documentation is concise and to the point, and the docs I've written are precise. There may be a problem with imprecise readers, who skim and skip over things when every single word is crucial, but that's not our fault.
Christopher Blizzard
2005-Dec-03 15:55 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
The documentation that we have available covers both "how to navigate [with the] GUI" and "how things work." All the way from an overview of how to build your LDAP tree down to a reference of the internal config settings that drive the directory server.

I suspect that you're saying that you prefer documents that are low level descriptions of how the system works, and we do have those. But you're not the only market. There's a fair number of ways that people tend to directory servers.

--Chris

On Fri, 2005-12-02 at 08:32 -0800, Arshad Noor wrote:
> For what it's worth, while I have not worked with OpenLDAP at all, I vigorously support Howard's argument for concise, precise & clear documentation. The state of technical documentation today is pathetic - designed more for people to navigate GUIs than to impart information about how things work. It's reminiscent of cotton candy - a lot more air than content. Another artifact of the Microsoft age....
>
> Arshad Noor
> StrongAuth, Inc.
>
> Howard Chu wrote:
> > Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw. Yes, what documentation exists is terse, and this is a vital strength. Nobody likes to spend time wading thru docs, and there's nothing gained from saying in 5 sentences what can be stated in only one. Certainly we need to work on expanding the scope of the documentation to cover the numerous holes. But good documentation is concise and to the point, and the docs I've written are precise. There may be a problem with imprecise readers, who skim and skip over things when every single word is crucial, but that's not our fault.
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
Arshad Noor
2005-Dec-03 19:24 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
Chris,

I don't deny that people need to know how to navigate through tasks. What I neglected to add to my e-mail is that "navigation knowledge" is better learned from "flash" type clips, rather than through dozens of pages of text and still-graphics. Perhaps what is needed is a standard for how documentation is produced to make it easier for users to learn from - something along the lines of:

- A concepts and architecture document
- An installation clip
- Tutorial clips
- Task oriented clips

I'm just bemoaning the fact that as technology becomes increasingly complex, the level of documentation has correspondingly risen. The quality of such documentation, however, has declined; there isn't a single reason one can blame, but interspersion of concepts & tasks in documents is one factor. By separating them & using appropriate media, perhaps we might address some of these shortcomings as an industry.

Arshad Noor
StrongAuth, Inc.

Christopher Blizzard wrote:
> The documentation that we have available covers both "how to navigate [with the] GUI" and "how things work." All the way from an overview of how to build your LDAP tree down to a reference of the internal config settings that drive the directory server.
>
> I suspect that you're saying that you prefer documents that are low level descriptions of how the system works, and we do have those. But you're not the only market. There's a fair number of ways that people tend to directory servers.
>
> --Chris
>
> On Fri, 2005-12-02 at 08:32 -0800, Arshad Noor wrote:
>
>> For what it's worth, while I have not worked with OpenLDAP at all, I vigorously support Howard's argument for concise, precise & clear documentation. The state of technical documentation today is pathetic - designed more for people to navigate GUIs than to impart information about how things work. It's reminiscent of cotton candy - a lot more air than content. Another artifact of the Microsoft age....
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> Howard Chu wrote:
>>
>>> Yes, the OpenLDAP documentation is sparse, and this is a fatal flaw. Yes, what documentation exists is terse, and this is a vital strength. Nobody likes to spend time wading thru docs, and there's nothing gained from saying in 5 sentences what can be stated in only one. Certainly we need to work on expanding the scope of the documentation to cover the numerous holes. But good documentation is concise and to the point, and the docs I've written are precise. There may be a problem with imprecise readers, who skim and skip over things when every single word is crucial, but that's not our fault.
Mike Jackson
2005-Dec-05 06:07 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
Howard Chu wrote:
> Sorry to poke at a moldy old thread, but I think some misconceptions need to be cleared up.

Hi Howard,

That certainly was a moldy old thread. I'm surprised it took this long to catch your attention :-)

> I'm not here to attack FDS. I have nothing but respect for the team working on it today. But the fact that OpenLDAP developed under different conditions, with a different philosophy, is just that - philosophical difference.

This is one problem which I have with using OL in commercial systems: developers pushing their philosophy. The preaching of philosophies is a fundamental difference between open-source and commercial projects/products, and fortunately not all open-source projects do it. With a commercial product, the customer is always right and new features (like MMR) will appear and be enabled by default with sufficient customer demand. With an open-source project, the developers sometimes call the "customers" crazy, stupid, uninformed, etc, and tell them to be quiet or go away if they don't like it. Since this project's software has commercial roots, and still has commercial funding, thankfully you don't see much pushing of philosophy here.

The biggest problem I have with OL is that the -users mailing list is censored, which is sometimes used to ensure that philosophy can be pushed without being questioned. I have had numerous postings to openldap-users blocked, which either questioned (even indirectly) the philosophy of OL or mentioned the name of another directory server. I'm happy that we have freedom of speech on this list and can have this discussion; it would be prohibited on openldap-users. I really despise being censored, and I'm sure that many other people feel the same way.

Considering those two problems, I would have a difficult time saying that I have nothing but respect for the *entire* OL team. However, I do have a lot of respect for you because you listen to opposing views with an open mind and are willing to debate them in a friendly manner.

BR,
Mike
Richard Megginson
2005-Dec-05 17:18 UTC
Re: [Fedora-directory-users] Advantages of using FDS vs OpenLDAP?
Mike Jackson wrote:
> Howard Chu wrote:
>
>> Sorry to poke at a moldy old thread, but I think some misconceptions need to be cleared up.
>
> Hi Howard,
> That certainly was a moldy old thread. I'm surprised it took this long to catch your attention :-)
>
>> I'm not here to attack FDS. I have nothing but respect for the team working on it today. But the fact that OpenLDAP developed under different conditions, with a different philosophy, is just that - philosophical difference.
>
> This is one problem which I have with using OL in commercial systems: developers pushing their philosophy. The preaching of philosophies is a fundamental difference between open-source and commercial projects/products, and fortunately not all open-source projects do it. With a commercial product, the customer is always right and new features (like MMR) will appear and be enabled by default with sufficient customer demand.

I don't believe the customer is always right. A good marketing organization will give the customer what they ask for. A great one will give the customer what he/she really needs/wants, which is not always what the customer asks for. We were fortunate at Netscape and Red Hat to have a couple of great PMs, and a few good ones.

What you will find is that the people who have invested enough time and money into OpenLDAP are quite satisfied with it and don't really need any other solution. Since OpenLDAP has been open source for so long, there is a community around it who have developed other backends, overlays, and other assorted code for doing things like a perl backend, the PADL stuff, heimdal integration, etc. Those developers may also be quite satisfied with OpenLDAP.

> With an open-source project, the developers sometimes call the "customers" crazy, stupid, uninformed, etc, and tell them to be quiet or go away if they don't like it.

That happens with proprietary software just as much or more, it's just not as public :-) c.f. Microsoft, Oracle

That being said, I have been bothered by the tone of discussion on the openldap lists at times, and I don't want to have that sort of negativity on the fedora ds lists. Perhaps it is just a difference of philosophy.

> Since this project's software has commercial roots, and still has commercial funding, thankfully you don't see much pushing of philosophy here.

You see a different philosophy. Besides, OpenLDAP does have a commercial entity behind it (Symas), and they do have customers, and they do want to provide features and services for them.

> The biggest problem I have with OL is that the -users mailing list is censored, which is sometimes used to ensure that philosophy can be pushed without being questioned. I have had numerous postings to openldap-users blocked, which either questioned (even indirectly) the philosophy of OL or mentioned the name of another directory server. I'm happy that we have freedom of speech on this list and can have this discussion; it would be prohibited on openldap-users. I really despise being censored, and I'm sure that many other people feel the same way.

There are other lists that can be used to talk about other directory servers and how they compare to OpenLDAP, e.g. the umich list, and to some extent the ldap-interop list. I don't fault Kurt for keeping the discussions germane - perhaps we will have to do the same with the Fedora DS lists if we become victims of our own popularity, which is a good problem to have :-)

> Considering those two problems, I would have a difficult time saying that I have nothing but respect for the *entire* OL team. However, I do have a lot of respect for you because you listen to opposing views with an open mind and are willing to debate them in a friendly manner.
>
> BR,
> Mike