This month the OpenLDAP project celebrates its twentieth birthday. It was born in 1998, when Kurt Zeilenga and others decided to consolidate the patches that had been spread across mailing lists and newsgroups to improve the original standalone University of Michigan LDAP server code (slapd). After Kurt Zeilenga stepped down, Howard Chu took over as chief architect of the project. The OpenLDAP project traditionally follows the Unix design philosophy of “one job, one tool”. Under Kurt Zeilenga's lead, development of OpenLDAP as the reference implementation of the Lightweight Directory Access Protocol (LDAP) was driven primarily by Internet Drafts and RFCs. This focus on openness and interoperability turned the project into a landmark in the landscape of network services, supported by all major enterprise Linux distributions, which offered OpenLDAP as a maintained component of their products.

RedHat and SUSE announce the withdrawal of support for OpenLDAP

Unfortunately this will change this year, since RedHat and SUSE have announced that they will withdraw support for OpenLDAP from their enterprise Linux offerings in favor of RedHat’s own 389 Directory Server (389-ds). This news was broken to customers in the release notes of SLE 15. The 389 Directory Server project is built on a code base dating back to 1996, when Netscape hired the LDAP founder Tim Howes and some of his former colleagues from the University of Michigan. This code base was acquired by RedHat in 2004 and released and extended as open source under the GNU General Public License (GPL).

OpenLDAP 1.0 itself was born in 1998 out of improvements which the community had collected over the course of two years. Today’s code has been reworked so thoroughly since the second major release that it hardly has anything in common with the original code.

The GPL-licensed source code of 389 Directory Server is the technological basis of two separate offerings. RedHat distinguishes between the identity management (IdM) solution FreeIPA (Identity, Policy, Audit) on the one hand and the "Red Hat Directory Server" (RHDS) on the other. The latter is recommended for general business-critical applications with special requirements. Refer to the following links for more details.

However, operating the RHDS product requires a separate support subscription, and RedHat’s decision to focus solely on 389-ds has to be seen in this context. According to this announcement, OpenLDAP will no longer be supported in the next major release of RedHat Enterprise Linux, and the software package "openldap-servers" is already deprecated in RHEL 7.4 (see the paragraph “Important” in that announcement).

With this move, RedHat customers using OpenLDAP are put in a situation where they either have to migrate to 389-ds (or RHDS) or resort to OpenLDAP packages from third-party offerings for support (e.g. https://symas.com/message-president-regarding-red-hat-suse-removing-openldap-linux-distributions/ and https://daasi.de/en/2017/09/25/red-hat-wont-continue-openldap-support-rhel-8-daasi-international-supports-migration/). Community-maintained packages will continue to be available.

Univention takes a different perspective

Univention has supported OpenLDAP for enterprise use since 2003. It is one of the central components of their product Univention Corporate Server (UCS). This is possible because OpenLDAP has always been maintained with a high degree of professionalism: the whole community responds quickly and competently to questions and submitted patch proposals. The OpenLDAP team ships feature releases at a pace of roughly 12 to 18 months, interspersed with maintenance releases as required. Feature releases mature for a long time and are not bound to the pressure of release deadlines. In this respect the project works similarly to other open source projects such as Debian. This isn't always easy for distributors to handle in terms of product release planning, but it is the freedom of such projects to decide on their own terms when something is considered ready for release.

All of these are reasons why Univention recommends UCS with OpenLDAP for their enterprise users as well. In the largest UCS deployment, run by the French telecommunications provider Orange, OpenLDAP serves up to 30 million authentication accounts and has proven its scalability and stability.

Reliability, performance and scalability of the base technology are crucial criteria for operation in professional environments. From this point of view, Univention argues, the decision of RedHat and SUSE is hard to justify. 389-ds currently still relies on a Sleepycat Berkeley DB backend, while OpenLDAP has recommended the modern LMDB (Lightning Memory-Mapped Database) as its backend since the 2.4 series. The key-value store LMDB was designed and developed by Howard Chu, who has been chief architect of the OpenLDAP project since 2007. The new database backend is notable for its lock-free reads, where readers never block writers and writers never block readers, and for its copy-on-write design, which needs no write-ahead log and no recovery step after a crash; both address long-standing issues of Berkeley DB (BDB). It achieves marked performance gains in comparison to other database technologies, especially for the usage profile of LDAP directory services, which are typically dominated by reads rather than writes.

In 2014 Univention also switched to LMDB as the OpenLDAP backend in their core product Univention Corporate Server (UCS). In Univention’s experience, LMDB opened the door for OpenLDAP to meet the requirements of large-scale, high-performance projects. In fact, the robustness and performance of LMDB were so remarkable that Univention also decided in 2014 to replace its own BDB-based LDAP replication cache with an LMDB-based implementation. Even though LMDB's current 0.9 version branch has already proven convincingly stable, the 1.0 series will deliver additional improvements that will be crucial for a solid backend for OpenLDAP.
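As an added illustration of the backend switch discussed in the two paragraphs above (this is example configuration written for this page, not code from the post, from Univention or from the OpenLDAP project), the following slapd.conf excerpt shows a legacy back-hdb (Berkeley DB) database definition next to its back-mdb (LMDB) replacement. The two definitions are alternatives for the same suffix and are not meant to be active at once. Suffix, rootdn, directory path and sizes are placeholder assumptions; adjust them to the deployment.

```conf
###############################################################
# BEFORE: Berkeley DB backend (back-hdb).  Tuning lives partly
# here and partly in a DB_CONFIG file inside the database
# directory (the dbconfig lines below are written into it).
# After an unclean shutdown the BDB environment has to be
# recovered before slapd will start again.
# Suffix, rootdn, path and sizes are placeholders.
###############################################################
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
# entry cache (number of entries), tuned by hand
cachesize       10000
# BDB memory pool (256 MiB) and lock table sizes
dbconfig        set_cachesize 0 268435456 1
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
checkpoint      512 30
index           objectClass eq
index           uid         eq
index           entryUUID   eq
index           entryCSN    eq

###############################################################
# AFTER: LMDB backend (back-mdb).  No DB_CONFIG, no entry-cache
# tuning, no transaction log files and no recovery step: the
# database file is memory-mapped, copy-on-write keeps it
# consistent across crashes, and the OS page cache does the
# caching.  The one parameter that must be chosen deliberately
# is maxsize, the upper bound of the memory map and therefore of
# the database.  It defaults to 10 MiB; once the map is full,
# writes fail with MDB_MAP_FULL.  The value is a reservation of
# address space, not an allocation, so size it for growth.
# Suffix, rootdn, path and sizes are placeholders.
###############################################################
database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap
# 4 GiB map (placeholder value)
maxsize         4294967296
# flush to disk every 512 KiB written or every 30 minutes
checkpoint      512 30
index           objectClass eq
index           uid         eq
index           entryUUID   eq
index           entryCSN    eq

###############################################################
# Migrating the data between the two definitions (run with
# slapd stopped; old.conf holds the hdb block, new.conf the
# mdb block, and /var/lib/ldap must be empty for the new
# backend and owned by the slapd service user afterwards):
#
#   slapcat -f old.conf -b "dc=example,dc=com" -l backup.ldif
#   mv /var/lib/ldap /var/lib/ldap.hdb && mkdir /var/lib/ldap
#   slapadd -f new.conf -b "dc=example,dc=com" -l backup.ldif
#   chown -R ldap:ldap /var/lib/ldap
###############################################################
```

The indexes on entryUUID and entryCSN are the ones syncrepl replication relies on and are carried over unchanged; the index configuration is backend-independent, which is what makes the slapcat/slapadd round trip sufficient. On systems that use the cn=config database instead of slapd.conf, the same definitions appear as an `olcDatabase={1}mdb,cn=config` entry with `olcDbMaxSize` in place of `maxsize` and `olcDbIndex` in place of `index`.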

The next big milestone for the OpenLDAP project itself will be the release of OpenLDAP 2.5. Some of the features announced for OpenLDAP 2.5 have already shipped as patch-level updates to the 2.4 series, which according to the current roadmap will be concluded with 2.4.47.

A big thank you to OpenLDAP

Univention would like to thank the OpenLDAP project and its developers for their professional work and commitment to the open source idea. As a Linux distributor, Univention looks forward with excitement and confidence to continuing to use OpenLDAP in UCS-based projects in the coming years, offering public and private corporations and institutions an open, scalable and professional software solution while empowering freedom of choice and independence from vendor lock-in.

This is a guest post from Univention. The author’s views are entirely his/her own and may not reflect the views of OSTechNix.

Resources: