[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP - versioning/stability questions



On Mon, 2005-02-21 at 15:58 -0600, Richard L. Goerwitz III wrote:
> Quanah Gibson-Mount wrote:
> 
> > I see the versions of OpenLDAP shipped with a particular linux 
> > distribution as the local client libraries, and they should not be 
> > confused with what to use for running a directory service.
> 
> Extremely sharp people like you (Quanah) who are coming from
> institutions Stanford's size, or greater, serve as great data
> points, and I understand what you say:  To do things 'right'
> with an enterprise directory in an institution of your type
> and size requires a certain level of care and feeding.  I did
> a six-year stint at Brown University, so I understand somewhat
> where you're coming from.
> 
> In smaller environments like my current one at Carleton College
> (just 1800 students), we typically (in order to keep from
> being overwhelmed with lifecycle maintenance issues) like to try
> to rely on vendors (RedHat, others) to supply us with patches
> and proper updates to as much software as possible.
> 
> We try to reduce the number of packages that we feed by hand
> because our size limits our breadth and capacity.
> 
> That's not to say we don't do any hand compilation or anything
> of that sort.  In fact, we sometimes hand patch software to fit
> our environment, although this almost always goes badly (there
> is usually just one person who understands the patches, and he
> or she may leave, move on to other duties, or simply not have
> the time to integrate them into new versions of products).  So
> if we can get away without hand compiling/patching - i.e., if we
> can find a way to deploy software so that dumber and/or busier
> and/or more thinly stretched people can still manage it - we do
> it.
> 
> So anyway, with regard to my original query (regarding OpenLDAP
> and RedHat), my goal was to determine whether RedHat's OpenLDAP
> build is solid or worth using.  Is it enterprise worthy, as you
> might expect from the designation 'RedHat Enterprise Linux'?
> Or are they just putting OpenLDAP out there without giving it
> much effort?
> 
> I'm also interested in determining whether (aside from basic
> security and reliability patches) there is any particular
> version of OpenLDAP expected to last, as a solid, supported
> version of the product, for eighteen to twenty four months -
> a typical lifecycle for a thing like a database (e.g., Oracle
> 8i, 9i, etc.) an OS (e.g., RHEL 3.0) etc. at an institution
> of my size, with a staff like ours.  By solid/supported I am
> not implying that no changes or patches would be needed.  The
> issues for us are persistence of a given product revision
> (e.g., 2.2 series), feature freezes, and ease of upgrades.
> 
> With Apache, e.g., we rarely have any trouble at all upgrading.
> The issues are practically nil.  Ditto, e.g., for MySQL.  And
> in the case of Apache, we try (as far as possible) just to use
> RPMs given us by RedHat (a few servers require custom builds,
> but we try to keep that down).
> 
> For MySQL we just use RPMs provided by MySQL.  Junior sysadmins
> can maintain MySQL quite nicely and use very little time doing
> it.
> 
> But back to OpenLDAP and RedHat, though:
> 
> My sense is that this group sees the RedHat build (2.2.13,
> released 8 months ago) as obsolete and RedHat's use of it
> questionable.
> 
> Is this correct?
----
I will reply to the parts of this that I feel that I can reasonably
offer a perspective.

RHEL 3 and openldap 2.0.27 is rather of an antique. There are so many
desirable features of openldap that are missing that it felt like
kissing my sister.

RHEL 4 indeed has a much newer version of openldap 2.2.13 and who knows
which and how many patches/back ports that they have done without a
close inspection.

Obviously Red Hat is concerned with shared libraries between various
parts, not only being their kerberos client software, the sleepycat
software (db-4), their version of openssl, samba, sendmail, postfix and
who knows what else they have built with dependencies against the
installed openldap.

You could probably get by with their RHEL 4 & openldap 2.2.13 version
and get most of the functionality of installing current version from
source. Of course, you won't get the newer replication features but I'm
gathering that things are entirely optimal there yet anyway and that it
requires some advanced knowledge to make it functional.

I can tell you for sure that installing openldap (and other required
dependencies) from source wasn't that hard to accomplish and thus,
building on RHEL 3 or 4 or some other Linux/Unix system is far less of a
factor than you fear and it can be done without breaking any of the
other software on the system.

Craig