Re: OpenLDAP 2.2 and db4 under RHEL4 on Xen 3.0

--On Tuesday, March 21, 2006 8:35 AM -0700 Craig White <craigwhite@azapple.com> wrote:

On Mon, 2006-03-20 at 15:08 -0800, Quanah Gibson-Mount wrote:

> So while the problems with xen are not the concern of the OpenLDAP
> developers really, expect to hear more and more from your users about
> xen and running OpenLDAP on xen.  I had just hoped someone with more
> experience could tell me to just rebuild the bdb stuff with some
> configure option.  I'll be talking to the bdb folks about this.


As Howard noted, an alternative vendor solution is CDS from Symas
Corporation.  That software installs into its own path (/opt/symas), so
it doesn't conflict with the ldap libraries shipped by RedHat.  I would
strongly recommend against using the RedHat for a number of reasons:

(1) They historically do a very bad job of packaging OpenLDAP.  This
pattern continues with their current packaged version
(2) They have no incentive to "do" OpenLDAP well, since it competes with
their Fedora DS
(3) They do not update their distributed version, nor patch it for the
many known bugs fixed in later releases.

If what you are looking for is a reliable, robust directory service,
then using RedHat's packaged version is the wrong thing to do.

I do disagree with some of this, especially as I am beginning to
understand things better.

The Red Hat packages of OpenLDAP within their RHEL have been behind
probably because their customers aren't pushing them to get closer to
current. If their customers were insisting on it, they would update.

I actually think their customer requests have little to do with what versions of OpenLDAP they package, based off my discussions with people at RedHat. Like most distributions, they pick a release that is current at the time they are doing their next OS revision, and then test everything client related against that. There is little desire to upgrade to a newer release once that is done, because of the lengthy amount of testing involved.

Red Hat was distributing out of date OpenLDAP packages long before their
purchase of the NDS which is now the Fedora Directory Services but from
all appearances, it seems that OpenLDAP will continue to be the packages
that are part of the distribution and I haven't seen any sign of that

Hence my point that they historically have had old packages. This has nothing to do with my point that they have no incentive to "do" OpenLDAP well, because they don't. In fact, they now have an incentive to /not/ do it well.

They do update their distributed version - the bug fixes that they back
port can be determined from the change logs.

I'm quite aware they backport some bug fixes. However, I'm also well aware that I've never seen a member of the RedHat group who maintains the OpenLDAP packages on the openldap-devel list or tracking the various CVS commits that come in. Looking at the RedHat changelog for their OpenLDAP package shows a total of *2* fixes imported into their 2.2.13 release from the 2.2 branch, one from 2.2.15, and one from 2.2.16. No modifications or updates since that time. Given the many bug fixes by the time 2.2.30 was released, their version is horribly out of date, and has one or two DOS attacks present in it. I would hardly call that "updating" their distribution.

sh-3.00# rpm -q --changelog openldap | more
* Tue Apr 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-3

- move nptl libraries into arch-specific subdirectories on %{ix86} boxes,
 to match glibc's layout
- update notes on upgrading from previous releases
- pull in fix for ITS #3201 from 2.2.15
- pull in fix for ITS #3326 from 2.2.16

If the desire is for a reliable, robust directory service, there's no
doubt that the Red Hat's packaged version is the wrong thing, but as a
client, it's adequate. I also use it for small scale server roles (small
offices, small number of hosts/users).

And of course, this entire discussion was about using RedHat's packages to run as a directory server, not about what its capabilities as a client are. As for your small scale server roles, when you hit the many issues present in RedHat's package some day, just remember to send your questions to RedHat.
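The thread settles the "do they update it?" question by reading the RPM changelog for "pull in fix for ITS #NNNN from X.Y.Z" entries. The following is an added example, not code from either poster or from Red Hat, that automates that check: it extracts the backported ITS numbers and the upstream release each came from, and reports the newest release any fix was taken from, which is a quick way to see how far a vendor package lags upstream. The embedded changelog text is a constructed sample copied from the entry quoted above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise which upstream ITS fixes a vendor RPM changelog claims
# to have backported. Real input comes from `rpm -q --changelog <pkg>`; here a
# constructed sample mirroring the entry quoted in the thread is embedded so the
# script runs offline.

SAMPLE_CHANGELOG=$(cat <<'EOF'
* Tue Apr 19 2005 Nalin Dahyabhai <nalin@redhat.com> 2.2.13-3

- move nptl libraries into arch-specific subdirectories on %{ix86} boxes,
 to match glibc's layout
- update notes on upgrading from previous releases
- pull in fix for ITS #3201 from 2.2.15
- pull in fix for ITS #3326 from 2.2.16
EOF
)

# list_backported_its CHANGELOG_TEXT
# Prints one "ITS<number> <source-release>" line per backported fix, sorted and
# de-duplicated. Only lines of the form "- ... ITS #NNNN from X.Y.Z" match.
list_backported_its() {
    printf '%s\n' "$1" \
      | sed -n 's/^- .*ITS #\([0-9][0-9]*\) from \([0-9][0-9.]*\).*/ITS\1 \2/p' \
      | sort -u
}

# count_backported_its CHANGELOG_TEXT
# Number of distinct ITS fixes the changelog mentions (as a bare integer).
count_backported_its() {
    list_backported_its "$1" | wc -l | tr -d ' '
}

# latest_backport_source CHANGELOG_TEXT
# The highest upstream release any backported fix was pulled from, using a
# numeric sort on the dotted version so 2.2.16 sorts after 2.2.9.
latest_backport_source() {
    list_backported_its "$1" \
      | awk '{print $2}' \
      | sort -t. -k1,1n -k2,2n -k3,3n \
      | tail -n 1
}

# Stand-alone run over the constructed sample.
echo "Backported fixes:"
list_backported_its "$SAMPLE_CHANGELOG"
echo "Total: $(count_backported_its "$SAMPLE_CHANGELOG")"
echo "Newest upstream release a fix was taken from: $(latest_backport_source "$SAMPLE_CHANGELOG")"
```

On a live system, feed the real changelog in with `list_backported_its "$(rpm -q --changelog openldap)"`; comparing the reported newest source release against the current upstream release gives the same picture the thread draws by hand (two fixes, none newer than 2.2.16, against a current 2.2.30).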
