Re: Silly details like CN= v cn=
Howard Chu wrote:
It's not just perfectly valid, it is exactly correct. RFC4519 defines the
attribute name to be 'cn' and we always return the canonical name for a given
attribute. As always with Microsoft, AD is a broken abomination.
Of course, the point remains that attribute names are case-insensitive, and
any user doing a case-sensitive compare on the attribute names is begging for
I know we've had this conversation before, but I think it bears repeating -
you don't always need to be bug-for-bug compatible with Microsoft. As long as
low-level system functions that people can't easily get at to fix all work,
you're close enough. It's also important to stress - it's better to educate
your users and teach them best practices, than to keep catering to their
ignorance. The only way things improve is when you emphasize doing things
right and teaching others to also be able to do things right. Keep aiming for
the lowest common denominator, and you get Microsoft, Hollywood, and the
majority of US mass media.
Right now Microsoft AD is the market leader for directory services in identity
management, and OpenLDAP is #2. (See here
http://connexitor.com/blog/pivot/entry.php?id=190 for some pointers to the
story.) If the Samba and OpenLDAP teams continue to do their job right, we can
easily push Microsoft into the back seat. Microsoft has already demonstrated
their (in)ability to produce any quality software (see Vista, see the
benchmarks of OpenLDAP vs AD); unless they fire the majority of their
developers and start over from scratch they'll never be able to close that gap.
People keep piping up "performance isn't the only thing that matters" - of
course it's not. Correct operation is #1. By any measure, OpenLDAP is the
*most correct* directory server implementation in existence, *and* it can
easily be extended to include any features necessary. And when it can
outperform other "competitors" (I use the term very loosely) by margins of
over 5 to 1, the reasons for using anything else really tend to disappear.
That means any enterprise using OpenLDAP has at least a 5:1 cost advantage
over any competitor who's not using it, in terms of hardware/maintenance cost,
data center provisioning costs, system management cost, etc... Any CIO who
isn't leveraging all of these advantages for their own enterprise is wasting
money. Any CIO that *is* leveraging all of these advantages will have a
distinct competitive advantage over all of those other enterprises, because
more of their IT budget will be freed up to provide more useful services for
If you're a shareholder or Board member of a company that *isn't* already
using OpenLDAP, you need to ask your CIOs "Why Not? How Soon Will You Switch?"
and if there's no good answer to those questions, those CIOs need to be fired.
It *is* as clear cut as that. Other products may win on slick marketing
points, but in the end, the bottom line is still the bottom line, and no
enterprise can ignore it. Indeed, they have a duty to their shareholders *not*
to ignore it.
So weigh that into your bug-for-bug-compatibility considerations - over time,
Samba+OpenLDAP will be the #1 directory deployed in Windows environments, just
as it already is in Unix/Linux environments. As long as neither one of us
badly screws up the code bases it is inevitable. So some places where you bend
over backwards to accommodate Microsoft's flagrant disregard of open standards
won't be so important down the road, because we are the de jure standard and
will be the de facto standard.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
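The point the thread makes about case-insensitive attribute names, shown as an added example that is not part of the original post or of OpenLDAP: per RFC 4512, an attribute description is a type name optionally followed by `;`-separated options, and both the type and the options are compared case-insensitively (option order is also not significant). The entry dictionaries and the `get_attr*` helper names are constructed for illustration; the naive lookup is included only to show the mistake a byte-for-byte comparison makes.

```python
"""Case-insensitive handling of LDAP attribute descriptions.

RFC 4512 defines an attribute description as an attribute type
(e.g. 'cn') optionally followed by ';'-separated options
(e.g. 'cn;lang-en'). Both the type and the options are case-insensitive,
and the order of options is not significant. A client that compares
the raw strings will treat 'CN' and 'cn' as two different attributes.
"""


def normalize_attr_desc(desc: str) -> str:
    """Return a canonical key for an attribute description.

    The type is lower-cased; options are lower-cased and sorted, so
    'CN;Lang-EN;binary' and 'cn;binary;lang-en' yield the same key.
    """
    attr_type, *options = desc.strip().split(";")
    key = attr_type.lower()
    if options:
        key += ";" + ";".join(sorted(o.lower() for o in options))
    return key


def attr_desc_equal(a: str, b: str) -> bool:
    """Compare two attribute descriptions the way the protocol requires."""
    return normalize_attr_desc(a) == normalize_attr_desc(b)


def get_attr(entry: dict, wanted: str) -> list:
    """Look up values in an entry regardless of the case the server used."""
    key = normalize_attr_desc(wanted)
    for name, values in entry.items():
        if normalize_attr_desc(name) == key:
            return list(values)
    return []


def get_attr_naive(entry: dict, wanted: str) -> list:
    """The case-sensitive lookup the thread warns against (for contrast)."""
    return list(entry.get(wanted, []))


# Constructed sample entries: the same object as returned by a server that
# emits the canonical RFC 4519 name ('cn') and by one that emits 'CN'.
ENTRY_CANONICAL = {"cn": ["Jane Doe"], "sn": ["Doe"], "cn;lang-de": ["Jane Doe"]}
ENTRY_UPPERCASE = {"CN": ["Jane Doe"], "SN": ["Doe"], "CN;LANG-DE": ["Jane Doe"]}

if __name__ == "__main__":
    for entry in (ENTRY_CANONICAL, ENTRY_UPPERCASE):
        print("naive:", get_attr_naive(entry, "CN"), "correct:", get_attr(entry, "CN"))
```

Running the block shows the naive lookup for `CN` returning nothing from the server that emits `cn`, while the normalized lookup finds the value in both entries.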