Re: Silly details like CN= v cn=

[Howard Chu <hyc@symas.com>]

Howard Chu wrote:
> It's not just perfectly valid, it is exactly correct. RFC4519 defines the
> attribute name to be 'cn' and we always return the canonical name for a given
> attribute. As always with Microsoft, AD is a broken abomination.
>
> Of course, the point remains that attribute names are case-insensitive, and
> any user doing a case-sensitive compare on the attribute names is begging for
> disappointment.

I know we've had this conversation before, but I think it bears repeating - 
you don't always need to be bug-for-bug compatible with Microsoft. As long as 
low-level system functions that people can't easily get at to fix all work, 
you're close enough. It's also important to stress - it's better to educate 
your users and teach them best practices, than to keep catering to their 
ignorance. The only way things improve is when you emphasize doing things 
right and teaching others to also be able to do things right. Keep aiming for 
the lowest common denominator, and you get Microsoft, Hollywood, and the 
majority of US mass media.

Right now Microsoft AD is the market leader for directory services in identity 
management, and OpenLDAP is #2. (See here 
http://connexitor.com/blog/pivot/entry.php?id=190 for some pointers to the 
story.) If the Samba and OpenLDAP teams continue to do their job right, we can 
easily push Microsoft into the back seat. Microsoft has already demonstrated 
their (in)ability to produce any quality software (see Vista, see the 
benchmarks of OpenLDAP vs AD); unless they fire the majority of their 
developers and start over from scratch they'll never be able to close that gap.

People keep piping up "performance isn't the only thing that matters" - of 
course it's not. Correct operation is #1. By any measure, OpenLDAP is the 
*most correct* directory server implementation in existence, *and* it can 
easily be extended to include any features necessary. And when it can 
outperform other "competitors" (I use the term very loosely) by margins of 
over 5 to 1, the reasons for using anything else really tend to disappear. 
That means any enterprise using OpenLDAP has at least a 5:1 cost advantage 
over any competitor who's not using it, in terms of hardware/maintenance cost, 
data center provisioning costs, system management cost, etc... Any CIO who 
isn't leveraging all of these advantages for their own enterprise is wasting 
money. Any CIO that *is* leveraging all of these advantages will have a 
distinct competitive advantage over all of those other enterprises, because 
more of their IT budget will be freed up to provide more useful services for 
the company.

If you're a shareholder or Board member of a company that *isn't* already 
using OpenLDAP, you need to ask your CIOs "Why Not? How Soon Will You Switch?" 
and if there's no good answer to those questions, those CIOs need to be fired. 
It *is* as clear cut as that. Other products may win on slick marketing 
points, but in the end, the bottom line is still the bottom line, and no 
enterprise can ignore it. Indeed, they have a duty to their shareholders *not* 
to ignore it.

So weigh that into your bug-for-bug-compatibility considerations - over time, 
Samba+OpenLDAP will be the #1 directory deployed in Windows environments, just 
as it already is in Unix/Linux environments. As long as neither one of us 
badly screws up the code bases it is inevitable. So some places where you bend 
over backwards to accommodate Microsoft's flagrant disregard of open standards 
won't be so important down the road, because we are the de jure standard and 
will be the de facto standard.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/