
Re: Silly details like CN= v cn=

Howard Chu wrote:
It's not just perfectly valid, it is exactly correct. RFC4519 defines the
attribute name to be 'cn' and we always return the canonical name for a given
attribute. As always with Microsoft, AD is a broken abomination.

Of course, the point remains that attribute names are case-insensitive, and
any user doing a case-sensitive compare on the attribute names is begging for

I know we've had this conversation before, but I think it bears repeating - you don't always need to be bug-for-bug compatible with Microsoft. As long as the low-level system functions that people can't easily get at to fix all work, you're close enough. It's also important to stress - it's better to educate your users and teach them best practices than to keep catering to their ignorance. The only way things improve is when you emphasize doing things right and teaching others to also be able to do things right. Keep aiming for the lowest common denominator, and you get Microsoft, Hollywood, and the majority of US mass media.

Right now Microsoft AD is the market leader for directory services in identity management, and OpenLDAP is #2. (See here http://connexitor.com/blog/pivot/entry.php?id=190 for some pointers to the story.) If the Samba and OpenLDAP teams continue to do their job right, we can easily push Microsoft into the back seat. Microsoft has already demonstrated their (in)ability to produce any quality software (see Vista, see the benchmarks of OpenLDAP vs AD); unless they fire the majority of their developers and start over from scratch they'll never be able to close that gap.

People keep piping up "performance isn't the only thing that matters" - of course it's not. Correct operation is #1. By any measure, OpenLDAP is the *most correct* directory server implementation in existence, *and* it can easily be extended to include any features necessary. And when it can outperform other "competitors" (I use the term very loosely) by margins of over 5 to 1, the reasons for using anything else really tend to disappear. That means any enterprise using OpenLDAP has at least a 5:1 cost advantage over any competitor who's not using it, in terms of hardware/maintenance cost, data center provisioning costs, system management cost, etc... Any CIO who isn't leveraging all of these advantages for their own enterprise is wasting money. Any CIO that *is* leveraging all of these advantages will have a distinct competitive advantage over all of those other enterprises, because more of their IT budget will be freed up to provide more useful services for the company.

If you're a shareholder or Board member of a company that *isn't* already using OpenLDAP, you need to ask your CIOs "Why Not? How Soon Will You Switch?" and if there's no good answer to those questions, those CIOs need to be fired. It *is* as clear cut as that. Other products may win on slick marketing points, but in the end, the bottom line is still the bottom line, and no enterprise can ignore it. Indeed, they have a duty to their shareholders *not* to ignore it.

So weigh that into your bug-for-bug-compatibility considerations - over time, Samba+OpenLDAP will be the #1 directory deployed in Windows environments, just as it already is in Unix/Linux environments. As long as neither one of us badly screws up the code bases it is inevitable. So some places where you bend over backwards to accommodate Microsoft's flagrant disregard of open standards won't be so important down the road, because we are the de jure standard and will be the de facto standard.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
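As an added example (not part of Howard's post, and not OpenLDAP's or Samba's own code), the Python below shows what the case-insensitive compare he refers to looks like in practice: attribute type descriptors are case-insensitive per RFC 4512, so 'CN=' in a DN returned by one server and 'cn=' returned by another name the same RDN, and a client that compares attribute names or DN strings byte-for-byte will misbehave against one of them. The alias table, the set of caseIgnore attributes, the sample DNs and the sample entries are constructed for this example; the DN parser deliberately handles only backslash-escaped commas and leaves multi-valued RDNs and hex escapes out of scope.

```python
"""Case-insensitive handling of LDAP attribute type names (added example).

RFC 4512 defines attribute type descriptors ('cn', 'commonName', ...) as
case-insensitive, and RFC 4514 carries that into DN strings, so 'CN=...' and
'cn=...' name the same RDN.  A server may return the canonical spelling
('cn', per RFC 4519) whatever the client sent, so a client that does
`if attr == "CN"` or compares DN strings byte-for-byte will misbehave
against one server or the other.  Everything below is constructed.
"""
from typing import Dict, List, Tuple

# Alias table: RFC 4519 alternative names folded to the canonical short name.
# Only cn/commonName is mentioned on the page; the other entries are assumed.
_ALIASES = {"commonname": "cn", "surname": "sn", "userid": "uid"}

# Attribute types whose equality rule is caseIgnoreMatch (caseIgnoreIA5Match
# for 'dc') per RFC 4519, so their *values* are compared case-insensitively.
# Any attribute not listed here is treated as case-exact (assumption).
_CASE_IGNORE_VALUES = {"cn", "sn", "ou", "o", "dc", "uid"}


def canonical_attr(name: str) -> str:
    """Fold an attribute type descriptor to its canonical lower-case form."""
    folded = name.strip().lower()
    return _ALIASES.get(folded, folded)


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (canonical_attr, value) pairs.

    Backslash-escaped commas inside values are honoured; multi-valued RDNs
    ('+') and hex-escaped values are out of scope for this example.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape + escaped char together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":                         # an unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((canonical_attr(attr), value.strip()))
    return pairs


def naive_dn_equal(a: str, b: str) -> bool:
    """The byte-for-byte compare that breaks between AD-style and OpenLDAP-style DNs."""
    return a == b


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs: fold attribute-type case, then apply each attribute's
    matching rule to its value."""
    pa, pb = split_dn(a), split_dn(b)
    if len(pa) != len(pb):
        return False
    for (attr_a, val_a), (attr_b, val_b) in zip(pa, pb):
        if attr_a != attr_b:
            return False
        if attr_a in _CASE_IGNORE_VALUES:
            if val_a.lower() != val_b.lower():
                return False
        elif val_a != val_b:
            return False
    return True


def get_attr(entry: Dict[str, List[str]], name: str) -> List[str]:
    """Look up an attribute in an entry regardless of how the server spelled it."""
    want = canonical_attr(name)
    for key, values in entry.items():
        if canonical_attr(key) == want:
            return values
    return []


# Constructed sample: the same entry as two different servers might return it.
AD_DN = "CN=Howard Chu,OU=People,DC=example,DC=com"
OL_DN = "cn=Howard Chu,ou=People,dc=example,dc=com"
AD_ENTRY = {"CN": ["Howard Chu"]}
OL_ENTRY = {"cn": ["Howard Chu"]}

if __name__ == "__main__":
    print("naive compare:", naive_dn_equal(AD_DN, OL_DN))   # False
    print("folded compare:", dn_equal(AD_DN, OL_DN))        # True
    print("commonName lookup:", get_attr(AD_ENTRY, "commonName"),
          get_attr(OL_ENTRY, "commonName"))                 # both ['Howard Chu']
```

The point of keeping value comparison separate from attribute-name comparison is that the two follow different rules: attribute names are always case-insensitive, but whether a value is depends on the attribute's matching rule in the schema, so an authorization check keyed on a DN should consult the schema (or a table like the one above) rather than lower-casing the whole string.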