Main Nav

Hi All, The University of Chicago is undertaking a project to replace our present LDAP infrastructure (Oracle Directory Server Enterprise Edition v 11) with something not Oracle. The three leading candidates we have selected are: OpenDJ by ForgeRock OpenLDAP Port 389 / RedHat DS Would anybody who happens to already be running one of the above systems mind chiming in about their experiences (good and bad)? Also, if you would please let me know if you could go back in time, would you select the product you're presently running? Thanks Dave -- David Langenberg Identity & Access Management The University of Chicago


Hi Dave, We have been using OpenDJ since Oracle bought Sun and hiked our costs (to the moon) on the Sun DS. OpenDJ has been free, but they are moving to license model for their "Enterprise" binaries. We will be ensuring we stay on the "Community" edition. That may require us to download the source and build ourselves. Downloading source and building proved to fairly easy, we did it yesterday in an hour or so. I would suggest getting on the OpenDJ email list for the complete conversation. OpenDJ has been very reliable, although we haven't successfully made replication work (we may not have really given it the old college try). We are working on that. It is also our password store for CAS and can support 3000 logins a minute. I also have a non optimized java program that easily reads 1000 person records a minute. We currently store 1.2 million ldap records. Hope this helps, Bryan
we use 389. i have used it before at other institutions. multi-master replication works great. extremely reliable product. FREE! as for going back in time and using the same product? well, i did, so i would and i will. :-) /mrg
Edit to previous post. My Java program reads 1000 records a second. -Bryan
>We started out with the Sun product and subsequently moved to 389 DS (Port 389 above). Michael Gettes' pretty much states the reasons. We have >replication between two masters and have two read-only consumers set up in a chain on update mode to the masters. This setup has been rock solid for >us. Additionally we have a replication agreement to AD which synchronizes our passwords from LDAP to AD (we do not go the other way). I have a question about the password sync. I was under the impression that in order for this to work the passwords need to be in plain text in LDAP for this to work. Is this true? I would love to replace our programmatic password sync process. Thanks, Bryan