Geertjan is a DZone Zone Leader and has posted 468 posts at DZone.

Interview: What's OpenDS?

07.29.2009

With the release of OpenDS 2.0 and the 3rd birthday of the project, let's take a moment to find out what OpenDS actually is, via an interview with Ludovic Poitou, OpenDS Community Manager and senior staff engineer at Sun Microsystems.

Ludovic Poitou is an architect in the Directory engineering team, which is mostly located in the Grenoble Engineering Center, France. About two years ago, after several years of development of the Sun Directory Services products, he moved into the role of Community Manager for the OpenDS project.

Below is an interview with Ludovic about OpenDS, in which you learn, for instance, that with OpenDS you can have a fully functional directory server on a machine in less than 3 minutes and 6 clicks, thanks to the OpenDS Java Web Start installer. The relationship between Java and OpenDS is also highlighted.

In a nutshell, what's OpenDS and when would I need it?

OpenDS stands for Open Directory Service and is, in fact, an LDAPv3-compliant directory server. In other words, it's an object-oriented and hierarchical database implementing a standard protocol and data model: the Lightweight Directory Access Protocol (LDAP).

LDAP is used in enterprises as the central service for storing user identity information, including passwords or authentication credentials, while the service is leveraged by many pieces of the infrastructure from the operating systems to web servers, messaging servers, portals, and so on.

So, whenever you're building an application that needs to store or access information related to users, you should think "LDAP" and consider the use of a directory server such as OpenDS.

What are you proudest of, as a key member of OpenDS?

There are really two things that I'm really proud of with the OpenDS project:

  • First is its ease of use. LDAP directory servers have often been considered complex and hard to use technologies. With OpenDS, you can have a fully functional directory server on a machine in less than 3 minutes and 6 clicks, thanks to our Java web start installer.

  • The second thing is performance. Because LDAP directory servers are a central place to retrieve user information, to authenticate and authorize them, performance has been a key aspect of a good product. With OpenDS, we're taking performance to levels that are exceeding expectations, and will allow LDAP directory servers to be used in critical parts of network infrastructures, including wireless networks.

    To give an idea of what we mean by performance, the basic test for any performance or reliability test starts with loading 10 million entries in 2 replicated instances of OpenDS directory server (10 million is large for enterprises, but small for service providers, especially in the Telco space). We then use SLAMD to hammer one of the servers with LDAP requests for half an hour or more. On our quite powerful lab machines, we can reach several tens of thousands of search requests per second, with an average response time under one millisecond. For modifications, we range from seven thousand to fourteen thousand modifications per second, depending on the storage sub-systems, again with an average response time of around one millisecond.

What's the relationship between Java and OpenDS?

Firstly, the whole project is written in the Java language. It requires Java 5 update 8 or higher, but to achieve the best performance the latest update of Java 6 is preferred.

The use of Java is key in the ease of use of OpenDS, as it simplifies distribution, i.e., we have a single ZIP file for all platforms, as well as installation. It also allows the OpenDS server to scale from a laptop to the large and multi-CPU servers, leveraging 64-bit support and accessing all available memory. We often run tests with 64GB of heap for the virtual machine running OpenDS.

Also, being a pure Java application, OpenDS can be embedded in other Java applications and we provide Java APIs to manage the lifecycle of the server as well as its configuration. For example, the Open Web SSO project (OpenSSO) is an open source project embedding OpenDS in its delivery and using it to store its own configuration and policies.

What are its competitors and how does it compare?

From an open source perspective, there are 3 other competitive projects:

  • OpenLDAP
  • Port389 (formerly known as Fedora Directory Server)
  • Apache Directory Server, which is also based on the Java platform

I would say the main competitor is OpenLDAP, because it's a well established and fully featured LDAP server, especially on Linux where it's bundled in most distributions. Feature-wise, I think OpenDS is on par with OpenLDAP: both projects implement most of the LDAP standard and experimental extensions, but OpenDS clearly wins in terms of ease of use, simplicity, and documentation.

What are two or three things that people typically do not know about OpenDS?

There are probably more than two or three things that people do not know about OpenDS! But here are two that I think matter when looking at open source directory projects:

  1. OpenDS is developed and released with enterprise quality. It's thoroughly tested (for every build, more than 35000 unit tests are run), it's localized in 7 languages (and more localizations are "work in progress"), it comes with a complete documentation set that is reviewed by both editors and engineers, and there is a Sun-supported version, the Sun OpenDS Standard Edition 2.0.

  2. Although OpenDS is quite a recent project (we launched the project about 3 years ago), it didn't come out of thin air. The project was started by the same team that developed the Sun Directory Server Enterprise Edition product line and most of the developers have more than 10 years of experience in Java, as well as in designing and scaling LDAP directory services. The objective from the Sun team is to transition Sun DSEE to the OpenDS code base within the next 12 to 18 months.

OpenDS 2.0 has just been released. What are its highlights?

I would say OpenDS 2.0 is a maturity release. There are a few additional features from OpenDS 1.0 and 1.2, but not many. What we've really worked on in OpenDS 2.0 is stability and performance, and I should really say stability of performance.

We've spent a lot of time doing benchmarks and performance analysis of the code in order to reduce contention and improve concurrency of the code. We know OpenDS 2.0 scales much better both vertically and horizontally on the machines.

But, more importantly, we've done a lot of work on memory management, reducing allocations and copying, resulting in fewer garbage collection pauses. Overall, OpenDS 2.0 is two to five times faster than OpenDS 1.2.

Feature-wise, OpenDS 2.0 now fully supports UTF-8, as well as searching according to different languages. The Control Panel, a graphical user interface to configure and manage the OpenDS directory server as well as the data, has been improved and provides additional monitoring information.

The Multi-Master Replication feature has been enhanced to support additional data consistency options resulting in higher availability and guarantee of never losing a single modification. Administrators can now schedule recurrent tasks such as daily backups or weekly export to LDIF. Those tasks are defined and managed by OpenDS itself, so they remain valid even if the server is moved to another machine.

See the OpenDS 2.0 Release Note, especially What's new in OpenDS 2.0? Also see Marina Sum's blog entry New Features in OpenDS 2.0, which provides a summary.

What are some features that will be added in the future?

OpenDS 2.2 is planned to be released in October and will have a Changelog accessible via LDAP. This will allow LDAP applications to search and retrieve the changes that have occurred in the directory service. It already has support for new Syntaxes and Matching Rules that simplify the development and administration of LDAP-enabled applications.

Most importantly, we will introduce a new LDAP Client API for Java applications, providing an alternative way to JNDI for developing LDAP support in applications. Our intention is to provide a first version of the client API as soon as possible, get feedback and work with the Java and LDAP communities to agree on a new standard API, possibly through the JCP.

And we're also still working on improving performance in some areas of the code, and an important one is with importing the data to OpenDS.

In the longer term, we're investigating how to bring fully distributed transactions to LDAP and how to simplify OpenDS extensibility and plugins with stored procedures and triggers.

The OpenDS Road Map is a living document and can be found on the OpenDS Developer documentation area of the OpenDS documentation Wiki: https://www.opends.org/wiki/page/OpenDSRoadmap.

How can I get started with it?

It's very simple. Go to http://www.opends.org.

Click the "Get 2.0 NOW!" button. If you have Java 5 installed and Java Web Start enabled, this will download the OpenDS QuickSetup installer and will guide you through the few steps to fully configure the server to run on your machine.

Alternately, you can download the OpenDS ZIP file and follow the steps described in the OpenDS 2.0 Installation Guide.

And please consider joining the OpenDS project at https://opends.dev.java.net, subscribe to the mailing lists, or join us at #opends on irc.freenode.net.


Published at DZone with permission of its author, Geertjan Wielenga.

Comments

Anew Hope replied on Thu, 2009/07/30 - 2:06pm

OpenDS is outstanding. I like the progress that has been made since version 1. Below are a few areas that could be improved:

Transaction Support (with JTA) needed

A transactional OpenDS with JTA support would be a huge selling point. As it stands now, there is a lot of confusion surrounding LDAP when it is used for Authentication and Authorization. In many environments, it is necessary for this data to be transactional - and not just transactional but guaranteed availability across all replicants. In other words, if a user's password is changed, it must be stored and guaranteed to be available across the entire topology otherwise the user could be denied login or worse, could be allowed to log in through a replicant that hasn't been updated yet. There are lots of workarounds for this issue but none that are better than having a transactional system.

Most LDAP servers have transactional support on their wishlist but none have really tackled the subject successfully. Do you have any insight into really supporting transactions in OpenDS other than "OpenDS 3.0 -- Plan in progress, scheduled for 2010"?

Binary install vs configuration

Another minor note is that OpenDS needs better separation between configuration and binary files to support using lightweight configuration to run multiple instances from the same binary installation. As of today, the OpenDS documentation has taken the stance that disk space is cheap so just copy the entire installation for an additional instance. However, disk space is only one concern. Security and the maintenance of that security is best served when allowing one binary install to support several separately configured instances.

Stronger clarification of Sun One Directory/Proxy Server

I think it's safe to say that a commercially supported derivative of OpenDS will replace the Sun One Directory/Proxy servers. A stronger statement saying as much may help organizations that could start using OpenDS now instead of suffering through the pain of the S1DS products. I know that there is a FAQ for this but apparently it's not strong enough or obvious enough that OpenDS is a viable solution for the enterprise.
