
Mar 07
2008

Interview with OpenLDAP's Howard Chu

Posted by tcallway in Windows, sunone, openldap, Open Source, GPL, Email Calendaring, directory services, Advocacy, active directory


Who is Howard Chu?

Howard Chu is the Chief Architect of the OpenLDAP project and its main corporate sponsor Symas Corporation. OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) which provides an enterprise with shared address books, single sign-on functionality, automount of home directories and file sharing for Linux, Unix, Mac and Windows clients.

Q: Can you tell us a little bit about what you do, the OpenLDAP project, its relationship with Symas?

Well, as Chief Architect for the OpenLDAP Project I occasionally make decisions about what technical features should or should not be integrated into the code. For the most part though, developers in the OpenLDAP community simply work on whatever they choose, whatever scratches their itch. I wrote my first contribution in 1998 and was invited to join the core team shortly after that. Under Kurt Zeilenga's leadership, most of the early development in OpenLDAP was focused on cleaning up portability issues and implementing LDAPv3. The more radical evolution of the code since its UMich origins has been at my instigation and most of that is my code. I've been working full time on the project since 1999 as a Founder of Symas which has chosen to invest in this technology through funding my participation.

Q: How do you compare OpenLDAP with proprietary directory services technologies like Active Directory or SunOne?

Active Directory is fundamentally flawed in so many areas it barely deserves mention. It is grossly non-compliant with the LDAP specifications, breaking interoperability. And its database design is so broken it can barely get out of its own way. Our recent assessment of AD and Active Directory Application Mode (ADAM) as LDAP servers and the benchmarks that show it to be 3 to 5 times slower convinced us that enterprise strategies based on that as a production enterprise directory are headed for trouble. See Symas' enterprise assessment whitepaper of Microsoft Active Directory's Application Mode versus OpenLDAP and the report's update.

SunOne was, for some years, probably the leading directory technology in the industry. However, the original development teams walked away from the code base years ago and it's showing its age, with numerous well documented stability and maintainability issues. Today OpenLDAP has a significant lead in performance, scalability, and reliability. Unfortunately we can't publish benchmark results against SunOne due to a restriction in their end user license. It's worth noting, however, that SunOne is being replaced by OpenDS, an open source directory project written in Java. The reign of Sun's proprietary directory service is over; SunOne has reached the end of the line.

OpenLDAP is unmatched by any other directory service, proprietary or open source. Of all the others available, the proprietary ones are just hiding their dirty laundry and all of them are just a waste of time and money.

Q: We are seeing the emergence of an Open Source software stack upon which it is perfectly possible to run an enterprise. Where do you see OpenLDAP's position in this 'Open Source enterprise stack'?

I think the best answer to that is to point to HP's Open Source Investment Portfolio and Open Source Middleware Stack. They selected OpenLDAP as the directory technology (and Symas as the support partner).

Several smaller ISVs have also adopted OpenLDAP as their directory technology of choice (Ventyx and Zimbra the most notable) and we expect more announcements of that type.

Q: It seems every OSS project has its own different LDAP schema, for example Samba's schema is very different from those used by GOsa or Kolab. What's your solution to the problem of schema proliferation and associated problems of incompatibility and complexity?

Schema proliferation in LDAP directories is really quite manageable. The main point is to get these various teams to publish formal specifications of their schema for public review, to aid in their adoption. As an example, we're working with the Samba team and IETF Kerberos working group to develop a standard LDAP schema for Kerberos KDC information. We're creating a rational superset of the schemas currently used by Heimdal and MIT, which can be consistently implemented by both and then relied upon by Samba and other applications that need to work closely with Kerberos and LDAP. It's simple really: the people and teams have to interoperate, in order to ensure that the software will interoperate.

It's a bit surprising that this is even considered a problem in the LDAP space, because it's generally so easy to address. You very rarely run into truly incompatible schema definitions. Usually you just find that the published standard schema are incomplete or inadequate for a specific application you had in mind. That's to be expected, since most of the published schema are only intended as starting points, and they're meant to be extended and mixed and matched with other schema. In contrast, schema management in relational databases is a truly intractable problem. There are no shared definitions in the SQL world like there are in X.500/LDAP. In fact there isn't even a single SQL in the first place, there are a variety of subtly incompatible dialects without any authoritative reference. Even such fundamental concepts as elementary data types (integer, Int64, etc.) lack a standard definition across various implementations.

Of course we do run into situations where in-depth education is needed. We do a lot of formal and informal consulting for enterprises moving to OpenLDAP. Some compatibility concerns occasionally pop up but they're quickly addressed as technical staff gets up to speed with early "LDAP University" classes that Symas teaches.

Q: How can the OSS community work better towards encouraging the use of OpenLDAP by enterprises?

It's first about selecting LDAP as the technology for directory data. We see enterprises and OSS projects implementing directory data stores with other technologies and they rarely scale, perform, or administer adequately for enterprise deployments. LDAP offers a superior and readily available database for directory data. Second, take the time to qualify your LDAP use against OpenLDAP. Having invested in LDAP capable code, you should test it against the most standards-compliant LDAP technology and offer your users the chance to easily deploy on OpenLDAP. Third, they should benchmark the OSS directory technologies using the proposed schema, representative data samples and workloads, and at numbers of entries similar to what enterprises might need. These benchmarks are simple to do and Symas can help a project get started with the OSS benchmarking technology we use constantly. Those three steps will quickly convince OSS developers to endorse OpenLDAP as their recommended OSS directory technology.

Mar 05
2008

Open Source software is the only way to deliver sustainable savings in public sector IT

Posted by mtaylor in whitehall, public sector, Politics, Open Source, Advocacy


Things could hardly be tougher in the Whitehall front line. Last year Gordon Brown made it clear in his budget speech just what he expects – 4% annual growth in spending on front line services financed out of just 2% overall budget growth.

Enacting this latter day miracle of loaves and fishes is not going to be easy. But it will not happen at all unless Whitehall ends its chronic failure to use market power to deliver sustainable savings in the massive bill the public sector pays for software.

Nowhere else would departments or their agencies tolerate a monopoly or a monoculture. Imagine if every department decided, as policy, to buy its hardware from the same supplier. Of course innovation wouldn’t stop – improvements in manufacturing and the fundamental laws of physics would see to that. But the pace would slow – what’s the incentive if the buyer is locked in? – and the price would rocket.

And that is exactly where we are with software.

Whitehall needs to apply the lessons it has learnt everywhere else – not just that markets drive down cost and improve quality but that sustaining markets requires active fostering with regular deal flow and sufficient encouragement to the supplier community to keep stepping up to the wicket to compete for the work.

We do not expect proprietary software to disappear from the public sector. We don’t even expect, in the short to medium term at least, that there will be a massive shift away from current suppliers to a more heterogeneous world. But we do think that unless Whitehall acts to create a mixed market in software supply then long term savings will be impossible to deliver.

The open source business model is a different one from the proprietary model that currently dominates. And we think those differences mean even a relatively small use of open source will drive big changes that benefit purchasers and ultimately the public.

The key insight of the open source model is that the software you use should be yours to control and customise. It’s not a new concept: the internet depends on open source to direct you to the site you want to see. And the TCP/IP protocols that carry almost all network traffic – whether on the internet or not - have driven out proprietary alternatives not because of heavy handed marketing or the famous “fear, uncertainty and doubt” beloved of computer salesmen of old, but precisely because they are open and so strengthened by peer review.

That openness means that there is a common interest in driving improvements and innovation, making software more reliable, more robust and even simpler to use. And open source is big business: the Linux operating system, at the core of so many open source projects, might have been started in the bedroom of a Finnish student, but today it is at the heart of a multi-billion dollar industry that is revolutionising the way IT works.

We have already seen this in the private sector. Moving to new software solutions based on the open source business model is saving Specsavers, Europe's fastest growing opticians group, hundreds of thousands of pounds a year in licensing alone. Yes, there are costs of transition from one set of software to another, but they are broadly comparable to the familiar cycle of software upgrades that proprietary users have to face every two to five years. The difference is that open source delivers year on year savings once we've got over the hump of the software upgrade.

Bringing those benefits to the public sector might require some people to take what seem like counter-intuitive decisions. The first thing that the big proprietary software firms do when they hear a government department are considering opting for a more diverse range of software suppliers is pitch up at their door offering big discounts.

These tactics have worked well for the proprietary software sellers. Britain only ranks sixth amongst public sector users of open source in the EU. Yet few would claim that means we have better quality IT infrastructure or a better record of delivering IT-led service transformation.

But, like the offers in the summer sales, the discounts offered one day are recouped by mark-ups sought at a later date and, particularly when the purchasers are big central departments, purchasing decisions need to be made in the general interest of the taxpayer, not simply on the basis of who is offering the cheapest price on that one day.

And the supplier lock-in does more than keep costs high, it stifles innovation. Ten years ago the “browser wars” were big news in IT – with two proprietary solutions – Netscape Navigator and Internet Explorer – battling it out to be the desktop gateway to the web. Internet Explorer – offered at the ultimate discount of the ‘free’ download (of course the costs were bundled into the cost of the operating system licence) – eventually crushed Netscape. But with the competition gone, the browser technology stagnated, with the only updates being the endless security patches designed to beat the growing army of ‘blackhats’ trying to hijack our machines.

Firefox vs. IE

But then, not even three years ago, version 1.0 of the open source son of Navigator, Firefox, was released. Suddenly, competition kicked in as open source developers brought their expertise to the browser project. Today as much as a quarter of the world’s internet browsers are using Firefox and while Internet Explorer remains the default choice for most of us, it has radically improved as its developers face up to a struggle to keep market share.

The lesson is that the only way to deliver long term cost savings and sustainable quality improvements will be to actively sponsor some bio-diversity in the software world. A few years ago that could quite easily have been done through the use of proprietary software – in word processors think of Wordstar, AmiPro and Wordperfect – but that option has largely gone: only open source has had the strength to resist the monopoly.

We have been able to resist because we have been able to demonstrate quality. Two key aspects of the open source philosophy – that in general a piece of software should do just one thing but do it well and that individual pieces of software should be designed to work together through the use of open and extensible data formats – mean that open source software now dominates the backbone of the internet.

Whitehall is often criticised for its aversion to risk as opposed to its willingness to manage it. Switching to a mixed market for software may strike some as a risk too far. Yet at the same time we work in a world where the Internet is taken to be a given, not just at the “five nines” level of reliability but always there, always on. That constancy is a token of open source, open protocols and open data. It is time these came to the public sector.

Feb 28
2008

Open Source in schools could save the taxpayer billions

Posted by jspencer in Power Consumption, Politics, Open Source Schools ICT, Open Source, Networks Databases, Linux, Internet Connectivity, Environmental, Email Calendaring, Elonex One, Desktops, becta, Advocacy

In a previous 2005 report the Government quango Becta showed that schools could effect considerable savings by making use of Free Open Source software such as Open Office. In their study they simply looked at 'like for like' software replacement using existing networks and computers.

Since this study we have seen the emergence of the new breed of ultra-portable Linux-based computers aimed squarely at the education sector and the inexorable build of Web 2 services such as Google Apps.

Elonex One

This week the Elonex One, a Linux-based laptop costing less than £100, was launched at the Education Show in Birmingham causing much excitement amongst the visitors and a very serious discussion about how best to support this new breed of Linux laptops in schools.

So much has changed so quickly that a model of Open Source school computing is emerging which could save the UK taxpayer billions of pounds and provide enormous opportunities for the home-grown technology sector based around Open Source software.

The problem

The Government does not produce figures for the total cost of ICT in schools. Our research shows however that when staffing and power use are included a typical secondary school will spend between £100,000 - £200,000 per year on ICT.

Scale this figure for the whole UK and it approximates to over £½ billion per year.

Contrary to common perception, however, only a small fraction of the cost of ICT in schools is spent on computers and software - 60% of the cost is on technical support and 20% on electricity.

Quite simply, school networks have become too complex for the purpose they serve.

The answer is to simplify the school ICT infrastructure and lower costs by outsourcing more services.

Outsourcing

Outsourced services based on free Open Source software such as e-mail, content filtering and remote backup are entirely appropriate to an education sector:

  • Content filtering using DansGuardian is very powerful and scalable.
  • E-mail using Open Source software is sophisticated, highly available and secure. Easy management of webmail and accounts using GOsa.
  • Rsync for secure, remote back-ups.

Examples of where such services already exist are a bi-lingual webmail system accessible to all schools in Carmarthenshire County and the fully managed web content filtering infrastructure available to all schools within the Yorkshire and Humberside region.

In both cases the use of free, Open Source technologies has driven exceptional value compared to similar systems deployed using proprietary software.

Simplifying On-Site Infrastructure

Much of the complexity and management burden to schools comes from the sheer number of computers needing maintenance - typically 100-500 desktop PCs and approximately eight network servers (file-authentication server, MIS database server, e-mail server, Intranet server, VLE server, thin-client server, web content filtering servers and a firewall).

But what ICT services do students really require from their school?

  • Access to suitable software for teaching and learning
  • E-mail
  • Safe access to the Internet
  • A home folder for personal file storage
  • Access to shared resources (e.g. Intranet, VLEs, Public Folders, Databases)

How does the emerging model for Open Source in ICT meet these essential needs?

  • The new low-cost Linux sub-notebooks have a very large range of Free Open Source applications already installed and many more available for free download, certainly enough for 95% of all educational needs. Many more applications are available on line through Web 2.0 technologies.
  • E-mail and safe Internet access will be outsourced.
  • Home folders and shared resources can be provided by one computer. By using Internet protocols and abandoning the venerable Windows SMB/CIFS protocols all of these services can be provided by one Open Source database/web server.

If schools moved their ICT to this model the spiral of ever increasing cost and complexity would be broken.

Becta, having twice warned schools against upgrading to Vista or Office 2007, has effectively signalled a halt to what has been an unbroken series of expensive and increasingly ineffective upgrades. It seems 2008 is the year when schools should take stock and rethink their strategic approach to ICT.

The rewards for change are very substantial. Schools would reduce their costs by 4/5ths producing not only an enormous saving to the taxpayer but making it possible to adapt to new developments in ICT and focus more resources on teaching. New opportunities would be created for the domestic technology industry and there would be far less dependence on dominant multinational suppliers.