Mar 08, 2008

Interview with OpenLDAP's Howard Chu

Posted by tcallway in Windows, sunone, openldap, Open Source, GPL, Email Calendaring, directory services, Advocacy, active directory

OpenLDAP

Who is Howard Chu?

Howard Chu is the Chief Architect of the OpenLDAP project and its main corporate sponsor Symas Corporation. OpenLDAP is a free, open source implementation of the Lightweight Directory Access Protocol (LDAP) which provides an enterprise with shared address books, single sign-on functionality, automount of home directories and file sharing for Linux, Unix, Mac and Windows clients.

Q: Can you tell us a little bit about what you do, the OpenLDAP project, its relationship with Symas?

Well, as Chief Architect for the OpenLDAP Project I occasionally make decisions about what technical features should or should not be integrated into the code. For the most part though, developers in the OpenLDAP community simply work on whatever they choose, whatever scratches their itch. I wrote my first contribution in 1998 and was invited to join the core team shortly after that. Under Kurt Zeilenga's leadership, most of the early development in OpenLDAP was focused on cleaning up portability issues and implementing LDAPv3. The more radical evolution of the code since its UMich origins has been at my instigation and most of that is my code. I've been working full time on the project since 1999 as a Founder of Symas which has chosen to invest in this technology through funding my participation.

Q: How do you compare OpenLDAP with proprietary directory services technologies like Active Directory or SunOne?

Active Directory is fundamentally flawed in so many areas it barely deserves mention. It is grossly non-compliant with the LDAP specifications, breaking interoperability. And its database design is so broken it can barely get out of its own way. Our recent assessment of AD and Active Directory Application Mode (ADAM) as LDAP servers and the benchmarks that show it to be 3 to 5 times slower convinced us that enterprise strategies based on that as a production enterprise directory are headed for trouble. See Symas' enterprise assessment whitepaper of Microsoft Active Directory's Application Mode versus OpenLDAP and the report's update.

SunOne was, for some years, probably the leading directory technology in the industry. However, the original development teams walked away from the code base years ago and it's showing its age, with numerous well documented stability and maintainability issues. Today OpenLDAP has a significant lead in performance, scalability, and reliability. Unfortunately we can't publish benchmark results against SunOne due to a restriction in their end user license. It's worth noting, however, that SunOne is being replaced by OpenDS, an open source directory project written in Java. The reign of Sun's proprietary directory service is over; SunOne has reached the end of the line.

OpenLDAP is unmatched by any other directory service, proprietary or open source. Of all the others available, the proprietary ones are just hiding their dirty laundry and all of them are just a waste of time and money.

Q: We are seeing the emergence of an Open Source software stack upon which it is perfectly possible to run an enterprise. Where do you see OpenLDAP's position in this 'Open Source enterprise stack'?

I think the best answer to that is to point to HP's Open Source Investment Portfolio and Open Source Middleware Stack. They selected OpenLDAP as the directory technology (and Symas as the support partner).

Several smaller ISVs have also adopted OpenLDAP as their directory technology of choice (Ventyx and Zimbra the most notable) and we expect more announcements of that type.

Q: It seems every OSS project has its own different LDAP schema, for example Samba's schema is very different from those used by GOsa or Kolab. What's your solution to the problem of schema proliferation and associated problems of incompatibility and complexity?

Schema proliferation in LDAP directories is really quite manageable. The main point is to get these various teams to publish formal specifications of their schema for public review, to aid in their adoption. As an example, we're working with the Samba team and IETF Kerberos working group to develop a standard LDAP schema for Kerberos KDC information. We're creating a rational superset of the schemas currently used by Heimdal and MIT, which can be consistently implemented by both and then relied upon by Samba and other applications that need to work closely with Kerberos and LDAP. It's simple really: the people and teams have to interoperate, in order to ensure that the software will interoperate.

It's a bit surprising that this is even considered a problem in the LDAP space, because it's generally so easy to address. You very rarely run into truly incompatible schema definitions. Usually you just find that the published standard schema are incomplete or inadequate for a specific application you had in mind. That's to be expected, since most of the published schema are only intended as starting points, and they're meant to be extended and mixed and matched with other schema. In contrast, schema management in relational databases is a truly intractable problem. There are no shared definitions in the SQL world like there are in X.500/LDAP. In fact there isn't even a single SQL in the first place, there are a variety of subtly incompatible dialects without any authoritative reference. Even such fundamental concepts as elementary data types (integer, Int64, etc.) lack a standard definition across various implementations.

Of course we do run into situations where in depth education is needed. We do a lot of formal and informal consulting for enterprises moving to OpenLDAP. Some compatibility concerns occasionally pop up but they're quickly addressed as technical staff gets up to speed with early "LDAP University" classes that Symas teaches.

Q: How can the OSS community work better towards encouraging the use of OpenLDAP by enterprises?

It's first about selecting LDAP as the technology for directory data. We see enterprises and OSS projects implementing directory data stores with other technologies and they rarely scale, perform, or administer adequately for enterprise deployments. LDAP offers a superior and readily available database for directory data. Second, take the time to qualify your LDAP use against OpenLDAP. Having invested in LDAP capable code, you should test it against the most standards-compliant LDAP technology and offer your users the chance to easily deploy on OpenLDAP. Third, they should benchmark the OSS directory technologies using the proposed schema, representative data samples and workloads, and at numbers of entries similar to what enterprises might need. These benchmarks are simple to do and Symas can help a project get started with the OSS benchmarking technology we use constantly. Those three steps will quickly convince OSS developers to endorse OpenLDAP as their recommended OSS directory technology.

Feb 29, 2008

Open Source in schools could save the taxpayer billions

Posted by jspencer in Power Consumption, Politics, Open Source Schools ICT, Open Source, Networks Databases, Linux, Internet Connectivity, Environmental, Email Calendaring, Elonex One, Desktops, becta, Advocacy

In a previous 2005 report the Government quango Becta showed that schools could effect considerable savings by making use of Free Open Source software such as Open Office. In their study they simply looked at 'like for like' software replacement using existing networks and computers.

Since this study we have seen the emergence of the new breed of ultra-portable Linux-based computers aimed squarely at the education sector and the inexorable build of Web 2 services such as Google Apps.

Elonex One

This week the Elonex One, a Linux-based laptop costing less than £100, was launched at the Education Show in Birmingham causing much excitement amongst the visitors and a very serious discussion about how best to support this new breed of Linux laptops in schools.

So much has changed so quickly that a model of Open Source school computing is emerging which could save the UK taxpayer billions of pounds and provide enormous opportunities for the home-grown technology sector based around Open Source software.

The problem

The Government does not produce figures for the total cost of ICT in schools. Our research shows, however, that when staffing and power use are included a typical secondary school will spend between £100,000 and £200,000 per year on ICT.

Scale this figure for the whole UK and it approximates to over £½ billion per year.

Contrary to common perception, however, only a small fraction of the cost of ICT in schools is spent on computers and software - 60% of the cost is on technical support and 20% on electricity.

Quite simply, school networks have become too complex for the purpose they serve.

The answer is to simplify the school ICT infrastructure and reduce the services run on site by outsourcing more of them.

Outsourcing

Outsourced services based on free Open Source software such as e-mail, content filtering and remote backup are entirely appropriate to an education sector:

  • Content filtering using DansGuardian is very powerful and scalable.
  • E-mail using Open Source software is sophisticated, highly available and secure. Easy management of webmail and accounts using GOsa.
  • Rsync for secure, remote back-ups.

Examples of where such services already exist are a bi-lingual webmail system accessible to all schools in Carmarthenshire County and the fully managed web content filtering infrastructure available to all schools within the Yorkshire and Humberside region.

In both cases the use of free, Open Source technologies has driven exceptional value compared to similar systems deployed using proprietary software.

Simplifying On-Site Infrastructure

Much of the complexity and management burden to schools comes from the sheer number of computers needing maintenance - typically 100-500 desktop PCs and approximately eight network servers (file-authentication server, MIS database server, e-mail server, Intranet server, VLE server, thin-client server, web content filtering servers and a firewall).

But what ICT services do students really require from their school?

  • Access to suitable software for teaching and learning
  • E-mail
  • Safe access to the Internet
  • A home folder for personal file storage
  • Access to shared resources (e.g. Intranet, VLEs, Public Folders, Databases)

How does the emerging model for Open Source in ICT meet these essential needs?

  • The new low-cost Linux sub-notebooks have a very large range of Free Open Source applications already installed and many more available for free download, certainly enough for 95% of all educational needs. Many more applications are available on line through Web 2.0 technologies.
  • E-mail and safe Internet access will be outsourced.
  • Home folders and shared resources can be provided by one computer. By using Internet protocols and abandoning the venerable Windows SMB/CIFS protocols all of these services can be provided by one Open Source database/web server.

If schools moved their ICT to this model the spiral of ever increasing cost and complexity would be broken.

Becta, having twice warned schools against upgrading to Vista or Office 2007, has effectively signalled a halt to what has been an unbroken series of expensive and increasingly ineffective upgrades. It seems 2008 is the year when schools should take stock and rethink their strategic approach to ICT.

The rewards for change are very substantial. Schools would reduce their costs by 4/5ths producing not only an enormous saving to the taxpayer but making it possible to adapt to new developments in ICT and focus more resources on teaching. New opportunities would be created for the domestic technology industry and there would be far less dependence on dominant multinational suppliers.

May 13, 2006

Whitepaper: Groupware

Posted by tcallway in Email Calendaring

The Problem

Sirius Corporation has recently successfully implemented a completely Open Source network infrastructure for a 120 person company with several regional offices in the UK and in the Middle East.

Our client wanted an Open Source groupware solution that, in addition to standard IMAP and SMTP e-mail services, would allow them to do group calendaring with Microsoft Outlook 2003 as the client.

Selection Criteria

It was important that whatever solution was selected should work well alongside Sendmail and Cyrus and integrate with OpenLDAP. The selection criteria used were:

  • Group calendaring functionality
  • Microsoft Outlook 2003 compatibility
  • PDA synching capability
  • Minimum change required of users
  • Project viability (openness, membership, activity, profile/visibility)
  • Solution architecture
  • Support for open standards (WebDAV, CalDAV, GroupDAV and iCAL)

Sirius tested and evaluated the best known Open Source groupware solutions including: Zimbra, Kolab, Hula, Open Xchange and OpenGroupware.

Zimbra

Zimbra first caught our eye through a heavy PR campaign last year and was, at first glance, the front runner. Only the commercial "network" edition of the software promised Outlook compatibility, although at the time of the trial a pre-release version of their MAPI connector was not made available to us for testing.

The Open Source version of Zimbra installed smoothly and relatively easily. The Zimbra web interface is polished and attractive, allowing calendar entries to be easily linked with URLs and e-mail addresses and dragged, dropped and manipulated in a highly intuitive fashion. As a Java application, Zimbra did appear to run rather slowly, but this was on a Xen virtual test server with limited memory.

Where Zimbra really lost out, however, was its architecture and group calendaring functionality. When we tested Zimbra, group calendaring was promised in the next version which would not have helped us greatly with our client's requirement. The other aspect of Zimbra which ruled it out for our deployment was that it came as a single bundle of modified versions of Postfix and OpenLDAP with its own hand-rolled IMAP server – all of these logging to a single file. As we were looking to build a modular and highly scalable architecture, using standard or transparently modified Open Source packages, we did not wish to use a monolithic bundle of vendor-modified software.

Whilst Zimbra may represent a good solution for small companies wishing to install all their e-mail, calendaring and directory services on a single box without worrying too much how it works, it may not be the ideal solution for larger companies wishing to deploy groupware alongside other enterprise-class Open Source infrastructure.

Kolab

Kolab has a high profile as the preferred KDE groupware solution and has won a number of awards. However, as with Zimbra, it comes as a monolithic bundle of modified applications installing as RPMs (of all things) on Debian via openpkg. We found the installation rather messy and were not impressed with the available documentation. Kolab requires a commercial plugin for Outlook compatibility. The demo Konsec connector we tried did not work with Outlook 2003, which was not surprising as documentation was only available for Outlook 2000.

Whilst Kolab has a reasonably intuitive management web GUI it has no web interface for the user and requires a compatible client (Kontact or Outlook). As our Konsec connector did not work with Outlook 2003 we were not able to evaluate the group calendaring functionality in the context required by our client.

Open Xchange

Open Xchange, as with Zimbra, has an effective PR and marketing organisation behind it. Whilst the commercial version of the software may install smoothly, the Open Source version certainly does not. We waded through approximately twenty pages of intricate instructions and installed almost every Java package known to man. We finally decided against Open Xchange when the PostgreSQL setup files supplied with the Open Source version of the software proved to be horribly broken.

Overall we felt that the Open Source version of Open Xchange is not well supported by its vendor and that it would not provide a robust and reliable solution for ESRT.

Hula

Hula, the Novell-developed Open Source groupware solution, fell at the first hurdle by not providing support for Outlook as the client. Although the web interface is attractive, it is not particularly intuitive. The management interface however appeared to be sitting on top of some very ugly legacy code.

OpenGroupware

OpenGroupware is not perfect. The web GUI is functional rather than attractive. Outlook 2003 compatibility requires the installation of additional server software (Zidestore) which manages translation to and from MAPI. Zidestore has a dependency on Apache 1.3 which can cause unpredictable conflicts if you have previously chosen Apache 2.0 as your preferred server for OpenGroupware.

But OpenGroupware does do the job. It provides a fully functional webmail and web calendaring solution with support for WebDAV, CalDAV, GroupDAV and iCAL, as well as a backend solution for group calendaring with Outlook as the client (although be careful that you are using Outlook 2003 as earlier versions of Outlook do not allow simultaneous use of group calendaring and IMAP).

The Outlook plugin and Zidestore server cost 30 euros per seat. OpenGroupware and Zidestore integrate easily with OpenLDAP and work well alongside Cyrus and Sendmail.

Conclusion

In the context of the infrastructure deployment we undertook for our client OpenGroupware met all the requirements. In fact our only disappointment was that the Mozilla Foundation's Sunbird has not yet managed to come up with full support for group calendaring so that we could recommend a cleaner, leaner and Open Source calendaring client. Many of our client's staff are already eagerly moving to Thunderbird for their e-mail.

by Matthew Linden, Projects Director, Sirius Corporation Limited
