
Re: Supported RFC's and "features"



Clowser, Jeff (Contractor) wrote:
> i.e. to get a definitive list of features it's missing that Sun has
> and what it has that Sun doesn't have, etc.  (...) have just focused
> on those associated with 1) RFC compliance (...) and 2) features to
> match the Sun DS (which it would be replacing).

Are you interested in non-RFC features in OpenLDAP that Sun does not
have?  First you say yes, then no.

Also, are you interested in clients?  The library?  Otherwise don't say
just "OpenLDAP", since that's both server, libraries and clients.  (I
don't know which of those, if any, "Sun DS" refers to.)

> RFC 4510 (which includes 4511-4519).  There was recent discussion on the
> list around this, such that in some cases, not everything that changed
> from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been
> updated in OpenLDAP, but I think those issues are fairly minor.
>
> The following additional RFC's are supported in OpenLDAP:
> - RFC 2247 and RFC 3088
> - RFC 4524 COSINE schema

Note that if you find some LDAP implementation which doesn't already
provide them, supporting these is trivial - just load the schemas
defined in the RFCs.  Unless the server defines some conflicting schema
elements of its own.

> (There are some other, often obscure, LDAP related RFC's that I didn't
> include, but this seems to be the major/useful ones)

You may need to compare RFC 4513 features (Authentication Methods and
Security Mechanisms) in more detail.  E.g. SASL is *defined* as just a
framework.  Access controls are important, but the details are left to
the implementation.  So are the details for how to store, hash and
protect passwords and certificates, how to map between SASL identities
and LDAP identities (DNs), and various security policies.

Documentation, support and user community are other "features" you might
have a look at.  If you are in trouble, is the doc good enough to get
you out of it?  Do you get help?  If you opt for paid support, what do
you get for your money?  (For OpenLDAP, the doc has been lagging behind
the software but has steadily improved.  It got a major boost for
OpenLDAP 2.4.  Paid support - see home page.)

> Other supported features:
> - dyngroup/dynlist/memberof overlay (A much more useful feature than
> Sun's groupOfURLs "dynamic" group and "roles" mechanism)

Also, some OpenLDAP fields can be LDAP URLs rather than DNs, even without
overlays: dynamic groups in access statements (unless the doc is missing
a reference to the overlay); authz-policy and authz-regexp for Proxy and
SASL Auth.

> - live acl changes via LDAP

More generally, live config changes.

-- 
Regards,
Hallvard
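The authz-regexp mapping and the live config changes mentioned above, as an
added example (not Hallvard's, and not from the OpenLDAP project's own docs).
It is an LDIF for the cn=config backend that maps the SASL identity
"uid=<user>,cn=<mech>,cn=auth" to a DN found by an LDAP URL search, restricts
proxy authorization to the "to" policy, and replaces a database's ACLs without
a restart. The suffix dc=example,dc=com, the ou=people container and the
database index {1}mdb are assumptions; adjust them to your directory.

```ldif
# Added example: global SASL identity mapping (RFC 4513 leaves this to the
# implementation; in OpenLDAP it is authz-regexp / olcAuthzRegexp).
# The replacement is an LDAP URL, so the SASL user name is resolved by a
# one-level search under ou=people rather than by string substitution.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=[^,]*,cn=auth ldap:///ou=people,dc=example,dc=com??one?(uid=$1)
-
# Only entries carrying authzTo may proxy-authorize as someone else.
add: olcAuthzPolicy
olcAuthzPolicy: to

# Added example: live ACL change on the first database (index {1}mdb assumed).
# Passwords are never readable, only comparable for binds; everything else
# is readable by authenticated users and writable by the entry owner.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif` on the server
host (the usual root-over-ldapi setup); the new olcAccess values take effect
for the next operation, which is the "live config changes" point above. Keep
the {0}/{1} ordering explicit, because slapd evaluates access directives in
order and stops at the first match.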