Return-Path: 
 <users-return-4769-apmail-directory-users-archive=directory.apache.org@directory.apache.org>
X-Original-To: apmail-directory-users-archive@www.apache.org
Delivered-To: apmail-directory-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 666D9D83A
	for <apmail-directory-users-archive@www.apache.org>;
 Thu, 12 Jul 2012 09:37:58 +0000 (UTC)
Received: (qmail 89710 invoked by uid 500); 12 Jul 2012 09:37:56 -0000
Delivered-To: apmail-directory-users-archive@directory.apache.org
Received: (qmail 88577 invoked by uid 500); 12 Jul 2012 09:37:52 -0000
Mailing-List: contact users-help@directory.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@directory.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@directory.apache.org>
List-Post: <mailto:users@directory.apache.org>
List-Id: <users.directory.apache.org>
Reply-To: users@directory.apache.org
Delivered-To: mailing list users@directory.apache.org
Received: (qmail 88497 invoked by uid 99); 12 Jul 2012 09:37:50 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Jul 2012 09:37:50 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of elecharny@gmail.com designates
 209.85.215.178 as permitted sender)
Received: from [209.85.215.178] (HELO mail-ey0-f178.google.com)
 (209.85.215.178)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 12 Jul 2012 09:37:41 +0000
Received: by eaae11 with SMTP id e11so708110eaa.37
        for <users@directory.apache.org>;
 Thu, 12 Jul 2012 02:37:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:reply-to:user-agent:mime-version:to:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=o0Cw8H/FCEXO2pDtmYG085wNrTC6ba7JJXfZyoxJNbE=;
        b=MvpYp5xpMxpiSsjsZTt9fS/k9ceCJ+pMq8ep9GOBlSBjLm/nFkAJyW0ONjqgl9Kwau
         gK9a+SsdKuFfmByU6/EsF4ksItiKPfDZkCoC0Ze07HOqf88DjPeCFIJH0/dzlcOu3WuK
         WRFeT4BTMAr2WGAzQvDNfqVHmy/0QoYn8QG5qatJ0hF/I3BQ48k4zDe//zOlIMK52mAE
         7Nc3rybdV6zyffYDCyj4hg46FFB/xzNDf+8zJb8mociUSWw7Z+TtbFncUP9cIw8LlqEN
         6lsdkIi85QUj5Ctvu4hZYS9+s1K4Ibwm7FVqY2Hjf7I0nhitNUgPy3hNBWjvOyOc4cTY
         cOSA==
Received: by 10.14.101.79 with SMTP id a55mr11776246eeg.32.1342085841630;
        Thu, 12 Jul 2012 02:37:21 -0700 (PDT)
Received: from dcw2k3004.degremont.knsdev.com
 (lon92-10-78-226-5-35.fbx.proxad.net. [78.226.5.35])
        by mx.google.com with ESMTPS id a16sm13842183eeg.0.2012.07.12.02.37.20
        (version=SSLv3 cipher=OTHER);
        Thu, 12 Jul 2012 02:37:21 -0700 (PDT)
Message-ID: <4FFE9ACF.6090405@gmail.com>
Date: Thu, 12 Jul 2012 11:37:19 +0200
From: =?UTF-8?B?RW1tYW51ZWwgTMOpY2hhcm55?= <elecharny@gmail.com>
Reply-To: elecharny@apache.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7;
 rv:13.0) Gecko/20120614 Thunderbird/13.0.1
MIME-Version: 1.0
To: users@directory.apache.org
Subject: Re: Best choice for production LDAP?
References: <BDF43D37-128A-486E-AAF2-157EEFBF4DBB@conncoll.edu>
In-Reply-To: <BDF43D37-128A-486E-AAF2-157EEFBF4DBB@conncoll.edu>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Le 7/11/12 3:50 PM, Tillinghast, Andrew P. a écrit :
> This seems a straight forward question but looking back through the archives I
> don't see it asked in the last year - in October there was a similar question
> but not quite what I want to know.
>
>
> I need to set up a production LDAP solution and I'm looking for guidance on the
> version of apacheDS to implement.
>
> First of all the last version that was marked as "Stable" is 1.0.2 from May of
> 2007, all the 1.5.x versions are identified as "unstable" - Usually production
> and unstable aren't a good combination.

Stable, meant (back then) that teh API was not supposed to evolve. In 
1.5, the API has evolved a lot betewwn each minor version (ie, from 
1.5.0 to 1.5.1, from 1.5.1 to 1.5.2, etc.

In any case, it has nothing to do with the 'stability' of the server : 
the tests we run are the same, and we don't release unless all the tests 
are passing. The risk for the user is that you install version X 
(unstable), then a version X+1 is released, but in order to upgrade, you 
may have to export the data and impert them again, plus some new 
features have been added, and some other have been deprecated.

But more or less, I can tell that the choice we have made (going for 
stable/unstable versions) was *wrong*. This is why we moved from 1.5.7 
to 2.0-Mx.
>
> I completely understand that the 2.0.0 milestone releases are beta - also not
> usually good for production.
Yep.
>
> Unfortunately, for a production implementation there are features missing from
> the 1.5.x versions that I consider extremely important, specifically
> multi-master replication.
Yep, we do consider that those are missing features.
>
> Besides stability of a beta release the other key issue I see with the 2.0.0
> releases is that the documentation is still sparse, completely reasonable for a
> beta version but will make implementation more of a challenge.
Yep.
>
> I'm leaning towards ApacheDS because the product is Java based, seems to have a
> great feature set, and I've had a good history with Apache projects, but I'm
> willing to look at switching to another LDAP solution if ApacheDS isn't ready
> for our needs.
Totally makes sense. I mean, we could tell you that ApacheDS is perfect, 
and to some respect, this is what many vendors are doing : they market 
their product as version X.Y.Z, and fix bugs on the fly. We don't. We 
prefer going for milestones until we have a production ready server, 
even if it takes years...
Quality rules here.

>
>
> To give an idea of our production needs:
>
> We are a high education institution with about 2,500 Staff, Students and Faculty.
> We have approximately 30,000 alumni that continue to have access to various
> systems through CAS.
> We are completely revamping our IAM implementation from AD, Custom scripts and
> CAS to a central Identity vault (where we see apacheDS in the system) fed by
> SPML from our ERP, integrated with Grouper, CAS, Shibboleth, Federated Identity,
> Kerberos and Guest registration through OpenRegistry.
> Desired to be in production by the 13th of August, and I'm the only technical
> person tasked with the implementation.
Frankly ? Use ApacheDS for tests and development. In production, go for 
OpenLDAP atm.They do have everything, except that it's not Java based.

I would *love* telling you that ApacheDS is what you should use in this 
very limited time frame, but that would be a lie. I'd rather disapoint 
you now telling you that we are not production ready for such an usage 
than letting you discovering it by yourself, and being pissed off on 
august !


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com