Top 4 open source LDAP implementations


Opensource.com

When you want to set up an application, most likely you will need to create an administrative account and add users with different privileges. This scenario happens frequently with content management, wiki, file sharing, and mailing lists as well as code versioning and continuous integration tools. When thinking about user and group centralization, you will need to select an application that fits your needs.

If the application can connect to a Single Sign On server, users will be happy to remember only one password.

In the proprietary landscape of directory servers, Active Directory is the dominant tool, but there are open source directory servers that can satisfy your needs as well. The LDAP protocol is the foundation of all of these directory servers, independently of how they are implemented. This protocol is an industry standard and allows you to create, search, modify, and delete your users or groups. And, if the application is able to connect to an LDAP server, you will not have to be concerned with understanding the protocol.

OpenLDAP

The best-known LDAP server, which you can find already packaged in many Linux distributions, is OpenLDAP. It is released under the OpenLDAP Public License, with good documentation and worldwide commercial support. With OpenLDAP you can secure the communication and define privileges for your users. Because it is administered from the command line, you may want to set up phpLDAPAdmin, a web application that lets you view and modify the structure of your organization from your browser. If you find setting up and configuring OpenLDAP difficult, you may find ApacheDS and OpenDJ easier, as both are LDAP servers running on Java.

ApacheDS

ApacheDS implements the latest version of the LDAP protocol, and it is released under the Apache license. Although you can use the OpenLDAP command-line tools against it, ApacheDS is shipped together with Apache Directory Studio, a client application that allows you to easily manage your users and groups. For the setup, ApacheDS provides different installers for Windows, Mac OS X, and Linux. Further, if you are looking for an open source Identity Server, you might discover that the WSO2 Identity Server has ApacheDS built in to manage users.

OpenDJ

OpenDJ is a fork of the former OpenDS project and shares its roots with Oracle Unified Directory, as both were inherited from Sun Microsystems. After Sun was acquired by Oracle in 2010, OpenDJ was designed to replace the Sun Directory Server. OpenDJ is released under the CDDL license and, like OpenLDAP, has good documentation and worldwide commercial support. OpenDJ is in active development, and ongoing activity is reflected in its roadmap. The OpenDJ team provides not only a client application to manage the server but also OpenAM, which provides Single Sign On, authorization, federation, and more.

389 Directory Server

The 389 Directory Server is a Red Hat product (also provided under the name Red Hat Directory Server on top of the Red Hat Enterprise distribution). It is mostly licensed under the GPL, with other components under different licenses. The directory server is in active development, and it is packaged for Fedora and the Red Hat distribution, although you can obtain it for other Linux distributions as well. The 389 Directory Server also has a graphical interface that can be used for administration. If you need more services, such as a Certificate Authority, authentication, and integration with Active Directory, check out FreeIPA, which is based on 389.


OpenLDAP, ApacheDS, OpenDJ, and 389 Directory Server all allow you to establish secure communication and define privileges for your users; they also have strong encryption methods for storing user passwords.
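How a directory server stores the userPassword attribute is the practical side of the "strong methods for storing user passwords" point above, and it is something to audit before you pick a server or migrate accounts into it. The following is an added example, not code from the article or from any of the servers it describes. It assumes the RFC 2307 convention that a userPassword value is either the cleartext password or "{SCHEME}" followed by the encoded hash, and it assumes a small set of scheme names (the exact set a given server accepts depends on which password modules it has loaded, so adjust the tables to your deployment). The sample entries and DNs are constructed; `make_ssha` and `verify_ssha` show the salted SHA-1 encoding that every server in the article understands, and `audit` groups entries by finding so cleartext and unsalted values stand out.

```python
"""Audit LDAP userPassword values and verify RFC 2307 {SSHA} hashes.

Added example (not from the article or any directory server project).
Assumption: RFC 2307 "{SCHEME}payload" encoding; scheme names below are
the common ones and should be adjusted for the modules your server loads.
"""
import base64
import hashlib
import hmac
import os

# Scheme tables (assumed; extend for your server's loaded password modules).
UNSALTED_HASHES = {"SHA", "MD5"}
SALTED_FAST_HASHES = {"SSHA", "SMD5", "SSHA256", "SSHA384", "SSHA512"}
KEY_DERIVATION = {"PBKDF2", "PBKDF2-SHA256", "PBKDF2-SHA512", "ARGON2"}


def make_ssha(password, salt=None):
    """Encode a password as a server would store a {SSHA} value:
    base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(8)  # a few random bytes per entry, as servers do
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, candidate):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def split_scheme(value):
    """Return (SCHEME, payload) for "{SCHEME}payload", or (None, value)."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return None, value


def classify_password(value):
    """Map one userPassword value to an audit finding."""
    scheme, payload = split_scheme(value)
    if scheme is None or scheme == "CLEARTEXT":
        return "cleartext"
    if scheme in UNSALTED_HASHES:
        return "unsalted-hash"
    if scheme in SALTED_FAST_HASHES:
        return "salted-fast-hash"
    if scheme in KEY_DERIVATION:
        return "key-derivation"
    if scheme == "CRYPT":
        # crypt(3) variants: $5$/$6$ (SHA-crypt) and $2*$ (bcrypt) are iterated;
        # $1$ (md5crypt) and 13-character traditional DES are not acceptable today.
        if payload.startswith(("$5$", "$6$", "$2a$", "$2b$", "$2y$")):
            return "key-derivation"
        return "weak-crypt"
    return "unknown-scheme"


def audit(entries):
    """Group DNs by finding; entries is a dict of DN -> userPassword value."""
    report = {}
    for dn, value in entries.items():
        report.setdefault(classify_password(value), []).append(dn)
    return report


# Constructed sample entries (hypothetical DNs and passwords, not real data).
SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": make_ssha("correct horse"),
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",  # stored exactly as typed
    "uid=carol,ou=people,dc=example,dc=com":
        "{SHA}" + base64.b64encode(hashlib.sha1(b"pw").digest()).decode("ascii"),
    "uid=dave,ou=people,dc=example,dc=com": "{CRYPT}$6$saltsalt$placeholderhash",
    "uid=erin,ou=people,dc=example,dc=com": "{CRYPT}$1$saltsalt$placeholderhash",
}

if __name__ == "__main__":
    for finding, dns in sorted(audit(SAMPLE_ENTRIES).items()):
        print(f"{finding}: {', '.join(dns)}")
```

In practice you would feed `audit` the output of an `ldapsearch` for `userPassword` run with an account that is allowed to read that attribute; the point of the report is to find entries that were imported or written in cleartext so they can be rehashed by forcing a password change, rather than to evaluate any password itself.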

Emidio is an IT consultant passionate about open source software, new technologies, continuous delivery, and automation testing. You can follow him on Twitter @emidiostani.

18 Comments

Shouldn't this be called "Open source implementations of LDAP" or "Open source alternatives to Active Directory"? The article correctly describes that LDAP is just the protocol, but the title is confusing and possibly misleading.

Hello Mark, I agree with you. Currently I am experiencing a login problem; as soon as it is solved, I will change it.

Best,

Emidio

Hello, I fixed the title :-)

No mention of FreeIPA? Admittedly, the LDAP implementation is 389 Directory Server, but if you're discussing GUI tools and Active Directory it seems like a good fit. IPA installation is extremely easy, comes with an HTML management GUI, and gives you useful pre-integrated services like Kerberos, a CA, optional management of your DNS, and so-on. For most people who might consider deploying a new directory, it should be a strong contender. I think it's easier and more full-featured than anything mentioned in the article.

Thank you, Andrew, for reporting it and sharing it. Being a Red Hat product, I am sure it is a good product. I will have a better look and add it.

You're most certainly welcome. I'd also hasten to point out that FreeIPA is an open source project, and as such no more "Red Hat's" than 389 or Fedora - my employer pays a lot of people to work on it, but it's hardly proprietary. There's also no extra charge for it as a RHEL component, so there's no sale for me to try to drive with the comments. I just like it.

In reply to by Emidio Stani

" you can consider setting up phpLDAPAdmin" --

For managing openLDAP, mention should also be made of the web interface LDAP Account Manager (LAM)

Home Page of LAM is at

Hello Malcolm, thanks for mentioning it. The article is more focused on the LDAP servers, and as far as I can see LAM is based on phpLDAPAdmin.

In reply to by Malcolm Thompson (not verified)

No mention of Samba4?

Samba4 is an open source AD and CIFS server. In my mind AD is a tightly canned and somewhat limited LDAP server rolled up with Kerberos and half of a DNS server.

It's quite an achievement nonetheless, but personally I'm having a hard time letting go of the flexibility of OpenLDAP for the "privilege" of speaking more natively with Windows systems. They're kinda on their way out (finally), IMO.

Sadly, generations of IT folk have been taught that AD IS LDAP. It most definitely is NOT.

In reply to by Brad Hards (not verified)

Hello Brad,

indeed Samba4 is quite interesting, I will keep an eye on it.

Hello!

I want to use LDAP and learn a lot about it at the moment. Is it useful to use it? All documentation I found is from 2001 or something. Will LDAP be outdated in the next years, or have other architectures been released in the meantime? I am thinking about migrating a project to LDAP and wondering if it is a modern method.

Hello Brandon,

LDAP is a well-known and stable protocol that is used a lot at the corporate level; a lot of software, like Drupal, Jenkins, Nexus, ownCloud, the Atlassian suite, Redmine, Apache, PAM, and Postfix, supports it. Of course there can be new protocols around, for example REST APIs, but the concept is always the same. The difference among the various software is the level of extension they provide; for example, ApacheDS and OpenDJ support various password encryption methods, which could be one of your requirements if you previously saved passwords in a particular format and you don't want to ask your users to change their password as soon as an LDAP server is installed. For me LDAP is the natural choice as soon as new software needs to be installed, since only a few of them can act as Single Sign On clients, so you want to make sure of at least user centralization.

In reply to by Brandon (not verified)

Thanks,

Your answer is very helpful for me!

In reply to by Emidio Stani

OpenLDAP only has the strong encryption if you are willing to become an OpenLDAP developer. You will have to create your own distribution of OpenLDAP, compile from source, package it, and so forth.

It is not included in the default install. By default, passwords will be stored in plain text.

Very useful! Many thanks!

I use OpenLDAP and Samba3 for single sign on. With the help of the smbldap tools, we can start loading OpenLDAP with a structure for Windows login (you need to add the Samba schema to the OpenLDAP schema directory), etc. Each time I want to create a new user or group, I use the smbldap tools (smbldap-useradd / smbldap-groupadd), since they are "safer" to use than phpLDAPAdmin and more flexible (we can add/delete hundreds of users via a bash script). For the operations team, the non-techy people, I give them phpLDAPAdmin. It's been running for almost 10 years now on an openSUSE server.

Creative Commons License: This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.