Clowser, Jeff (Contractor) wrote:
i.e. to get a definitive list of features it's missing that Sun has and what it has that Sun doesn't have, etc. (...) have just focused on those associated with 1) RFC compliance (...) and 2) features to match the Sun DS (which it would be replacing).
Are you interested in non-RFC features in OpenLDAP that Sun does not have? First you say yes, then no.
Also, are you interested in clients? The library? Otherwise don't say just "OpenLDAP", since that's both server, libraries and clients. (I don't know which of those, if any, "Sun DS" refers to.)
RFC 4510 (which includes 4511-4519). There was recent discussion on the list around this, such that in some cases, not everything that changed from 3377 (which includes 2251-2256, 2829, and 2830) to 4510 has been updated in OpenLDAP, but I think those issues are fairly minor.
The following additional RFCs are supported in OpenLDAP:
- RFC 2247 and RFC 3088
- RFC 4524 COSINE schema
Note that if you find some LDAP implementation which doesn't already provide them, supporting these is trivial - just load the schemas defined in the RFCs. Unless the server defines some conflicting schema elements of its own.
(There are some other, often obscure, LDAP related RFCs that I didn't include, but these seem to be the major/useful ones.)
You may need to compare RFC 4513 features (Authentication Methods and Security Mechanisms) in more detail. E.g. SASL is *defined* as just a framework. Access controls are important, but the details are left to the implementation. So are the details for how to store, hash and protect passwords and certificates, how to map between SASL identities and LDAP identities (DNs), and various security policies.
Documentation, support and user community are other "features" you might have a look at. If you are in trouble, is the doc good enough to get you out of it? Do you get help? If you opt for paid support, what do you get for your money? (For OpenLDAP, the doc has been lagging behind the software but has steadily improved. It got a major boost for OpenLDAP 2.4. Paid support - see home page.)
Other supported features:
- dyngroup/dynlist/memberof overlay (a much more useful feature than Sun's groupOfURLs "dynamic" group and "roles" mechanism)
Also some OpenLDAP fields can be LDAP URLs in place of DNs, even without overlays: dynamic groups in access statements (unless the doc is missing a reference to the overlay), authz-policy and authz-regexp for proxy and SASL auth.
- live acl changes via LDAP
More generally, live config changes.
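The three features named above (the dynlist overlay, authz-regexp, and live ACL changes) can all be exercised with a single cn=config LDIF. The following is an added example, not part of the original mail and not taken from the OpenLDAP documentation or distribution; it assumes an OpenLDAP 2.4 server with dynamically loaded modules and an existing cn=module{0} entry, a database entry olcDatabase={1}hdb serving dc=example,dc=com, people entries under ou=people, and root access to cn=config over ldapi:/// with SASL EXTERNAL. The entry names, suffix and module path are illustrative and must be adjusted to the actual installation.

```ldif
# Added example (not from the original mail or the OpenLDAP project).
# One LDIF, applied against cn=config on a running slapd, that
#   1. loads the dynlist overlay module,
#   2. attaches the overlay to the first database,
#   3. maps DIGEST-MD5 SASL identities to DNs with authz-regexp,
#   4. replaces the database ACL set,
# all without a restart.
# Assumed names: cn=module{0} already exists, database is
# olcDatabase={1}hdb with suffix dc=example,dc=com, users live under
# ou=people. Adjust to your own cn=config before applying.

# 1. Load the overlay module (skip if dynlist was compiled in statically).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: dynlist.la

# 2. Attach dynlist: entries of class groupOfURLs get a "member"
#    attribute computed from each memberURL search at read time.
dn: olcOverlay=dynlist,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: dynlist
olcDlAttrSet: groupOfURLs memberURL member

# 3. Map "uid=<name>,cn=digest-md5,cn=auth" to the entry under
#    ou=people whose uid matches <name> (one-level search via LDAP URL).
#    The continuation line starts with two spaces so one survives LDIF folding.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=digest-md5,cn=auth
  ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# 4. Replace the ACL set live. The {n} prefixes fix the order; slapd
#    evaluates ACLs top to bottom and the first matching "to" clause wins,
#    so the userPassword rule must come before the catch-all.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif` as the user the default cn=config ACL trusts (normally root), then confirm the result with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess olcAuthzRegexp olcDlAttrSet`. Two caveats worth knowing before doing this on a production server: a mistyped olcAccess value is rejected as a whole, so the old ACL set stays in force, which is the safe failure mode; and while overlays can be added to a running server this way, removing one again at runtime is not something to rely on, so test the overlay configuration on a scratch instance first.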