For a client I needed to put in place an LDAP system to be connected with Atlassian Crowd (SSO). After comparing OpenLDAP (C), Apache DS (Java) and OpenDJ (Java), I decided to go for OpenDJ for several reasons:
- It is open source, released under the CDDL 1.0 license, while Apache DS is released under the Apache license and OpenLDAP under its own license.
- It has worldwide commercial support, some of it here in Belgium; Apache DS has only one company, and OpenLDAP also has its own worldwide support.
- It is a fork of OpenDS, like Oracle Unified Directory, so you can still find problems common to both products.
- The project has a clear roadmap, also described in the wiki; ApacheDS has one too.
- ForgeRock also provides another SSO solution (OpenAM), so if in the future I want to change SSO I can consider using it, while Apache DS does not.
- It comes packaged as ZIP, RPM and DEB, while ApacheDS has a package for each Operating System and OpenLDAP is packaged in many Operating Systems.
- It has very good documentation with a lot of examples (released in EPUB, HTML, PDF and RTF), while I found the ApacheDS documentation simpler or in progress (HTML, PDF), and the OpenLDAP documentation is good (released in HTML and PDF).
- It has a rich command line tool, while I found the command line of ApacheDS simpler (relying mostly on Apache Directory Studio or on an LDAP client).
- It is shipped with a Java client (not web), while Apache DS has a GUI based on Eclipse (Directory Studio).
- It has a REST API on top of the LDAP protocol, while ApacheDS leaves that job to SCIM; therefore I hope there will be a web interface using the REST API.
- It supports replication out of the box; ApacheDS has it too, and OpenLDAP as well.
- It seems to have very good performance (almost at OpenLDAP level) at least in comparison to ApacheDS.
- It supports the virtual attribute IsMemberOf, useful for checking which groups a user belongs to, while in ApacheDS the feature still needs to be implemented.
- It has an implementation of PKCS5S2 (see PBKDF2), which Crowd uses by default, although the implementation is different from Crowd's and ApacheDS's; OpenLDAP doesn't have it (and some other password schemes as well).
- The development team uses Continuous Integration practices (testing against Ubuntu and Windows); ApacheDS does too, using the common Apache Jenkins and testing on Ubuntu.
- The team has coding guidelines providing checkstyle rules; ApacheDS also has some guidelines, and OpenLDAP has few.
I have been working with my brother to change the PBKDF2 implementation so that it is almost similar to Crowd's and ApacheDS's, differing in the printing format of the iterations.
Enjoy using OpenDJ!