For a client I needed to put in place an LDAP system to be connected with Atlassian Crowd (SSO), after doing a comparison with OpenLDAP (C), Apache DS (Java) and OpenDJ (Java) I decided to go for OpenDJ for several reasons:
- It is open source released with CDDL 1.0 license; while Apache DS is released with Apache license and OpenLDAP with it is own license.
- it has worldwide commercial support, some here in Belgium; Apache DS has only one company and OpenLDAP has also it is worldwide support
- It is a fork of OpenDS like Oracle Unified Directory so you can still find common problems for both products
- The project has a clear roadmap, also described in the wiki, also ApacheDS has it.
- The ForgeRock company provides also another SSO solution (OpenAM), so in case in a future I want to change SSO I can think to use it, while Apache DS no.
- It comes packaged as ZIP, RPM and DEB, while ApacheDS has a package for each Operating System and OpenLDAP is packaged in many Operating Systems.
- It has very good documentation with a lot of examples (released in EPUB, HTML, PDF and RTF), while I found the one from ApacheDS simpler or in progress (HTML , PDF) and the one of OpenLDAP is good (released in HTML and PDF).
- It has a rich command line tool, while I found the command line of ApacheDS simpler (relying mostly on the Apache Directory Studio or on ldap client).
- It is shipped with a java client (not web) while Apache DS has a gui based on Eclipse (Directory Studio)
- it has REST API on top of the ldap protocol, while ApacheDS leaves to SCIM such job; therefore I hope there will be a web interface using the REST API.
- It supports replication out of the box, also ApacheDS has it, OpenLDAP as well.
- It seems to have very good performance (almost at OpenLDAP level) at least in comparison to ApacheDS.
- It has a support for the virtual attribute IsMemberOf, useful to check which groups a user belongs to, while for ApacheDS the feature needs to be still implemented.
- It has an implementation of the PKCS5S2 (see PBKDF2) which is used by Crowd as default despite the implementation is different from Crowd and ApacheDS, which OpenLDAP doesn’t have (and some other password schemes as well)
- The development team uses Continuous Integration practices (by testing against Ubuntu and Windows), also ApacheDS by using the common Apache Jenkins and testing on Ubuntu.
- The team has coding guidelines providing checkstyle rules, also ApacheDS has some guidelines and OpenLDAP has few
To test the performances, I did an LDAP jmeter script and published on Github, just to say that OpenDJ has it is own tool, and Tsung can also test LDAP server.
I have been working with my brother to change the PBKDF2 implementation so it is almost similar to Crowd and ApacheDS differing for the printing format of the iterations.
Enjoy using OpenDJ !
Software Libero e non solo 
Reblogged this on Ludo's Sketches and commented:
Nice post by Emidio on some good reasons to choose OpenDJ for LDAP directory services.
Looking forward to discuss and integrate the Crowd compatible PBKDF2 password storage scheme in the OpenDJ project.
There is one BIG againts OpenDJ.
It does not have releases, at least for non paying customers.
You can download sources or nightbuild, but no release.
Additionally, you do not have access to full sources repository, just to “bleeding edge” trunk. So NO PATCHES …
I do not know when this new rule ( applyed only no OpenDJ, but not all ForgeRock projects) was applyed, but I am in process of change OpenDJ to ApacheDS.
Pingback: Allow SSH users to change their passwords on OpenDJ | Software Libero e non solo
Pingback: Setup Owncloud with OpenDJ excluding disabled accounts | Software Libero e non solo
Pingback: Mailman and OpenDJ | Software Libero e non solo