Search /
Docfinder:
Advanced search  |  Help  |  Site map
RESEARCH CENTERS
SITE RESOURCES
Click for Layer 8! No, really, click NOW!
Networking for Small Business
TODAY'S NEWS
Where's my gigabit Internet, anyway?
How a cyber cop patrols the underworld of e-commerce
For Red Hat, it's RHEL and then…?
Will the Internet of Things Become the Internet of Broken Things?
Kill switches coming to iPhone, Android, Windows devices in 2015
Israeli start-up, working with GE, out to detect Stuxnet-like attacks
Galaxy S5 deep-dive review: Long on hype, short on delivery
Google revenue jumps 19 percent but still disappoints
Windows XP's retirement turns into major security project for Chinese firm
Teen arrested in Heartbleed attack against Canadian tax site
Still deploying 11n Wi-Fi?  You might want to think again
Collaboration 2.0: Old meets new
9 Things You Need to Know Before You Store Data in the Cloud
Can Heartbleed be used in DDoS attacks?
Secure browsers offer alternatives to Chrome, IE and Firefox
Linksys WRT1900AC Wi-Fi router: Faster than anything we've tested
Heartbleed bug is irritating McAfee, Symantec, Kaspersky Lab
10 Hot Hadoop Startups to Watch
Server makers rushing out Heartbleed patches
Fortinet, McAfee, Trend Micro, Symantec, Bitdefender battle in socially-engineered malware prevention test
Net neutrality ruling complicates US transition to IP networks
6 Social Media Mistakes That Will Kill Your Career
Canonical's new Ubuntu focuses on the long haul
4 Qualities to Look for in a Data Scientist
Big bucks going to universities to solve pressing cybersecurity issues
/

Sizing up LDAP servers

iPlanet orbits the competition with superior performance and manageability.

By Joel Snyder

You've really got to know what you want to do with your Lightweight Directory Access Protocol (LDAP) server before you decide to buy one.

In the past five years, LDAP has been elevated to the de facto standard for how users and applications access information stored in a directory server. There are a variety of LDAP server products on the market today that attempt to get one job done: answer directory queries over LDAP. But these products all arrive at that end in different ways and with varying degrees of success.


The skinny on LDAP performance (chart)
Performance numbers for Active Directory and OpenLDAP (chart)
Microsoft, Open Source fans try their hands at LDAP
Interactive scorecard and NetResults
Management tools and back-end services
LDAP untangled


We looked at a broad spectrum of LDAP directory servers, including simple but fast servers for use inside large Internet sites, enterprise directory servers with integrated LDAP support, X.500 servers with LDAP front ends and relational databases with LDAP built on top.

We invited more than 30 LDAP vendors to participate in our test, which centered around focused management simplicity, standards compliance and performance. Overall, we looked at how well these directory servers could handle LDAP clients -- users and LDAP-enabled applications -- accessing the data.

We also looked at the accessory tool sets offered with each product. A tool set typically comprises data formatting tools that format your data before you bulk-load it and directory query tools that let you see inside the directory. A tool set may include other bits and pieces, such as a schema editor, that help make the manager's job easier but are not part of the LDAP server itself.

To level the playing field, we asked all vendors to send Windows NT versions of their products. Seven products arrived in our test labs. IPlanet's Directory Server and Innosoft's IDDS were the pure LDAP servers we tested. Novell's NDS eDirectory for NT was the general-purpose directory server we evaluated. The X.500-based servers we looked at were Critical Path's Global Directory Server, Computer Associates' eTrust Directory and Siemens' DirX. Oracle's Oracle Internet Directory (OID) was the lone server we tested that grew out of database technology. We could not complete benchmark testing for the Oracle product due to time constraints involved with this review. We are currently testing Oracle's product and will publish these results in print and on the Web when they become available. (Click for the Oracle numbers)

We also evaluated Microsoft's Active Directory running on Windows 2000 and an open source alternative, OpenLDAP, running on Red Hat Linux. We did not include those products in our head-to-head evaluation because of the variables introduced by the different operating systems.

The goal of our benchmark tests was to assess how these products handled LDAP functions only. Our LDAP query mix included messaging, addressing and modifying.

The messaging queries simulated the stress an e-mail gateway or e-commerce application would put on a directory, with exact-match queries looking up entries in the directory.

The addressing queries simulated an application, such as a white pages or yellow pages directory, with queries on different fields, including some wildcard queries.

The modifying tests simulated online directory update operations, as opposed to bulk-load operations.

Our second goal was to assess the tools each of these vendors offered for managing and monitoring these LDAP services, and the back-end services they provide with their products.

Our first goal could be accomplished via an objective benchmark, but the second would require a subjective assessment by this reviewer. We opted to present both evaluations separately (see story, page 84).

We awarded our Network World Blue Ribbon award to iPlanet's Directory Server because it won the performance ratings and offered quality management utilities.

The short answer on performance is that if you care about how fast your LDAP directory is, you should use iPlanet's Directory Server. In eight test scenarios, Directory Server was the fastest directory in six of the tests and second in the other two. Innosoft's IDDS beat Directory Server in the two instances where Directory Server placed second.

What we called messaging performance would be key in an e-mail or e-commerce application because it applies direct hits on indexed fields to return records from the directory. Companies with their roots in messaging, including iPlanet, Innosoft and Critical Path, all did very well here.

Novell also did a good job, probably because the performance profile of an operating system directory matches that test very well -- a lot of queries and few wildcards.

Our messaging performance numbers, however, were slightly skewed because we chose a small enough directory that a good directory server could cache the entire directory in memory. Directories with up to about one million entries are easily and inexpensively stored in main memory. If you plan to go much above that, you probably won't see performance numbers nearly as good as we got.

The addressing performance test uncovered a different set of winners. Although iPlanet's Directory Server still came out on top, the spread between the other products was not as large. Because of the variability in inexact matches, a careful evaluation of your query type and the performance of your directory would be vital to ensure that the directory will be fast enough for the application.

Directories that have a higher proportion of modify operations will also require that you engineer things carefully. While Directory Server, Innosoft's IDDS and Critical Path's Global Directory Server all turned in numbers near 100 modifies per second, the other directories we tested couldn't handle nearly that amount.

In response, Novell officials say their directory is not optimized for bulk loading on NT.

Bulk-loading performance could be a killer issue for many directories. If your LDAP directory is being built as a combination of other back-end databases or from a data warehouse, you might want to drop and reload the directory every day and that would require a bulk load each time. Innosoft's IDDS and iPlanet's Directory Server do this task really well.

Novell's NDS eDirectory and the X.500 directories that made us load over protocol -- instead of using a special tool -- do a poor job.

Novell's NDS eDirectory had a bulk-load time of eight-tenths records per second, taking a mind-numbing 35 hours to load our test data set, compared to the winning time of less than four minutes registered by Innosoft's IDDS.

IDDS and Directory Server are even better than they look in our charts because you can be bulk-loading one directory while the LDAP server is still loading and then switch directories almost instantly.

If all you want is LDAP, iPlanet's Directory Server is the clear leader in that category, although there were some very close contests between Directory Server and IDDS.

A more interesting question is can you use a general-purpose directory service such as Novell's NDS eDirectory as an application's LDAP server or are they really only appropriate for operating system directory functions? Novell's case is tenuous, at least on the NT platform. A directory that crashes under load simply can't be recommended. During light load testing -- for example, one client hitting it really hard -- NDS eDirectory ran fine. But when we increased the load to 10 clients hitting the directory, it crashed. Presumably, because NDS has been available for years on NetWare, it behaves much better on its home territory. However, because we were looking for one platform upon which to compare various LDAP products, we chose NT, and Novell readily submitted its NT-based product for review.

With the X.500 directories, it's a mixed bag. Performance is mediocre with the exception of Critical Path's Global Directory Server, but even then you would have to take into consideration what LDAP applications you want to run against this directory. In general, going to an X.500 plus LDAP server is only advisable if you need the X.500 back-end features of the directory. In that case, your X.500 requirements and LDAP integration needs would govern which directory is best for you.


The skinny on LDAP performance
Product Bulk load time (Record/sec) Messaging test with one client (Operation / sec)
Directory Server 413.2 1,323
IDDS 416.7 426
Global Directory Server 47.6 373
NDS eDirectory 0.8 321.7
DirX 3.1 4.3
eTrust Directory 5.2 94.3
Product Messaging test with 10 clients (Operation / sec) Addressing (wildcard); test with one client (Operation / sec) Addressing (wildcard); test with 10 clients (Operation / sec)
Directory Server 3,175 108.9 166
IDDS 115.1 11.7 1.8
Global Directory Server 670 5.1 3.8
NDS eDirectory 333 86.7 93
DirX 30.1 4.9 12.3
eTrust Directory 101 3.6 3
Product SearchRate test with one client (Operation / sec) SearchRate test with 10 clients (Operation / sec) Modify test (Operation / sec)
Directory Server 1,350 3,147 138
IDDS 461 147 147.1
Global Directory Server 370 651 77
NDS eDirectory 318 464 6.6
DirX 5.1 19.24 12.9
eTrust Directory 162 108 3.4

Click for the Oracle numbers

Back to top


Performance numbers for
Active Directory and OpenLDAP
Product Load time (Record/sec) Messaging test with one client (Operation / sec) Messaging test with 10 clients (Operation / sec)
Open LDAP on Linux 23.5 4.6 47.7
Active Directory on Win 2000 33.3 915 1,536
Product Addressing (wildcard); test with one client (Operation / sec) Addressing (wildcard); test with 10 clients (Operation / sec) SearchRate test with one client (Operation / sec)
Open LDAP on Linux 5.9 48.6 4.5
Active Directory on Win 2000 2.6 11.6 999
Product SearchRate test with 10 clients (Operation / sec) Modify test (Operation / sec)
Open LDAP on Linux 18.2 9.3
Active Directory on Win 2000 2,199 27.7


RELATED LINKS

Snyder is a senior partner at Opus One in Tuscon, Ariz., specializing in security and messaging technologies. He can be reached at joel.snyder@opus1.com.

Snyder is also a member of the Network World Test Alliance.

Novell's response
Novell responds to its ranking in this review.

Microsoft, Open Source fans try their hands at LDAP
In addition to testing the seven Windows NT-based Lightweight Directory Access Protocol servers, we also looked at the LDAP support Microsoft offers inside its new Active Directory and evaluated what the open source code option, OpenLDAP, had to offer.

Interactive scorecard and NetResults
Every network is unique. This calculator lets you change the weights given to scores from our review to see which product might be best suited for your needs.

Management tools and back-end services
X.500 directories offer more features, but LDAP-only directories are easier to set up and manage.

LDAP untangled
A simple look at what's up in the ballooning LDAP market, and what that means for your network.

So what about iPlanet and Innosoft, anyway?

Learn More About LDAP

Distributed LDAP Features

Newsletter: LDAP, one more time
LDAP does not define a directory structure or schema.
Network World Fusion Focus, 04/19/00.

Eprise adds LDAP support
Eprise Participant Server 2.6 now supports LDAP-based directory services including Novell Directory Services eDirectory and Microsoft Active Directory.


NWFusion offers more than 40 FREE technology-specific email newsletters in key network technology areas such as NSM, VPNs, Convergence, Security and more.
Click here to sign up!
New Event - WANs: Optimizing Your Network Now.
Hear from the experts about the innovations that are already starting to shake up the WAN world. Free Network World Technology Tour and Expo in Dallas, San Francisco, Washington DC, and New York.
Attend FREE
Your FREE Network World subscription will also include breaking news and information on wireless, storage, infrastructure, carriers and SPs, enterprise applications, videoconferencing, plus product reviews, technology insiders, management surveys and technology updates - GET IT NOW.