The results are in: I tested iPlanet 4.12 on Solaris 8 with good success. Presumably Sun ONE DS 5.1 will be at least as good performance-wise.
The test box was a SunFire V120 with a 650Mhz processor and 1 Gb RAM. iPlanet Directory Server (aka Netscape) 4.12, which came with our Solaris 8 media was installed. I added the Samba schema to the core files. Loading the authentication information is relatively painless (the same ldapadd function works). Changes to the data include changing the ou=Group to ou=Groups for all groups (the Groups ou is already present in iPlanet), removing the duplicate ou=People and the base dn from the LDIF file. Everything else added without a problem.
Difficulties are to be found in the authentication and binding: specifically, we have a number of users whose passwords are stored in MD5 crypt format (Linux, FreeBSD, etc. style). Unfortunately, this does not work on Solaris 8: the crypt(3c) library only supports DES crypted passwords. This post on the focus-sun mailing list gives the basic rundown: MD5 crypt is not supported in Solaris 8; it is supported in the 12/02 release of Solaris 9. So to use iPlanet or Sun ONE without a painful migration strategy we'll have to get Solaris 9.
Aside from the crypt issue, the directory server performed extremely well. The basic test is to point Mozilla's LDAP address book at the server and run a search for something common (like "Tom", "Smith", or "John"). With OpenLDAP, these searches finished within 30 seconds. With iPlanet 4.12, the searches returned within 2 seconds. The same indexes were established as on OpenLDAP. Most telling is that vmstat shows no more than about 5% CPU utilization while performing a search from Mozilla (it's slightly higher when using the administrator console, but that's a Java application).
I think the search performance issue points clearly to using Sun ONE as the directory server over OpenLDAP. While OpenLDAP performs quite adequately for authentication, I would like to use the directory server for general searches in e-mail clients, and I don't know what sort of load something like a portal or calendar server would put on it. With these considerations, something that performs this well with general searches tunrs into a necessity.
Posted by Rowan Littell at March 25, 2003 01:22 PM