When most administrators think about self-hosted LDAP directory servers, OpenLDAP and 389 Directory Server come to mind first. But the LDAP ecosystem includes several capable alternatives that address different use cases — from Java-based enterprise directories to community-maintained forks with modern feature sets.

This guide explores three LDAP servers that operate outside the OpenLDAP/389DS mainstream: OpenDJ (and its community fork WrenDS), Apache Directory Server (ApacheDS), and the architectural decisions that make each suitable for specific deployment scenarios.

Why Consider Alternatives to OpenLDAP

OpenLDAP is the default choice for most self-hosted LDAP deployments, and for good reason — it is mature, well-documented, and battle-tested at massive scale. However, alternative directory servers offer distinct advantages:

  • Java-based architecture: OpenDJ and ApacheDS run on the JVM, providing cross-platform consistency, garbage-collected memory management, and integration with Java-based identity stacks
  • REST API support: Modern directory servers expose LDAP data through REST endpoints, enabling web applications to query directory data without LDAP client libraries
  • Community-driven development: OpenLDAP’s development pace has slowed in recent years, while community forks like WrenDS maintain active release cycles with modern security patches
  • Integrated identity platforms: Some LDAP servers ship as part of larger identity management stacks, reducing the need to integrate separate components

OpenDJ / WrenDS

OpenDJ originated as Sun Microsystems’ commercial directory server (Sun Directory Server), was open-sourced by ForgeRock, and is now actively maintained by the Open Identity Platform community. WrenDS is a community fork that continues development where ForgeRock’s commercial focus diverged from open-source needs.

Architecture

OpenDJ is written entirely in Java, uses a multi-master replication model, and supports LDAPv3 with extensions for password policies, virtual attributes, and REST access. The server includes a built-in administration console accessible via HTTP.

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

version: "3.8"
services:
  opendj:
    image: openidentityplatform/opendj:2024.02
    container_name: opendj
    ports:
      - "1389:1389"
      - "1636:1636"
      - "4444:4444"
    volumes:
      - opendj-data:/opt/opendj/data
      - opendj-config:/opt/opendj/config
    environment:
      - ROOT_USER_DN=cn=Directory Manager
      - ROOT_USER_PASSWORD=changeme
      - BASE_DC=example,dc=com
    restart: unless-stopped

volumes:
  opendj-data:
  opendj-config:

Key Features

  • Multi-master replication: Synchronize directory data across multiple servers with conflict resolution
  • Password policies: Built-in support for password history, complexity, expiration, and account lockout
  • REST API: Access LDAP data through HTTP/JSON endpoints without LDAP clients
  • Virtual attributes: Dynamically computed attributes that don’t require storage
  • LDIF import/export: Bulk data operations for migration and backup

Configuration Example

1
2
3
4
5
6
7
8
9

# Enable password policy
dn: cn=Password Policy,cn=config
objectClass: top
objectClass: ds-cfg-password-policy
cn: Password Policy
ds-cfg-password-attribute: userPassword
ds-cfg-default-password-storage-scheme: cn=SSHA-256,cn=Password Storage Schemes,cn=config
ds-cfg-password-change-requires-current-password: true
ds-cfg-password-history-count: 5

Apache Directory Server (ApacheDS)

ApacheDS is an embeddable LDAP and Kerberos server written in Java, maintained by the Apache Software Foundation. It is designed to be both a standalone server and an embeddable component within Java applications.

Architecture

ApacheDS uses a partitioned data model, where different types of data (system, users, groups) are stored in separate partitions. It supports LDAPv3, Kerberos v5, and Change Password Protocol (Changepw), and includes an Apache Directory Studio management GUI.

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

version: "3.8"
services:
  apacheds:
    image: greggigon/apacheds:latest
    container_name: apacheds
    ports:
      - "10389:10389"
      - "10636:10636"
    volumes:
      - apacheds-data:/var/lib/apacheds
    environment:
      - APACHEDS_ADMIN_PASSWORD=changeme
    restart: unless-stopped

volumes:
  apacheds-data:

Key Features

  • Embedded mode: Run ApacheDS within your Java application as an in-process directory server
  • Kerberos integration: Built-in KDC for single sign-on without separate Kerberos infrastructure
  • Partitioned storage: Separate system, user, and custom data partitions for clean data isolation
  • LDIF-based configuration: All server configuration stored in LDIF format, version-controllable
  • Apache Directory Studio: Full-featured LDAP browser and editor with schema management

Configuration via LDIF

1
2
3
4
5
6
7

# Create a new partition for organization data
dn: ads-partitionId=myorg,ou=partitions,ads-directoryServiceId=default,ou=config
objectClass: top
objectClass: ads-directoryServicePartition
ads-directoryServiceId: default
ads-partitionId: myorg
ads-partitionSuffix: dc=myorg,dc=com

WrenDS

WrenDS is a community-driven fork of OpenDJ, created when the Open Identity Platform community sought to maintain a fully open-source LDAP directory independent of commercial interests. It inherits OpenDJ’s feature set while adding community-requested improvements.

Architecture

WrenDS shares OpenDJ’s Java-based architecture but benefits from active community contributions, faster security patch cycles, and a development model focused purely on open-source needs without commercial feature gating.

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

version: "3.8"
services:
  wrends:
    image: wrensecurity/wrends:latest
    container_name: wrends
    ports:
      - "1389:1389"
      - "1636:1636"
      - "8080:8080"
    volumes:
      - wrends-data:/opt/wrends/data
      - wrends-config:/opt/wrends/config
    environment:
      - ROOT_USER_DN=cn=Directory Manager
      - ROOT_USER_PASSWORD=changeme
      - BASE_DC=example,dc=com
      - HTTP_PORT=8080
    restart: unless-stopped

volumes:
  wrends-data:
  wrends-config:

Key Features

  • OpenDJ compatibility: Drop-in replacement for OpenDJ deployments with minimal configuration changes
  • Active community development: Regular releases with security patches and feature enhancements
  • REST over LDAP: HTTP-based access to directory data through the REST2LDAP gateway
  • Replication: Multi-master replication with automatic conflict detection and resolution
  • Auditing: Built-in audit logging for compliance and forensic analysis

Comparison Table

FeatureOpenDJApacheDSWrenDS
LanguageJavaJavaJava
LicenseCDDL 1.0Apache 2.0CDDL 1.0
Multi-master replicationYesNo (single master)Yes
REST APIYesNoYes
Kerberos supportNoYesNo
Embedded modeNoYesNo
Admin consoleYes (HTTP)Yes (Directory Studio)Yes (HTTP)
Community activityModerateModerateActive
Docker image maturityHighModerateGrowing
Password policiesYesYesYes
Schema extensibilityYesYesYes

Choosing the Right Directory Server

For Java-based identity stacks, OpenDJ or WrenDS integrate seamlessly with applications like Keycloak, SimpleSAMLphp, and custom Java services. Their REST APIs also simplify integration with modern web applications that lack LDAP client libraries.

For Kerberos-enabled environments, ApacheDS is the only option in this comparison that includes a built-in KDC. If you need LDAP and Kerberos in a single server, ApacheDS eliminates the complexity of running separate directory and authentication services.

For community-driven open-source deployments, WrenDS offers the most active development cycle and a clear commitment to open-source governance. Organizations that want a directory server without commercial influence should evaluate WrenDS first.

For embedded directory needs, ApacheDS is unique in supporting in-process deployment within Java applications. This is valuable for development environments, testing frameworks, and applications that need a lightweight directory without external infrastructure.

FAQ

Can I migrate from OpenLDAP to OpenDJ or WrenDS?

Yes. Export your OpenLDAP data to LDIF format using ldapsearch -x -LLL -b dc=example,dc=com, then import it into OpenDJ/WrenDS using the import-ldif tool. Schema differences may require manual adjustments for OpenLDAP-specific overlays.

Is ApacheDS production-ready?

ApacheDS is stable for moderate workloads but is not recommended for high-availability deployments that require multi-master replication. It is best suited for development environments, embedded use cases, or small-to-medium deployments where a single server instance is sufficient.

How does WrenDS differ from OpenDJ in practice?

WrenDS is a fork of OpenDJ with the same core architecture and feature set. The primary differences are in governance (community-driven vs. community-managed with commercial backing), release cadence (WrenDS releases more frequently), and long-term direction (WrenDS focuses exclusively on open-source features).

Can these servers handle Active Directory integration?

All three servers support LDAP schema compatibility and can serve as LDAP backends for AD integration scenarios. However, they do not provide Active Directory protocol compatibility (SMB/CIFS, Kerberos with AD-specific extensions). For AD-compatible deployments, Samba 4 is a better choice.

For OpenDJ/WrenDS: use the backup command to create online backups of the data and configuration directories. For ApacheDS: export partitions to LDIF using the Directory Studio or the ldif-import tool. All servers support regular LDIF exports as a portable backup format.

Do these servers support LDAPS (LDAP over TLS)?

Yes. All three servers support LDAPS on dedicated TLS ports (typically 1636 for OpenDJ/WrenDS, 10636 for ApacheDS). Configuration requires a server certificate in JKS or PKCS12 format, which can be generated with keytool or imported from an existing CA.

How does performance compare to OpenLDAP?

OpenLDAP, being written in C, generally outperforms Java-based LDAP servers in raw query throughput and memory efficiency. However, for typical enterprise directory workloads (authentication, group lookups, user provisioning), the performance difference is negligible. Java-based servers benefit from JVM optimizations and connection pooling.

Why Self-Host Your Directory Server?

Running your own LDAP directory server gives you complete control over identity data, authentication policies, and access to user information. When you self-host, you avoid the vendor lock-in and per-user licensing costs of cloud identity providers, while maintaining the ability to customize schemas, password policies, and replication topologies to match your organization’s specific needs.

For teams already managing self-hosted infrastructure, integrating an LDAP directory server with existing authentication platforms creates a unified identity layer across all services. Combined with MFA and OTP servers for multi-factor authentication, a self-hosted LDAP directory becomes the cornerstone of your organization’s security infrastructure.

For organizations managing complex identity requirements, LDAP directory servers also integrate with SAML identity providers for single sign-on across web applications, providing a centralized authentication source that serves multiple protocols and use cases.