Directory services that hold up. Identity that scales.

A single-server OpenLDAP or 389 DS deployment with TLS, basic schema, and migration starts at $15,000 to $40,000 for a 3 to 8 week build. Multi-master replicated deployments with HA, SSO bridging, and MFA addition run $30,000 to $120,000+ over 6 to 16 weeks. Managed directory service starts at $3,500 per month for 24/7 monitoring and patching. We share a written fixed-price scope after a free 30-minute discovery call.

OpenLDAP for high-performance, low-overhead deployments on Linux with full schema control. Active Directory when you need native Windows integration, group policy, and Microsoft identity stack. 389 Directory Server for Red Hat or Fedora environments needing strong replication and a familiar console. OpenDJ (Java-based) for environments wanting a REST LDAP gateway and rich extensibility. We benchmark these against your application portfolio, infrastructure, and identity roadmap on the discovery call.

Single-server OpenLDAP or 389 DS: 3 to 8 weeks. Multi-master replicated cluster: 6 to 14 weeks. Migration from Active Directory or legacy NDS / NIS+: 8 to 20 weeks. LDAP-behind-IdP integration (SAML or OIDC bridge): 4 to 10 weeks added. Custom schema design and 100+ application binding: 12 to 24 weeks. We commit to dates in writing in the SOW with weekly milestone tracking.

Yes. We move users, groups, organizational units, ACLs, and Kerberos principals. Schema is mapped between AD-style attributes (sAMAccountName, userPrincipalName) and inetOrgPerson / posixAccount where needed. Migration uses validated LDIF dry-runs, sync periods, and phased cutover by application. Hybrid setups (OpenLDAP + AD synced) are common during transition periods.

We put LDAP behind a modern IdP — Keycloak, Authentik, Auth0, Okta, Shibboleth, or ADFS — so legacy LDAP-bound applications keep working while new applications use SAML, OIDC, or OAuth. The IdP handles MFA, social login, and federation; LDAP remains the source of truth for identities. We also support SCIM provisioning for outbound sync to SaaS apps.

Yes. We deploy an IdP (Keycloak, Authentik, or commercial) in front of LDAP that handles MFA (TOTP, WebAuthn, push notifications, hardware tokens) while presenting an LDAP bind interface to downstream applications. Most applications see no change. Where they do, we provide migration support to native SAML or OIDC.

TLS / StartTLS on every connection, modern cipher suites only, mutual TLS for replication. SASL: GSSAPI for Kerberos cross-realm trust, DIGEST-MD5 for backward compatibility, EXTERNAL for client cert auth. ACI rules tested and audited (rolesAllowed, groupdnattr). Password policy: history, lockout, complexity. ISO 27001 / CIS benchmarks applied as baseline.

Yes. OpenLDAP syncrepl with N-way multi-master (MMR), 389 DS multi-master with up to 20 masters, OpenDJ replication with conflict resolution, AD multi-master inheritance. We design topologies for geo-distributed deployments, calculate replication bandwidth, and instrument monitoring with Prometheus + cn=monitor.

Yes. Fully managed LDAP starting at $3,500/month: 24/7 Sev-1 incident response, monthly patching, replication health monitoring, capacity planning, quarterly security audit, and on-call escalation. We host on your AWS, Azure, GCP, or OCI account so you own the infrastructure. For sovereign deployments, on-premise managed service is available.

Index tuning (eq, sub, pres, approx on hot attributes), connection pooling, persistent search optimization, slapd / 389 DS / OpenDJ tuning per platform. Typical results: bind latency under 5ms, 10,000+ binds/sec on commodity hardware, query latency under 10ms on 1M+ entries. Read replicas for scaling, multi-master for write availability.

Retainer plans from 40 hours per month (patches, schema additions, ACL changes, small integrations) up to fully managed directory service ($3,500/month with 24/7 SLA). Quarterly business reviews covering bind latency, replication lag, ACL coverage, password policy compliance, and capacity headroom.

You do. Configuration lives in your Git repo (slapd.d, dse.ldif, ansible playbooks). Servers run on your infrastructure (AWS / Azure / GCP / on-prem) on your billing. We hand over schema docs, ACI rules, replication topology diagrams, runbooks, monitoring dashboards, and admin training. No vendor lock-in to us.