LDAP for the Enterprise

The Basics

Have you ever used finger to find someone's e-mail address or whois to see if a particular domain belongs to anyone? If so, you can understand the utility of X.500, the standard way to develop an electronic directory intended to be part of a global directory. It's what makes the Internet White Pages possible. In a similar but scaled-down fashion, Lightweight Directory Access Protocol, or LDAP, makes it possible for any organization, not just the InterNIC, to create global directories within and among organizations.

LDAP is a scaled-down version of DAP (Directory Access Protocol), the access protocol of X.500. In the mid-1980s, two large standards organizations, the CCITT (now the ITU-T) and ISO, combined their separate work on a global directory into one universal directory of phone numbers, e-mail addresses, and network object information. The combined effort was called X.500.

As is often the case in life, the small, unintended consequences of a large effort are ultimately the more interesting ones. In the case of X.500, two by-products have sparked broad interest: X.509, the authentication framework that became the popular standard for digital certificates, and LDAP, a client/server protocol that is much easier to implement than its parent, DAP. DAP (the method used to access X.500) relies on the entire OSI stack, while LDAP runs directly over TCP/IP, which is already present on every Internet host and is freely available. Because LDAP is an open protocol under the IETF's control, it can evolve more easily to meet market demands. Its biggest commercial supporter is Netscape, but it is also being integrated into more than 40 directories from vendors such as Microsoft, Novell, Lotus, and AT&T.

LDAP is optimized for reading and searching structured information arranged in a hierarchy. It is less general than a relational database, but it is more extensible in the attributes an entry can carry. Unlike a typical database that lets many users create entries, an LDAP directory is usually treated as read-only, with only authorized administrators making additions, deletions, and modifications. An LDAP server, called a Directory System Agent (DSA), acts as the messenger that assembles a coordinated response to a user's query from other distributed LDAP-compliant directories. Without an LDAP directory, every time a new employee is hired or a new partner is allowed into the network, an administrator has to modify an e-mail database, an authentication database, and an extranet system, for example. LDAP lets administrators add user information to one global directory that other applications then consult. When users need to be removed from the network (they are fired, the partnership becomes competitive, and so on), an administrator can delete their information from a single global directory rather than from multiple sources. A single authoritative directory also concentrates risk: whoever can write to it can grant or revoke access everywhere, so write access to the directory deserves the same protection as the resources it governs.

As extranets become more commonplace, so does the need for global directories that let any computer obtain directory objects such as usernames, passwords, digital certificates, and the other authentication and policy information pertinent to extranet management. Today these bits of information are scattered across disparate databases that cannot easily talk to each other. Because LDAP is an open protocol, it can standardize data retrieval, so information does not have to be replicated to create one easily accessed global directory. For organizations that are extending their networks to partners, customers, and suppliers, global directories can simplify administration of user permissions and resources. Without LDAP, extranets have to use proprietary methods to integrate with operating system directories such as Novell NDS and NT Domains, or with application-specific directories like Exchange. Two cautions apply when the directory holds credentials: password attributes should be stored as hashes and shielded by the directory's access controls, and the current LDAP specification (RFC 1777) authenticates with a simple bind that sends the password in cleartext over TCP, so the network path between client and directory must be trusted or protected by other means.
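As an added illustration (this code is not from the original article or from Aventail), the following Python builds and parses the BindRequest that the current LDAP specification, RFC 1777, uses for authentication. The tag values follow the BER rules given in that RFC; the message ID, bind DN and password are constructed sample values, not taken from any real directory. Running it shows the password bytes sitting verbatim inside the PDU, which is why the note in the references that LDAP version 3 "will provide security" matters: on an LDAPv2 link, anyone who can read the TCP stream between the client and the DSA can read every credential presented to it.

```python
# Added example (not from the original article or from Aventail): a hand-rolled
# BER encoder/decoder for the RFC 1777 (LDAPv2) BindRequest, to show what the
# "simple" authentication choice puts on the wire. The DN and password are
# constructed sample values, not taken from any real directory.

# ASN.1/BER tag bytes used by the LDAPv2 BindRequest
TAG_SEQUENCE = 0x30        # UNIVERSAL 16, constructed
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80     # [0] context-specific, primitive: the cleartext password


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """Minimal two's-complement INTEGER (messageID and version are small non-negative values)."""
    length = max(1, (v.bit_length() + 8) // 8)
    return tlv(TAG_INTEGER, v.to_bytes(length, "big", signed=True))


def encode_bind_request(message_id: int, dn: str, password: str, version: int = 2) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, name, authentication simple } } as BER."""
    bind = tlv(TAG_BIND_REQUEST,
               ber_int(version)
               + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
               + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Parse one BER element at buf[pos]; return (tag, value, position after it). Handles long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element body")
    return tag, buf[pos:end], end


def decode_bind_request(pdu: bytes) -> dict:
    """Inverse of encode_bind_request: exactly what a passive observer of the TCP stream can recover."""
    tag, message, _ = read_tlv(pdu)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(message)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = read_tlv(message, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("not a BindRequest")
    tag, ver, pos = read_tlv(body)
    if tag != TAG_INTEGER:
        raise ValueError("missing version")
    tag, name, pos = read_tlv(body, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("missing bind DN")
    tag, auth, _ = read_tlv(body, pos)
    if tag != TAG_SIMPLE_AUTH:
        raise ValueError("only the simple authentication choice is handled here")
    return {
        "message_id": int.from_bytes(mid, "big", signed=True),
        "version": int.from_bytes(ver, "big", signed=True),
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


def password_visible_on_wire(pdu: bytes, password: str) -> bool:
    """True when the password bytes appear verbatim in the PDU, i.e. nothing but transport encryption would hide them."""
    return password.encode("utf-8") in pdu


if __name__ == "__main__":
    # Constructed sample credentials; any values work.
    pdu = encode_bind_request(1, "cn=admin,o=Example", "secret")
    print(pdu.hex())
    print(decode_bind_request(pdu))
    print("password readable by a sniffer:", password_visible_on_wire(pdu, "secret"))
```

Setting version=3 changes nothing about the exposure; the protection comes from the SASL bind and the transport security that LDAP version 3 adds, not from the version number in the request. The decoder also handles long-form BER lengths, so it goes slightly beyond the short sample above and parses bind requests with DNs or passwords longer than 127 bytes.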

LDAP and Extranets

For large, complex organizations with heterogeneous, distributed users, a global enterprise directory that manages all network resources in a unified manner can seem appealing, if utopian and unattainable. While most companies are discussing LDAP as a means of organizing and managing network-addressable resources (and thus reducing administrative costs), few have attempted an implementation. The financial services industry seems to be making more headway than most.

It takes a lot of cooperation and coordination to coalesce data from distinct departments, such as human resources and Internet security, particularly if they are spread over distance and time. This data can either be imported from existing directories into one synchronized system or linked together by making all directories LDAP-compliant. Deciding who becomes the administrator of the new system can introduce sticky politics into any organization. Ideally, it should be a high-level Internet architect or CTO spearheading the project. Otherwise, departments could quickly splinter.

In the extranet environment, where strategic partners and customers are rarely willing to commit to a single vendor for all network services, LDAP provides the freedom and flexibility to use various technologies, from address books to authentication schemes to other IP-based applications. Over the longer term, LDAP may become the place where extranet management policies are stored and shared among participants. Today LDAP is an underutilized access protocol that lets users query servers, but it is very likely to become the standard multi-vendor directory protocol that enables large-scale distributed extranets.

References
  • The current LDAP specification, RFC 1777 (LDAP version 2). LDAP version 3, then in development and later published as RFC 2251, adds SASL-based authentication (with transport security via StartTLS following in RFC 2830) and other features, addressing the cleartext simple bind that the current LDAP relies on.
  • An introduction to directories and X.500. Contains an overview of directories with specific emphasis on the X.500 directory architecture. Also provides information on the LDAP standard and links to related information about directories, the X.500 standard, and directory services.
  • The LDAP Page. Hosted by the University of Michigan, this page offers an overview of LDAP, links to client, gateway, and server software, resources for developers, and mailing list information.
  • An LDAP Roadmap and FAQ. Presents an annotated tutorial roadmap of LDAP documents and resources, including information about the IETF's directory service efforts, links to implementations, and links to existing LDAP/X.500-based directories.
  • LDAP Documentation. Resource for LDAP FAQs, guides, manual pages, RFCs, Internet Drafts, and related papers.

Reprinted with permission from The Aventail Corporation