LDAP 101: Glue Your Network's Pieces Together
Let's see...there is...
- LDAP - Lightweight Directory Access Protocol
- DNS - Domain Name Service
- DHCP - Dynamic Host Configuration Protocol
- Radius - Extranet/Internet/Wireless authentication service
- Kerberos - Intranet infrastructure authentication service
- PKI - Public Key Infrastructure
As part of your systems support job, there are so many applications and protocols you need to understand and support. It is enough to start tearing your hair out... Can't they all work together so you have only one interface to worry about? The answer is, yes, they can all be integrated together. To accomplish this you need to use the Lightweight Directory Access Protocol or LDAP. "The protocol that nobody ever heard about is taking over," wryly notes Hal German, independent LDAP consultant and the architect of the architect for GTE directory/messaging strategies. "When the average company has 181 directories, something must be done to fix the support nightmare."
Forgotten passwords, disabled passwords, mistyped passwords -- as a technical IT professional, you have heard all of these requests and more. According to the Giga Information Group, problems with passwords represent 30% of all helpdesk calls. Since call-center contacts cost lots of time and money, cutting down on even 50% of these routine calls is an enormous savings. Your boss has just told you that you need to develop an application to keep track of all your user accounts, their computers and anything else about them that are connected to the network to minimize these calls. It needs to be easy to use and easy to implement. Do you really need to create this from scratch? Can you buy an application and customize it to suit your company's requirements? How do you decide? LDAP can solve this problem by creating an application provides users with self-help password restoration and automated user account policies, but you do need to understand what LDAP can do for you and how it works before deciding on the specific implementation.
What is LDAP?
Whenever "computer", "managing", and "information" appear together in a sentence, you are immediately talking about a database. Directories are specialized databases used to keep track of information distributed on a network. In general, think of LDAP as the SQL (Structured Query Language) for network aware directory type databases. Although officially LDAP is specifically only the protocol for accessing and creating directory information, the directory itself is sometimes referred to as LDAP as well, leading to much confusion in the industry.
Before LDAP was developed at the University of Michigan in 1995, directory services IT managers might encounter on data networks were either routing tables like DNS, or proprietary directory structures such as Banyan VINES or Novell NDS. The only open standard for directories was X.500, introduced in 1988. The original concept was that LDAP would be a protocol that would translate TCP/IP into the OSI model the old X.500 protocol supports. The latest RFC specifies the LDAP server explicitly, allowing the user the option to implement the server or let it remain a gateway to an X.500 directory. From the client's perspective, any server that uses the LDAP protocol is an LDAP directory server, however it is implemented behind the scenes. All the gory technical details of the LDAP 3.0 standard are available in RFC 2251-2254.
When is a database not a database? When it is a directory! Vikas Mahajan, a LDAP and directories expert at PricewaterhouseCoopers, specializing in LDAP Directory design and deployment lists the major characteristics of LDAP directories:
- Relatively Static Data -- The data is rarely modified. How often do you change your telephone number?
- Extremely Fast Read Operations - The directory is tuned for high read performance because the data in the directory is frequently read but rarely written or updated.
- Distributed - The data is located on a number of systems on the network for redundancy, performance, and scalability.
- Hierarchical -This ensures there is an authoritative source of the data in the directory system.
- Object-Oriented -- The directory represents elements and objects. Objects are created from object classes, which represent a collection of attributes.
- Standard Schema -- Directories use a standard schema available to all applications making use of the directory. Although Hal German notes, "There are SO many standards to choose from. There is no guarantee which schema you get out of the box!"
- Multi-Valued Attributes -- Directory attributes can have single or multi-values.
- Multi-master Replication -- Unlike a traditional database, directories are distributed over a large number of servers on the network. The power of that concept is that directories are self-healing. That means if one system is unavailable on the network, the client systems can get the replicated information from another system in the network.
TO LDAP or not LDAP...
Mahajan writes, "When making the decision to go with a directory or database solution for your application, ask yourself the following questions. If you can answer yes to at least three or more of these questions, then LDAP directories and directory-based applications would be useful to your application or project."
- Is the data relatively static?
- Does the data need to be distributed?
- Can the data be used by more than one application?
- Is the data multi-valued?
- Can the data or application take advantage of a hierarchical relationship?
- Do you need flexible security options?
- Do you need single sign-on?
- Do you need distributed or delegated administration capabilities?
There are endless applications where the LDAP architecture and technology can make sense; it is really limited only by your imagination.
Applying LDAP Directory Services
Now that we have an idea of what LDAP directories are -- what is LDAP is used for and how can I benefit from it? A good application for the LDAP technology is an on-line company white-pages, e.g., the company phone list if you will, but you can extend the idea to develop on-line company blue pages or yellow pages as well. Ford Motor Company created an extranet for its entire staff and all of its thousands of venders. Hal German, independent LDAP consultant, notes, "DNS and LDAP can be used together to tie ID verification with message routing. Stanford University used it this way. Until recently much of the development work was done in the universities." Many universities with their needs to provide secure access to an ever-shifting population of students, faculty and staff have embraced LDAP for its ability to centralize management of large numbers of complex records.
LDAP is not only for large installations, however. It can be used to manage user account in small installations just as easily and since the source is freely available, for those who want to "roll their own" the capital costs can be minimal. It has even been used for printer queue applications.
Because LDAP is distributed and replicated throughout the network, it is very scalable. German reports there are now LDAP implementations that maintain millions of records. PricewaterhouseCoopers implemented a Global Directory Infrastructure for a large non-profit using the Oblix LDAP based NetPoint 5.1 Identity and Access Management. "This implementation was part of a centralized Internet infrastructure," says Jeff Everage, PricewaterhouseCoopers Manager, Security Integration Services. "It was designed to support more than 1 million authenticated application users with a 10 million plus 'hits' per--day load for the most-used Web applications. The IT Operations Department faced exploding Help Desk costs for password resets alone. They also had accumulated an unmanageable number of databases and directories to store user information. We recommended that a centralized access and Identity Management solution capable of delegated administration and user profile self-management would help this organization substantially reduce its administrative costs."
In the Internet space, LDAP-compliant directories are deployed in three major roles: Authentication, Authorization, and Personalization. LDAP works particularly well as a repository for security information like PKI digital certificates. LDAP's fluent access capabilities as a network service to all applications, databases, and servers make it a prime candidate for providing this security service. LDAP takes authentication and authorization out of the application and off the platform and put it on the network.
According to Vikas Mahajan, a LDAP and directories expert at PricewaterhouseCoopers, "Authorizing permissions and restrictions to resources are also well suited to directories. Many security and identity management applications rely on directories to authorize users to resources or web-based applications.
Mahajan continues, "The most common usage for LDAP is its personalization features. From e-mail systems to portals to policy-based security applications, more applications are using the Directory as a repository for storing data related to the user. For example, names, addresses, telephone numbers, and e-mail addresses are the most common type of personalized data found in a directory. This data is specific to the user, but often needed by many applications."
LDAP enjoys broad industry acceptance as the protocol for deploying directory-based applications and solutions. The LDAP vendor support has grown considerably since the original 40-50 vendors in 1995. Novell, the Sun-Netscape Alliance, Red Hat, Sun, Microsoft, Oracle, and IBM have all endorsed LDAP along with other leading ISV developers, consultants, and system integrators. Seibel, SAP, and Microsoft all have support built in to their products. PERL, Python, TKL, and most modern software languages all include APIs that support it. UNIX and Linux systems source code is freely available through the open LDAP movement.
So, you have decided that an LDAP application should be in your company's future. Here are some tips to help you through the process of choosing the system that will work best for your company.
First, decide how you are planning to use it. Is it a simple application that is already commercially available? Great! You just saved yourself a lot of trouble. Use off the shelf preconfigured software, open source software on your own servers, or the easiest solution, a "plug and play" .
If your application is a vertical market or business application (e-commerce, CRM, etc.) your best choice is to purchase the application that best fits your requirements. The LDAP interface will generally come built-in to the application. iPlanet, Oblix and Metasolv all offer these type of solutions.
Microsoft's .NET and Active Directory, Sun One from Sun Microsystems are all examples of middleware -- software that uses the LDAP protocol as a base and adds specific additional features. German says, "Both Novell and Critical Path have LDAP/Meta-Directory offerings. Netrigity's Site Minder is a great glue to tie access to NOS, web services, middleware servers, and LDAP. Middleware is not designed to be deployed standalone. If you use this solution, you will still need to build your application on top of it."
Of course, if you have a very specialized need you can always build custom software based on the LDAP 3.0 standard directly. I would only recommend this approach if you were a software vender or a large organization with some extremely special requirements and the necessary development resources.
Hal German offers this advice about when to use LDAP instead of a network operating system (NOS): "LDAP makes the most sense when you need a highly flexible system, good security and privacy are requirements, and you are concerned with the systems performance and scalability."
Are there things to watch for that will ensure the likelihood of a successful LDAP implementation? German puts it nicely in what he calls the "Top five gotchas list":
- Make sure the vender is IETF compliant.
- Architect the application correctly from the beginning
- Build in security right from the start
- Have a data czar and a data strategy vision to unify your portals, data warehouse, legacy apps, and yes directories together.
- Do not try to implement everything all at once. LDAP is a good system to implement in phases
Yes, LDAP will definitely be in your systems portfolio in the future. With the IETF is building enhancements into the spec, including server-side sorting of search results, language tags, dynamic directories, LDAP server discovery, new LDAP APIs and digital signature verification, the protocol is more powerful than ever. The possibilities are almost limitless.
This resource list just scratches the surface of the information available about the LDAP protocol
- LDAPGuru.org -- Large source of all things LDAP, particularly good on open source material and technical forums
- LDAPZone.com-- Large and comprehensive site, more commercial orientation
- LDAPMan.org -- Michael Donnelly's personal site with the RFCs and links to source code
- www.ietf.org - Home site of the IETF with the RFCs for the truly technically obsessed
- Understanding LDAP, (by Heinz Johner, Larry Brown, Franz-Stefan Hinner, Wolfgang Reis, Johan Westman) An excellent on-line document, covering all aspects of the LDAP protocol, directory planning, history. In PDF format.
- Understanding and Deploying LDAP Directory Services (MacMillan Network Architecture and Development Series) by , et al -- Good resource for a general overview of LDAP, new edition available in October.
Beth Cohen is president of Luth Consulting, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book about IT for the small enterprise and pursuing an Information Age MBA from Bentley College.