An LDAP Roadmap & FAQ
A tutorial aid to navigating various LDAP and X.500 Directory Services
resources on the Internet
| Latest bug fix applied: 11-Oct-2004; Last major
revision/update: sometime in 1999; LDAP Roadmap & FAQ established in
1997; |
Version 1.7
|
Overall Contents:
Background
So, for some reason or another you have to figure out more about this stuff
variously called X.500, LDAP, "the Directory", the "White Pages Project",
etc.....and you're very confused and can't figure out where to start, which
documents are relevant to what aspects of this crazy stuff, which ones
to read first, which ones provide an overview, where to get what software
or anything else. Well, I've been there and done that and thought that
I'd put together a kind of road map and high-level FAQ (Frequently Asked
Questions) that points off to other Web sites and various docs and kinda
provide a helping hand to getting started with this complex, but way-cool,
Directory stuff.
Introduction
X.500 is an overall model for Directory Services in the OSI world. The
model encompasses the overall namespace and the protocol for querying and
updating it. The protocol is known as "DAP" (Directory Access Protocol).
DAP runs over the OSI network protocol stack -- that, combined with its
very rich data model and operation set makes it quite "heavyweight". It
is rather tough to implement a full-blown DAP client and have it "fit"
on smaller computer systems. Thus, the folks at University of Michigan,
with help from the ISODE Consortium, designed and developed...
LDAP, or "Lightweight Directory Access Protocol". LDAP is, like X.500,
both an information model and a protocol for querying and manipulating
it. LDAP's overall data and namesapce model is essentially that of X.500.
The major difference is that the LDAP protocol itself is designed to run
directly over the TCP/IP stack, and it lacks some of the more esoteric
DAP protocol functions.
A major part of X.500 is that it defines a global directory
structure. It is essentially a directory web in much the same way
that http & html are used to define & implement the gobal hypertext
web. Anyone with an X.500 or LDAP client may peruse the global directory
just as they can use a web browser to peruse the global Web. Additionally,
with the help of web<->X.500 gateways, you can use your favorite web
browser to peruse both!
Note: Please help me out and let me know if you find any stale
links on this page. Thanks, JeffH
[I've been way busy working at a startup for a couple of years and am
WAY behind on fixing links on these page. SORRY. Thanks to everyone who
has pointed out bugs herein. Please keep it up and I'll be trying to get the
links fixed.]
New 2nd edition of Understanding
and Deploying LDAP Directory Services, is available!
Clicking on this
link (or the former one) and purchasing it (and any other stuff) will help
support this site. [12-May-2003]
An LDAP Frequently Asked Questions (FAQ) List
- My talks on aspects of LDAP and its use..
- Books on LDAP- and X.500-based directory services that I'm aware of (there's
likely several, or many, that I'm not aware of)...
- What's the significance of LDAP's implied promise of multi-vendor interoperability?
- What about compliance/conformance of LDAP implementations?
- I suggest doing a Google search
on "ldap conformance testing" -- there's all sorts of information
available on testing conformance of LDAP implementations.
- A long time ago, I wrote up this blurb on compliance/conformance
of LDAP implementations -- it's perhaps now mostly historically interesting.
- Has anyone done any LDAP performance testing?
- I suggest doing a Google search
on "ldap performance testing" -- there's all sorts of information
on the performance of LDAP implementations available.
- A long time ago, I did some nominal performance testing on UMich
slapd (on a slow machine -- but it was still and is quick). The results
are available here.
This only of historical interest.
- What about security testing of LDAP (and other protocol) implementations?
- What's the relationship between LDAP and X.500? Are they complementory
or competing? Are they diverging or converging? What's the mindset of the
two different standards bodies involved?
- Here's an analysis from an X.500/OSI-oriented perspective:
Understanding LDAP
and X.500, David Goodman & Colin Robbins, European Electronic
Messaging Association; v2.0, August 1997. Note: This paper has now
become dated, and is only of historic interest -- rather, you should read
the one below..
The Roadmap
Overall note: Version
2.0a of these pages is available for "beta" (mebbe "alpha" is really
more appropriate, but what-the-heck) HERE
The following is an annotated list of pointers to information sources.
Start at the begining if you're an X.500/LDAP/Directory newbie.
Else, peruse the list and start whereever seems appropriate. Happy hunting...
Additionally, below's the slides from a talk I've written. It provides
an introduction to LDAP, discusses organization and content, and presents
directory deployment considerations...
"Introduction
to Directories and LDAP", Jeff Hodges, June 1997.
The Attendant Fine Print:
This document doesnot purport to be the
last, best, or most recent word on LDAP or developments in the directory
community. THIS DOCUMENT IS UPDATED AND OTHERWISE MAINTAINED ON A BEST-EFFORTS
BASIS. This information is provided AS IS, with no guaranties at
all. It is the readers' responsibility to keep themselves up-to-date and
aware of developments by whatever means they have available. I trust the
pointers and info here help in that effort.
Please be sure to peruse the pages pointed to in the last
three (3) items above for information that is likely more current, in terms
of recent developments, than that here. Thanks.
The Basics: An Introduction to LDAP and X.500
Start here if you're just beginning...
These are basic introductory documents to directory services
in general, and X.500 and LDAP in particular. I've arranged them to be
read nominally in this order -- but that's entirely up to the reader. There's
a fair amount of overlap in the overview docs, fyi....
"Introduction
to Directories and LDAP", Jeff Hodges, June 1997. The "Introduction"
sections are relevant for those just beginning (duh!).
"Understanding
and Deploying LDAP Directory Services", by Tim Howes, Mark
Smith, and Gordon Good. MacMillan Techincal Publications, ISBN: 1578700701.
This book covers the gamut of issues involved in deploying an LDAP-based directory
service. Its presentation is vendor-independent. It should be considered a
companion volume to <this
one>.
"The
Lightweight Directory Access Protocol: X.500 Lite", Timothy A. Howes,
July 27, 1995, CITI Technical Report 95-8
This paper gives a good overview of the X.500 model, and then describes the
LDAP model and rationale in detail. Realize that it is nominally discussing
LDAPv2.
"Understanding
LDAP", IBM Redbook.
"Understanding X.500
- The Directory", David Chadwick, University of Salvord, UK. International
Thomson Computer Press edition 1996 ISBN 185 0332 813.
This book is now out-of-print, but David has an online version of it at the
site pointed to above.
rfc1308 J. Reynolds,
C. Weider, "Executive Introduction to Directory Services Using the X.500
Protocol", 03/12/1992. (Pages=4) (Format=.txt) (FYI 13)
This RFC gives a good, concise overview of the X.500 model.
rfc1309 S. Heker, J.
Reynolds, C. Weider, "Technical Overview of Directory Services Using the
X.500 Protocol", 03/12/1992. (Pages=16) (Format=.txt) (FYI 14)
This RFC builds upon the one above to provide a more detailed technical introduction
to how X.500-based directory services work.
rfc1684 P. Jurg, "Introduction
to White Pages services based on X.500", 08/11/1994. (Pages=10) (Format=.txt)
This RFC provides an overview of both X.500 basics, plus how X.500-based Directory
services globally work in a broad sense.
rfc1777 W. Yeong, T.
Howes, S. Kille, "Lightweight Directory Access Protocol", 03/28/1995.
(Pages=22) (Format=.txt) (Obsoletes RFC1487)
This RFC is an Internet "Draft Standard". It is the technical counterpart
to the "Lightweight Directory Access Protocl: X.500 Lite" paper referenced
above, and denotes version 2 of the LDAP protocol (LDAPv2). The Applications
area director has stated that LDAPv2 will not progress to "full standard"
because of various perceived dificiencies. Thus the IETF's Access and Sychronization
of Internet Directories working group is working on LDAPv3. See the
section about the IETF working groups, below.
rfc1823 T. Howes &
M. Smith, "The LDAP Application Program Interface", August 1995. (Format:
TXT=41081 bytes)
This RFC documents the API that LDAP clients utilize to interact with the
Directory. This API is implemented in "libldap.a", the code to which is available
at the UMich LDAP/X.500 client,
server, and general resource repository.
rfc1960 T. Howes, "A
String Representation of LDAP Search Filters", June 1996. (Format: TXT=5288
bytes) (Obsoletes RFC1558)
This RFC is defines exactly what its title sez it defines. See RFC 1823 shows
how search filters are used by the LDAP API.
"LDAP:
Programming Directory-Enabled Applications with Lightweight Directory Access
Protocol", T. Howes & M. Smith, Macmillan
Technical Publishing, 1997, ISBN 1-57870-000-0.
This is The Book for folks who want to do exactly what its title says. In
quality bookstores near you.
Behind the Basics: Schema, Attributes, and Directory
Organization
Look here if you understand the basics and are wondering about stuff such
as attributes, their syntaxes, object classes, etc.
These documents discuss Directory attributes and their syntaxes. You
need to read this stuff if you're setting up your directory and mapping
your organization's information into the it and/or if you're
creating new attributes.
-
rfc1274 P. Barker,
S. Kille, "The COSINE and Internet X.500 Schema", 11/27/1991. (Pages=60)
(Format=.txt)
-
rfc1779,
A String Representation of Distinguished Names. S. Kille. March
1995. (Format: TXT=12429 bytes) (Obsoletes RFC1485)
The above defines a small set of "short" attribute names, although
it doesn't define the full set as is commonly in present use within the
LDAP community. Clearly defining those is a topic of future work in the
IETF directory-oriented working groups.
-
rfc2079,
Definition of an X.500 Attribute Type and an Object Class to Hold Uniform
Resource Identifiers (URIs). M. Smith. January 1997. (Format: TXT=8757
bytes)
-
Preparing
Data for Inclusion in an X.500 Directory, Paul Barker, Department
of Computer Science, University Colleage London, May 1992
The above item is a good overview of the subject matter, though
with a Quipu orientation. Quipu is an (old) X.500 server implementation
from ISODE, Ltd.
-
rfc1279 S. Kille, "X.500
and Domains", 11/27/1991. (Pages=13) (Format=.txt, .ps)
-
rfc1778
T. Howes, S. Kille, W. Yeong, C. Robbins, "The String Representation
of Standard Attribute Syntaxes", 03/28/1995. (Pages=12) (Format=.txt)
(Obsoletes RFC1488)
-
rfc1617
P. Barker, S. Kille & T. Lenggenhager, "Naming and Structuring Guidelines
for X.500 Directory Pilots". May 1994. (Format: TXT=56739 bytes) (Obsoletes
RFC1384)
This RFC discusses how to organize one's directory. It applies to
standalone LDAP-based directories as well as X.500-based ones.
Once you have a directory with information in it, you need to be able to
search for information. One uses "filters" to specify one's searches. The
RFC below specifies LDAPv2 search filters..
-
rfc1960,
A
String Representation of LDAP Search Filters. T. Howes. June 1996.
(Format: TXT=5288 bytes) (Obsoletes RFC1558)
The documents below discuss the details of how information in the LDAP
protocol is actually encoded. Note that UTF-8 isn't actually used yet (I
believe), but is being discussed in terms of being specified in the LDAP
V3 Internet-Draft. See the section on IETF directory
service work , below, for info about what's going on in the various
IETF directory-services-oriented working groups.
"A Layman's Guide
to a Subset of ASN.1, BER, and DER"
rfc2279, UTF-8,
a transformation format of ISO 10646. F. Yergeau. January 1998. (Format:
TXT=21634 bytes) (Obsoletes RFC2044) (Status: DRAFT STANDARD)
Beyond the Basics: Directory Services for the Internet
at Large
Start here if you already know the basics and are wondering about underlying
details or about what all can be built with them...
"Introduction
to Directories and LDAP", Jeff Hodges, June 1997. The section on Deployment
Considerations and the Summary are relevant here.
-
A Scalable,
Deployable, Directory Service Framework for the Internet, Timothy
A. Howes & Mark C. Smith, April 28, 1995, CITI Technical Report 95-7
This paper describes how we might utilize LDAP and the DNS to achieve
a directory service framework in the near term. It specifically proposes
a new DNS record, "DX", to be used to locate an administrative domain's
directory service. The DX concept has been recently superseeded however,
by the "SRV" (service) record concept, which could be utilized instead.
See rfc2052, below.
-
rfc2052,
A DNS RR for specifying the location of services (DNS SRV). A. Gulbrandsen,
P. Vixie. October 1996. (Format: TXT=19257 bytes)
-
rfc1727 C. Weider,
P. Deutsch, "A Vision of an Integrated Internet Information Service",
12/16/1994. (Pages=11) (Format=.txt)
-
Using LDAP with
sendmail.8.8.x, Booker Bense, Stanford University, October 1996.
The Near Future: Current IETF work on LDAPv3 and Related
Topics...
LDAPv3 was annointed Proposed Standard status by the IESG (Internet
Engineering Steering Group) in early December '97.
See: Current
State of the LDAP Protocol Specifications (LDAPv3, LDAPv2)
There is a fair amount of work going on currently in the IETF on directory
services in general, and X.500/LDAP in particular. Most of this work is
occuring within the Applications
area of the IETF.
The IETF doesn't "work on" X.500. That is the domain of the International
Telecommunications Union (ITU).
Raw bibliography of X.500 and LDAP RFCs
This page simply lists just what it sez, but it also has
links to the RFC and Internet-Draft repository at Information
Sciences Institute (ISI).
Implementation Repositories, Extant Directory Infrastructures,
and other Resources
These are places to pick up both more detailed info and actual implementations...
-
UMich LDAP/X.500
client, server, and general resource repository
Get yer LDAP clients (for Mac, PC, and UNIX/X) here, as well as
servers and other goodies. Note that this site also has the complete
Standalone Ldap Daemon (slapd) documentation on-line, as well as
other documents and pointers to further information. Be sure to see the
link to the patch repository, below.
-
ISODE Ltd.
vailable, full-blown, native (tho somewhat old) X.500 server technology
and information here. They charge money for their up-to-date product line.
Also a second site for LDAP stuff.
Here's pointers to other pages about LDAP and LDAP
implementations in particular. Given
that you are reading this page, you should also take the time to peruse
these other pages -- I don't claim that this page has the last word on
LDAP developments...
Here's pointers to other Web pages about X.500 itself.
Some of these, like Nexor's pages, are general info sources about the X.500/LDAP-based
directory(ies). Other's, like SURFnet's and UMich's, are documents relating
to their particular Directory infrastructure and are quite interesting
as examples of how Internet-wide directory participants can package &
deliver their product both to their users and to the Internet at large...
-
Alta
Vista search on...
"LDAP and X.500 and not title:"Web500gw" with ranking spec of: "ldap
X.500 repository FAQ experience"
Here's pointers to various organization's directories, and to pages with
info about their directory projects (but be sure to peruse some of the
links above too, such as the ISODE Consortium and Nexor)...
-
North Atlantic Directory Forum
At one time, I had links here to the NADF's page at www.usps.gov/nadf/,
but it has disappeared. Nexor (see above) had some links, but theirs now
also dangle. Please drop me a line if you have info about NADF or pointers
to NADF stuff. Thanks. (31-Mar-97)
Currency of Information and Links in this
Document:
Please email me if
you find any issues with links and/or the content of this document. Thanks.
This page is revised from time-to-time -- as are many documents,
software,
and race
cars.
Credits:
Ros Halevi and Jing-Chyi Chao html-ized Tim Howes' LDAP paper.
Thanks to Tim Howes, Mark Smith, Gordon Good, Mark Wahl, and Steve Kille,
Chris Apple, Chris Weider, Paul Hoffman, and a host of others for answering
(and continuing to answer) my many questions.
Additional credits...
You've caused hit number "one of > 300,000" since 2 May 1996
