In the first part of this chapter we introduced the notion of online directories and made comparisons to a variety of other network-based services and protocols. Now that we have discussed the capabilities of directories in depth, it is time to discuss LDAP and the origin of general-purpose, standards-based online directories. The Dawn of Standard Directories: X.500It is impossible to discuss the origins of LDAP without first talking about X.500. In the mid-1980s, two separate standards bodies independently started work on directory services that could work across system, corporate, and international boundaries. The first body was the International Telegraph and Telephone Consultative Committee (CCITT), which later changed its name to the International Telecommunication Union (ITU). CCITT member organizations ( mainly telephone companies) wanted to create a white pages directory that could be used to look up telephone numbers and electronic mail addresses. The other standards body was the International Organization for Standardization (ISO), which wanted a directory to serve as a name service for Open Systems Interconnection (OSI) networks and applications. (A name service provides information about network objects; the DNS is a familiar example.) Eventually, the two independent directory specification efforts merged into one effort, and X.500 was born. The first X.500 standard was approved in late 1988 and published in early 1990 by CCITT; it was subsequently updated in 1993, 1997, and 2001 (work continues today). The specification itself references other ISO Standards and consists of a series of recommendations, including the following:
As you can see, X.500 developers must absorb quite a few documents before they can begin to develop X.500 directory services software! The X.500 documents are published both online and in paper form by the ITU, which currently charges money to access them. X.500 InnovationsAt the time it was originally defined, X.500 had many novel qualities. First, it was one of the first truly general-purpose directory systems, and it was designed from the beginning to be extensible to serve the needs of a great variety of applications. Second, X.500 provided a rich search operation that supported many different kinds of queries. Third, X.500 was designed to be a highly distributed system in which the servers, data, and administrators could span the globe. Finally, X.500 was an open standard not controlled by any one vendor or tied to any specific operating system, networking technology, or application. The dream of the X.500 designers was that there would eventually be one fully interconnected global directory service: the Directory. Figure 1.10 shows the major components of an X.500 directory service. Figure 1.10. Components of an X.500 Directory Service
X.500 directories rely on a large suite of protocols, including DAP, DSP, DOP, and DISP. Some of X.500's strengths are its information model (which is flexible and complete), its versatility, and its openness. As you will see, the LDAP designers adopted many of the best ideas from X.500 while removing unneeded complexity. X.500 FlawsIn practice, X.500 directories suffered from some significant flaws, especially in their first decade of existence. The early implementations were buggy and did not perform or scale well. Those who tried to deploy distributed X.500 directories discovered some significant barriers to adoption, many of which were not specific to X.500 (such as difficulty obtaining and maintaining good data in a directory service). In addition, because of the complexity of the standards themselves and the associated difficulty of implementation, it has taken a long time for interoperability between different X.500 implementations to become possible. Furthermore, X.500 was based on the OSI network protocols. The dream of the OSI designers was that OSI would eventually replace TCP/IP as the networking protocol suite of the future. Unfortunately for them, this never happened . The simplicity, speed, and low cost of TCP/IP proved to be an unbeatable combination. Recently, in fact, the proponents of X.500 have defined a mapping that allows X.500 to run directly over TCP/IP. Finally, the origins of X.500 itself have to some extent prevented it from succeeding. The Internet grew rapidly in a bottom-up fashion as independent organizations deployed hosts and services at their own pace and without a lot of reliance on others. In contrast, X.500 was designed with the large public service providers in mind, implying a top-down deployment. Top-down deployment has proved to be impossible to achieve ”and it is certainly at odds with the prevailing Internet culture. Early X.500 Implementations and PilotsOne of the best-known early X.500 implementations, called Quipu, was developed at University College, London. Its name refers to the complicated system of knot-tying that the Incan culture used for communication. Part of the reason for Quipu's early popularity was that it was freely available in source code form. Quipu is built on top of an OSI networking package called the ISO Development Environment (ISODE), which allows OSI protocols to run on top of TCP/IP and, thus, the Internet. The availability of Quipu encouraged many organizations to experiment with X.500 directories. The Quipu implementation served as the basis for several European and United States “based pilot projects for X.500 white pages applications. Unfortunately, these worldwide X.500 directory pilots didn't grow as fast as their sponsors hoped, and interest has waned. X.500 found its greatest success in large organizations that could afford the time and effort needed to deploy a large, complex directory service. Some early deployers of X.500 included the United Kingdom academic community, Boeing Corporation, the National Aeronautics and Space Administration (NASA), the University of Texas, and the University of Michigan. X.500 products are still available today, although all of them are accessible through the use of LDAP in addition to the X.500 protocols. Typically, an X.500 directory service is deployed in partnership with the X.500 software vendor. Most vendors provide extensive consulting services to help organizations deploy and integrate an X.500 directory into their existing environment. The Creation and Rise of LDAPThe early adopters of X.500 found that DAP (X.500's directory client access protocol) was fairly complex and not well suited for or available on the desktop computers of the day (PCs and Macintoshes). DAP is large, complex, and difficult to implement, and most implementations perform poorly. Because most potential directory users had ordinary machines on their desks, the people deploying X.500 began to look for an approach that avoided the heavyweight DAP. Forerunners of LDAP: DIXIE and DASIn about 1990, two independent groups devised similar protocols that, compared to DAP, were simpler and easier for desktop computers to implement. Desktop clients used one of these new protocols to communicate with an intermediate server directly over TCP/IP, and the intermediate server in turn implemented X.500 DAP. Both groups brought their work to the IETF. The two lightweight protocols for desktop computers were called Directory Assistance Service (DAS), defined in RFC 1202; and Directory Interface to X.500 Implemented Efficiently (DIXIE), defined in RFC 1249. Figure 1.11 shows the architecture of a directory system that uses a DIXIE client/client/server architecture. Figure 1.11. DIXIE Provides a Front End to an X.500 Directory
Both protocols were successful; DIXIE, though, was quickly adopted as the preferred method to access X.500 directory systems. However, one shortcoming of the DAS and DIXIE protocols is that both were closely tied to a single X.500 implementation (Quipu). The Creation of LDAPAfter DIXIE and DAS showed the utility of a lighter-weight access protocol for X.500, the members of the OSI-DS Working Group within the IETF decided to join forces and produce a full-featured , lightweight directory access protocol for X.500 directories. Thus, LDAP was born. The developers of the first LDAP specification were Wengyik Yeong, Steve Kille, Colin Robbins, and Tim Howes, who is one of the authors of this book. Note also that contributions were made by many people from the Internet and X.500 communities. The first LDAP specification was published as RFC 1487 in July 1993. The first version of LDAP to see widespread use was version 2 (LDAPv2); the final specification for LDAPv2 was published as RFC 1777. LDAP InnovationsThe LDAP developers simplified the heavyweight X.500 DAP protocol in four important areas:
Early LDAP ImplementationsAt first, LDAP was used exclusively to provide a front end for X.500-based directory services. The first LDAP implementation was produced by the authors while at the University of Michigan. The U-M LDAP implementation, as it came to be known, was small and fast, and it ran on a wide variety of popular computing platforms. Most importantly, it included a simple, well-specified C language API that implemented all of the client side of LDAP and could be used to develop any kind of LDAP client application. The LDAPv2 client API eventually became a de facto standard and was published in RFC 1823. Figure 1.12 depicts the components of the early U-M LDAP software releases. The key server-side component is ldapd, which is an LDAP “to “X.500 DAP protocol translator. Figure 1.12. Major Components of the Early U-M LDAP Releases
The first version of the U-M LDAP implementation was released publicly on the Internet in 1992 with a copyright notice that allowed unrestricted use of the software. A wide range of freely available and commercial LDAP client software soon followed, much of which was based on the University of Michigan implementation. LDAP as a Standalone Directory ServiceIn early 1995, the LDAP group at U-M found itself on the brink of another revelation. When examining the directory access statistics for the U-M service, the group noticed that more than 99 percent of the X.500 directory access came through LDAP. This was true of most X.500 directories. Figure 1.13 shows the architecture prevalent at the time. Figure 1.13. LDAP Directory System Architecture, circa 1995
Although LDAP had solved the directory client access problem, the server implementations were still large, complex, and difficult to deploy. The U-M LDAP group realized that by eliminating the intermediate ldapd server, they could greatly reduce the overall complexity of the system and greatly increase the performance. After all, ldapd spent all its time translating LDAP requests into DAP requests and recasting the DAP results returned from the X.500 servers as LDAP results. In addition, the promise of a global, interconnected X.500 directory didn't seem to be achievable, so the need for an X.500 directory server at all was questioned. The concept of a standalone, or native, LDAP server was born. The new server was dubbed slapd (for standalone LDAP daemon ), and with the aid of a grant from the National Science Foundation, it was quickly implemented. Figure 1.14 shows the revised LDAP system architecture. Figure 1.14. LDAP System Architecture after the Introduction of slapd
While keeping the best pieces of the X.500 models (see Chapter 2 for more information), LDAP had now broken free of the last bit of X.500 and could proudly stand on its own. At the same time, referrals were added to the LDAPv2 protocol as an experimental extension to support an interconnected mesh of slapd directory servers. These changes moved LDAP out of its role as a simple, useful protocol for accessing X.500 directories to a much broader role as the foundation for a complete directory service. The first release of the U-M LDAP software to include slapd was the U-M LDAP 3.2 release in December 1995. LDAP MomentumLDAP's commercial success was assured in April 1996 when Netscape headed a coalition of more than 40 prominent software companies that endorsed LDAP as the Internet directory service protocol of choice. Today, companies such as Netscape, Sun Microsystems, and Novell produce a complete set of enterprise software centered on an LDAP-based directory service, and all major network application software vendors support LDAP in their client and server products. LDAP Version 3 DevelopedIn 1997, LDAP entered an even more mature phase in its evolution with the release of version 3 of the protocol (LDAPv3). Mark Wahl, now with Sun Microsystems, along with some of the original LDAP authors and a cast of hundreds from across the Internet, contributed to the LDAPv3 specification. LDAPv3 improves on LDAPv2 in the following important areas:
At the time of this writing, the LDAPv3 specification encompasses the following RFCs:
Like their X.500 counterparts, developers of LDAP directories must absorb quite a few documents before they can successfully develop LDAP software. Fortunately, all RFCs are freely available on the Internet, and most of the RFCs related to LDAP are fairly short and easy to read. Unfortunately, some of the LDAP documents assume that the reader has knowledge that can be obtained only by consultation of the X.500 standards. For example, to understand all the details of the LDAP naming model (which specifies how to refer to and arrange directory information), you would need to read the X.500 documents. In late 1997, LDAPv3 was approved as a proposed Internet Standard (the first step on its way to becoming a full Internet Standard), and in January 1998, Netscape shipped the first commercial LDAPv3 server, Netscape Directory Server 3.0. All serious directory services software vendors support LDAPv3 in their products today. Some of the available LDAP directory services products are modeled after the original University of Michigan slapd concept and are built around a standalone LDAP server that includes a high-performance embedded database (many such products use some of the U-M code). In other cases, vendors of X.500 or other directory services strongly embraced LDAP and made it their directory access and operational protocol of choice. Some examples of general-purpose LDAP directory services available at the time of this writing include
These directory products are generally designed to support a variety of Internet, intranet, and extranet applications. They usually provide good integration with other services that are based on Internet protocols, such as SMTP-based messaging servers, HTTP-based Web servers, and the like. They provide good administrative tools, are relatively inexpensive, and aim to be easy to deploy and maintain. Note that because these products do not all share a common design center, some are more suitable to certain kinds of directory deployments than others. For example, whereas Netscape Directory Server is designed to support mainly large intranet and e-commerce applications, Active Directory is designed to support mainly the administration of large Windows networks.
The Key Advantages of LDAPToday it is clear that LDAP has moved to the front and center of the online directory services space, and much excitement and energy are being put into developing and deploying LDAP directories. LDAP emerged from the rest of the pack to dominate the directory services space and capture the interest of information technology professionals because of the following factors:
In short, LDAP is making the dream of a universal, general-purpose directory service a reality on the Internet and within organizations. |