LDAP: ACCESS & DATA ADMINISTRATION NEWSLETTER
5/21/05 DOUBLE ISSUE

Topics: LDAP Server Performance: Certifications

Issue Contents:
* LDAP Server Performance: Certification
* Next Time: LDAP Server Performance: More on Benchmarks and Load Testing
_______________________________________________________________
This newsletter is sponsored by Alessea Consulting. Business/IT services for small and medium businesses, specializing in network identity, project management, and business development. Visit us and read more about the Alessea difference.
URL: http://www.alessea.com
Mail: info@xxxxxxxxxxx
RSS: http://www.alessea.com/feed.xml
Phone: 860-346-9121
_______________________________________________________________
By Hallett German

Topic: LDAP Server Performance Part 2: Certifications

This is a new series about LDAP server performance, one that will take us through topics such as server benchmarks and certifications, server sizing, capacity planning, and server optimization. We hope to provide a good roadmap of the products and trends in these fields. This second article in the series reviews LDAP certification.

LDAP CERTIFICATION

When considering a new LDAP directory server, it is important to answer these questions early in the process:
* Is this directory server LDAP-compliant (version 2 or 3)?
* Are there any gaps in this directory server's LDAP compliance?
* Does this product use any extensions to the LDAP standard (controls, extended operations, or vendor-specific attributes)?
* Are there any known issues with this directory server interfacing with other LDAP-compatible products (LDAP servers, browsers, applications, etc.)?

These questions are both easy and hard to resolve. One can easily find a vendor's white papers on-line, and those white papers list the LDAP protocol RFCs the product complies with (see the examples in the references below). However, these white papers discuss standards compliance/conformance and NOT necessarily interoperability.
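The first three questions can also be answered from the server itself rather than from a white paper: every LDAPv3 server publishes a root DSE (RFC 4512, section 5.1) that lists the protocol versions, controls, extended operations and SASL mechanisms it supports. The script below is an added example written for this article; it is not code from the newsletter, from the Open Group test suites, or from any vendor. It parses the LDIF that ldapsearch prints for the root DSE and turns it into a checklist. The OID tables cover the RFC-defined controls and operations; the sample root DSE is constructed for illustration (it was not captured from a real server, and the OID under 1.3.6.1.4.1.99999 is made up), and the StartTLS and cleartext-SASL checks are my own selection criteria, not VSLDAP tests.

```python
"""Inventory what an LDAP server advertises in its root DSE.

Added example, not code from the newsletter, the Open Group suites or any
vendor. Parses the LDIF that ldapsearch prints for the root DSE and turns
the supported* attributes into a checklist. SAMPLE_ROOT_DSE is constructed
for illustration and includes one made-up vendor OID (1.3.6.1.4.1.99999.1.1).
"""
import base64
import sys
from collections import defaultdict

# RFC-defined controls and extended operations, keyed by OID. Anything the
# server advertises that is not listed here is reported as unrecognised,
# i.e. a vendor or Internet-Draft extension the white paper should explain.
KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "Simple Paged Results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server Side Sort (RFC 2891)",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT (RFC 3296)",
    "2.16.840.1.113730.3.4.18": "Proxied Authorization (RFC 4370)",
    "1.3.6.1.1.12": "Assertion (RFC 4528)",
    "1.3.6.1.1.13.1": "Pre-Read (RFC 4527)",
    "1.3.6.1.1.13.2": "Post-Read (RFC 4527)",
}
KNOWN_EXTENSIONS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
    "1.3.6.1.1.8": "Cancel (RFC 3909)",
}
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"
# SASL mechanisms that carry the password in the clear; only safe under TLS.
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}

# Constructed sample of what `ldapsearch -x -s base -b "" "+"` might print.
# It deliberately contains a folded line and a base64 ("::") value.
SAMPLE_ROOT_DSE = """\
dn:
namingContexts: dc=example,dc=com
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556
 .1.4.473
supportedControl: 2.16.840.1.113730.3.4.2
# made-up vendor OID for the example, not a real assignment
supportedControl: 1.3.6.1.4.1.99999.1.1
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: PLAIN
vendorName:: RXhhbXBsZSBEaXJlY3Rvcnk=
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles folded lines (a leading space continues the previous line) and
    base64 values ("attr:: ..."). Attribute names are case-insensitive in
    LDAP, so they are lower-cased for lookup.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = defaultdict(list)
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry[name.strip().lower()].append(value)
    return dict(entry)


def check_root_dse(entry):
    """Answer the selection questions from a parsed root DSE.

    Returns a report dict; 'findings' lists points to raise with the vendor.
    The StartTLS and cleartext-SASL checks are my own criteria, not VSLDAP's.
    """
    versions = set(entry.get("supportedldapversion", []))
    controls = entry.get("supportedcontrol", [])
    extensions = entry.get("supportedextension", [])
    sasl = {m.upper() for m in entry.get("supportedsaslmechanisms", [])}
    findings = []
    if "3" not in versions:
        findings.append("server does not advertise LDAPv3 (supportedLDAPVersion=%s)"
                        % (sorted(versions) or "absent"))
    if "2" in versions:
        findings.append("LDAPv2 still offered; v2 has no SASL, StartTLS or referrals")
    if STARTTLS_OID not in extensions:
        findings.append("StartTLS not advertised; simple binds send passwords "
                        "in the clear unless ldaps:// is used")
    clear = sorted(sasl & CLEARTEXT_SASL)
    if clear:
        findings.append("cleartext SASL mechanisms offered: " + ", ".join(clear))
    unrecognised = sorted([o for o in controls if o not in KNOWN_CONTROLS] +
                          [o for o in extensions if o not in KNOWN_EXTENSIONS])
    if unrecognised:
        findings.append("non-standard or unrecognised extensions advertised: "
                        + ", ".join(unrecognised))
    return {
        "ldapv3": "3" in versions,
        "naming_contexts": entry.get("namingcontexts", []),
        "vendor": entry.get("vendorname", [None])[0],
        "controls": {o: KNOWN_CONTROLS.get(o, "unrecognised") for o in controls},
        "extensions": {o: KNOWN_EXTENSIONS.get(o, "unrecognised") for o in extensions},
        "sasl": sorted(sasl),
        "findings": findings,
    }


def print_report(report):
    """Human-readable summary of check_root_dse()."""
    print("LDAPv3:", report["ldapv3"], " vendor:", report["vendor"])
    print("naming contexts:", ", ".join(report["naming_contexts"]))
    for kind in ("controls", "extensions"):
        print(kind + ":")
        for oid, name in sorted(report[kind].items()):
            print("  %-28s %s" % (oid, name))
    print("SASL:", ", ".join(report["sasl"]) or "(none)")
    for finding in report["findings"]:
        print("FINDING:", finding)


if __name__ == "__main__":
    # Pass a saved ldapsearch output file, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROOT_DSE
    print_report(check_root_dse(parse_ldif_entry(text)))
```

Save the OpenLDAP ldapsearch output of `ldapsearch -x -H ldap://host -s base -b "" "+"` (the `+` requests the operational attributes) to a file and pass it as the first argument, or run the script with no argument to see the constructed sample. Then compare the advertised list with the vendor's compliance white paper: an OID the server advertises but the paper never mentions, or a mechanism such as PLAIN offered without StartTLS, is the kind of question a conformance result alone does not answer.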
The distinction matters because standards compliance does not guarantee seamless interoperability with other products, and seamless interoperability with other products does not guarantee LDAP standards compliance. In some ways it is merely the "luck of the draw" whether you avoid the descent into "interoperability hell" outlined in the Thurman article below.

So the decision-maker selecting an LDAP directory server has one of two choices:
1) Do your own compliance and interoperability testing.
2) Rely on independent certification of interoperability testing.

Let's review the choices available for both options.

OPTION ONE: ROLL YOUR OWN TESTING

There are a variety of test suites available:
1) For $2000-$5000 a year plus maintenance, you can use the Open Group's VSLDAP LDAP Compliance Test Suite. (This is part of a portfolio of test suites available from the Open Group.) Do note that this is the same toolkit the Open Group uses in its LDAP certification program (see below).
2) The Open Group also hosts the Basic LDAP Interoperability Test Suite (BLITS). The current version is 3.0. This open source software is available for free download. It includes over 160 test cases with associated test data. An announcement mailing list is also available.
3) The Secure Programming Group of the University of Oulu offers a way to test the security aspects of TCP/IP-based protocols such as LDAP: the PROTOS LDAPv3 test suite. It uses black-box (functional) testing techniques, feeding the server deliberately malformed and boundary-case LDAPv3 messages and watching for crashes or other abnormal behaviour; this is how the implementation vulnerabilities described in CERT advisory CA-2001-18 (see references) were found. The software is freely distributed as two JAR files. Do note that the LDAPv3 suite has not been developed further since its 2001 release.

Note that these three suites measure different things: VSLDAP measures conformance to the protocol specification, BLITS measures whether products work together, and PROTOS measures robustness against hostile input. A server can pass the first two and still fail the third.

OPTION TWO: INDEPENDENT CERTIFICATION OF INTEROPERABILITY TESTING

In 1998-1999 various groups began a series of popular vendor LDAP interoperability testing sessions. The Open Group announced a plan to build on these efforts with a certification and testing effort. In 2000, the Open Brand "LDAP 2000" and "Works With LDAP" programs were launched.
In 2003, these evolved into "LDAP Certified" and "LDAP Ready".

"LDAP Certified" is a program certifying that a directory server is compliant with key functionality of the LDAP protocol. It uses a wider set of criteria than the LDAP 2000 program. It does not place any requirements on the operational and portability environment of the evaluated server. Vendors must do the following:
1) Sign a legal agreement with the Open Group.
2) Run VSLDAP, as discussed above, and submit the results to the Open Group with all suite tests passed.
3) Get approval after submitting a formal application.
Vendors also pay the VSLDAP licensing fee, although certification itself is free to members of the Open Group's Directory Interoperability Forum (DIF). This process may take several weeks.

"LDAP Ready" is a program that certifies that an LDAP application will work with any "LDAP Certified" directory server under specified conditions. Vendors submit their data, subject to various terms and conditions; if the information is complete, the product is immediately added to the "LDAP Ready" product registry. Note that "LDAP Ready" certification is valid for two years. There is also an escalation/review process if one believes an application does not meet "LDAP Ready" status.

While the Web site is helpful in providing details about these programs, we wanted to know even more. Below are the questions submitted to Chris Harding, Director of the Directory Interoperability Forum, and his answers.

Q1. How many vendors and products currently have signed up for the LDAP Certified program?
A.
There are currently 22 certified products from 6 vendors for "LDAP Certified" (see http://www.opengroup.org/openbrand/register/dj.htm). There are no certified products under the "LDAP Ready" program.

Q2. With almost two years of experience, what have been the lessons learned from the LDAP Certified program deployment/adoption?
A.
The success of the LDAP Certified program is an indication that LDAP v3 is a mature standard, and the existence of a number of certified products shows that customers have a real choice of conformant implementations when it comes to servers. The lack of take-up for LDAP Ready illustrates the difficulty of certifying client applications. Unfortunately, customers must satisfy themselves as to the degree of conformance of any applications they are considering.

Q3. Are there any changes in these programs that are planned?
A.
There are no changes currently in preparation.

Next time, we will take a deeper look at LDAP benchmarking.

References:

Here are some representative references:

VENDOR LDAP Compliance
Active Directory
http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx
A good white paper describing LDAP compliance and how Active Directory supports it. Note that this focuses on compliance, with only modest discussion of interoperability.

Novell (eDirectory) compliance
http://developer.novell.com/ndk/doc/ndslib/index.html?page=/ndk/doc/ndslib/dsov_enu/data/a2b6k5w.html
A typical vendor LDAP compliance list.

OpenLDAP
http://www.openldap.org/faq/data/cache/645.html
http://www.openldap.org/faq/data/cache/649.html
Lists which LDAP extensions are and are not supported.

LDAP interoperability
http://www.computerworld.com/securitytopics/security/story/0,10801,80054,00.html?from=story_package
Article by Mathias Thurman explaining standards compliance versus interoperability.

http://www.kingsmountain.com/directory/ldap/conformance.html
Historical article about LDAP 2/3 compliance and conformance testing.

http://www.imc.org/dc1-final.html
http://www.connectathon.org/ldaptests/
1997-1999 Directory Interoperability Tests.
Compatibility and Interoperability Test Suites
http://www.opengroup.org/testing/sales+support/prices.html
VSLDAP prices

www.opengroup.org/downloads/vsldap.pdf
VSLDAP overview

http://www.opengroup.org/testing/support/vsldap_support.html
VSLDAP support requests

http://www.opengroup.org/dif/blitspub/blits3.0/
BLITS home page

http://www.opengroup.org/tech/dif/blits/mailinglists.tpl?CALLER=mailinglists.tpl
BLITS mailing list

http://www.opengroup.org/press/08sep03.htm
BLITS press release

http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
PROTOS LDAPv3 test suite

http://www.cert.org/advisories/CA-2001-18.html
CERT advisory on the LDAP implementation vulnerabilities discovered with the PROTOS LDAPv3 test suite.

LDAP Certification
http://www.opengroup.org/directory/
Open Group DIF home page

http://www.opengroup.org/openbrand/register/dj.htm
"LDAP Certified" certified products

http://www.opengroup.org/dif/ldapc/
"LDAP Certified" program

http://www.opengroup.org/dif/ldapr/index.htm
"LDAP Ready" program

Next Time: LDAP Server Performance: Part 4: More on Benchmarks and Load Testing

Topic: Articles and Comments Welcome

I welcome 100-800 word articles for inclusion in future issues. Vendors and LDAP data administrators are particularly welcome. Of course, you receive full credit and ownership of your article. Thanks in advance for your help. Please feel free to comment on how useful this issue was and what you would like to see in the future. Contact me at hallett.german@xxxxxxxxxxxx
______________________________________________________________
About Hal German

Hallett German has 20 years of experience in a variety of IT positions and in implementing stable infrastructures. This includes directories/messaging architecture, desktop support, and IT management. Hal is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. Periodically, he writes articles on various business and IT topics.
______________________________________________________________
Contacting Hal German/Past Issues
Mail: hallett.german@xxxxxxxxxxx
Archive of the LDAP Administration Newsletter: http://www.alessea.com/newsletters.htm
_______________________________________________________________
Copyright Alessea Consulting 2005
_______________________________________________________________