[ldapdata] LDAP Newsletter 5-21-05 (LDAP Certification) DOUBLE ISSUE

From: Hallett German <hrgerman@xxxxxxxxxxxxx>
To: ldapdata@xxxxxxxxxxxxx
Date: Sat, 21 May 2005 15:37:10 -0400

LDAP: ACCESS & DATA ADMINISTRATION NEWSLETTER
5/21/05 DOUBLE ISSUE
Topics: LDAP Server Performance: Certifications

Issue Contents:

* LDAP Server Performance: Certification
* Next Time: LDAP Server Performance: More on Benchmarks and Load Testing
_______________________________________________________________
This newsletter is sponsored by Alessea Consulting.

Business/IT Services for small and medium businesses.
Specializing in network identity, project management, and
business development.

Visit us and read more about the Alessea difference.

URL: http://www.alessea.com
Mail: info@xxxxxxxxxxx
RSS: http://www.alessea.com/feed.xml
Phone: 860-346-9121
_______________________________________________________________
By Hallett German

Topic: LDAP Server Performance Part 2: Certifications

This is a new series about LDAP Server Performance. One that will take us
through many
topics such as server benchmarks/certifications, server sizing, capacity
planning,
and server optimization. We hope to provide you a good roadmap of the
products and trends in these fields.

This second article in the series will review LDAP certification.

LDAP CERTIFICATION
When considering a new LDAP directory server, it is important to
discover early
in the process the answers to these questions:

* Is this directory server LDAP-compliant (version 2 or 3)?
* Are there any gaps in this directory server being LDAP compliance?
* Are there any extensions to the LDAP standard that this product uses?
* Are there any known issues of this directory server interfacing with
other LDAP-compatible products (i.e. LDAP servers, browsers, applications,
etc.)?

These questions are both easy and hard to resolve. One can easily find
on-line their vendor's white papers. These white papers detail the LDAP
Protocol RFCs that their
products are compliant with. (See examples below.)

However, these white papers discuss standards compliance/conformance and
NOT necesarily interoperability. This because standards compliance does not
guarantee seamless
interoperability with other products. And seamless interoperability with
other products does not guarantee LDAP standards compliance. In some ways,
it is merely the "luck of the draw" that you avoid the descent into
"interoperability hell" as outlined in the Thurman article below.

So the LDAP directory server selection decision-maker has one of two choices:

1) Do your own compliance and interoperability testing.
2) Rely on the independent certification of interoperability testing.

Let's review the choices available for both options:

OPTION ONE: ROLL YOUR OWN TESTING

There are a variety of test suites available:

1) For $2000-$5000 a year plus maintenance, you can use the Open Group's
VSLDAP LDAP Compliance Test Suite. (This is part of a portfolio of other
available test suites from the Open Group.)

Do note that this is the same toolkit that the Open Group uses as part of
their LDAP
Certification program. (see below)

2) The Open Group also hosts the Basic LDAP Interoperability Test Suite
(BLITS). The current version is 3.0. This open source software is available
for free download. It includes over 160 test cases with associated test
data. An announcement mailing list is also available.

3) The Secure Programming Group of the University of Oulu offers a way to
test the security aspects of TCP/IP-based protocols such as LDAP. This is
called the PROTOS LDAPv3 test suite. It uses black-box (functional testing
techniques). The software is freely distributed in two JAR files. Do note
that the PROTOS project and the test suite ceased further developments in 2001.

OPTION TWO: INDEPENDENT CERTIFICATION of INTEROPERABILITY TESTING

In 1998-1999 various groups began a series of popular vendor LDAP
interoperability testing sessions. The Open Group announced a plan to build
on these efforts with a certification and testing effort. In 2000, the Open
Brand for "LDAP 2000" and "Works With LDAP" programs were launched. In
2003, this evolved into "LDAP Ready" and "LDAP Certified".

"LDAP Certified" is a program certifying that a directory server is
compliant with
key functionality associated with the LDAP protocol. This uses a wider set
of criteria than found in the LDAP 2000 program. It does not place any
requirements on the operational and portability environment of the
evaluated server. Vendors must do the following: 1) Sign a legal agreement
with the Open Group. 2) Run VSLDAP as discussed above and submit the
results with all suite tests passed to the Open Group. And 3) get approval
after submitting a formal application. They will also have to pay for the
VSLDAP licensing fee although certification is free to members of the Open
Group's Directory Interoperability Forum (DIF). This process may take
several weeks.

"LDAP Ready" is a program that certifies that an LDAP application will work
with any
"LDAP Certified" directory server under specified conditions. Vendors
submit their data
which is subject to various terms and conditions. If this information is
complete, it is immediately added to the "LDAP Ready" product registry.
Note that the database LDAP Ready certification is valid for two years.
Also, there is an escalation/review process if one believes an application
may not meet "LDAP ready" status.

While the Web site is helpful in providing details about this program, we
wanted to know
even more about the program. Below are the questions submitted to Chris
Harding, the Director of the Directory Interoperability Forum and his answers.
Q1. How many vendors and products currently have signed up for the LDAP
certified program?

A. There are currently 22 certified products from 6 vendors for "LDAP
Certified", see http://www.opengroup.org/openbrand/register/dj.htm There
are no certified products under the "LDAP Ready" program.

Q2. With almost two years of experience, what have been the lessons learned
from the LDAP certified program deployment/adoption?

A. The success of the LDAP Certified program is an indication that LDAP v3
is a mature standard, and the existence of a number of certified products
shows that customers have a real choice of conformant implementations when
it comes to servers. The lack of take-up for LDAP Ready illustrates the
difficulty of certifying client applications. Unfortunately, customers must
satisfy themselves as to the degree of conformance of any applications they
are considering.

Q3. Are there any changes in these programs that are planned?

A. There are no changes currently in preparation.

Next time, we will take a deeper look at LDAP benchmarking.

References:
Here are some representative references:

VENDOR LDAP Compliance

Active Directory
http://www.microsoft.com/windowsserver2003/techinfo/overview/ldapcomp.mspx
A good whitepaper describing LDAP compliance and how Active Directory supports
LDAP compliance. Note this is focuses on compliance with some modest discussion
on interoperability.

Novell (eDirectory) Compliance
http://developer.novell.com/ndk/doc/ndslib/index.html?page=/ndk/doc/ndslib/dsov_enu/data/a2b6k5w.html
Here is a typical vendor LDAP compliance list.

Open LDAP
http://www.openldap.org/faq/data/cache/645.html
http://www.openldap.org/faq/data/cache/649.html
Lists which LDAP extensions are and are not supported.

LDAP interoperability
http://www.computerworld.com/securitytopics/security/story/0,10801,80054,00.html?from=story_package
Article by Mathias Thurman explaining standards compliance versus
interoperability

http://www.kingsmountain.com/directory/ldap/conformance.html
Historical article about LDAP 2/3 compliance & conformance testing.

http://www.imc.org/dc1-final.html
http://www.connectathon.org/ldaptests/
1997-1999 Directory Interoperability Tests.

Compatibility and Interoperability Test Suites
http://www.opengroup.org/testing/sales+support/prices.html VSLDAP Prices
www.opengroup.org/downloads/vsldap.pdf VSLDAP Overview
http://www.opengroup.org/testing/support/vsldap_support.html VSLDAP Support
Requests
http://www.opengroup.org/dif/blitspub/blits3.0/ BLITS homepage
http://www.opengroup.org/tech/dif/blits/mailinglists.tpl?CALLER=mailinglists.tpl

BLITS mailing list
http://www.opengroup.org/press/08sep03.htm BLITS Press Release
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ PROTOS
LDAPv3 test suite
http://www.cert.org/advisories/CA-2001-18.html Historical article on LDAP
vulnerabilities discovered by using PROTOS LDAPv3 test suite.

LDAP Cerification
http://www.opengroup.org/directory/ Open Group DIF Home Page
http://www.opengroup.org/openbrand/register/dj.htm "LDAP Certified"
Certified Products
http://www.opengroup.org/dif/ldapc/ "LDAP Certified" Program
http://www.opengroup.org/dif/ldapr/index.htm "LDAP Ready" Program

Next Time: LDAP Server Performance: Part 4: More on Benchmarks and Load Testing

Topic: Articles and Comments Welcome

I welcome 100-800 word articles for inclusion in future
issues. Vendors and LDAP data administrators are
particularly welcome. Of course, you receive full credit and
ownership of your article. Thanks in advance for your help.

Please feel free to comment on how useful it was and what
you would like to see in the future.
Contact me at hallett.german@xxxxxxxxxxxx
______________________________________________________________
About Hal German

Hallett German has 20 years experience in a variety of
IT positions and in implementing stable infrastructures.
This includes directories/messaging architecture,
desktop support, and IT management. Hal is the founder
of the Northeast SAS Users Group and former President
of the REXX Language Association. He is the author of
three books on scripting languages. Periodically, he
writes articles on various business and IT topics.

______________________________________________________________
Contacting Hal German/Past Issues

Mail: hallett.german@xxxxxxxxxxx

Archive of the LDAP Administration Newsletter:
http://www.alessea.com/newsletters.htm
_______________________________________________________________

[ldapdata] LDAP Newsletter 5-21-05 (LDAP Certification) DOUBLE ISSUE

Other related posts: