[ldapdata] LDAP Newsletter 5-21-05 (LDAP Certification) DOUBLE ISSUE

  • From: Hallett German <hrgerman@xxxxxxxxxxxxx>
  • To: ldapdata@xxxxxxxxxxxxx
  • Date: Sat, 21 May 2005 15:37:10 -0400

Topics:   LDAP Server Performance: Certifications

Issue Contents:

* LDAP Server Performance: Certification
* Next Time: LDAP Server Performance: More on Benchmarks and Load Testing

This newsletter is sponsored by Alessea Consulting.

Business/IT Services for small and medium businesses.
Specializing in network identity, project management, and
business development.

Visit us and read more about the Alessea difference.

URL:   http://www.alessea.com
Mail:  info@xxxxxxxxxxx
RSS:   http://www.alessea.com/feed.xml
Phone: 860-346-9121

By Hallett German

Topic: LDAP Server Performance Part 2:  Certifications

This is a new series about LDAP server performance, one that will take us 
through topics such as server benchmarks and certifications, server sizing, 
capacity planning and server optimization. We hope to give you a good roadmap 
of the products and trends in these fields.

This second article in the series will review LDAP certification.

When considering a new LDAP directory server, it is important to find out 
early in the process the answers to these questions:

* Is this directory server LDAP-compliant (version 2 or 3)?
* Are there any gaps in this directory server's LDAP compliance?
* Are there any extensions to the LDAP standard that this product uses?
* Are there any known issues with this directory server interfacing with 
other LDAP-compatible products (i.e. LDAP servers, browsers, applications, 
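As an added example (not part of the newsletter), here is how a practitioner can get a first answer to these questions from the server itself rather than from white papers. Every LDAPv3 server publishes a root DSE whose supportedLDAPVersion, supportedExtension and supportedControl attributes (RFC 2252 section 5.2, later RFC 4512) list the protocol versions, extended operations and controls it advertises. The script parses an LDIF dump of the root DSE and reports version support, well-known extensions by name, and unrecognised OIDs that point at vendor-specific extensions. The LDIF is a constructed sample, not output from any real server; the vendor name and the last control OID are placeholders, and the ldapsearch host name is hypothetical.

```python
"""Answer the LDAP-compliance checklist from a server's root DSE (added example).

A real run starts by dumping the root DSE, e.g. with the OpenLDAP client:

    ldapsearch -x -H ldap://directory.example.com -s base -b "" \\
        "(objectClass=*)" supportedLDAPVersion supportedExtension supportedControl

The LDIF below is a constructed sample so that the script runs offline.
"""
import base64
import re
from collections import defaultdict

# Well-known extended operations and controls (OID -> name, defining RFC).
# Anything the server advertises that is not here is vendor- or draft-specific.
KNOWN_OIDS = {
    "1.3.6.1.4.1.1466.20037": ("StartTLS", "RFC 2830"),
    "1.3.6.1.4.1.4203.1.11.1": ("Password Modify", "RFC 3062"),
    "1.3.6.1.4.1.4203.1.11.3": ("Who am I?", "RFC 4532"),
    "1.2.840.113556.1.4.319": ("Simple Paged Results", "RFC 2696"),
    "1.2.840.113556.1.4.473": ("Server Side Sort", "RFC 2891"),
    "2.16.840.1.113730.3.4.2": ("ManageDsaIT", "RFC 3296"),
}
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed root DSE dump: the vendor name ("ACME", base64-encoded) and the
# last control OID (a private-enterprise arc) are placeholders, not a real product.
SAMPLE_LDIF = """\
# root DSE, constructed sample
dn:
supportedLDAPVersion: 2
supportedLDAPVersion: 3
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.99999.1
vendorName:: QUNNRQ==
"""

LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Unfolds continuation lines (a leading space), skips comments and decodes
    base64 values written as 'attr:: ...'. Attribute names are lower-cased
    because LDAP attribute types are case-insensitive.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    attrs = defaultdict(list)
    for line in logical:
        if not line or line.startswith("#"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        attrs[name.lower()].append(value)
    return dict(attrs)


def assess_root_dse(ldif_text):
    """Summarise version support plus known and unknown extensions/controls."""
    dse = parse_ldif_entry(ldif_text)
    versions = sorted(int(v) for v in dse.get("supportedldapversion", []))
    report = {
        "versions": versions,
        "ldapv3": 3 in versions,
        "ldapv2_only": versions == [2],   # LDAPv2 was retired by RFC 3494
        "starttls": STARTTLS_OID in dse.get("supportedextension", []),
        "extensions": [],
        "controls": [],
        "unknown": [],
    }
    for attr, key in (("supportedextension", "extensions"), ("supportedcontrol", "controls")):
        for oid in dse.get(attr, []):
            if oid in KNOWN_OIDS:
                report[key].append((oid,) + KNOWN_OIDS[oid])
            else:
                report["unknown"].append(oid)
    return report


if __name__ == "__main__":
    r = assess_root_dse(SAMPLE_LDIF)
    print("LDAPv3:", r["ldapv3"], " versions:", r["versions"], " StartTLS:", r["starttls"])
    for oid, name, rfc in r["extensions"] + r["controls"]:
        print("  %-26s %s (%s)" % (oid, name, rfc))
    for oid in r["unknown"]:
        print("  %-26s vendor-specific or unknown; check the vendor's extension list" % oid)
```

Two caveats when running this against a real server: some directories restrict anonymous reads of the root DSE, so bind first if the attributes come back empty; and an advertised OID only says the server claims the feature, not that it behaves as the RFC specifies, which is what the interoperability tests discussed next are for.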

These questions are both easy and hard to resolve. The easy part: vendors' 
white papers are readily found on-line, and they detail which LDAP protocol 
RFCs their products comply with. (See examples below.)

However, these white papers discuss standards compliance/conformance and 
NOT necessarily interoperability. Standards compliance does not guarantee 
seamless interoperability with other products, and seamless interoperability 
with other products does not guarantee LDAP standards compliance. In some 
ways it is merely the "luck of the draw" whether you avoid the descent into 
"interoperability hell" outlined in the Thurman article below.

So the LDAP directory server selection decision-maker has one of two choices:

1) Do your own compliance and interoperability testing.
2) Rely on the independent certification of interoperability testing.

Let's review the choices available for both options:


There are a variety of test suites available:

1) For $2000-$5000 a year plus maintenance, you can use the Open Group's 
VSLDAP LDAP Compliance Test Suite. (This is part of a portfolio of other 
available test suites from the Open Group.)

Do note that this is the same toolkit that the Open Group uses as part of 
their LDAP Certification program (see below).

2) The Open Group also hosts the Basic LDAP Interoperability Test Suite 
(BLITS). The current version is 3.0. This open source software is available 
for free download. It includes over 160 test cases with associated test 
data. An announcement mailing list is also available.

3) The Secure Programming Group of the University of Oulu (OUSPG) offers a 
way to test the security aspects (robustness) of implementations of 
TCP/IP-based protocols such as LDAP. This is called the PROTOS LDAPv3 test 
suite. It uses black-box (functional) testing techniques, feeding a large set 
of malformed protocol messages to the server under test. The software is 
freely distributed as two JAR files. Do note that the LDAPv3 test suite has 
not been developed further since 2001.


In 1998-1999 various groups began a series of popular vendor LDAP 
interoperability testing sessions. The Open Group announced a plan to build 
on these efforts with a certification and testing effort. In 2000, the Open 
Brand "LDAP 2000" and "Works With LDAP" programs were launched. In 2003, 
these evolved into "LDAP Ready" and "LDAP Certified".

"LDAP Certified" is a program certifying that a directory server is 
compliant with key functionality associated with the LDAP protocol. It uses 
a wider set of criteria than the LDAP 2000 program did. It does not place 
any requirements on the operational or portability environment of the 
evaluated server. Vendors must do the following: 1) sign a legal agreement 
with the Open Group; 2) run VSLDAP as discussed above and submit the 
results, with all suite tests passed, to the Open Group; and 3) get approval 
after submitting a formal application. Vendors also have to pay the VSLDAP 
licensing fee, although certification itself is free to members of the Open 
Group's Directory Interoperability Forum (DIF). This process may take 
several weeks.

"LDAP Ready" is a program that certifies that an LDAP application will work 
with any "LDAP Certified" directory server under specified conditions. 
Vendors submit their data, which is subject to various terms and conditions. 
If this information is complete, it is immediately added to the "LDAP Ready" 
product registry. Note that an "LDAP Ready" registry entry is valid for two 
years. Also, there is an escalation/review process if one believes an 
application may not meet "LDAP Ready" status.

While the Web site is helpful in providing details about this program, we 
wanted to know even more about the program. Below are the questions 
submitted to Chris Harding, the Director of the Directory Interoperability 
Forum, and his answers.

Q1. How many vendors and products currently have signed up for the LDAP 
certified program?

A. There are currently 22 certified products from 6 vendors for "LDAP 
Certified", see http://www.opengroup.org/openbrand/register/dj.htm  There 
are no certified products under the "LDAP Ready" program.

Q2. With almost two years of experience, what have been the lessons learned 
from the LDAP certified program deployment/adoption?

A. The success of the LDAP Certified program is an indication that LDAP v3 
is a mature standard, and the existence of a number of certified products 
shows that customers have a real choice of conformant implementations when 
it comes to servers. The lack of take-up for LDAP Ready illustrates the 
difficulty of certifying client applications. Unfortunately, customers must 
satisfy themselves as to the degree of conformance of any applications they 
are considering.

Q3. Are there any changes in these programs that are planned?

A. There are no changes currently in preparation.

Next time, we will take a deeper look at LDAP benchmarking.

Here are some representative references:

VENDOR LDAP Compliance

Active Directory
A good white paper describing LDAP compliance and how Active Directory 
supports it. Note that this focuses on compliance, with only modest 
discussion of interoperability.

Novell (eDirectory) Compliance
Here is a typical vendor LDAP compliance list.

Lists which LDAP extensions are and are not supported.

LDAP interoperability
Article by Mathias Thurman explaining standards compliance versus 

Historical article about LDAP 2/3 compliance & conformance testing.

1997-1999 Directory Interoperability Tests.

Compatibility and Interoperability Test Suites
http://www.opengroup.org/testing/sales+support/prices.html VSLDAP Prices
www.opengroup.org/downloads/vsldap.pdf   VSLDAP Overview
http://www.opengroup.org/testing/support/vsldap_support.html VSLDAP Support 
http://www.opengroup.org/dif/blitspub/blits3.0/  BLITS homepage
BLITS mailing list
http://www.opengroup.org/press/08sep03.htm BLITS Press Release
http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ PROTOS LDAPv3 test suite
http://www.cert.org/advisories/CA-2001-18.html Historical CERT advisory on LDAP vulnerabilities discovered using the PROTOS LDAPv3 test suite

LDAP Certification
http://www.opengroup.org/directory/ Open Group DIF Home Page
http://www.opengroup.org/openbrand/register/dj.htm  "LDAP Certified" 
Certified Products
http://www.opengroup.org/dif/ldapc/ "LDAP Certified" Program
http://www.opengroup.org/dif/ldapr/index.htm  "LDAP Ready" Program

Next Time: LDAP Server Performance: Part 4: More on Benchmarks and Load Testing

Topic: Articles and Comments Welcome

I welcome 100-800 word articles for inclusion in future
issues. Vendors and LDAP data administrators are
particularly welcome. Of course, you receive full credit and
ownership of your article. Thanks in advance for your help.

Please feel free to comment on how useful it was and what
you would like to see in the future.
Contact me at hallett.german@xxxxxxxxxxxx

About Hal German

Hallett German has 20 years experience in a variety of
IT positions and in implementing stable infrastructures.
This includes directories/messaging architecture,
desktop support, and IT management. Hal is the founder
of the Northeast SAS Users Group and former President
of the REXX Language Association. He is the author of
three books on scripting languages. Periodically, he
writes articles on various business and IT topics.

Contacting Hal German/Past Issues

Mail: hallett.german@xxxxxxxxxxx

Archive of the LDAP Administration Newsletter:

Copyright Alessea Consulting 2005
