
LDAP Roundup

Some interesting reading in the LDAP sector tonight that is worth noting:

- Excel LDAP Search 0.56

This is actually pretty cool. Does have one? Almost.

- Windows Server 2008 - Active Directory certified for the BC-LDAP-USR Directory Interface for User Management

I find this post funny, as SAP already say "SAP's directory interface lets you consolidate user data from SAP systems with data from directories that implement the Lightweight Directory Access Protocol (LDAP)."

Active Directory, implement LDAP? They don't even get it right with ADAM.

So why is it certified when any Directory Server will do?

- OpenLDAP Configuration Automation

Why is this interesting? Well it's already on an OpenLDAP TODO list.

- Six Questions on building Identity Enabled Applications...

Here some quick answers, I'm sure others will have deeper replies:

- Protocols: Nowadays, the folks over at the Burton Group such as Bob Blakely, Dan Blum and Gerry Gebel have put together the most wonderful XACML interoperability events. The question that isn't addressed is if I am building an enterprise application from scratch, should I be XACML-enabled, think about integrating with STS, stick to traditional LDAP invocation or something else?

I would ask what problem is the application addressing? What protocols are actually needed for it to provide a solution and what does the customer want?

Anyway, I'm not sure how industry wide XACML has been adopted (that's mainly due to my lack of exposure to it and doesn't imply that it's not), but LDAP isn't going anywhere.

- Virtual Directories: What role should a virtual directory play in an Identity metasystem? Should virtual directory be a standalone product in the new world and simply be a feature of an STS? If an enterprise were savage in consolidating all directory information into Active Directory, why would I still need virtualization?

Point by point: Virtual Directories help with data consolidation, that is their role. I think yes, standalone where it is needed. I don't think any enterprise should be that dumb.

- Entitlements: One missing component of the discussion is authorization and there is somewhat too much focus on identity. Consider the scenario where if you were to ask my boss if I am still an employee, he would say yes as he hasn't fired me yet. Likewise, if you ask him what are all of the wonderful things I can access within the enterprise, he would say that he has no freakin clue, but as soon as you figure it out, please let him know. Honestly, even in my role, there are probably things that I can do but shouldn't otherwise have access to. So, the question becomes how come the identity conversation hasn't talked about any constructs around attestation and authorization?

I think because it always comes down to what the application is trying to do and the fact that these applications tend to do it all internally. There's more discussion over at SAML and Federated Identity Part 2 - Identity Management

- Workflow: Have you ever attempted to leave a comment on Kim Cameron's blog? You will be annoyed with the registration/workflow aspects. The question this raises in my mind is what identity standards should exist for workflow? There are merits in this scenario for integrating with the OASIS SPML standard, but I can equally see value in considering BPEL as well.

I think there are too many of these X-something standards, and BPEL and SPML all seem similar. Trying to keep up with them, let alone write applications that use them, would be a nightmare.

- Education: Right now the conversation regarding identity is in the land of geeks and those who are motivated to read specifications. There is a crowd of folks who need things distilled, the readers digest version if you will. Traditionally, this role is served by industry analysts such as Gartner and Forrester. What would it take for these guys to get off their butts and start publishing more thoughtful information in this space?

Time, Money? Won't it still be the geeks that read them anyway? The people that make the decisions don't have time ;-)

- Conferences: When do folks think that the conversation about identity will occur at other than identity/security conferences? For example, wouldn't it have been wonderful if Billy Cripe, Craig Randall and Laurence Hart were all talking about the identity metasystem in the context of ECM?

Sometimes it's hard to talk in the short time conferences last. What do you suggest? Maybe worth trying to get the ball rolling.

That's all I have time for tonight, not much but something for a quick read.


Bad LDAP coding, bad Application, but....maybe the LDAP Implementation?

It is true that poorly written LDAP code can really affect your portal; Suretec have seen it a few times:

A programmer who hadn't had much exposure to LDAP decided it was best to do a search from the base of the tree, for example, using ldapsearch:

ldapsearch -x -H ldap:// -b 'dc=suretecsystems,dc=com' '(objectclass=*)'

he retrieved *everything*, then did all the searching/filtering etc. locally in the client! What's the point of a Directory Server!?!

Our partners Symas have also talked about similar encounters, mainly with Sendmail.

It all comes down to the level of LDAP understanding a programmer has.

Or could it actually be the Directory Server implementation, namely Oracle Internet Directory (OID)?

I know OpenLDAP wouldn't slow an app down like this, because it's very fast..very very fast ;-)
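To make the cost of the anti-pattern above concrete, here is an added example (not Suretec's code, nor anything from the post): a tiny in-memory directory plus a search() that behaves like a directory server for the and/or/not, equality and presence subset of RFC 4515 filters and for the three search scopes. The "client-side" function pulls the whole tree with (objectClass=*) and filters locally, as the programmer in the post did; the "server-side" function sends a tight base, one-level scope, an escaped filter and an attribute list, so the server ships one entry and never returns userPassword. The example.com tree, the entries and the function names are all constructed for this example.

```python
"""Server-side versus client-side filtering against an LDAP directory.

Added example, not Suretec's code. The directory, entries and helper names
are constructed; search() mimics what a directory server does with a
SearchRequest (scope, filter, requested attributes) for a filter subset.
"""
import re

SCOPE_BASE, SCOPE_ONE, SCOPE_SUB = "base", "one", "sub"

# Constructed sample directory: DN -> attribute name -> list of values.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["dcObject", "organization"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["people"]},
    "ou=groups,dc=example,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["groups"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
        "mail": ["alice@example.com"], "userPassword": ["{SSHA}constructed"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
        "mail": ["bob@example.com"], "userPassword": ["{SSHA}constructed"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"objectClass": ["groupOfNames"], "cn": ["admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the and/or/not, equality and presence subset of RFC 4515 into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)  # a literal ')' inside a value must be escaped as \29
            attr, _, value = text[pos:end].partition("=")
            result = ("=", attr.strip().lower(), value)
            pos = end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter against one entry (names and values case-insensitive)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(k, attrs) for k in tree[1])
    if kind == "|":
        return any(matches(k, attrs) for k in tree[1])
    if kind == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if value == "*":  # presence filter, e.g. (objectClass=*); an escaped \2a is a literal star
        return bool(values)
    return _unescape(value).lower() in values


def in_scope(dn, base, scope):
    """SearchRequest scope rules (simplified DN handling: no escaped commas)."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in (SCOPE_BASE, SCOPE_SUB)
    if scope == SCOPE_BASE or not dn.endswith("," + base):
        return False
    above = dn[: -len(base) - 1]  # RDNs between the entry and the base
    return scope == SCOPE_SUB or "," not in above


def search(base, scope, filter_text, attrlist=None):
    """What the server does: scope, then filter, then trim to the requested attributes."""
    tree = parse_filter(filter_text)
    wanted = None if attrlist is None else {a.lower() for a in attrlist}
    results = []
    for dn, attrs in DIRECTORY.items():
        if in_scope(dn, base, scope) and matches(tree, attrs):
            results.append((dn, {k: v for k, v in attrs.items() if wanted is None or k.lower() in wanted}))
    return results


def mail_for_uid_client_side(uid):
    """The anti-pattern from the post: fetch the whole tree, then filter locally.
    Returns (mail, number of entries the server had to ship)."""
    everything = search("dc=example,dc=com", SCOPE_SUB, "(objectClass=*)")
    for _dn, attrs in everything:
        if uid in attrs.get("uid", []):
            return attrs["mail"][0], len(everything)
    return None, len(everything)


def mail_for_uid_server_side(uid):
    """Let the directory do the work: tight base, one-level scope, escaped filter,
    and only the attribute we need, so userPassword never leaves the server."""
    flt = "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)
    hits = search("ou=people,dc=example,dc=com", SCOPE_ONE, flt, ["mail"])
    if not hits:
        return None, 0
    return hits[0][1]["mail"][0], len(hits)


if __name__ == "__main__":
    print(mail_for_uid_client_side("bob"))  # ('bob@example.com', 6)
    print(mail_for_uid_server_side("bob"))  # ('bob@example.com', 1)
    print(mail_for_uid_server_side("*"))    # (None, 0): the star is escaped, not a match-all
```

On six entries the difference is six shipped entries versus one; on a real tree it is the whole directory, password hashes included, on every lookup. The escape_filter_value() step matters for the same reason the server-side filter does: once the filter is built from user input, an unescaped "*" or ")" changes what the server evaluates, and the last call in the block shows the escaped wildcard being treated as a literal rather than a match-all.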