By Ludo on Sep 29, 2009
On Sunday September 20th and Monday 21st, I attended the 2nd LDAP International Conference, aka LDAPCon 2009, in Portland OR, USA.
The attendance was lower than expected initially but included most of the LDAP open source projects (Apache Directory, LSC Project, OpenDS, OpenLDAP) as well as directory server vendors (Apple, Isode, Sun, Symas, UnboundID) and some users of the technology.
All the slides for the presentations are now available, as well as the articles submitted for participation.
On Sunday, the conference was inaugurated by Mike Schwartz from GLUU, a Texas based start-up. GLUU intends to provide identity federation and single sign-on as a service and makes an intensive use of LDAP technologies : directory servers, directory proxy servers, virtual directories and DSML gateways for provisioning.
Stefan Seelman described the Apache Directory project and its toolchain, from the excellent Apache Directory Studio (you don't know the Studio yet, go get it !) to its embedded directory server. Stefan demonstrated how to use Studio to create a staged directory server, and then role out the changes into the production one.
Later in the day, Emmanuel Lecharny explained how Apache Directory Server is supporting RFC 4533 to allow synchronization between an OpenLDAP server and the Apache Directory Server. As of today, Apache Directory Server is only supporting the consumer side of the protocol so it can act as a replica of an OpenLDAP master. Building the supplier side is next on their roadmap but it's more complex, and then trying to do multi-master replication will require to implement conflict resolution procedures that have to be exactly identical to OpenLDAP ones. Based on our experience with Sun Directory Server and OpenDS, this will be the trickiest part. I got questioned on when OpenDS or Sun Directory Server will support this RFC. Honestly, this is not on our roadmap and we would be happy to add it if the community needs it and is willing to contribute. But today we already have a working multi-master replication feature that is much more scalable and powerful than what RFC 4533 allows to build.
Jonathan Clarke talked about LDAP Synchronization Connector, an open source project building synchronization tools between LDAP and other data sources such as RDBMs, flat files or alternate directories. LSC is written in Java and is already in production in a few french companies.
Terry Neely then presented how to do physical access control with LDAP. An interesting story about how to design schema, leverage replication to distribute access control information related to door and buildings. The OpenLDAP server running on an embedded hardware, with a 4GB compact flash !
Howard Chu, Chief Architect for OpenLDAP, and I did a joint presentation on how to store LDAP data in MySQL Cluster and we described the architecture of our respective implementations: OpenLDAP back-ndb and OpenDS ndb backends. Andrew Morgan from the MySQL Cluster team helped us describing MySQL Cluster. The question of having an in-memory distributed backend for LDAP server still raises a lot of questions and eyeballs, but people are starting to understand the value of scaling and getting simultaneous access to the data via LDAP, SQL or direct APIs.
Kurt Zeilenga presented his work in Isode directory to provide security label-based authorization. Security label based authorization is another flavor of authorization, in addition to identity based and role based authorization. The idea is to grant permission to access data based on the label presented by the authenticated user and the label of the data to be accessed. Which a lot of users in the directory, and many security levels (there can be up to 256 levels), this kind of authorization system scales better than Access controls. The Isode implementation has security labels at the entry level (not attribute). Clearance for a user is derived from an attribute in the user entry, from the user certificate in the directory or directly from the authentication level. While the presentation was mostly an overview of security labels and how they could be used in the context of a directory service, I found the presentation quite interesting as I've been asked a couple of time to add security label awareness to Sun Directory Server, especially in the context of Solaris Trusted Extensions.
We ended day one with a panel open discussion with the various directory projects and vendors. After briefly discussing areas where progress is to be made (see Mathias summary for details), we looked at the LDAP community and try to find ideas to increase it or make it more active. One area we (Sun) have been active is education. For the last couple of years, we've been involved in giving LDAP trainings in Universities, or helping teachers with projects involving LDAP instead of RDBMs. Another area is client APIs and code examples. The work that we're doing with the Apache Directory team is a good step. It was also quite interesting that Howard Chu came to me in the after hours and discussed about Java for servers. Obviously, getting fresh blood in projects in getting harder with C based projects than Java based projects, as most of students are no longer learning C programming but Java programming (and other modern languages).
On Monday September 21st, the day started with an analyst view on the LDAP directory landscape. Felix Gaehtgens, analyst and partner at Kuppinger Cole, talked about the various market segments of the directory markets and the third generation of LDAP directory products that have emerged in the last couple of years.
Kurt Zeilenga gave a status of LDAP standardization efforts, occurring at IETF and at ISO/IEC. The hottest topic is the password policy which is evolving in both standard bodies. Howard Chu and I have published an update on the Password Policy for LDAP internet-draft. We intend to post additional changes and get it through to RFC status in the coming months.
Other topics being worked on through IETF are LDAP Transaction draft, currently under editors' review, the LDAP schema for NIS (rfc 2307-bis), schema for VCard, schema for Kerberos and for NFS v4.
Kurt suggested that there is still some work to be done at IETF on the LDAP front, but it would be better conducted through a working group. He also encouraged people to join the standardization effort and bring some new blood to it, recognizing that he would be happy to participate but not lead a new working group. He suggested a list of topics that could be covered by the working group :
- Chaining Operations
- Access Controls based on X.500 model
- LDIF update
- Complex Transactions
- Schema versioning and management
- Password Policies
The next 3 presentations were about APIs for LDAP Java developers. Emmanuel Lecharny and I described the work we've done in the last few months collaborating on a common LDAP API for the Java platform, and we discussed what is required to move this work to standardization. Our presentation was mostly areas of work and a call for participation on that effort. We've moved our discussion to the Apache Directory API public mailing list (api (a) directory (dot) apache (dot) org).
Right after, Neil Wilson, chief architect at UnboundID, showed some slick slides about UnboundID's products, focusing mainly on their new LDAP client Java SDK, demonstrating it's use on the Android platform. UnboundID SDK is already available as opposed to Apache Directory or OpenDS ones. But it would definitely need to be polished and cleaned so that it could be used by our project for our needs, i.e. use the same SDK for both the server and client tools.
Following these 2 SDK presentations, Stefan Seelman demonstrated how to leverage the DataNucleus project and more specifically its support of LDAP to the standard JDO interface.
Howard Chu gave an overview of the new overlays developed in OpenLDAP related to user authentication and authorization. Based on the work from nss-ldapd the nssov overlay provides integration with the nss and the pam stacks. Another interesting module is an integrated certification authority overlay where user certificates and keys are generated magically based on the query filters. While this looks smart, it raises a lot of questions with regards to the security levels associated with generating and using certificates over LDAP, and it's current implementation (only search parameters are used to generate the certificate) is messing a lot with the semantics of searches. Both Kurt and I think it should be implemented as an extended operation or at least a search control.
Finally but not least, I closed the LDAPCon with my presentation on the innovations that have been done in the OpenDS project. My presentation was articulated in 2 parts, innovations that directory administrators benefit from like the Assured Multi-Master replication model and the scheduled and recurrent tasks. And the innovations for the developers, basically new LDAP syntaxes and matching rules to ease application developments. You can find the details in the slides or the paper that I wrote for the conference.
Overall, this conference was really good for us and for meeting with some of the OpenDS community members, but as well for raising the awareness on what we've been doing in the last couple of years. I really enjoyed the discussions with all attendees, the beers in the evening and the fun of trying to connect the iPhone LDAP clients to the OpenLDAP server running on Howard's G1 phone.
All photos that I took during the conference are publicly available, and free of use for non commercial purpose.