Tuesday Sep 29, 2009

LDAPCon 2009 summary

On Sunday September 20th and Monday 21st, I attended the 2nd LDAP International Conference, aka LDAPCon 2009, in Portland OR, USA.
The attendance was lower than expected initially but included most of the LDAP open source projects (Apache Directory, LSC Project, OpenDS, OpenLDAP) as well as directory server vendors (Apple, Isode, Sun, Symas, UnboundID) and some users of the technology.

All the slides for the presentations are now available, as well as the articles submitted for participation.

LP0_1859On Sunday, the conference was inaugurated by Mike Schwartz from GLUU, a Texas based start-up. GLUU intends to provide identity federation and single sign-on as a service and makes an intensive use of LDAP technologies : directory servers, directory proxy servers, virtual directories and DSML gateways for provisioning.

LP0_1860Stefan Seelman described the Apache Directory project and its toolchain, from the excellent Apache Directory Studio (you don't know the Studio yet, go get it !) to its embedded directory server. Stefan demonstrated how to use Studio to create a staged directory server, and then role out the changes into the production one.

LP0_1865Later in the day, Emmanuel Lecharny explained how Apache Directory Server is supporting RFC 4533 to allow synchronization between an OpenLDAP server and the Apache Directory Server. As of today, Apache Directory Server is only supporting the consumer side of the protocol so it can act as a replica of an OpenLDAP master. Building the supplier side is next on their roadmap but it's more complex, and then trying to do multi-master replication will require to implement conflict resolution procedures that have to be exactly identical to OpenLDAP ones. Based on our experience with Sun Directory Server and OpenDS, this will be the trickiest part. I got questioned on when OpenDS or Sun Directory Server will support this RFC. Honestly, this is not on our roadmap and we would be happy to add it if the community needs it and is willing to contribute. But today we already have a working multi-master replication feature that is much more scalable and powerful than what RFC 4533 allows to build.

LP0_1862Jonathan Clarke talked about LDAP Synchronization Connector, an open source project building synchronization tools between LDAP and other data sources such as RDBMs, flat files or alternate directories. LSC is written in Java and is already in production in a few french companies.

Terry Neely then presented how to do physical access control with LDAP. An interesting story about how to design schema, leverage replication to distribute access control information related to door and buildings. The OpenLDAP server running on an embedded hardware, with a 4GB compact flash !

Howard Chu, Chief Architect for OpenLDAP, and I did a joint presentation on how to store LDAP data in MySQL Cluster and we described the architecture of our respective implementations: OpenLDAP back-ndb and OpenDS ndb backends. Andrew Morgan from the MySQL Cluster team helped us describing MySQL Cluster. The question of having an in-memory distributed backend for LDAP server still raises a lot of questions and eyeballs, but people are starting to understand the value of scaling and getting simultaneous access to the data via LDAP, SQL or direct APIs.

LP0_1870Kurt Zeilenga presented his work in Isode directory to provide security label-based authorization. Security label based authorization is another flavor of authorization, in addition to identity based and role based authorization. The idea is to grant permission to access data based on the label presented by the authenticated user and the label of the data to be accessed. Which a lot of users in the directory, and many security levels (there can be up to 256 levels), this kind of authorization system scales better than Access controls. The Isode implementation has security labels at the entry level (not attribute). Clearance for a user is derived from an attribute in the user entry, from the user certificate in the directory or directly from the authentication level. While the presentation was mostly an overview of security labels and how they could be used in the context of a directory service, I found the presentation quite interesting as I've been asked a couple of time to add security label awareness to Sun Directory Server, especially in the context of Solaris Trusted Extensions.

We ended day one with a panel open discussion with the various directory projects and vendors. After briefly discussing areas where progress is to be made (see Mathias summary for details), we looked at the LDAP community and try to find ideas to increase it or make it more active. One area we (Sun) have been active is education. For the last couple of years, we've been involved in giving LDAP trainings in Universities, or helping teachers with projects involving LDAP instead of RDBMs. Another area is client APIs and code examples. The work that we're doing with the Apache Directory team is a good step. It was also quite interesting that Howard Chu came to me in the after hours and discussed about Java for servers. Obviously, getting fresh blood in projects in getting harder with C based projects than Java based projects, as most of students are no longer learning C programming but Java programming (and other modern languages).

LP0_1867On Monday September 21st, the day started with an analyst view on the LDAP directory landscape. Felix Gaehtgens, analyst and partner at Kuppinger Cole, talked about the various market segments of the directory markets and the third generation of LDAP directory products that have emerged in the last couple of years.

Kurt Zeilenga gave a status of LDAP standardization efforts, occurring at IETF and at ISO/IEC. The hottest topic is the password policy which is evolving in both standard bodies. Howard Chu and I have published an update on the Password Policy for LDAP internet-draft. We intend to post additional changes and get it through to RFC status in the coming months.
Other topics being worked on through IETF are LDAP Transaction draft, currently under editors' review, the LDAP schema for NIS (rfc 2307-bis), schema for VCard, schema for Kerberos and for NFS v4.
Kurt suggested that there is still some work to be done at IETF on the LDAP front, but it would be better conducted through a working group. He also encouraged people to join the standardization effort and bring some new blood to it, recognizing that he would be happy to participate but not lead a new working group. He suggested a list of topics that could be covered by the working group :

  • Chaining Operations
  • Access Controls based on X.500 model
  • LDIF update
  • Complex Transactions
  • Schema versioning and management
  • Password Policies
  • ...

The next 3 presentations were about APIs for LDAP Java developers. Emmanuel Lecharny and I described the work we've done in the last few months collaborating on a common LDAP API for the Java platform, and we discussed what is required to move this work to standardization. Our presentation was mostly areas of work and a call for participation on that effort. We've moved our discussion to the Apache Directory API public mailing list (api (a) directory (dot) apache (dot) org).
LP0_1871Right after, Neil Wilson, chief architect at UnboundID, showed some slick slides about UnboundID's products, focusing mainly on their new LDAP client Java SDK, demonstrating it's use on the Android platform. UnboundID SDK is already available as opposed to Apache Directory or OpenDS ones. But it would definitely need to be polished and cleaned so that it could be used by our project for our needs, i.e. use the same SDK for both the server and client tools.
Following these 2 SDK presentations, Stefan Seelman demonstrated how to leverage the DataNucleus project and more specifically its support of LDAP to the standard JDO interface.

LP0_1872Howard Chu gave an overview of the new overlays developed in OpenLDAP related to user authentication and authorization. Based on the work from nss-ldapd the nssov overlay provides integration with the nss and the pam stacks. Another interesting module is an integrated certification authority overlay where user certificates and keys are generated magically based on the query filters. While this looks smart, it raises a lot of questions with regards to the security levels associated with generating and using certificates over LDAP, and it's current implementation (only search parameters are used to generate the certificate) is messing a lot with the semantics of searches. Both Kurt and I think it should be implemented as an extended operation or at least a search control.

Finally but not least, I closed the LDAPCon with my presentation on the innovations that have been done in the OpenDS project. My presentation was articulated in 2 parts, innovations that directory administrators benefit from like the Assured Multi-Master replication model and the scheduled and recurrent tasks. And the innovations for the developers, basically new LDAP syntaxes and matching rules to ease application developments. You can find the details in the slides or the paper that I wrote for the conference.

Overall, this conference was really good for us and for meeting with some of the OpenDS community members, but as well for raising the awareness on what we've been doing in the last couple of years. I really enjoyed the discussions with all attendees, the beers in the evening and the fun of trying to connect the iPhone LDAP clients to the OpenLDAP server running on Howard's G1 phone.

LP0_1874 LP0_1876 LP0_1878

All photos that I took during the conference are publicly available, and free of use for non commercial purpose.

Technorati Tags: , , , , , , ,

Wednesday Sep 02, 2009

Everything has an end...

And so do vacations, and blog silence.

I've been back in the office for over a week now but I was trying to catch up with emails, irc, blogs and news, too busy to find the time to blog again.
There's a lot to say on the LDAP and OpenDS front.

While I was happily riding the Mont Ventoux and around with friends and family, the project kept on moving on the path to OpenDS 2.2 and several new features have been committed by the team in the code repository:

  • The Control Panel can now be used to manage remote server instances.
  • OpenDS now publishes all changes in a public ChangeLog accessible (subject to access control) under the cn=changelog naming context.
  • Replication now supports a Fractional mode allowing to exclude or include only specific attributes of all replicated entries.
  • dsreplication utility has been improved to allow separating the replication service from the replicated OpenDS instance.
  • The import feature has been rewritten and optimized, reducing the time and memory required to import very large set of data.
  • The server now supports 2 new MatchingRules to better deal with Time and Dates (GeneralizedTime syntax).
  • The server now supports the ability to declare a new syntax but default it's implementation to an existing one.
  • The server now supports the ability to declare new Regular Expression based syntaxes and attributes.
  • The server now supports the ability to declare new Enumeration based syntaxes and attributes.

Most of the new features are already documented as part of the User Documentation of the OpenDS documentation wiki. You can test these features in recent daily builds, or you can wait for the next promoted build (2.1.0-build001) that should come pretty soon.
I will be starting a series of articles to describe with illustrations and details those new features, in the coming days and weeks.

Also in a separated branch, Matt and Bo have been working on an LDAP Client API, which is getting in a good shape to be released for beta testing soon (probably along with OpenDS 2.2).

LDAPCon 2009
The 2nd. International conference on LDAP, LDAPCon 2009 will be held on September 20th and 21st at Waterfront Marriot Hotel , Portland OR, USA. If you haven't registered yet, please register now ! The registration fee includes access to the LinuxCon 2009 (Sep 21 - 23), and if you still need to be convinced that it's worth attending, you can check the agenda. I hope to see you there.

Also noticed in the blogosphere and the websphere :

Finally I know the title of this post may have alarmed some of you. I don't know what's going to happen in the coming days, but I just hope I won't have to write another post with the same title on the subject of OpenDS or myself.

Technorati Tags: , , , , , ,

Thursday Jul 02, 2009

LDAPCon call for papers extended to July 8th...

I've just heard that the deadline for submitting proposals of presentations for the LDAPCon has been extended by a week.

if you're involved with LDAP in interesting project and you want to share your experiences, your innovative concepts... please check the "Call for Papers" and submit a proposal. Don't wait, a week is not much and it's better to do it now than realize the deadline is already over ;-)

The second edition of the International Conference on LDAP (LDAPCon) will be held on September 20th and 21st, 2009 in Portland, Oregon, USA, just before and at the same location as LinuxCon 2009.

Technorati Tags: , ,

Monday Jun 15, 2009

LDAPCon 2009, Call for Papers is open

The second edition of the International Conference on LDAP (LDAPCon) will be held on September 20th and 21st, 2009 in Portland, Oregon, USA, just before and at the same location as LinuxCon 2009. The first International Conference on LDAP was held in September 2007 in Germany (Some pictures).

A call for papers has be raised and the Program Committee asks you to submit them by July 1st. So if you're involved with LDAP in interesting project and you want to share your experiences, your innovative concepts... please check the "Call for Papers" and submit a proposal by July 1st 2009.

Technorati Tags: , , , , ,

Monday Sep 10, 2007

LDAPCon 2007 : OpenDS presentation PDF

I've uploaded the presentation [PDF] I gave at the 1st International LDAP Conference on OpenDS wiki.

Picture 3

Technorati Tags: , , , ,

LDAPCon is over

The 1st International LDAP Conference ended on Friday afternoon. I had to leave a little early to catch my plane, and didn't have the time to post the latest update. So here it is.

During the afternoon, Abdi Mohamadi (Sun) presented design and deployment considerations for scaling directories, Kostas Kalevras explained how Greek School Network centralized all LDAP data creation and modifications through Web services, and Felix Gaehtgens from Symlabs exposed in a fast and lively presentation some best practices when building LDAP based applications.

Overall it was a great conference, with interesting presentations and numerous long passionate bar discussions.

A toast to LDAP

Above members of 3 open-source Directory Server projects (OpenDS, OpenLDAP, Apache DS) raise their glasses in a toast to the LDAP community.

More photos...

Technorati Tags: , , ,

Friday Sep 07, 2007

Apache Directory Server, Stored Procedures and Triggers for LDAP.

Ersin Er from the Apache Software Foundation exposed his experimentations with Stored Procedures in LDAP and how they are used with Triggers.
Stored Procedures are code (java bytecode) stored in LDAP objects executed by a generic LDAP Extended request to pass parameters and get returned result and values.
Triggers are specifying an event, action,time and a scope in a single attribute definition, and leverage stored procedures for actions. Events are predefined, and triggers are run within an Administration domain (Subtree Specification). Pretty neat ! I think this is not a new idea, but it looks like a simplification in the use of the plugins and tasks that exist in Sun Directory Server and OpenDS. There might be value in a common representation of such LDAP directory server extensions, but I'm afraid this will not lead to better interoperability as Stored Procedures will be very specific to each implementation.

Technorati Tags: , ,

LDAPCon - Day 2

I've noticed that Jan-Piet Mens is also blogging live from LDAPCon. And yet we had a good evening with lively and hilarious discussions between the OpenLDAP, OpenDS, Isode, ApacheDS developers.

Steven Legg (eB2Bcom.com) exposed his work on XML enabled Directories also known as XLDAP. Most of the protocol and data model has been conducted through IETF. So far Steven has been the only one to produce an implementation. It's not really surprising: one need to be both an expert in LDAP and XML processing to get an idea of what XLDAP is. But I recently got a question indirectly from a customer about XLDAP and whether we had any plan to implemented. Could it be that XLDAP is starting to raise interest ?

Andre Posner from Sun showed the use cases and added value of Sun Directory Proxy Server 6.x for security, availability, integration of different Directory Servers, migration of services.

Technorati Tags: , , , , , ,

LDAPCon day 1, afternoon

It was a long afternoon at the LDAPCon with presentations until nearly 8pm. Thanks to the organizers it was followed by a social event with food and free drinks. A good occasion to relax, taste the local beer, recall the old LDAP stories and redo the world until exhaustion of fuel :-).

Frank Tröger exposed his work on a Reference Schema for Identity Management, searching, sort and linking all of the LDAP schema that have been defined in that area (with a focus on higher education).

Daniel Pluta from Munich University of Technology talked about Access controls for Group and Role management.

Giovanni Baruzzi from Syntlogo presented his thought on Designing a Directory Tree. In a nutshell, keep it simple:

"As flat as possible, as deep as needed"

Hilla Reynolds, Director of Development at CA revealed in a very animated and humorous presentation her secrets for a "Seamless Directory Backbone service": Standards, distribution, failover... Applications access front-ends that deal with the real sources of information.

Other sessions I did not attend (split sessions) included a presentation of the Apache Directory Studio (formelly known as LDAP studio). Impressive tool and progress since I last downloaded it. And a presentation on Spring LDAP.

Technorati Tags: , ,

Thursday Sep 06, 2007

Live from LDAPCon (Cologne)

I'm now in Cologne Germany participating in the 1st International LDAP Conference.

This morning, Kurt Zeilenga (Isode) started the conference with a Directory Standards Report, presenting the history of Directory Standards, LDAPv3 status and the current on-going effort.

I then presented the OpenDS project, the rational behind the project and its goals (I'll make the preso available later).

After lunch, Howard Chu (Symas, Chief Architect for OpenLDAP) introduced his talk with his traditional fiddle play and then presented the OpenLDAP 2.4 server. I must say that I've been impressed by the list of enhancements introduced such as N-way MultiMaster Replication.

Alex Karasulu (Apache Directory Project) presented his view of the LDAP community and his vision for the Apache Directory Server: a playground for experimentation and bridging LDAP and RDBMs.

More after the break.

Update on Sep. 10 2007.
Kurt's presentation was posted on Isode blog.

Technorati Tags: , , ,


This is the blog of a senior software engineer, specialized in LDAP, Directory Server and OpenDS. Ludovic Poitou works in France at the Grenoble Engineering Center, in the Directory Services Engineering team. Outside work, I love skiing and taking photo


« April 2014