LDAP as the COBOL of Identity?
By Clayton on May 08, 2008
Dave Kearns says LDAP is the COBOL of Identity.
Jeff Bohren says it's actually the SNMP of Identity.
So now that we're talking about LDAP's role in the universe...
There's no pressing need to get rid of LDAP in existing applications. None at all. It works. The applications support it and will continue to support it indefinitely.
Even in next-generation applications I see LDAP support being integrated -- hardly what I see of COBOL, and not as the afterthought that SNMP always seems to be.
What does this say about any future identity services?
They must support LDAP-enabled applications.
Does this mean that they will only support LDAP? No.
Does this mean that we shouldn't move new applications to frameworks like the Identity Governance Framework that make it exponentially easier to build identity-aware applications? No.
It simply means that if you want your existing applications to work with your new identity service, that service had better support LDAP, or most of what you have won't work with it.
That said, movement requires motivation. If LDAP is good enough, we'll be talking about next generation identity services for a dozen years before anything meaningful gets shipped. After all, it was almost a decade ago that Bowstreet and others talked about replacing LDAP with DSML. This went nowhere.
So what great advance would provide this motivation? It won't be security, audit, and compliance. These things can be achieved today with LDAP and strong identity management software. If you can do it today, why rework everything?
What's likely to drive the move from LDAP to identity services is the enablement of new applications that have enormous potential for driving business growth.
An application that can take advantage of the extensive information available around identity in a way that relates that identity to its peers, communication, transactions, and other elements can really contribute to business. Since the full picture of identity and its relationships is much richer than LDAP's information model can describe, we will then need to move beyond the LDAP data model -- not by simply rewriting LDAP in XML, but by redefining what an identity representation for applications should look like.
There are many candidates for next-generation LDAP. Which one will win out? I've got my opinions, but in the end it may not matter.
Why? Because virtual directory technology insulates applications from the underlying changes in technology. This technology will easily adapt to add new listeners and adapters for emerging standards while retaining LDAP for the applications that have been written and will continue to be written to that model.