Directory services and beyond: The future of LDAP

From its remarkable debut in 1993 as a directory access system, LDAP has evolved to become one of the premier directory management services, rivaled only by Active Directory. But how implementable is LDAP in the current Microsoft market? Is it really compatible outside of Unix and Linux footprints? Security pro Joel Dubin looks at the past, present and future of LDAP.

Though LDAP is the predominant directory service for Unix and Linux, it can support user access via other operating systems, and has become the main directory protocol on the Internet.
,
The popularity of Lightweight Directory Access Protocol (LDAP) as a directory service continues to grow. Its tree-like structure for grouping network users was revolutionary when it premiered in 1993. Since then, it has become the primary model for directory services, including Microsoft's Active Directory.

Not being confined to Unix and Linux where it has frequently debuted, its flexibility, allows it to mesh with other directory services -- not just Active Directory -- and support newer types of authentication, such as smart cards and biometric devices.

Though LDAP is the predominant directory service for Unix and Linux, it can support user access via other operating systems, and has become the main directory protocol on the Internet.

So where is LDAP headed? To answer that question, we need to see briefly where LDAP has been, as well as explain what LDAP is, what it does and why it's unique.

LDAP history
First, LDAP is defined as a standard for directories, which are services that hold user account information. Directories can also hold other structured data, but for our purposes we'll limit the discussion to user accounts. LDAP began as a gateway service between other directory services before developing into a directory specification itself, complete with standards for details down to the structure of its own user databases.

Prior to LDAP, directory services were developed by the telecommunications industry to keep track of customers. Directory services were originally seen as computerized phone books. Not surprisingly, the first standard, X.500, was developed by the International Telecommunications Union (ITU) in 1988.

LDAP was developed in 1993 at the University of Michigan as a simple way to access the first X.500 directories. Those first directories sat on servers called Directory Service Agents, which communicated with clients by the more complex X.500 Directory Access Protocol. LDAP was meant to make that easier, or more "lightweight," as the "L" in LDAP implied.

More information:
Learn more about trends in indentity and access management.

Read these pros and cons of stand-alone authentication not based on Active Directory.
Two years later, the next version, LDAPv2, was released in a series of three RFCs. LDAPv2 removed the dependence on X.500, including changing network connectivity from the Open Standards Intercommunication (OSI) to the more nimble TCP/IP model -- the communications protocol for the Internet. This made it more compatible for Internet communications.

Then, in 1997, came LDAPv3. LDAPv3 improved support for directories not based on X.500, created a format for LDAP URLs, added security features like authentication and extensions for TLS -- the latest version of SSL -- and cleaned up schemas and string formats.

LDAP features
What makes LDAP unique is its tree structure, organizing users into hierarchies of groups. Each user is called an entry with its own unique identifier, or Distinguished Name (DN). Each DN has a series of attributes about the user, making it possible to mirror fine-grained access controls to users in the directory tree.

Though the details are beyond the scope of this brief introduction, each DN is an object, making it accessible to object-oriented programming languages, and it can also be constructed in a URL, making it accessible over the Internet via DNS.

Since the flurry of activity over a decade ago, there haven't been any new LDAP RFCs, nor has a new version come out. So does that mean LDAP is dying out? Far from it. LDAP has evolved and is stronger than ever.

Its ability to mesh with object-oriented programming languages and DNS makes it perfect for today's Internet-connected world. It also forms the basis of other Internet protocols, such as XML Enabled Directory (XED) and the Directory Service Markup Language (DSML).

LDAP's tree structure inspired Microsoft to take a similar approach with Active Directory, and the software giant has since made a commitment to LDAP: Active Directory in Windows 2000 Server was LDAP-compliant. Microsoft expanded LDAP support in Active Directory in Windows Server 2003 and included the LDAP API in the Microsoft Developer Network (MSDN) Platform SDK.

Besides Microsoft, LDAP is supported in products from a veritable who's who of IT vendors, including Sun Microsystems, Inc., IBM Corp., Hewlett-Packard Company, Novell Inc., Red Hat Inc., Oracle Corp., Apple Inc. and Siemens AG. Each of these companies offers directory services that support LDAP and are LDAP compliant.

LDAP's future
The future of LDAP lies in refinements to LDAPv3 rather than a new version. Most recent improvements added by vendors include upgrades to management GUIs that allow easier modification of users and their attributes. In other cases, as with Windows Server 2003, Microsoft added LDAP security and dynamic directory services that were already in LDAPv3 but not in Active Directory.

LDAPv3 is not without blemishes. There have been issues with its smart referral feature, which maps a directory entry to a specific URL, but these have been due to issues with vendor implementations and not LDAP itself.

If there is a lesson to be learned for an enterprise implementing LDAP, it's to choose a vendor that can take advantage of all the features LDAPv3 has to offer. And, of course, make sure that vendor is LDAP-complaint with certification from the Open Group -- a vendor-neutral organization that sets IT standards, including those for identity management. The key is in the front end to LDAP, whether Active Directory or some other product.

Perhaps LDAP's greatest challenge is one shared with any other directory service, including Active Directory: Its ability to adapt to the changes in the delivery of identity and access management, whether through new types of authentication like biometrics or through Software as a Service (SaaS) models. Its flexibility, scalability and ability to work with new technologies are what will keep LDAP alive. LDAP remains at the core of many directory services today because of this flexibility. And, it will remain so for the foreseeable future.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and the author of The Little Black Book of Computer Security, Second Edition, available from Amazon. He hosts a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.


This was first published in August 2008

Dig deeper on Active Directory and LDAP Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close