Not being confined to Unix and Linux where it has frequently debuted, its flexibility, allows it to mesh with other directory services -- not just Active Directory -- and support newer types of authentication, such as smart cards and biometric devices.
Though LDAP is the predominant directory service for Unix and Linux, it can support user access via other operating systems, and has become the main directory protocol on the Internet.
So where is LDAP headed? To answer that question, we need to see briefly where LDAP has been, as well as explain what LDAP is, what it does and why it's unique.
First, LDAP is defined as a standard for directories, which are services that hold user account information. Directories can also hold other structured data, but for our purposes we'll limit the discussion to user accounts. LDAP began as a gateway service between other directory services before developing into a directory specification itself, complete with standards for details down to the structure of its own user databases.
Prior to LDAP, directory services were developed by the telecommunications industry to keep track of customers. Directory services were originally seen as computerized phone books. Not surprisingly, the first standard, X.500, was developed by the International Telecommunications Union (ITU) in 1988.
LDAP was developed in 1993 at the University of Michigan as a simple way to access the first X.500 directories. Those first directories sat on servers called Directory Service Agents, which communicated with clients by the more complex X.500 Directory Access Protocol. LDAP was meant to make that easier, or more "lightweight," as the "L" in LDAP implied.
Then, in 1997, came LDAPv3. LDAPv3 improved support for directories not based on X.500, created a format for LDAP URLs, added security features like authentication and extensions for TLS -- the latest version of SSL -- and cleaned up schemas and string formats.
What makes LDAP unique is its tree structure, organizing users into hierarchies of groups. Each user is called an entry with its own unique identifier, or Distinguished Name (DN). Each DN has a series of attributes about the user, making it possible to mirror fine-grained access controls to users in the directory tree.
Though the details are beyond the scope of this brief introduction, each DN is an object, making it accessible to object-oriented programming languages, and it can also be constructed in a URL, making it accessible over the Internet via DNS.
Since the flurry of activity over a decade ago, there haven't been any new LDAP RFCs, nor has a new version come out. So does that mean LDAP is dying out? Far from it. LDAP has evolved and is stronger than ever.
Its ability to mesh with object-oriented programming languages and DNS makes it perfect for today's Internet-connected world. It also forms the basis of other Internet protocols, such as XML Enabled Directory (XED) and the Directory Service Markup Language (DSML).
LDAP's tree structure inspired Microsoft to take a similar approach with Active Directory, and the software giant has since made a commitment to LDAP: Active Directory in Windows 2000 Server was LDAP-compliant. Microsoft expanded LDAP support in Active Directory in Windows Server 2003 and included the LDAP API in the Microsoft Developer Network (MSDN) Platform SDK.
Besides Microsoft, LDAP is supported in products from a veritable who's who of IT vendors, including Sun Microsystems, Inc., IBM Corp., Hewlett-Packard Company, Novell Inc., Red Hat Inc., Oracle Corp., Apple Inc. and Siemens AG. Each of these companies offers directory services that support LDAP and are LDAP compliant.
The future of LDAP lies in refinements to LDAPv3 rather than a new version. Most recent improvements added by vendors include upgrades to management GUIs that allow easier modification of users and their attributes. In other cases, as with Windows Server 2003, Microsoft added LDAP security and dynamic directory services that were already in LDAPv3 but not in Active Directory.
LDAPv3 is not without blemishes. There have been issues with its smart referral feature, which maps a directory entry to a specific URL, but these have been due to issues with vendor implementations and not LDAP itself.
If there is a lesson to be learned for an enterprise implementing LDAP, it's to choose a vendor that can take advantage of all the features LDAPv3 has to offer. And, of course, make sure that vendor is LDAP-complaint with certification from the Open Group -- a vendor-neutral organization that sets IT standards, including those for identity management. The key is in the front end to LDAP, whether Active Directory or some other product.
Perhaps LDAP's greatest challenge is one shared with any other directory service, including Active Directory: Its ability to adapt to the changes in the delivery of identity and access management, whether through new types of authentication like biometrics or through Software as a Service (SaaS) models. Its flexibility, scalability and ability to work with new technologies are what will keep LDAP alive. LDAP remains at the core of many directory services today because of this flexibility. And, it will remain so for the foreseeable future.
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and the author of The Little Black Book of Computer Security, Second Edition, available from Amazon. He hosts a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.
This was first published in August 2008