
The pros and cons of deploying OpenLDAP: Windows and Unix

Randall Gamby discusses how OpenLDAP should (or shouldn't) be used in conjunction with enterprise directory implementations.

As time passes, memories begin to fade and get jumbled up in our minds. As it turns out, the same thing applies to technologies. Back in the 1980s, Lightweight Directory Access Protocol (LDAP), as the acronym implies, was created as a communications idiom for applications to get/put information from/to an Open Systems Interconnection (OSI) X.500 directory service. (As a historic note, LDAP was originally created because 386 PCs running DOS couldn't load X.500's usual access protocol -- Directory Access Protocol (DAP) -- into DOS's required 640K of RAM, and a "lightweight" version of DAP was needed so these platforms could query the directory.) Though X.500 directories and 386 PCs have gone the way of the dinosaur, the ideal of a generic, open architecture repository for people and identities continues to live.

While only LDAP remains of the original X.500 directory services standards, it has now moved from a lightweight access protocol in support of DOS PCs to the name for the directory service itself. But not only has the memory of LDAP been jumbled up with the repository it was used to access, the concept of an open architecture -- OpenLDAP -- has also been confused with LDAP itself. Many companies now have "LDAP-compliant" directories -- e.g. Microsoft's Active Directory, IBM's Tivoli Directory Service, Oracle Corp.'s Java System Directory Server Enterprise Edition, etc. -- yet they all carry internally proprietary architectures. When X.500 died, so did the ideal of an open architecture repository.

The X.500 concept of an open, standardized directory with the ability to directly replace one vendor's repository with another's has been replaced with today's LDAP-compliant directories, which provide interoperability, namely the ability for two vendors' products to work together. But there is one interoperable product created using the long-standing OSI model of community-developed standards: OpenLDAP. OpenLDAP, unlike today's commercial offerings, is an open source implementation of an LDAP-compliant directory. It's actually composed of many of the remnants of its older sibling, X.500. OpenLDAP is maintained and supported by the OpenLDAP organization and coordinated by the OpenLDAP Foundation. The OpenLDAP Foundation is a non-profit corporation with a charter to promote open source LDAP development through corporate sponsorships and individual donations. OpenLDAP follows, as most LDAP-compliant products do, the Internet Engineering Task Force (IETF) RFC 4510 standard, which defines the protocol and the related specifications needed to interoperate with an LDAP-compliant directory.

Best use cases for OpenLDAP

So what's the value of OpenLDAP and how can it be used by an organization? OpenLDAP runs on both Windows and Unix platforms and is a freeware, LDAP-compliant directory. This means it can be used as a standalone repository or as source code by commercial vendors in their own repository and application software.

Deploying OpenLDAP for Windows doesn't replace Microsoft's Active Directory because, as stated above, all commercial LDAP-compliant repositories are proprietary. That means that Active Directory implements additional Microsoft-specific objects and APIs used by other Microsoft-licensed products that leverage Active Directory's proprietary features. By purchasing the licensed product from Microsoft, a Windows-centric organization gains a number of advanced capabilities, but conversely, an organization using applications that aren't compliant with Active Directory must pay more to enable integration, purchase licensing add-ons or implement an alternative directory structure. OpenLDAP can be used as an alternative to Active Directory -- without the overhead or licensing needed to use Active Directory -- when there are heterogeneous applications that need access to an LDAP directory. For example, OpenLDAP can be used to emulate Active Directory's Global Address List (GAL) for internally developed applications that need this information. In addition, other applications and platforms that use LDAP for authentication and object storage can leverage this free repository for their use.
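As an added example (not from the article), the following cn=config LDIF fragment shows the minimum a defender would want before using a standalone OpenLDAP instance as a GAL-style address book and as an authentication source: address-book attributes readable only by authenticated users, password hashes readable by nobody, and simple binds refused unless the session is TLS-protected. It assumes the database is olcDatabase={1}mdb,cn=config (hdb on older releases), the suffix is dc=example,dc=com, and ou=people already exists; the user entry is constructed sample data.

```ldif
# Added example (not from the article). Assumes the directory database is
# olcDatabase={1}mdb,cn=config and the suffix is dc=example,dc=com.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Password hashes: the owner may change them, anyone may bind against them,
# nobody (not even authenticated users) may read them.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# GAL-style attributes: readable by any authenticated user, never anonymously.
olcAccess: {1}to attrs=cn,sn,givenName,mail,telephoneNumber
  by users read
  by * none
# Everything else: owner may edit own entry, authenticated users may read.
olcAccess: {2}to *
  by self write
  by users read
  by * none
-
# Refuse simple (cleartext-password) binds unless the session has at least
# 128-bit TLS protection, so credentials never cross the wire in the clear.
replace: olcSecurity
olcSecurity: simple_bind=128

# Constructed sample address-book entry (assumes ou=people exists). Set its
# password afterwards with the Password Modify operation (RFC 3062) over
# StartTLS instead of storing a hash in this file:
#   ldappasswd -ZZ -x -D "cn=admin,dc=example,dc=com" -W -S uid=jdoe,ou=people,dc=example,dc=com
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jdoe@example.com
telephoneNumber: +1 555 0100
```

Apply it with ldapmodify over the local ldapi socket (SASL EXTERNAL), which is unaffected by the simple_bind restriction; afterwards an anonymous search for mail attributes should return nothing, which is the check that the ACL took effect.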

OpenLDAP is also community developed. This allows for more innovation than can be expected from a vendor with limited development personnel and budgets. With the latest LDAP standard (v3.3), there are numerous elective LDAP features and extensions supported by OpenLDAP that are not necessarily implemented in other commercial LDAP-compliant products. The current OpenLDAP release supports more than 30 elective features and extensions, including DNS-based service location (RFC 2247 & RFC 3088), X.509 Certificate Schema (RFC 4523), Password Modify operation (RFC 3062) and others. Because these features aren't consistently supported by commercial vendors, OpenLDAP may be the only way enterprises can get the features they need to support a broad variety of different applications. So what's the catch? Well, free doesn't necessarily mean free. As with any open source software, there are intrinsic costs in terms of time and resources that must be accounted for, such as:

  • There are no professional services associated with OpenLDAP, so the personnel responsible for installing, configuring and maintaining it must be knowledgeable about LDAP software and must create any integration programs needed to tie OpenLDAP into the applications that will consume its data.
  • OpenLDAP also doesn't come with a GUI. All installation and configuration is done through a command-line interface.
  • Multi-language support exists only through mailing lists, which are operated independently of the OpenLDAP Project (and, notably, without the endorsement of or approval by the OpenLDAP Project).
  • Product support is provided through the OpenLDAP website's issue tracking system, which relies on independent contributions from OpenLDAP's members.
  • Updates and patches are not released on a regular basis, though new releases are planned and documented on the OpenLDAP technical support site.

Finally, it must be noted that there are no warranties on the operation of the OpenLDAP software, and, as stated above, the source organization exists solely on sponsorships and individual contributions. But even with these limitations, OpenLDAP does offer features that other proprietary products don't and can't, which makes it worth considering for enterprises that maintain a diverse application infrastructure and can't get the level of customization they need with their commercial directory products. With OpenLDAP in the marketplace, vendors are constantly reminded of a time when repositories were interchangeable, and that they need to continue to provide innovative repository products, or the old granddad of directories could one day cause their products to go the way of X.500.

About the author:
Randall Gamby is an enterprise security architect for a Fortune 500 insurance and finance company who has worked in the security industry for more than 20 years. He specializes in security/identity management strategies, methodologies and architectures.

This was last published in October 2010
