On November 11th, a group of enthusiasts gathered in Edinburgh, Scotland, to attend the fifth edition of LDAPCon. This biennal conference on LDAP and, more broadly, on Identity Management, authentication and permission issues is the opportunity to meet the major players in these fields. Directory Services and management tools developers, recognized integrators and advanced users shared loads of informations in these two days, taking stock of the activity of the community and ensuring that it is alive and well!
Personally, I was there primarily as a member of the LemonLDAP::NG, LDAP Tool Box and LDAP Synchronization Connector communities. I had the opportunity to give a talk on the OpenID Connect protocol. It was the first time I was going to represent Savoir-faire Linux, one of the event’s corporate sponsors, whose « I ♥ LDAP » badges have been much appreciated. 😉
Opening conference: LDAP in 2020?
The opening conference was given by David Goodman — a prominent figure in the field that has worked since the 1990s on X.500 and then on LDAP in organizations such as IBM, Nokia or Ericsson.
David picked up with Ludovic Poitou’s 2011 conference and its provocative title: “Is LDAP dead?” Two years later, it is clear that this is not the case and David tries to imagine what it will be like in 2020.
To this end, he traces the history of the protocol starting with X.500 that he helped publicize via PARADISE (Piloting A ReseArchers’DIrectory Service for Europe), a project for telecom providers to prove that it was a viable protocol. But facing X.500 complexity and integration issues with Mac and Windows clients, the designers of X.500 imagined LDAP — first as a gateway to X.500, then as an independent standard. Finally, Netscape announced it would support LDAP in 1996 and a year after, LDAPv3 came out and X.500 was considered dead.
So what about today? Key players (Oracle, IBM, CA, Microsoft, to name a few) are all offering solutions based on LDAP. However, the Cloud revolution appears to leave this standard out. Azure AD, for example, does not offer LDAP access. It is also noted that developers are now more keen on API XML or JSON than they are on native LDAP — not to mention the NoSQL database popularity.
Finally, what does the future hold for LDAP? This standard is still significantly established in the current ecosystem and will not be forgotten five years from now. But in order to make sure it does not turn into another obsolete technology it must address new needs related to cloud computing, performance, development tools, combination with other standards such as SCIM, for instance.
Compared to SAML, OpenID Connect is the next-generation — REST implementation, offline mode, mobile application-ready, and so on.
I have noticed that, despite its youth — it was not a standard until 2014 — this protocol is already well known and attracts a great deal of corporate players and community interest, both having already integrated it in their products or preparing themselves to do so in the upcoming months. This is the case for LemonLDAP::NG which will support OpenID Connect starting with version 2.0.
All the talks given during these two days were fascinating and it would be challenging to summarize them in this article. Check the presentations available on the LDAPCon 2015 website if you are interested.
Key points to bear in mind:
- LDAP can also be used in asynchronous mode and directory publishers have made suggestions on ways to improve the performance of this kind of requests. OpenLDAP will propose the back-asyncmeta module in version 2.5.
- Transaction support is on its way in OpenLDAP 2.5 as well as other products.
- LDAP is cool! GitHub itself uses it…
- You can get rid of NIS thanks to DBIS (but it is not the only solution).
- Directory replication is still a big issue and FreeIPA will publish soon a new implementation based on their topology module.
- LDAP only goes faster with the WiredTiger backend or the new improvements of LMDB. It’s almost too fast since syslog deamons are no longer be able to keep up!
- Samba rocks with an OpenLDAP backend! And it will also be supported in OpenLDAP 2.5.
- We also know that this new version (no official release date yet) will offer
slapmodify/slapdelete tools, OpenSSL elliptic curve support, a TOTP module, database or overlay deactivation in
cn=config and everything that was discussed above.
- Check also Ludovic Poitou’s great pics of the conference.