A section of An LDAP Roadmap & FAQ: A tutorial aid to navigating various
LDAP and X.500 resources on the Internet
by: Jeff Hodges
Note: This is the old list of "flashes" from the main LDAPRoadmap
page. Some of them may be interesting, some not, your mileage may vary, etc.
[Noteworthy stuff for folks to be aware of. This list is nominally a push-down
stack - most recent stuff on top. I timestamp 'em as I add 'em. Some stuff may
be kinda stale. Your mileage may vary. ]
- RECOMMENDED: Secrets
and Lies: Digital Security in a Networked World, by Bruce Schneier.
I just finished reading it. It is effectively a comprehensive survey of networked
computer security, told as a story, with the story broken down into three
main facets: Landscape, Technologies, and Strategies. In other words, he discusses
the lay of the security landscape today, what tools we have to work with,
and then discusses the possible strategies for dealing with it. Overall, he's
Geer's mantra of Risk
management is where the money is, but he's also filling-in the surrounding
context in detail, and ultimately describing a practical framework with which
to think about networked computer security in the context of getting on with
our lives even though there is no such thing as perfect security. Bruce's
own web pages for the book are here (they include the Table
of Contents, the Preface,
a couple of chapters, and other goodies) [6-Nov-2000]
- NSI's research folk are
also working on an LDAP-based replacement (I'm assuming that it'll eventually
be a replacement) for the (ancient) whois-based access to domain information.
The new service is called "Referral
LDAP Service". It's a pretty cool application of various LDAP features.
- We at Oblix completed & shipped
last month (Sep-2000). It's a cool directory-based Identity Management + Web
Access Management solution. Check it out. [1-Oct-2000]
- Well, I've been informed by a couple of correspondents that we've been
dethroned and are now only #2 at Google.com
for "LDAP" sites
(see the item two bullets down). Thanks for lettin' me know! [5-Jul-2000]
- Another new directory services book has appeared...
I picked up a copy for myself. Archie's done a very good job IMHO.
The book is somewhat more broad than HSG
(aka the "LDAP
Bible") in its presentation. Both books do attempt to provide a "soup-to-nuts"
coverage of directory services themselves, how they fit in an enterprise's network
infrastructure, and deployment case histories. One can probably get by with
one book or the other. But, with stuff as complex as directory services and
their deployment, it's arguably worth it to have both books in order to have
two different perspectives on whatever subtopic one's particularly interested
in. Reed provides a pretty thorough terminology discussion (Appendix A) and
a good overview and analysis of directory standards (in Appendix C) that are
worthwhile to have. Additionally, the book contains a CD that itself contains
several directory server implementations, various tools, and applications (most
of which appear to be trial-ware (aka evaluation copies)). He has the CD available
as a web site here: DirectoryService.com.
Also, I must disclose that I'm personally pleased to see the Oblix
Services Administration v3.5 included on the CD (!). [7-May-2000; minor
editorial updates 5-Jul-2000]
- Holy Searching Engine, Batman, we're #1!
Enter "ldap" as a search
string at Google, and see this page
come up on top. Wow. I just noticed last week.
Uh, please lemme know if anyone notices that it's not #1 anymore so I can then
remove this claim from this page 8^) Thanks. [24-Apr-2000]
- There's a fair amount of consternation in various quarters over whether
the US Patent system is being abused by folks who're patenting business processes
and/or various software algorithms (among other stuff, another example being
those folks who want to "patent" the very genes that're in my (& your)
DNA. Chutzpa (or whatever) doesn't begin to describe it IMHO) -- Amazon.com
being the present poster-child example. Personally, I believe they (Amazon
et al) are going too far. However, I'm otherwise a presently happy customer-and-affiliate,
and so don't (presently) feel motivated to terminate my affiliation over this.
I'm nosing around establishing affiliations with other parties (ZeroKnowledge
being an example). I do encourage folks to read about Tim O'Reilly's efforts
towards trying to facilitate mitigation of this alarming trend. An example
of his work in this area is
available here. Also, there's been a sporadic thread on the topic on Dave
Farber's Interesting People
mailing list (go here,
and use your browser's [Find] tool to search for "patent"). [14-Mar-2000]
- A talk reporting on the results of "a random [security] survey of ldap
enabled sites" is available on toaster.sun4c.net/papers/
(which in itself is a nifty site imho). Some folks apparently went out on
the 'Net and poked about and found other folks' ldap-based directory servers
and probed them and found security postures generally lacking. Interesting
read. The applicable talk is the one entitled "blackhat
briefings 07/08/1999" and is a powerpoint file. [2-Dec-1999]
- Whoa -- I hadn't noticed how outre' that Zero Knowledge banner up there
is until I poked at my page from a machine that didn't have InterMute
running on it. If you're not using a tool such as InterMute or something similar
(see also Junkbusters.com), you're
seriously missing out (in terms of the level of "noise attenuation" provided)
and putting out (in terms of the level of info about yourself and your system(s)
you dribble across the web). Anyway, if the Zero Knowledge banner is too noisy
for you, use your "stop animations" browser button, or better yet, use something
like InterMute. [2-Dec-1999]
- Concerned about your privacy whilst surfing the Internet? I'm concerned
about mine. I've been using InterMute
for 1.5 yrs now. Another product to consider is ZeroKnowledge's
Freedom (disclaimer: I'm honestly interested in this product, but haven't
had the time to check it out in detail, tho I have been following discussions
about its workings on various cypherpunk & crypto discussion lists/groups.
KingsMountainSystem's pages are sponsored in part by ZeroKnowledge
Systems, so if you purchase something from them via the web, a portion
of the proceeds go to help support this site. See my personal
home page for more crypto/privacy
- KLDAP -- A directory
browser from the KDE Project; a quote from
the KLDAP page: "kldap is a LDAP client for the KDE Project. It is similar
to the Novell Administrator. You can browse the LDAP tree, search for Objects
and modify their attributes". I haven't yet tried this, but definitely plan
to [I now have a linux box available]. I haven't yet played with KDE, cuz
I've been using Gnome, which RedHat
6.0 sets up as the default environment. I hope/plan to mess with KDE some
over the next few months (I've got somewhat higher priority things to work
on these days at my day job ;) [28-Nov-1999]
- Directory Services Markup Language announced!
Industry consortium looking to work on schema standardization (the core issue
apparently) via creative use of technologies such as XML.
- Other involved-with-directory-service colleagues' web pages I need to add
to the Roadmap proper but gonna list 'em here for now..
- I just stumbled across this
interview with Tim Howes on Netscape's
site. He discusses LDAP's history from his perspective as a key contributor.
- Yet another talk is available -- this time being a live webcast I did with
the CREN folk. I, along with Frank Grewe
of Univ. of Minnesota, were interviewees.
All the info including (nicely done) transcripts
and audio are available
- I have a new talk available on the web that's an updated version of the
Registry & Directory Infrastructure talk pointed to below. The new one
..Steve Kille's talk on Why
do I need a Directory when I could use a Relational Database? is still
quite relevant, though. [10-May-1999]
- Another new book is on the horizon..
- New LDAP books are available..
Ldap. Mark Wilcox, University
of North Texas. I have a copy (thanks Mark!), but haven't been able
to do more than just skim it (sigh, when are we getting more hours in the
day? I keep askin'...). It looks quite good and has many examples. Mark
is a frequent cogent contributor to various LDAP and Directory Service-oriented
newsgroups and email distribution lists. Recommended.
Distributed Applications with XML, ASP, IE5, LDAP and MSMQ. Stephen
F. Mohr. I do not yet have a copy, but I'm going to order one and check
it out. I need to learn more about XML as it is. (seems to be a steamroller
headed in my/our general direction..)
- [Note, this article is apparently no longer available at the DataCommunications
site. Innarested folks should perhaps bug DataComm directly about this and
see if they can make it available again. JDH 18-Jul-2000]
This article by Tim Howes does a good job of laying out what LDAP is good
for and what it is not..
Use as Directed -- The co-author of LDAP sets the record straight
on what the protocol can and can't do. Tim
Howes (who at the time was of the Office of the CTO, SUN-Netscape
Alliance, but now is co-founder and President of Product Operations of
Communications, Feb 1999.
..although I think I have slight differences of opinion about his thoughts
wherein authentication is concerned. I'll have to write something up about
I did write something about this, in a round-about fashion. Please see..
Directory Services: Security, WebSec'99, MIS
Training Institute, 12-Aug-1999, San Francisco CA.
- Version 2.0a of these pages is available for "beta" (mebbe "alpha" is really
more appropriate, but what-the-heck) HERE.
- Wow. Well, I received my first "weekly activity report" from Amazon.com
a day or two ago and, shucks, some of you have linked over there from here
and bought stuff and I'm going to see some remuneration as a result. Not a
lot, but if folks keep it up steadily, it's enough to cover my ISP costs.
Way cool. Sincere thanks to those of you who've participated in my
little "sponsorship" experiment here. [10-Feb-1999]
- The Horton Project here @Stanford, which has been entirely soaking up my
life for many months now, is almost deployed. We entered organization-wide
pilot in ITSS last week.
Links that you may find informative and useful are..
When we finally go production with it, you'll all have access to a Stanford
enterprise directory web page that will be directly querying our LDAP-based
directory service. Stanford community members will be able to tailor what information
they wish to present to (a) the Internet-at-large, (b) the Stanford community,
or (c) keep private. Additionally, our enterprise-wide whois- and finger-based
directory access services will become frontends to the LDAP-based directory
- I have been getting asked many questions along the lines of "I should
want to run a substantial ldap-based directory using an RDBMS as a backend
datastore (as opposed to LDBM), right?", and "I can get by running a substantial
directory using only a standalone LDAP-based directory server from
essentially any manufacturer, right?". I define "substantial" to mean either
or both (a) number of entries on order of from 10^4 to >> 10^6, and/or (b)
one having a complex schema with relationships between attributes within entries
and between attributes of different object classes. My short answer to the
two former questions is to say, "you really should consider mastering
your data in an RDBMS and disseminating it via LDAP/X.500 directory
technology," and pointing at these talks...
- This site is now shareware in the sense that contributions towards
its maintenance are gratefully accepted. One way to contribute is to follow
links to Amazon.Com (like the one in the next item) and purchase a book(s)
from them. This site is now an official Amazon Associate [1-Feb-1999]. Note:
if you honestly want to make a purchase that will contribute towards this
site, then be sure not to "leave" Amazon's site once you've entered it from
here and before you've purchased anything. If you're curious about Amazon's
associate program, click
- Notes on Kerberos
support in OpenLDAP and Netscape Directory Server, and the UMich kerberos
plugin for the NS DS. [11-Nov-1998]
- Current state of LDAPv3 docs included below
(stuffed in from my under-construction revamped version of this page -- which
I will get done one of these days Real Soon Now. No, like, fer shure.).
- Added www.devoto.com to resources
- I am working on a major re-write of these pages. I (perpetually,
it seems) hope to have them "beta" released in a week or two. I will
announce their availability to..
..or you can email me, and
I'll add you to the list of folks I'll copy the announcement directly to.