
Novell Delivers First Full-Function LDAP Server for the Network


01 Feb 1997


On January 13, Novell announced the availability of LDAP Services for Novell Directory Services (NDS), an important milestone in its efforts with industry partners and customers to commercialize Internet standards and establish LDAP-enabled NDS as the directory standard for business intranets and the Internet. The new Novell software enables customers to access NDS information from any Lightweight Directory Access Protocol (LDAP) Web browser and use NDS as a single interface into directory information located in multiple applications and operating systems. By offering the industry's first full-function LDAP server for the network, Novell provides the solution for businesses that need a method to access, manage, secure, and synchronize directory information stored in different applications and platforms across their intranets and the Internet.

The new LDAP Services evolve NDS into the industry's most robust implementation of LDAP and the only LDAP directory that can be efficiently distributed and scaled across organizations of all sizes. In contrast to competing solutions, which use LDAP only for access to user information, LDAP Services for NDS provide customers with a comprehensive set of replication, security, management, and administration features for access and control of directory information. To ensure interoperability with other standards-based directories, the new Novell software is an RFC1777-compliant implementation of the Internet Engineering Task Force (IETF) LDAPv2 specification.

"Novell is committed to accelerating the adoption of the LDAP standard in the Internet and intranet arena so that users in any environment will have easy access to network services and information," said Tom Arthur, vice president and general manager of Novell's Internet Infrastructure Division. "By combining two complementary technologies, the LDAP access protocol and NDS, we create a powerful synergy and give customers a solution today that is years ahead of the competition."

As a "door" to the "directory", LDAP now gives users access to NDS information over the Internet or intranet through any LDAP-enabled web browser or application. LDAP Services for NDS also includes security features that allow users to specify the directory information they want to make available across the Internet to the public, and to the groups and individuals in their organization. Users have the flexibility to securely access the organizational information they need across the Internet or intranet from anywhere in the world. As a management tool, LDAP Services for NDS allows customers to centrally monitor, update and control client access to directory information from anywhere on the intranet or Internet. This multi-server, multi-directory administration from a single utility, and the reliability of being able to access directory data even when your primary server is down, is a unique and valuable benefit of NDS' replication capabilities. By bringing these capabilities to the LDAP protocol, Novell hopes to accelerate the adoption of the standard.

Novell is supporting developers by providing easy access to network services through a common set of application programming interfaces (APIs) for all platforms, including Internet standard APIs such as LDAPv2. These common, platform-independent APIs streamline software development cycles and enable developers to leverage NDS and other network services in applications that can be accessed and distributed across multiple platforms on intranets and the Internet. Novell's initiative to implement NDS across a broad range of applications and major operating platforms is paving the way for developers to designate NDS as the LDAP directory of choice.

Product Availability

LDAP Services for NDS runs today on any IntranetWare, NetWare 4.11 or NetWare 4.1 server, and will also be available on major UNIX operating system platforms and Microsoft's NT Server in 1997. LDAP Services for NDS is downloadable today, free of charge, from Novell's World Wide Web site located at http://www.novell.com/nds.

About NDS

Novell Directory Services is the most widely used directory service in the world, with an installed base of over 17 million users. NDS provides a universal directory service for organizations' corporate networks, business intranets and the Internet, allowing you to quickly locate and access resources and users. NDS today is the only directory with a fully distributed architecture to enable scaling from small to global intranets, and it allows 24 x 7 operation so network administrators can customize and reconfigure the directory without bringing down the network. NDS provides a single point of access and management, increasing user productivity, reducing network administration costs and easing application development.

LDAP and Directory Services

What is LDAP?

As the X.500 directory specifications were being developed, a directory access protocol (DAP) was formulated. The DAP protocol specification had a lot of overhead, and not many people developed clients or applications for DAP. A group of people at the University of Michigan realized that if they could reduce the overhead in the DAP specification, they could get the same directory information out more quickly and with smaller clients. They named this new protocol specification the Lightweight Directory Access Protocol (LDAP - RFC 1777). LDAP is quickly becoming the standard for clients on the Internet and on intranets to access directory information.

How Important is LDAP?

LDAP is becoming the de facto standard for accessing directory information over the Internet or intranets. Novell is leading the charge for LDAP adoption by providing a scalable, secure, manageable, replicated LDAP directory via Novell Directory Services (NDS).

The LDAP standard will bring common, platform independent, APIs to developers. This means that products leveraging a directory service, like NDS, will come to market quicker and will be less expensive to develop.

LDAP Services for NDS v1 allows you to easily publish your organization's information to your intranet and to the Internet, while still maintaining control, through NDS, over who can access your information.

What is the Role of a Directory Service?

A directory service is simply a database of objects, representing everything on your network, that helps manage relationships between people and networks, network devices, network applications, and information on the network. These managed relationships identify whether a person or object can be authenticated and authorized to the network, and the access allowed to other network objects and information. The bigger networks get (like the Internet) and the more people and resources you need to locate and access, the greater the need for directories and standard methods of accessing directories.

The name Lightweight Directory Access Protocol suggests that there is an accessible directory behind it, right? The only way for LDAP to succeed is to have access to an expansive directory service, like NDS. With the advent of the Internet and the need for a comprehensive directory, many companies are realizing that they must have a directory service. There are very few directories that are tried and tested, and no directory is better proven than NDS.

NDS is a directory service designed to serve a worldwide network, and it is the most widely used directory service in the world, with more than 17 million users. No other directory has as much third-party support, and no other directory has as much content. In other words, NDS is secure, stable, easy to use, and it has lots of information to access and expand upon.

Why is NDS the LDAP Directory Service of Choice?

LDAP is very valuable, but it is in its early stages of development and is evolving to support capabilities found in vendor-specific access protocols. The RFC 1777 specification for LDAP is solely a client to directory access protocol. In the future, LDAP will be used for directory to directory communications and changes. Until the specification is available, directories that are built only on LDAP cannot support replication, scalability, etc.

Adopting LDAP as a standard access protocol and NDS as your directory service allows you to deploy Internet protocols today without waiting. NDS provides the management and scalability that won't arrive in the LDAP specifications for a few years. So, NDS is the LDAP Directory of choice, today. In fact, it is the only choice for a scalable, manageable, reliable LDAP directory.

What Does A Fully Distributed Directory Service Have to Do with LDAP?

The entire power of an LDAP client lies in the fact that a user can interact with the information he or she is accessing. That means changing information. In order to make a change you have to have some mechanism that ensures that everyone sees the changed information and that the changes don't break anything.

Most Directories Use a Master-Slave Model

The master-slave model is not a very robust and dynamic method of changing information for the Internet or any other distributed "net." Since all changes happen at the master server before they can be replicated to the others, your administration must be completely centralized. That is, unless you don't mind crossing a WAN link to administer or access your network.

The NDS Environment

Enter the age where you make a change and any waiting or communication between servers is done by the network and not by you. In other words, a fully distributed model allows your LDAP client to talk to various masters that do all the updating between servers behind the scenes. That means your LDAP clients can interact with information more quickly, and the changes they make are replicated throughout the network. The NDS distributed environment is more robust, and you won't have to wait to make a change. It also allows you to put the network data wherever users need it.

Specifics About LDAP Services for NDS v1

LDAP Services for NDS v1 is based on the IETF RFC 1777 LDAP version 2 protocol. LDAP Services for NDS v1 provides the following key benefits:

  • A way to expose information stored in NDS to any LDAP enabled browser or application

  • Levels of security not implemented in the current LDAP 2 standard

  • Managing LDAP users

Exposing NDS Through LDAP

LDAP Services for NDS v1 gives you the freedom to specify exactly the information you would like to expose to an LDAP client. You can identify the NDS information you want published using class and attribute mappings, which define the relationship between objects in LDAP and NDS. A class is a type of object such as a user object or a server object. An attribute defines information related to a specific object. For example, a User object attribute might be the user's surname or phone number.

Levels of Security

LDAP Services for NDS v1 supports most NDS security features and adds an LDAP access control layer that provides additional security features. These security features allow you to make certain types of directory information independently available to the public, to your organization, and to those groups or individuals that need to see your information.

LDAP Services for NDS provides two security layers that allow you to control the publishing of network information:

  • The NDS access control layer is always enabled and operates on the NDS server side of LDAP Services. The NDS access control layer can be accessed by the following connection methods:

    • Anonymous bind

    • Proxy user anonymous bind

    • NDS user bind

  • The LDAP access control layer is an optional layer that operates on the LDAP client side of LDAP Services for NDS. Access Control Lists (ACLs) are part of the LDAP access control layer. These access control lists specify the rights an LDAP client has to specific LDAP information. The following rights are maintained by the LDAP Server Object ACLs:

    • Search - Allows clients to search for LDAP object attributes that are defined in the Access To List.

    • Compare - Compare access rights allow clients to specify LDAP object attribute values that are compared to the corresponding (mapped) NDS values.

    • Read - Allows users to read the values of the object attributes defined in the Access To List. Read access also provides Search and Compare rights.

    • Write - Allows users to change the values of the object attributes defined in the Access To List. Write access also provides Read, Search, and Compare rights.
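An added model of the two layers and the rights chain described above (example code, not Novell's; the NDS-layer predicate, the proxy-user handling and the sample ACL entries are constructed assumptions, since the page does not detail how NDS itself evaluates rights):

```python
"""Model of the two access-control layers described above (an added example, not
Novell's code). The always-on NDS layer is a caller-supplied predicate, an
assumption since the page does not detail NDS rights. The optional LDAP layer holds
LDAP Server Object ACL entries granting Search, Compare, Read or Write over an
"Access To List" of attributes, with the chain the text states: Read implies Search
and Compare, and Write implies all four."""
from collections import namedtuple

# What each granted right carries with it, as the text states.
IMPLIED = {
    "Search": {"Search"},
    "Compare": {"Compare"},
    "Read": {"Read", "Search", "Compare"},
    "Write": {"Write", "Read", "Search", "Compare"},
}

# subject: "anonymous" or a bound DN; access_to: the Access To List of attribute names
LdapAclEntry = namedtuple("LdapAclEntry", "subject rights access_to")

def effective_rights(granted):
    """Expand a granted set such as {"Read"} to everything it implies."""
    out = set()
    for right in granted:
        if right not in IMPLIED:
            raise ValueError(f"unknown LDAP right: {right}")
        out |= IMPLIED[right]
    return frozenset(out)

def bind_subject(method, dn=None, proxy_user=None):
    """Identity evaluated for each connection method the text lists (assumed mapping)."""
    if method == "anonymous":
        return "anonymous"
    if method == "proxy":            # anonymous client evaluated as the configured proxy user
        return proxy_user or "anonymous"
    if method == "nds-user" and dn:  # client bound with its own NDS credentials
        return dn
    raise ValueError(f"unsupported bind: {method!r} dn={dn!r}")

class LdapServerObject:
    def __init__(self, entries, acl_enabled=True):
        self.entries, self.acl_enabled = list(entries), acl_enabled

    def ldap_layer_allows(self, subject, right, attribute):
        if not self.acl_enabled:
            return True              # optional layer off: the NDS layer alone decides
        return any(e.subject == subject and attribute in e.access_to
                   and right in effective_rights(e.rights) for e in self.entries)

def is_permitted(server, nds_allows, subject, right, attribute):
    """Both layers must agree; the NDS layer is always consulted."""
    return (nds_allows(subject, right, attribute)
            and server.ldap_layer_allows(subject, right, attribute))

# Constructed sample: the public may read two attributes; one staff DN may update the phone.
SAMPLE_SERVER = LdapServerObject([
    LdapAclEntry("anonymous", frozenset({"Read"}), frozenset({"Surname", "Telephone Number"})),
    LdapAclEntry("cn=jdoe,o=acme", frozenset({"Write"}), frozenset({"Telephone Number"})),
])

def sample_nds_allows(subject, right, attribute):
    """Stand-in NDS policy (constructed): anonymous connections never get Write."""
    return not (subject == "anonymous" and right == "Write")
```

Disabling the optional LDAP layer (acl_enabled=False) does not open the directory: the NDS layer still refuses what it would have refused anyway.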

LDAP Access Management and Monitoring

LDAP Services for NDS v1 is not just a door to NDS; it is also a management tool that allows you to enhance performance of LDAP client connections and moderate LDAP access activity. Some of the features that help you manage LDAP Services include the following:

  • Management can be done through NWAdmin for Windows NT or Windows 95

  • User E-mail Address - The user e-mail address page contains a list of Internet e-mail addresses that are returned when an LDAP client requests a user's e-mail address.

  • Search Entry Limit - The Search Entry Limit specifies the maximum number of objects for which the LDAP enabled server will return data.

  • Search Time Limit - The Search Time Limit specifies the maximum amount of time in seconds that the LDAP enabled server will use to return data.

  • Idle Timeout - The idle timeout defines the maximum amount of time in seconds that an LDAP connection can be inactive.

  • Bind Limit - The bind limit defines the maximum number of simultaneous LDAP binds or connections.

  • Log Event - Track user NDS access activity such as: trace function calls, LDAP request information, connection information, BER encoding, search filter processing, configuration file processing, LDAP ACL processing, client request summary, search response summary, error messages from all log options, and server console messages for LDAP

  • Setting the Suffix - The Suffix text box defines the Directory tree or subtree that the LDAP servers can access.

  • Setting the Referral - The Referral text box specifies the URL of an alternate LDAP server that is to handle any requests that cannot be completed by the servers in this group.

Hardware Requirements

NetWare 4.10 servers: Machine type

  • Standard Intel 80386, 80486, Pentium and Pentium Pro systems

  • Contact the Novell Labs group for a list of certified systems

Disk requirements

  • 1MB for Novell LDAP Services

Additional RAM requirements

  • 1 MB for Novell LDAP Services

  • 80K for each LDAP connection

IntranetWare or NetWare 4.11 servers: Machine type

  • Standard Intel 80386, 80486, Pentium and Pentium Pro systems

  • Contact the Novell Labs group for a list of certified systems

Disk requirements

  • 1MB for Novell LDAP Services

Additional RAM requirements

  • 1 MB for Novell LDAP Services

  • 80K for each LDAP connection

Software Requirements

Windows 95 or Windows NT

  • NetWare Client 32 for Windows 95 (from NetWare 4.11 release) or NetWare Client 32 for Windows NT

  • Network connection to the tree in which the LDAP server is installed

  • NWAdmin for Windows 95 (from NetWare 4.11 release) or NWAdmin for Windows NT

LDAP Outlook

Why Should I Care About LDAP and Directory Services?

Because LDAP is opening so many doors for directory services, life looks good in the future for users who want to access organizational information across the Internet or intranet. That means people can be a part of an organization's synergy with connections to people, information and resources from anywhere in the world.

What Will Novell Be Doing with LDAP?

As NDS is ported in 1997 to every major server operating system, all the benefits of LDAP access will be available to UNIX, NT, IntranetWare and NetWare 4.1. Novell will continue to push for standards like LDAP and implement those standards as they evolve.

In 1997, Novell will lead the way in providing directory information synchronization between NDS and other LDAP enabled directories that people are building. This means that a change in NDS, like a user's phone number, will be updated in another directory through the LDAP protocol or vice versa.

LDAP, in its current state (version 2), is best used as a protocol for client to directory information access. LDAP, as it matures, will become a directory to directory protocol, and Novell will be in the forefront making it happen. When LDAP provides server to server or directory to directory replication, Novell will lead the way in implementing it.

So while you wait for someone else to build a proven directory service, you can already have access to the power and performance of the LDAP directory of choice, NDS. And if you're a developer, the infrastructure of a publicly accessible directory service is available right now for you to leverage and get your products to market more quickly. After all, as LDAP matures to provide directory to directory communications and when other directory services finally come out, NDS will already be in place, ready to manage them and give you seamless, secure access.

LDAP Questions & Answers


Question:

When will it be available?

Answer:

LDAP Services for NDS v1 was shipping as of December 27, 1996.

Question:

How can I get a copy of LDAP Services for NDS v1?

Answer:

You can download a copy off the Novell web site at http://www.novell.com/corp/esd/softform.html

Question:

What does LDAP Services for NDS v1 do now that couldn't be done before?

Answer:

It allows you to access information stored in NDS through any LDAP enabled browser.

Question:

What kind of backwards compatibility is available?

Answer:

LDAP Services for NDS v1 will run on any NetWare 4.1 server or IntranetWare server today. As NDS is ported to other platforms, full LDAP functionality will also be ported.

Question:

Will LDAP Services for NDS v1 ship in future versions of IntranetWare?

Answer:

Yes. It will be integrated in the next major release of IntranetWare. LDAP Services will also be ported to the same major operating systems as NDS.

Question:

Now that I support LDAP, do I still need NDS or an NDS client?

Answer:

There are still limitations with LDAP version 2, such as the lack of security. If security is a big issue, accessing NDS is still preferable through an NDS client. Until LDAP matures, Novell's leadership in pioneering directory services will help LDAP evolve.

Novell, in the future, will use new versions of LDAP for communications between users and NDS, between NDS and other directories, and between NDS servers.
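To make the "lack of security" in LDAP version 2 concrete, here is an added example (not the page's or Novell's code) that encodes the RFC 1777 BindRequest for the anonymous and NDS-user binds listed earlier and audits a captured frame to flag a simple bind whose password travels in the clear. Tag values follow RFC 1777; the DN and password are constructed sample values.

```python
"""LDAPv2 (RFC 1777) BindRequest on the wire: an added illustration, not the page's
or Novell's code. Encodes the anonymous and NDS-user simple binds the text lists and
audits a captured frame to flag a password sent in the clear, the LDAPv2 weakness the
answer above refers to."""

def ber_length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value):
    """Non-negative INTEGER (message IDs, version); pad so the sign bit stays clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return ber_tlv(0x02, body)

def bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 2, name, simple [0] } }."""
    bind = ber_tlv(0x60, ber_integer(2)                       # [APPLICATION 0], constructed
                   + ber_tlv(0x04, dn.encode())               # name: LDAPDN as OCTET STRING
                   + ber_tlv(0x80, password.encode()))        # authentication: simple [0]
    return ber_tlv(0x30, ber_integer(message_id) + bind)      # outer SEQUENCE

def anonymous_bind(message_id=1):
    """Anonymous bind: empty name and empty simple credentials."""
    return bind_request(message_id, "", "")

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def audit_bind(frame):
    """Classify a captured BindRequest: version, DN, and whether a clear-text password rides in it."""
    tag, msg, _ = read_tlv(frame, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, p = read_tlv(msg, 0)
    tag, bind, _ = read_tlv(msg, p)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, p = read_tlv(bind, 0)
    _, dn, p = read_tlv(bind, p)
    tag, auth, _ = read_tlv(bind, p)
    if tag != 0x80:
        raise ValueError("not simple authentication")
    return {"version": int.from_bytes(version, "big"), "dn": dn.decode(),
            "anonymous": not dn and not auth, "password_in_clear": bool(auth)}
```

A trace entry with password_in_clear set is the case the answer warns about: the NDS credential is readable to anyone who can see the segment, which is why the NDS client is preferred for such access.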

Question:

How important are standards to Novell?

Answer:

Standards, like LDAP, are crucial to interoperability for customers and manufacturers. They also provide a fantastic opportunity for the company that has a technological advantage with a product "near" the standard. A standard directory access protocol moves the spotlight from the client access, since it is now "standard" across vendors, and on to the back end. That bright light will either show how strong you are or how weak. LDAP was a gift from Netscape and the IETF to prove the superiority of the NDS directory.

Question:

How is LDAP Services for NDS v1 implemented?

Answer:

LDAP Services for NDS v1 is an NLM that runs on top of IntranetWare or NetWare 4.1 and above.

Question:

What are other companies saying about LDAP?

Answer:

Some of the LDAP rhetoric can be confusing. Lightweight Directory Access Protocol is a quick and efficient protocol which opens the door to back end directories or directory services. The more wealth of information in a directory service and the ability to add new information, the more successful you will be with LDAP.

Microsoft has the right ideas; however, their vision of what their directory service will be is very much what NDS is today. Down the road a year or two, when their directory vision first ships, they'll be looking to leverage NDS with LDAP to enhance their own directory offerings.

Suggestion: Implement NDS today on IntranetWare, NetWare 4, and UNIX. Then get NDS for NT as soon as it's available, and integrate Microsoft's directory with LDAP when it ships.

Netscape Communications is one of the many companies working to make LDAP an industry standard. They are creating a little confusion, however, by referring to the directory they're building as an "LDAP Directory." LDAP is not the directory but the door to the directory, the protocol. We're very glad that Netscape has helped bring this new method for accessing directories to the attention of the industry. Netscape shares many of the same visions as Novell for using LDAP.

Suggestion: If all basic directories, like the one Netscape is building, are openly accessible by LDAP, look for the directory that's the best value. A better directory value might be NDS, which costs $0.

Question:

Where can I find out more about LDAP?

Answer:

University of Michigan http://www.umich.edu/~rsug/ldap/

CriticalAngle http://www.critical-angle.com/ldapworld/Welcome.html

Question:

I would like to know if there is a list of products availablethat are already LDAP enabled?

Answer:

There are more than 60 organizations developing to the LDAP standard. To name a few of the major players: Hewlett Packard, IBM, Netscape, Microsoft, SunSoft, and Santa Cruz Operations. For more information refer to the Critical Angle website - http://www.critical-angle.com/ldapworld/Welcome.html

* Originally published in Novell AppNotes

