Comments on: Beyond LDAP – have a look at system.identity

By: Identités : faut-il sacrifier LDAP ? — SecurityVibes Magazine

Identités : faut-il sacrifier LDAP ? — SecurityVibes Magazine — Wed, 23 Mar 2011 13:45:43 +0000

[...] la gestion des identités ? C’est en tout cas une piste explorée par Martin Kuppinger dans un récent billet. Deux reproches principaux sont faits à LDAP dans le domaine de la gestion des identités : [...]

By: Kim Cameron

Kim Cameron — Mon, 28 Jun 2010 07:57:06 +0000

Emmanuel, just for the record, I've worked with X.500 and LDAP since the very beginning, and my company, ZOOMIT, did the first commercial implementation of LDAP. So there is no need to be derisive – I do actually understand how it works. The essence is that it implements the X.500 model. This model is based on named entities that represent real-world objects. The distinguished name (DN) is the base identifier of the objects, and consists of attributes strung together in a sequence out of which a hierarchy is constructed. Thus the identifier and hierarchy are conflated with the semantic contents of the object.

X.500 also has the concept of aliases. The alias is an obect that points at another object. It has its own name as a sequence of distinguished attributes. So the aliases are a second set of objects that live within a second hierarchy and point at objects living within a first hierarchy.

The main problem is that neither of these hierarchies have much to do with what programmers need. Let's face it. Hierarchical databases went out around 1980. People who build the vast majority of the world's applications don't use hierarchical databases – they use relational databases. They build hierarchies out of relationships, and don't hard-code them. This has a great many advantages, and these advantages explain why, in most aspects of development, relational databases have won out. Further, hard-coding causes a great many difficulties which we could drill into when we have more time. Now those of us who work in identity need to bring directory into alignment with relational databases so the world's programmers understand it and can benefit from the advantages it brings.

I can't discuss all the issues here, but will do so more in upcoming days on my blog, and I do invite you to continue this discussion with me there.

By: Martin Kuppinger

Martin Kuppinger — Fri, 25 Jun 2010 07:50:23 +0000

It is not about having multiple directories with different schemas and different hierarchies on one server. That is not the point, obviously. The point is that within one directory I have one schema. Within this schema, I have one hierarchy (which again is obvious when looking at the concepts of LDAP, the DNs, and so on). Thus based on the same set of data I end up with some inflexibility. I can for sure use Virtual Directory Services on top to create different hierarchical views but that is just a workaround.
Thus it is not about whether an RFC is implemented correctly (I assume that M$ is a biased abbreviation for Microsoft). It is also not about LDAP being broken, but LDAP being limited. By the way: For sure I know not only Microsoft Active Directory but many other directory services.
Aliases are not sufficient. That is again very obvious to any practicioner, because it is an inefficient workaround. Thus there is the obvious need to rethink this issue.
I’m pretty sure that I’ve got some of the points (which were examples). And just because the new concept has been developed by someone from Microsoft it is not necessarily bad. The real bad thing, from my perspective, is being narrowminded.

By: Emmanuel Lecharny

Emmanuel Lecharny — Thu, 24 Jun 2010 10:41:10 +0000

Funny, but totally off base.

LDAP allows more than one hierarchy. You can even have more than one schema used in a Ldap Server. My be M$ not implementing the RFC correctly is a reason not to support that, but it has nothing to do with LDAP being broken

LDAP allows you to refer data in many places through aliases. No need to invent another mechanism.

LDAP is not perfect, but you missed to point out the real problem in your article.

By: Tweets that mention Beyond LDAP – have a look at system.identity | Martin Kuppinger -- Topsy.com

Sun, 20 Jun 2010 17:11:39 +0000

[...] This post was mentioned on Twitter by Kuppinger Cole, Laura E. Hunter. Laura E. Hunter said: RT @kuppingercole: Beyond LDAP – have a look at system.identity http://is.gd/cWfic [...]