LDAP Deployment BoF

Minutes of the meeting held on May 12, 2000 at TERENA offices in Amsterdam

Agenda and presentations
1. Round of introductions

Present:
 
Peter Valkenburg SURFnet
Roland Hedberg Catalogix
Sigfrid Lundberg Lund University Library
Dan Brickley ILRT
Peter Gietz DFN Directory Services
Vincent Berkhout DANTE
Stig Venaas UNINETT
Thomas Lenggenhager SWITCH
Anders Lund UNINETT
Henny Bekker SURFnet
Yuri Demchenko TERENA

2. LDAP native DIT: Migrating from X.500 to LDAP technology - final report on DIRECT project

Peter Valkenburg presented current results of the DIRECT pilot project.

DIRECT project: the project is nearing completion; a final report is in preparation. The DIRECT project is conducted in close cooperation with the DANTE NameFlow service. A number of implementation issues arose during the project work. Some of them were discussed at the meeting.

There is no stable LDIF file format; some minor changes were made in the latest IETF draft. There is also no standard way of replicating and exchanging LDIF files between root LDAP servers. A pilot implementation was made by DANTE. They host LDIF files for the existing/cooperating country-level LDAP services at NRNs. They have an LDAP/LDIF crawler and will look at the next step in establishing a preferable replication method (the current method is based on FTP).

The current workaround for automated replication is a daemon called slurpd, provided by the University of Michigan, that reads replication log files and updates the servers mentioned there. It was proposed to look into that instead of doing manual FTP transfers.

A standardised method for LDAP replication is discussed in the IETF ldup WG, where a multi-master replication model is aimed at. Due to its complexity this work seems to be delayed and might not be finished before the end of this year.

The latest version of Innosoft IDDS has a fix to support the functionality necessary to do efficient referrals in large-scale LDAP DITs. The new IPlanet product (successor of Innosoft's and Netscape/Sun's LDAP servers) will also support this functionality.

Action 1. DANTE will investigate different ways of replication and will keep track of IETF developments.

Action 2. Catalogix (Roland Hedberg) will feed requirements/feedback resulting from DIRECT into the IETF's LDAP standardisation process.

Action 3. SURFnet will investigate an arrangement for obtaining the new IPlanet LDAP products for NRNs.
 

3. PKI and storage of X.509 certificates in LDAP [Peter Gietz, DFN Directory Services]

Peter Gietz from DFN Directory Services gave a presentation on the problems of integrating X.509 PKIs and LDAP. He gave an overview of new developments in X.509 and of the directory-related work of the IETF pkix WG, and stressed the importance of directories for PKI.

In the following discussion it emerged that different NRNs have different strategies for supplying their customers with PKI solutions. As an example, SWITCH managed to agree with Microsoft to include the commercial CA they use in the list of CAs in Microsoft IE5 (together with VeriSign). Two kinds of certificates are used: personal and cooperative/organisational.

Other important questions regarding CA services for NRNs were discussed:

Action 4. Next meeting may look into specific proposals for CA policies across NRNs and for naming and storage of certificate entries.

Action 5. Yuri to contact ICE-CAR regarding use of their CA services for European Academic and Research community.

4. Global Indexed Directory System (GIDS) (follow-up on LDAP distributed indexing in DESIRE II and the SUNET TISDAG project)

Roland Hedberg (Catalogix), Henny Bekker (SURFnet) and Peter Gietz (DFN) gave presentations on various issues.

Roland Hedberg introduced GIDS and its pilot implementation, an output of the project. He also reported on his current IETF standardisation work on knowledge information via LDAPv3 referrals, which should be taken into account in future work.

The following presentation by Henny Bekker gave an overview of the current software and the results of the pilot implementation of the DESIRE II LDAP/TIO Indexing Server by SURFnet and DFN. The main problems/difficulties were described:

Henny also described the results of testing the Ericsson DAG server and the GIDS server by Catalogix.

A number of open issues were identified that should be answered in further development, e.g., crawler/client access restrictions defined by local access policy (similar to robots.txt for search engines), security requirements, etc.

Peter Gietz gave an extended presentation on index object schemas and the replication infrastructure to be used in the pilot for a European White and Yellow Pages service that will be set up in a combined effort of DFN, SURFnet and Catalogix.

Discussion focused on the following issues:

Crawler policy should be described explicitly and be available from a special file similar to robots.txt for search engines.

The main issues addressed regarding the White Pages TIO schema were: object classes and TIO elements; whether to use token or full-text queries; and the impact of tokenisation on the throughput of the distributed directory service. It was agreed that further investigation is required.

The group agreed on a preliminary schema and tokenisation, as follows: sn (FULL), cn (TOKEN), o (TOKEN), ou (TOKEN), mail (RFC822), c (TOKEN), l (TOKEN). DANTE will provide a storage facility for the index objects for the purpose of the pilot. Regarding the TIO update interval, it was agreed that once per week may be enough for the pilot implementation.
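The two decisions above (a robots.txt-like crawler policy file, and the preliminary per-attribute tokenisation schema) can be illustrated together. The following Python script is an added example written for these minutes; it is not code from the DESIRE II, GIDS or TIO projects, and it does not reproduce the real TIO index object format. The policy file syntax (`Disallow-Attribute`, `Disallow-Subtree`), the sample LDIF entries, the handling of the `RFC822` method (whole address plus its domain) and the shape of the resulting index are all assumptions made here for illustration. It reads LDIF (RFC 2849 style, including `::` base64 values and folded lines), drops entries and attributes the local policy excludes, and tokenises the remaining attributes exactly as the agreed schema specifies.

```python
"""Added example: apply a constructed crawler policy, then tokenise LDAP
entries according to the preliminary White Pages index schema
(sn FULL, cn TOKEN, o TOKEN, ou TOKEN, mail RFC822, c TOKEN, l TOKEN).
Policy syntax, sample data and output shape are assumptions, not TIO's."""
import base64
import re

# Preliminary schema from the minutes: attribute type -> tokenisation method.
INDEX_SCHEMA = {
    "sn": "FULL", "cn": "TOKEN", "o": "TOKEN", "ou": "TOKEN",
    "mail": "RFC822", "c": "TOKEN", "l": "TOKEN",
}

# Constructed policy file in an assumed robots.txt-like syntax: attributes a
# crawler must never index, and DN suffixes whose entries must be skipped.
CRAWLER_POLICY = """\
# index-policy for dc=example,dc=org (constructed sample)
Disallow-Attribute: telephoneNumber
Disallow-Attribute: userCertificate
Disallow-Subtree: ou=staff-private,dc=example,dc=org
"""

# Constructed LDIF sample; sn uses the '::' base64 form for a non-ASCII value.
SAMPLE_LDIF = """\
dn: cn=Anna Bergström,ou=people,dc=example,dc=org
objectClass: person
cn: Anna Bergström
sn:: QmVyZ3N0csO2bQ==
o: Example University
ou: Library Services
mail: anna.bergstrom@example.org
c: SE
l: Lund
telephoneNumber: +46 46 000 0000

dn: cn=Secret Person,ou=staff-private,dc=example,dc=org
objectClass: person
cn: Secret Person
sn: Person
mail: secret@example.org
"""

TOKEN_RE = re.compile(r"[^\W_]+")  # runs of letters/digits, Unicode-aware


def parse_policy(text):
    """Parse the assumed policy syntax; unknown directives are rejected so a
    typo cannot silently widen what the crawler is allowed to index."""
    policy = {"disallowed_attributes": set(), "subtrees": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"bad policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "disallow-attribute":
            policy["disallowed_attributes"].add(value)
        elif key == "disallow-subtree":
            policy["subtrees"].append(value)
        else:
            raise ValueError(f"unknown policy directive: {key!r}")
    return policy


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr: [values]})]. Unfolds
    continuation lines (leading space) and decodes '::' base64 values."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.strip().lower()  # LDAP attribute names are case-insensitive
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def tokenise(value, method):
    """Apply one of the schema's methods; values are lower-cased for
    case-insensitive matching (an assumption about the index semantics)."""
    v = value.lower()
    if method == "FULL":
        return [v]                      # whole value is the only token
    if method == "TOKEN":
        return TOKEN_RE.findall(v)      # one token per word
    if method == "RFC822":
        local, _, domain = v.partition("@")
        return [v, domain] if domain else [v]   # assumption: address + domain
    raise ValueError(f"unknown tokenisation method {method!r}")


def in_disallowed_subtree(dn, policy):
    """Naive suffix match on the lower-cased DN string (no DN normalisation)."""
    dn_norm = dn.lower().replace(", ", ",")
    return any(dn_norm.endswith(suffix) for suffix in policy["subtrees"])


def build_index(ldif_text, policy_text):
    """Return ({attr: {token: {dn, ...}}}, [skipped DNs]) honouring the policy."""
    policy = parse_policy(policy_text)
    index, skipped = {}, []
    for dn, attrs in parse_ldif(ldif_text):
        if in_disallowed_subtree(dn, policy):
            skipped.append(dn)
            continue
        for attr, values in attrs.items():
            if attr in policy["disallowed_attributes"] or attr not in INDEX_SCHEMA:
                continue                # policy first, then schema membership
            for value in values:
                for tok in tokenise(value, INDEX_SCHEMA[attr]):
                    index.setdefault(attr, {}).setdefault(tok, set()).add(dn)
    return index, skipped


if __name__ == "__main__":
    idx, skipped = build_index(SAMPLE_LDIF, CRAWLER_POLICY)
    for attr, tokens in sorted(idx.items()):
        print(f"{attr} ({INDEX_SCHEMA[attr]}): {sorted(tokens)}")
    print("skipped by policy:", skipped)
```

Running the script shows the effect of the two meeting decisions side by side: the `telephoneNumber` attribute never reaches the index, the entry under the disallowed subtree is skipped entirely, and `sn` yields a single full-value token where `cn` yields one token per word, which is precisely the throughput trade-off the group agreed needed further investigation.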

Action 6. SURFnet, DFN, DANTE, Catalogix will establish a pilot system using the DESIRE II distributed indexing system and the GIDS server of Catalogix.

5. Any other LDAP-deployment related issues, e.g., character set issues, Directory Enabled Networking (DEN)

These issues should be discussed at the next meeting.

6. Next meeting and follow-on activity

The attendees felt that a TERENA activity in the form of an LDAP deployment task force was appropriate. A draft charter will be drawn up by Peter Gietz and Peter Valkenburg.

The next meeting should be held on September 19, 2000 in Amsterdam.

List of open actions

Action 1. DANTE will investigate different ways of replication and will keep track of IETF developments.

Action 2. Catalogix (Roland Hedberg) will feed requirements/feedback resulting from DIRECT into the IETF's LDAP standardisation process.

Action 3. SURFnet will investigate an arrangement for obtaining the new IPlanet LDAP products for NRNs.

Action 4. Next meeting may look into specific proposals for CA policies across NRNs and for naming and storage of certificate entries.

Action 5. Yuri to contact ICE-CAR regarding use of their CA services for European Academic and Research community.

Action 6. SURFnet, DFN, DANTE, Catalogix will establish a pilot system using the DESIRE II distributed indexing system and the GIDS server of Catalogix.

Action 7. Next meeting to establish TERENA Task Force on LDAP and PKI Deployment issues will be held on September 19, 2000 in Amsterdam. Peter Gietz to draft a charter for the Task Force. Peter Valkenburg to do the first review.