Minutes of the 2nd TF-LSD Meeting

February 2, 2001, TERENA Offices, Amsterdam
 
 

Agenda

1. Opening, introduction and agenda bashing
2. ToR and Status of the deliverables [PG]
3. Update from the NRNs

3.1. RedIRIS [DL]
3.2. Other NRENs [AL, BG, PG, LJ]
4. Internet2 update [TV]
5. EduPerson [PG]
6. DC/X.521 Gateway [LO]
7. IETF Update [RH]
8. Metadirectory [PV]
9. Experiences with OpenLDAP [SV]
10. Date of next meeting
11. Any other business
12. Summary of actions
Appendix. List of attendees

1. Opening, introduction and agenda bashing

The meeting was attended by 20 people representing 9 organisations/networks from 8 countries. A list of the attendees can be found in the appendix to these minutes.

2. ToR and Status of the deliverables

Peter Gietz discussed David Chadwick's proposal to extend the TF-LSD ToR with a new deliverable describing experience with all the ways of finding and connecting to LDAP servers that are described in the recently published Internet draft "Taxonomy of Methods for LDAP Clients Finding Servers", submitted by Roland Hedberg and Ryan Moats. The draft covers methods such as client configuration, well-known DNS aliases (RFC 2219), referrals, DNS SRV records (RFC 2782) and the Service Location Protocol (RFC 2608).

The discussion was lively and brought up some new information. One objection was that this item tends to lead to merely academic exercises. It was agreed that the only methods relevant to the community, besides the referral mechanism used in the CIP deliverables, were DNS aliases and SRV records, which should be looked at within the PKI deliverables.

Peter then continued the discussion about forming teams to work on the TF-LSD deliverables. He went through the list of TF-LSD work items and deliverables with some initial suggestions about possible team members and asked for comments and volunteers. Enough volunteers were found for each deliverable. These teams are documented in a separate document (http://www.terena.nl/task-forces/tf-lsd/tf-lsd-tor-teams.html). All other TF-LSD members are welcome to participate in the open discussion on the list.

Some discussion took place on Deliverable B, CIP interoperability testing. The implementations that should be tested are Roland's GIDS, the DESIRE CIP index and the Ericsson TISDAG implementation. Peter proposed a timetable for this deliverable, which is due in March 2001, and mentioned that publishing results may be a problem when testing commercial software. Henny mentioned that he is not confident that the Ericsson Directory Server can be tested in the short term; however, he promised to contact Ericsson. It was decided that all results will be published on the web and that vendors must decide for themselves whether they want to provide their products for testing.

Some details of how to do the testing were also discussed. It was decided to start with performance and interoperability testing. It was agreed that performance must be tested on one machine and preferably under the same OS. Interoperability testing should include whether the TIO of one product interoperates with the other products. Peter mentioned that internationalisation problems might also arise in CIP/TIO interoperability.

Particular remarks were also made on Deliverable I, "Investigating the usability of services based on the new evolving directory related standards". It was agreed to make the results of this deliverable available at TNC2002 and, if appropriate, to use them as the basis for a proposal for a possible TF-LSD follow-on.

Action 2-1. Teams to take up work on the deliverables.

Action 2-2. Henny to contact Ericsson to find out about possible time of testing Ericsson Directory server.

Action 2-3. Peter to present the current status of the deliverables at TNC 2001.

Action 2-4. Peter to present results of Deliverable I. "Investigating the usability of services based on the new evolving directory related standards" at TNC2002.
 
 

3. Update from the NRNs

3.1. RedIRIS

Diego Lopez informed the meeting about the deployment of the Directory service in RedIRIS and among Spanish universities.

They intend to migrate from the current X.500 implementation using X.521 naming to LDAP with DC naming, but will temporarily maintain both structures. Their current task is to convince universities to implement DC naming in their Directory services. RedIRIS has prepared a migration guide for university Directory service managers.

The current experimental service connects RedIRIS as the top/root LDAP service with 3 universities, which together run 6 LDAP servers (containing ~40,000 entries), using the LIMS CIP-based index service. DC/X.521 name mapping is done by 2 servers (one for each naming structure) that hold referrals to the actual data.

RedIRIS also intends to define an "iris-x skeleton", a minimum common set of attributes that allows searching university Directories for scientists working in specific research areas.

Diego will publish the definition of iris-x skeleton in English.

Diego described tests with the index server. A particular problem encountered was LIMS functionality. He mentioned that LIMS needs some extra modules or modifications concerning character encoding and the interpretation of LDAP filters, and promised to contact Roland about possible development.

One of the technical issues in searching LDAP directories or X.500 Directories through an LDAP tree is the hierarchical presentation of the organisational structure. Notwithstanding the Internet2 recommendation to use a flat structure, e.g. for a university directory, it is sometimes essential from the users' point of view (or because of local cultural traditions) to follow the organisational hierarchy. A solution could be on-the-fly generation of the directory hierarchy, which could be done by LIMS. However, Diego mentioned that problems might appear from DC/X.521 cross-naming.

Peter Valkenburg pointed out that trust relations should be established between communicating LDAP servers/indexers, e.g. when sending an LDIF file to an LDAP crawler/indexer: institutions producing data should be able to trust the consumers of that data. Even if an informal arrangement is acceptable for an experimental service, a production service should move to more formal trust relations for data exchange between LDAP servers and the crawler/indexer.

It was agreed that the trust model should be a topic for future discussion in TF-LSD.

Action 2-5. Diego to publish definition of iris-x skeleton in English.

Action 2-6. Diego to discuss with Roland possible extension of LIMS functionality.
 
 

3.2. Other NRENs

Anders Lund described the situation at UNINETT. They have an experimental LDAP implementation using LIMS. He also said that UNINETT has applied for NORDUNET2 funding for a Directory-related project. If successful, future projects will allow wider participation of NORDUNET people in TF-LSD activities.

Brian Gilmore informed the meeting that JISC in the UK has formed a special Committee on Security and Privacy. Privacy and security are among the main JISC concerns in deploying country-wide Directory and PKI services. Only a few organisations use LDAP.

Michalis Konstantopoulos from GRNET reported that it is hard to find LDAP users in his community. A pilot project has been proposed to get things moving.

Sebastian Szuber from the Polish research network reported that the last Directory efforts were 3 years ago. A new funding programme for projects has existed for 6 months, and they intend to start a new LDAP project within this programme.

Thomas Lenggenhager from SWITCH reported a similar situation. A new PKI project in cooperation with Catalogix is expected to push LDAP developments.

Peter Gietz informed the meeting that he has established the new limited company DAASI International (Directory Application for Advanced Security and Information Management) as the successor of the DFN Directory projects. DFN, which funds DAASI via Directory-related projects, intends to use directories, e.g., to support PKI and to build a central LDAP authentication service for each university. Other plans of DAASI include metadata storage for educational material.

Leif Johansson from SUNET informed the meeting that he will be doing a lot of promotional work on LDAP deployment to raise awareness among Swedish universities, within a new project mainly concerned with telephony. He agreed to make his presentations and documents available to TF-LSD.

A problem in LDAP implementation/deployment typical for many countries is the low awareness among universities of the benefits of LDAP/Directory-based network services, which may include personal information, account and access management.

Peter Valkenburg commented that the main argument for Directory promotion in the commercial world is the cost saving achieved by providing central Directory-based services for personal information and account management in a company or university. The main benefit comes from avoiding the problems (and costs) of synchronising different corporate directories, e.g. for personnel management and account management, particularly when employees are hired or resign.

Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations.
 
 

4. Internet2 update [TV]

Ton informed the meeting about recent Directory- and PKI-related developments in Internet2.

NSF sponsors a test bed for the pilot implementation of middleware technologies in 11 institutions of higher education; the project is called Early Adopters (http://www.internet2.edu/middleware/earlyadopters/). The project has a very practical orientation towards LDAP deployment for Directory-based network services. In particular, the Shibboleth Project intends to build inter-institutional web authentication and authorisation services (http://middleware.internet2.edu/shibboleth/shibboleth-project.html). The implementation will use a specially developed Apache module for LDAP support.

Another Internet2 project, DoDHE (Directory of Directories for Higher Education), has aims in some ways similar to LIMS and GIDS as deployed in Europe, but uses less sophisticated technology. Nevertheless, interoperability would be very useful.

Ton informed the meeting that he had discussed with Ken Klingenstein, coordinator of the I2 Middleware Initiative, issues related to using DC/X.521 naming in certificate profiles. It was agreed that both naming conventions may be used.
 
 

5. EduPerson [PG]

Peter Gietz gave a presentation about the Internet2 LDAP schema development on the EduPerson object class.

Peter provided an overview of EduPerson development within the I2 PKI initiative. The EDUCAUSE/Internet2 eduPerson task force has the mission of defining an LDAP object class that includes widely used person attributes in higher education. EduPerson is based on inetOrgPerson, defined in RFC 2798, with some new attributes added for the purposes of higher education. It was noted, however, that I2 EduPerson is quite US-oriented.

Peter commented on the main attributes of EduPerson and some technical issues related to its implementation. He said that his presentation is based on the eduPerson draft of version 1.0 of 3 December 2000; a new draft of 22 January has been announced but not yet published.

It was decided to wait for the new version of the document to be published and then send Peter's/the TF's comments to the I2 EduPerson mailing list.

Other possible forms of participation in the I2 EduPerson initiative were discussed: just commenting on the I2/US EduPerson document; defining a European EduPerson; or trying to find a common basis for the definition of a global EduPerson.

Some suggestions were made on how to deal with EduPerson development and possible cooperation. First we should consider which applications we are targeting with EduPerson; apparently these will include authorisation, authentication and PKI for local/university use. However, the spread of global Directories and digital libraries will definitely increase the importance of a common identification/definition/description of educational/scientific users. The common feeling was that we need to look more closely at I2/US EduPerson in the context of the expected target applications and then decide whether we need to define an EU EduPerson, profile EduPerson for European needs, or seek a compromise with the I2 EduPerson group to define a common object class.

Since the definition of a person schema for persons connected to the European educational community is not part of the deliverables, it was proposed to write a TERENA project proposal, to be discussed further on the mailing list.

Action 2-8. Peter to send comments on Internet2 EduPerson definition to I2 EduPerson mailing list.

Action 2-9. TF-LSD to consider further possible activities related to development/harmonization of the Internet2 EduPerson.
 
 

6. DC/X.521 Gateway [LO]

Luuk Oostenbrink of SURFnet gave a presentation on the DC/X.521 Gateway recently installed at SURFnet. He explained how the Gateway works and showed a diagram of the interaction between the client, the gateway, the default DC and X.521 LDAP servers, and DNS. The DC/X.521 Gateway translates the DN into both a DC-DN and an X.521-DN and queries the default server; DNS is queried for the SRV record; finally the gateway returns a referral. He also described the Gateway's current problems and further development.
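The SRV-based location step mentioned under item 2 and in the gateway description above, as an added example that is not SURFnet's gateway code or any TF-LSD deliverable: it rebuilds the DNS domain from the dc= components of a DN, forms the _ldap._tcp SRV owner name (RFC 2782) and turns the answer into LDAP referral URLs. The SRV table, host names and the walk up to a parent domain when no record exists are assumptions constructed for this example; mapping an X.521-style DN to a DC-DN, which the gateway also performs, is not covered.

```python
from typing import Dict, List, Tuple
from urllib.parse import quote

# Constructed sample SRV data standing in for DNS: owner name -> (priority, weight, port, target).
SAMPLE_SRV: Dict[str, List[Tuple[int, int, int, str]]] = {
    "_ldap._tcp.uni-a.example.": [
        (10, 50, 389, "ldap1.uni-a.example."),
        (10, 50, 389, "ldap2.uni-a.example."),
        (20, 0, 389, "backup.uni-a.example."),
    ],
    "_ldap._tcp.example.": [(0, 0, 389, "root.example.")],
}

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) RDNs, most specific first.
    Only unescaped commas are handled, which suffices for the DC and X.521 DNs discussed here."""
    rdns = []
    for part in dn.split(","):
        attr, eq, value = part.partition("=")
        if not eq or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def dc_domain(dn: str) -> str:
    """Rebuild the DNS domain from the trailing dc= components of a DC-style DN (RFC 2247):
    'uid=joe,ou=people,dc=uni-a,dc=example' -> 'uni-a.example'. An X.521-style DN (o=, c=)
    carries no dc component and is rejected; a gateway would first map it to a DC-DN."""
    labels = []
    for attr, value in reversed(parse_dn(dn)):  # walk from the root downwards
        if attr != "dc":
            break  # the first non-dc RDN ends the domain part
        labels.append(value)
    if not labels:
        raise ValueError("DN has no dc= components")
    return ".".join(reversed(labels))

def srv_name(domain: str) -> str:
    """Owner name of the SRV record that locates the LDAP service for a domain (RFC 2782)."""
    return f"_ldap._tcp.{domain.rstrip('.')}."

def lookup_srv(domain: str, zone=SAMPLE_SRV) -> Tuple[str, List[Tuple[int, int, int, str]]]:
    """Query the SRV record for the domain; if none exists, retry one label higher (an
    assumption of this example, so a sub-department DN still finds its university's server).
    Returns (domain that answered, records sorted by priority, lowest first)."""
    labels = domain.split(".")
    while labels:
        name = srv_name(".".join(labels))
        if name in zone:
            return ".".join(labels), sorted(zone[name], key=lambda r: r[0])
        labels = labels[1:]
    raise LookupError(f"no _ldap._tcp SRV record for {domain} or any parent")

def referral_urls(dn: str, zone=SAMPLE_SRV) -> List[str]:
    """Build the LDAP referral (RFC 2255 URLs, lowest SRV priority first) that a gateway
    would return so the client continues its operation at the responsible server."""
    _, records = lookup_srv(dc_domain(dn), zone)
    return [f"ldap://{target.rstrip('.')}:{port}/{quote(dn, safe='=,')}"
            for _prio, _weight, port, target in records]
```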

All agreed that, once completed, this development will be very useful and may solve long-standing problems.

Action 2-10. Luuk/SURFnet to inform TF-LSD about DC/X.521 Gateway development and experience.
 
 

7. IETF Update [RH]

Roland Hedberg gave a short update on IETF work on LDAP-related topics. Three working groups are currently active at the IETF: LDAPbis (http://www.OpenLDAP.org/lists/ietf-ldapbis/), LDAPext (http://www.ietf.org/html.charters/ldapext-charter.html) and LDUP (http://www.ietf.org/html.charters/ldup-charter.html). LDAPbis revises the LDAPv3 drafts to make them proper standards, which mainly means referencing mandatory security mechanisms, eliminating some bugs and clarifying the wording. The basic data structures and protocol operations will not be changed. LDAPext has finished almost all items of its charter and it is now being discussed whether to close the WG or to extend the charter. LDUP is still far behind its roadmap due to the complexity of multi-master replication. More information about recently published RFCs and submitted Internet-Drafts can be found, e.g., on the TF-LSD information page at http://www.terena.nl/task-forces/tf-lsd/lsd-info.html.

Roland expressed his impression that work in these WGs is being carried out very slowly, although the use of LDAP in other IETF WGs/developments is increasing.
 
 

8. Metadirectory [PV]

Peter Valkenburg gave a presentation on the current development and use of Metadirectories, based on the experience/concept of ePresence Solutions. The main benefit of Metadirectories for Internet/intranet applications lies in the personalisation of content.

He pointed out in his presentation that the main lesson the commercial world offers Metadirectory implementers is the overall economy of information management (e.g., data input, duplication and synchronisation). He explained the industry's view of a Target Directory Architecture consisting of a single logical directory and application-related LDAP clients and servers.

He also described Directory implementation issues, which include:

A case study from his own experience was given to demonstrate how all the issues discussed work together in a real project.

It emerged in the discussion that some policy should be applied to the registration/indexing of local or lower-layer directories in an (organisational) Metadirectory, to avoid the danger of information pollution by short-term and local-purpose information. Another danger exists when flattening a directory structure into a Metadirectory: name collisions may happen.
 
 

9. Experiences with OpenLDAP [SV]

Stig Venaas from UNINETT gave a short presentation about his experience with OpenLDAP 2.0.

His general impression was that the OpenLDAP developers have focused on correctness and stability rather than speed, so many things can still be optimised. Stability and reliability nevertheless remain a challenge for the current version of the OpenLDAP software.

He suggested some things to do, which are also within the scope of the OpenLDAP Release Road Map (http://www.openldap.org/software/roadmap.html):

When asked, he expressed the opinion that the OpenLDAP 2.0 software is still not ready for heavy-weight production services, particularly where speed and database size are important. Anyone may use it at their own risk.

In view of the importance for the European research and education community of having a free LDAP product, it was decided to look into a possible contribution to OpenLDAP development within a TERENA Pilot Project.

Action 2-11. Discuss on the TF-LSD mailing list a possible contribution to OpenLDAP development for the benefit of European NRENs.
 
 

10. Date of next meeting

It was agreed that the next meeting will take place on May 13, 2001 during TNC2001 in Antalya, Turkey. The benefit of holding the TF-LSD meeting at that time is the possibility to also attend and contribute to the 2nd European Middleware Workshop.
 
 

11. Any other business

No AOB.
 
 

12. Summary of actions

Action 2-1. Teams to take up work on the deliverables.

Action 2-2. Henny to contact Ericsson to find out about possible time of testing Ericsson Directory server.

Action 2-3. Peter to present the current status of the deliverables at TNC 2001.

Action 2-4. Peter to present results of Deliverable I. "Investigating the usability of services based on the new evolving directory related standards" at TNC2002.

Action 2-5. Diego to publish definition of iris-x skeleton in English.

Action 2-6. Diego to discuss with Roland possible extension of LIMS functionality.

Action 2-7. Leif and others to inform TF-LSD members about available LDAP/Directory promotional documents and presentations.

Action 2-8. Peter to send comments on Internet2 EduPerson definition to I2 EduPerson mailing list.

Action 2-9. TF-LSD to consider further possible activities related to development/harmonization of the Internet2 EduPerson.

Action 2-10. Luuk/SURFnet to inform TF-LSD about DC/X.521 Gateway development and experience.

Action 2-11. Discuss on the TF-LSD mailing list a possible contribution to OpenLDAP development for the benefit of European NRENs.
 
 

Appendix. List of the 2nd TF-LSD attendees

2 February 2001
1. Peter Gietz DFN DS / DAASI Int.
2. Roland Hedberg Catalogix 
4. Peter Valkenburg ePresence 
5. Anders Lund UNINETT 
6. Stig Venaas UNINETT 
7. Thomas Lenggenhager SWITCH
8. Leif Johansson Stockholm University
9. Henny Bekker SURFnet
10. Luuk Oostenbrink SURFnet
11. Ton Verschuren SURFnet
12. Ivana Belgers SURFnet
13. Sebastian Szuber PSNC, Poland
14. Javier Masa RedIRIS
15. Diego R. Lopez RedIRIS
16. Michalis Konstantopoulos GRNET
17. Michael Ströder  
18. Brian Gilmore TERENA
19. John Dyer  TERENA
20. Yuri Demchenko TERENA