Slashdot Mirror


Open Source X.500 Directory Projects?

DangerTenor asks: "The United States Government is standing up a Bridge Certificate Authority to enable PKI Interoperability between different agencies (gov't and non-gov't). The PKI currently relies on the use of either meta-directory products or X.500 DSP Chaining in order to pass certificates and CRLs between directories. OpenLDAP doesn't fit the bill because it doesn't support chaining. Does anyone know of open source projects focused on full X.500 directory implementation, or on meta-directory capabilities?"

19 comments

  1. ISODE/quipu by sohp · · Score: 4, Informative

    A couple of search terms that you'd never come up with if you weren't already steeped in the arcane X.500 world: ISODE and quipu.

    Most of this stuff comes out of and is maintained in Europe. As RFC 1330 says:

    "The ISODE is not proprietary, but it is not in the public domain. This was necessary to include a "hold harmless" clause in the release. The upshot of all this is that anyone can get a copy of the release and do anything they want with it, but no one takes any responsibility whatsoever for any (mis)use."

    You can still find the latest downloads via FUNET.

    Be aware, this stuff is a major effort to compile and get working. It's big and complex, but well documented. Have fun, and let me know when you get dish -user "@c=$(COUNTRY)@o=ORG@cn=Manager" to give you a prompt.

    1. Re:ISODE/quipu by Anonymous Coward · · Score: 0
    2. Re:ISODE/quipu by thogard · · Score: 1

      I messed with ISODE back in the '92 time frame and it was some of the worst code I've ever seen. It started out as an X.400 mail/directory system and has grown.

      I figure X.?00 was wrong in '92, why should it be right today?

  2. Sorry, not open source. But.... by FreeLinux · · Score: 2

    Have you considered Novell's eDirectory? It would do you proud, if your budget allows. It's not free, but it isn't expensive either.

    -- Do you count?

  3. Porting the CAM to Linux? by imrdkl · · Score: 2

    Assuming that's what you're thinking about doing, I understand that Mozilla claims compatibility with OCSP, which is the bit that CAM uses proprietary software for. It also looks like generating signatures is tied to the MS API in the CAM, but there are likely workarounds for that.

  4. Chaining in OpenLDAP by kdz · · Score: 1

    The OpenLDAP server actually comes with an LDAP backend. If it doesn't fit the bill, you could extend it. OpenLDAP is, after all, open source.
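
    As an added illustration of the point above (this fragment is mine, not from the thread or from the OpenLDAP project's documentation; host names, suffixes and paths are made up), here is how slapd's LDAP backend can make a remote naming context look local so that the server, not the client, contacts the other directory. That is the LDAP-side analogue of X.500 DSP chaining, as opposed to handing the client a referral. The `uri` form of the directive is assumed to be the 2.1-era syntax; earlier 2.0 releases of back-ldap spelled the remote server differently.

```conf
# slapd.conf fragment (added example; names are assumptions, not real agencies)

# Local naming context, held in a local database.
database      bdb
suffix        "ou=Agency A,o=U.S. Government,c=US"
rootdn        "cn=Manager,ou=Agency A,o=U.S. Government,c=US"
directory     /var/lib/ldap/agencya
index         objectClass eq

# Remote naming context: operations under this suffix are proxied to the
# other agency's server and the reply is returned as if it were local, so a
# client fetching that agency's certificates or CRLs never sees a referral.
database      ldap
suffix        "ou=Agency B,o=U.S. Government,c=US"
uri           "ldap://dir.agencyb.example/"
```

    With that in place a client can pull the remote agency's CRL through the local server with a plain search, e.g. `ldapsearch -x -H ldap://dir.agencya.example/ -b "ou=Agency B,o=U.S. Government,c=US" "(objectClass=cRLDistributionPoint)" "certificateRevocationList;binary"`. The caveat a practitioner should weigh is that the proxying server now carries the other directory's availability and trust: if it binds to the remote server with a privileged identity, every local client inherits that access, so bind as an unprivileged or anonymous identity unless the remote data genuinely requires more.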

  5. There's an old RFC... by Jason+Pollock · · Score: 1

    There's an old RFC that discusses this very thing: rfc2116

    It's from '96, so it's probably incredibly out of date, but it might be a good place to start?

  6. Other problems by lkaos · · Score: 3

    I would double check about OpenLDAP and chaining... I'm pretty sure it's at least on the development plan.

    A much larger problem with OpenLDAP is scalability. OpenLDAP will not handle a large number of entries (+100k). OpenLDAP is a reference implementation of the LDAP RFCs and I don't think Kurt plans to complicate the implementation with what's required for scalability (connection pooling etc.).

    The only usable X.500-compatible directories other than OpenLDAP are all closed-source. Many are free though. I'd recommend taking a look at IBM Directory and Novell's eDirectory. There is much more involved in getting a directory environment going and, having worked on Linux directories for IBM, I would of course recommend that you out-source to experts to get things going ;-)

    --
    int func(int a);
    func((b += 3, b));

    1. Re:Other problems by MrChuck · · Score: 1
      OpenLDAP will smoke IBM and Novell's server.

      Tested.

      If you need help getting more than 100k entries, I'm sure something could be arranged for a consulting fee.

  7. You might be SOL by Will+Sargent · · Score: 1

    AFAIK OpenLDAP is the only reasonably complete open source LDAP implementation. There have been many reports about OpenLDAP not scaling up to larger enterprises and missing features, and this is basically because of TANSTAAL.

    Novell and iPlanet both sell working directory servers, but I don't know how well they support PKI, although I do know iPlanet supports SASL.

    In any event, consider that there may not be a solution in this case. You are talking about a very specialized field with an audience which is corporate almost by definition.

    1. Re:You might be SOL by Anonymous Coward · · Score: 0
      ...and this is basically because of TANSTAAL.
      There Ain't No Such Thing As A Lunch?
    2. Re:You might be SOL by Anonymous Coward · · Score: 0

      Gee,

      I've been involved in tests where we put several MILLION entries in OpenLDAP 2.0.x without a problem.

      It's in knowing how to tune the machine and how to work DB (sleepycat nee berkeley).

      It scales. MASSIVELY.

      Anyone who tells you otherwise is spreading FUD.

  8. APPLE ? by johnjones · · Score: 2

    well it might be worth a shot

    have a look at

    http://developer.apple.com/darwin/projects/opendirectory/

    I don't think it's X.500 but they might have a plugin

    regards

    John Jones

    1. Re:APPLE ? by lkaos · · Score: 2

      No, this is a little different.

      OpenDirectory is more akin to ADSI in that it is an abstraction for accessing resources within a directory. It still relies on OpenLDAP for X.500 directory stuff.

      While not really announced yet, there's been a lot of talk about future integration of various components to create a much better open source directory services offering. Keep an eye on Samba and IBM in the future.

      --
      int func(int a);
      func((b += 3, b));

  9. LDAP standards are going the X500 way by cheros · · Score: 1

    The people that actually write the standards (like Dave Chadwick) appear to have given up on X500 as the trend is (VHS-like) towards LDAP. So it's likely that LDAP will simply acquire the X500 attributes that made X500 so usable (but as always also too flexible to implement without having at least a clue about what you're doing). Give it time - or sponsor the guys that write the standards to do further work on it quicker ;-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  10. FBCA is doomed to failure anyway by Anonymous Coward · · Score: 0

    The FBCA is the Federal Government's attempt to follow up the success of OSI in the networking space with a similarly brilliant design for the PKI world. You can expect it to be just as successful as OSI.
    Worrying about the directory is a serious case of painting over rotted wood.

  11. None... by Anonymous Coward · · Score: 0

    I don't believe there are any open source X.500-compliant directories available. If you mean LDAP compliance, then yes, as was pointed out, OpenLDAP is something that can be used. It definitely does not scale well, just as iPlanet Directory, Active Directory, etc... don't scale well.

    NDS is the best commercial directory, and has the broadest range of platform support. However, it does cost money. It is scalable to multi-billion directory entries, has automatic and dynamic service location, has integrated PKI, uses 3DES for authentication, and is FULLY LDAP 1, 2, and 3 compliant.

    Not trying to push NDS, just pointing out that it is a cut above the rest. If your need does not require the robustness of NDS, there is nothing wrong with using OpenLDAP, or iPlanet, etc...

    regards.

    1. Re:None... by Anonymous Coward · · Score: 0

      QUOTE "NDS is the best commercial directory, and has the broadest range of platform support." QUOTE

      Actually, OctetString's VDE Directory Server has the best platform support available. It is the only pure Java LDAPv3 directory server implementation I am aware of.