20070901 what ever happened to x500 or can we get real for a second about standards - plembo/onemoretech GitHub Wiki

title: What ever happened to x.500? Or, can we get real for a second about "standards"?
link: https://onemoretech.wordpress.com/2007/09/01/what-ever-happened-to-x500-or-can-we-get-real-for-a-second-about-standards/
author: lembobro
post_id: 648
created: 2007/09/01 17:43:00
created_gmt: 2007/09/01 17:43:00
comment_status: open
post_name: what-ever-happened-to-x500-or-can-we-get-real-for-a-second-about-standards
status: publish
post_type: post

What ever happened to x.500? Or, can we get real for a second about "standards"?

The ubiquitous “dc=example,dc=com” root context hasn’t always been the “standard” for LDAP directories. In the beginning (1987), influenced by the X.500 standard, most directories used something like “o=example,c=US” for their directory root. Those were different times, when it looked like networks, the Internet most of all, were going to be big, global, and most of all corporate.

A funny thing happened on the way to the millennium though. As the developers of LDAP had predicted, X.500 and the DAP (Directory Access Protocol) that accompanied it were too inflexible and too complex for even the largest companies to cost-justify implementing. The dream of an interconnected, fully interoperable, world-wide directory passed into history. What we were left with was the simpler, more nimble and still barely structured LDAP (Lightweight DAP) protocol, and servers that provide standalone directory services for organizations and individuals: first from the University of Michigan team that invented the protocol, and then from Netscape and others after those developers moved out into the commercial market.

The “dc=example,dc=com” root dn format, where the “dc” is short for “domainComponent”, is only the most visible sign of this shift to a different approach to directory services.

There are many systems that still default to the old X.500 root dn, most notably IBM’s Lotus Domino product. This should be a tip-off that things might not work exactly like other directory products that sport the “dc=example,dc=com” format. And they don’t. This isn’t always a good litmus test though. Microsoft has used the new format in its Active Directory product from the beginning, but AD very definitely has some un-LDAP-like qualities that become painfully apparent very soon after you begin working with it.

As they are wont to do, commercial vendors often equate the Internet standard LDAP v3 protocol with its implementation by one or more vendors. An application written to interface with Lotus Domino may claim to be “LDAP compliant”, but in reality its interoperability with other LDAP servers may be less than seamless. Another may claim “LDAP compatibility” and then give you a choice between Microsoft Active Directory and Sun (often “iPlanet”) Directory.

A close look at their code will usually reveal a custom interface for each directory. The MS interface uses (or, inexcusably, does not use) the Simple Paged Results Control to page results from deep searches that would otherwise get truncated or fail because of AD’s aggressive limits on search results (default 200 entries, hard limit of 2,000). The Sun interface might instead use Sun’s proprietary Virtual List View (again, or not) to achieve the same result. Sometimes you see really stupid, embarrassingly stupid, parameters hardcoded in, like requiring a single dn for person entries and only providing a level 1 search (one level down from the base given, so searches won’t recurse down into subcontainers), making the product useless where your DIT (Directory Information Tree) either nests user entries several levels down, or spreads them out across several branches.
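To make the two failure modes above concrete, here is an added example (not code from the original post, and not any vendor's API): a toy in-memory directory in Python with a constructed DIT, a constructed size limit of 2, and a simple paging scheme. It shows that a hardcoded one-level search under a single base misses users nested deeper or in sibling branches, that an unpaged subtree search is silently capped at the server's size limit, and that a paging loop on the client side recovers the full result. The integer cookie is a simplification; the real Simple Paged Results control (RFC 2696) returns an opaque cookie, but the client loop has the same shape. The `root_style` helper also illustrates the "dc=" versus "o=,c=" root contexts discussed earlier.

```python
"""Toy in-memory LDAP-style directory (constructed for this example, not a real
server) showing why a hardcoded one-level search and a missing paging loop
both lose entries when the DIT is nested or spread across branches."""


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 backslash escapes)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def root_style(dn):
    """Classify the root context: domainComponent ('dc=') vs X.500 ('o=', 'c=')."""
    attr = split_dn(dn)[-1].split("=", 1)[0].strip().lower()
    if attr == "dc":
        return "domainComponent"
    if attr in ("o", "c"):
        return "x500"
    return "unknown"


def parent_dn(dn):
    """Immediate superior of a DN (empty string for a single-RDN DN)."""
    return ",".join(split_dn(dn)[1:])


def is_under(dn, base):
    """True if dn equals base or lies anywhere below it (toy: case-insensitive match)."""
    rdns, base_rdns = split_dn(dn.lower()), split_dn(base.lower())
    return len(rdns) >= len(base_rdns) and rdns[-len(base_rdns):] == base_rdns


class ToyDirectory:
    """Server side: caps unpaged searches at size_limit, pages otherwise.
    The cookie is a plain offset here (RFC 2696 uses an opaque cookie)."""

    def __init__(self, entries, size_limit):
        self.entries = entries  # dn -> set of objectClass values
        self.size_limit = size_limit

    def _in_scope(self, dn, base, scope):
        if scope == "onelevel":  # only direct children of base
            return parent_dn(dn).lower() == base.lower()
        if scope == "subtree":   # base and everything beneath it
            return is_under(dn, base)
        raise ValueError(f"unknown scope {scope!r}")

    def search(self, base, scope, object_class, page_size=None, cookie=0):
        """Return (dns, next_cookie, truncated)."""
        matches = [dn for dn, classes in self.entries.items()
                   if object_class in classes and self._in_scope(dn, base, scope)]
        if page_size is None:
            # Unpaged request: the server silently caps the result at its size limit.
            return matches[: self.size_limit], None, len(matches) > self.size_limit
        page = matches[cookie : cookie + page_size]
        next_cookie = cookie + page_size if cookie + page_size < len(matches) else None
        return page, next_cookie, False


def paged_search(directory, base, scope, object_class, page_size):
    """Client side: keep requesting pages until the server returns no cookie."""
    results, cookie, pages = [], 0, 0
    while True:
        page, cookie, _ = directory.search(base, scope, object_class, page_size, cookie)
        results.extend(page)
        pages += 1
        if cookie is None:
            return results, pages


# Constructed sample DIT: users nested several levels down and spread across branches.
SAMPLE_ENTRIES = {
    "dc=example,dc=com": {"domain"},
    "ou=people,dc=example,dc=com": {"organizationalUnit"},
    "ou=engineering,ou=people,dc=example,dc=com": {"organizationalUnit"},
    "ou=platform,ou=engineering,ou=people,dc=example,dc=com": {"organizationalUnit"},
    "ou=contractors,dc=example,dc=com": {"organizationalUnit"},
    "uid=alice,ou=people,dc=example,dc=com": {"person"},
    "uid=bob,ou=engineering,ou=people,dc=example,dc=com": {"person"},
    "uid=carol,ou=platform,ou=engineering,ou=people,dc=example,dc=com": {"person"},
    "uid=dave,ou=contractors,dc=example,dc=com": {"person"},
    "uid=erin,ou=engineering,ou=people,dc=example,dc=com": {"person"},
}
# A size limit of 2 is artificially small so the truncation is visible.
DIRECTORY = ToyDirectory(SAMPLE_ENTRIES, size_limit=2)

if __name__ == "__main__":
    people = "ou=people,dc=example,dc=com"
    print("onelevel:", DIRECTORY.search(people, "onelevel", "person"))
    print("subtree, unpaged:", DIRECTORY.search(people, "subtree", "person"))
    print("subtree, paged:", paged_search(DIRECTORY, "dc=example,dc=com", "subtree", "person", 2))
```

Running it shows the one-level search from `ou=people` finding only `alice`, the unpaged subtree search stopping at two of the four users under that branch with the truncated flag set, and the paged subtree search from the root returning all five users (including `dave` in the sibling `ou=contractors` branch) across three pages. A client that does the last of these is the one that keeps working when the customer's tree looks nothing like the vendor's test lab.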

Copyright 2004-2019 Phil Lembo