Since LDAP is an open standard protocol, all the information needed to create an LDAPv3-compliant server is freely available (see the LDAP Specifications page for links to the relevant documents). As such, many organizations offer LDAP server software, whether proprietary or open source.
This page provides a list of some of the most significant commercial and open source LDAP server implementations. It is not intended to be a comprehensive list, so you should investigate the available options before selecting a product for your deployment.
Some of the most notable commercial LDAP server implementations include:
IBM Security Directory Server (formerly known as IBM Tivoli Directory Server and IBM SecureWay Directory Server)
NetIQ eDirectory (formerly known as Novell eDirectory)
CA Directory (formerly known as CA eTrust Directory)
Note that while the Oracle Directory Server Enterprise Edition (ODSEE) was once a very popular product, it has reached the end of its support life and is no longer being developed.
Some of the most notable open source LDAP server implementations include:
389 Directory Server (formerly Fedora Directory Server)
The former OpenDS open source project has been abandoned and is not recommended for use.
Although there are many fine LDAP directory servers on the market, we at UnboundID have worked hard to ensure that our suite of directory services products is the best. These products include:
UnboundID Directory Server: A full-featured, secure, high-performance, high-scale, and administrator-friendly LDAP and SCIM directory server.
UnboundID Directory Proxy Server: An LDAP and SCIM proxy server that can augment all of the benefits of the UnboundID Directory Server by adding improved high availability, load balancing, data scalability, security, and application-specific transformations.
UnboundID Identity Broker: A web services gateway providing authorization, policy enforcement, and consent management support for directory data using standard mechanisms like OAuth2, OpenID Connect, and XACML.
UnboundID Synchronization Server: A high-performance data processing engine that can provide one-way or bidirectional synchronization between LDAP directory servers, relational databases, SCIM endpoints, and other data repositories.
UnboundID Metrics Engine: A data collection and collation engine that provides access to near-real-time and historical performance, usage, and availability metrics for other components of the UnboundID directory services suite.
UnboundID LDAP SDK for Java: A fast, powerful, user-friendly, and completely free Java library for communicating with LDAP directory servers, and for performing other directory-related tasks.
Key advantages of the UnboundID Directory Services products are listed below.
Our products are built from the ground up with high performance, high concurrency, and high scalability in mind. They can take full advantage of systems with large amounts of memory, and with large numbers of CPUs, CPU cores, and hardware threads.
The UnboundID Directory Proxy Server can help provide improved horizontal scalability not only through advanced load-balancing techniques, but also through the use of entry balancing that allows the data to be divided into multiple replicated sets to take advantage of the aggregate CPU and memory capacities of any number of systems.
Our products are designed to provide high concurrency and throughput while still providing very low (and consistently low) response times for individual operations. The UnboundID Directory Proxy Server can help further improve response time consistency through intelligent load balancing.
Our vertical scalability is achieved not only through the ability to take advantage of large-memory systems, but also by storing data in a highly-compacted form that makes it possible to maximize the number of entries stored in the available capacity. This compaction reduces the amount of memory needed to cache the data, and the amount of disk space required for the database. The reduced database size also means that backups are smaller and are faster to create and restore.
The UnboundID Directory Server offers a fast and concurrent cache priming mechanism at startup to help ensure that the relevant data is in memory and quickly accessible before the server starts accepting connections from clients. This allows the server to provide maximum performance immediately with no warm-up time. The UnboundID Directory Proxy Server offers a similar mechanism for priming the global index used in entry-balanced configurations.
The UnboundID Directory Server provides fine-grained control over which entries are stored in the cache, and even which attributes within those entries. If the data set includes a large number of entries, or large attributes within entries, that are infrequently accessed, and you are willing to accept the reduced performance of always retrieving that data from disk when it is needed, then partial caching can dramatically reduce the amount of memory required to achieve the necessary performance in your environment.
The UnboundID Directory Server provides very fast and highly-concurrent LDIF import and export mechanisms. In addition, while performing LDIF import processing, the server can provide cache sizing estimates and tuning recommendations based on the data set loaded into the server.
The UnboundID Directory Server makes it easy to fully encrypt all of the data stored in the server. This includes not only the user-supplied data, but also all references to that data in the replication database and the LDAP changelog. The server also provides support for encrypted backups and LDIF exports to ensure that data at rest never needs to be stored in the clear.
The UnboundID Directory Server also provides support for fully encrypting all communication, and can be configured to reject requests received over an insecure connection. All replication traffic is automatically encrypted, and it is simple to enable encryption for all communication between UnboundID server products if desired.
Like most LDAP directory servers, the UnboundID Directory Server provides a fine-grained access control mechanism that can provide a great deal of control over the ways in which users and clients can interact with entries, attributes, and attribute values. However, the UnboundID Directory Server also includes a number of other mechanisms for granting or restricting access to data and operations:
A privilege subsystem that makes it possible to grant administrative capabilities to users in a fine-grained manner. This eliminates the need to use all-powerful root accounts in order to perform some action that might only require one elevated capability. Root users get all of their elevated capabilities through privileges, but privileges can also be assigned to normal users.
A client connection policy system that makes it possible to enforce absolute restrictions over which types of operations a client may request and which portions of the DIT a client may access. These restrictions can be based on criteria like the address and protocol the client is using, the identity of the client, and the authentication mechanism that was performed. These restrictions can even be enforced for root accounts that would otherwise be allowed to perform any operation in any part of the data.
A sensitive attribute subsystem that can enforce absolute restrictions over access to certain attributes (e.g., to ensure that the attributes are only accessed in a secure manner, or to ensure that certain values can be updated and compared but not retrieved). These restrictions can also be enforced for root accounts that would normally be allowed access to any data.
While the privilege subsystem reduces the need for root users, root accounts are still useful because they exist outside of the user data and are available in cases in which the data may not be (e.g., during a restore or LDIF import). Some directory servers support only a single root account (which likely means it must be shared by multiple administrators). The UnboundID Directory Server supports any number of root accounts, each of which has its own set of credentials and can be subject to password policy enforcement. This makes it possible to better audit the activities of individual administrators, and to more easily handle the removal of an individual administrator.
The UnboundID Directory Server provides support for a number of authentication mechanisms. In addition to simple authentication, a number of standard SASL mechanisms are supported, including ANONYMOUS, CRAM-MD5, DIGEST-MD5, EXTERNAL, GSSAPI, and PLAIN. The server also provides support for a number of two-factor authentication options, including those that combine a user's static password with a certificate, a time-based one-time password, a one-time password delivered through an extensible mechanism like SMS or email, or a one-time password generated by a Yubikey device. The server also provides an extensible framework that can be used to add support for additional authentication mechanisms.
The UnboundID Directory Server provides a wide range of password policy capabilities, including strong password storage schemes, a number of password quality validators, password expiration, account lockout after a specified number of failed attempts or if the account remains idle for too long, login time and IP address tracking, and count-based or time-based password history. It also offers a password retirement feature that makes it possible to change the password for an account in a way that allows the previous password to continue to be used for a period of time while any applications with knowledge of the password are updated to use the new value.
Both the UnboundID Directory Server and Directory Proxy Server can be configured to enforce constraints on operation rates (per-server, per client connection policy, per-user, or per-connection) and on the maximum number of connections (per-server, per client connection policy, per-address, or per-bind DN). Per-user restrictions can also be enforced for operation time limits, the number of entries returned per search, maximum connection time, and maximum idle time.
All UnboundID server products provide a powerful logging subsystem that can be used to record and audit the activities requested by clients. You can create any number of log files of any type, and you can use filtering criteria to control what types of messages go to each log file (e.g., you can create one access log with just failed operations, one access log with just privileged operations, one with just operations that took longer than one second to complete, etc.). Log contents can be digitally signed to provide tamper-evident assurances, and you can log to remote repositories like syslog or a relational database to make it harder to alter or delete all copies.
The UnboundID Directory Server includes an audit-data-security tool that can be used to examine the data set and identify entries of interest from a security perspective, including locked or disabled user accounts, users with expired or weakly-encoded passwords, users assigned special privileges, etc.
Some of the standard/publicly-defined controls supported by UnboundID server products include:
Active Directory DirSync
Authorization Identity (RFC 3829)
LDAP Assertions (RFC 4528)
LDAP Subentries (draft-ietf-ldup-subentry)
ManageDsaIT (RFC 3296)
Matched Values (RFC 3876)
Password Expired / Password Expiring (draft-vchu-ldap-pwd-policy)
Password Policy (draft-behera-ldap-password-policy)
Persistent Search / Entry Change Notification (draft-ietf-ldapext-psearch)
Pre-Read / Post-Read (RFC 4527)
Proxied Authorization v1 (draft-weltman-ldapv3-proxy-04)
Proxied Authorization v2 (RFC 4370)
Server-Side Sort (RFC 2891)
Simple Paged Results (RFC 2696)
Subtree Delete (draft-armijo-ldap-treedelete)
Transaction Specification (RFC 5805)
Virtual List View (draft-ietf-ldapext-ldapv3-vlv)
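To show several of the standard controls listed above in use, here is an added example (not from this page or from UnboundID's own documentation) written against the UnboundID LDAP SDK for Java's InMemoryDirectoryServer so that it runs offline; the base DN, entries, passwords and the class name StandardControlsDemo are constructed for illustration. It exercises Authorization Identity (RFC 3829) on a bind, Server-Side Sort (RFC 2891) together with Simple Paged Results (RFC 2696) on a search, and LDAP Assertions (RFC 4528) to make a modify conditional on the entry's current state.

```java
import com.unboundid.asn1.ASN1OctetString;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.sdk.BindResult;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ModifyRequest;
import com.unboundid.ldap.sdk.SearchRequest;
import com.unboundid.ldap.sdk.SearchResult;
import com.unboundid.ldap.sdk.SearchResultEntry;
import com.unboundid.ldap.sdk.SearchScope;
import com.unboundid.ldap.sdk.SimpleBindRequest;
import com.unboundid.ldap.sdk.controls.AssertionRequestControl;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityRequestControl;
import com.unboundid.ldap.sdk.controls.AuthorizationIdentityResponseControl;
import com.unboundid.ldap.sdk.controls.ServerSideSortRequestControl;
import com.unboundid.ldap.sdk.controls.SimplePagedResultsControl;
import com.unboundid.ldap.sdk.controls.SortKey;

public class StandardControlsDemo {
  public static void main(String[] args) throws Exception {
    // Constructed test data: an in-memory server holding three people (assumed DNs and passwords).
    InMemoryDirectoryServerConfig cfg = new InMemoryDirectoryServerConfig("dc=example,dc=com");
    InMemoryDirectoryServer ds = new InMemoryDirectoryServer(cfg);
    ds.add("dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example");
    ds.add("dn: ou=People,dc=example,dc=com", "objectClass: top", "objectClass: organizationalUnit", "ou: People");
    for (String uid : new String[] {"carol", "alice", "bob"}) {
      ds.add("dn: uid=" + uid + ",ou=People,dc=example,dc=com", "objectClass: top", "objectClass: person",
             "objectClass: organizationalPerson", "objectClass: inetOrgPerson", "uid: " + uid,
             "cn: " + uid, "sn: " + uid, "userPassword: secret", "employeeNumber: 1");
    }
    ds.startListening();
    LDAPConnection conn = ds.getConnection();
    try {
      // Authorization Identity (RFC 3829): ask the server which identity it will use for access decisions.
      BindResult bindResult = conn.bind(new SimpleBindRequest(
          "uid=alice,ou=People,dc=example,dc=com", "secret",
          new AuthorizationIdentityRequestControl()));
      AuthorizationIdentityResponseControl authzId =
          AuthorizationIdentityResponseControl.get(bindResult);
      System.out.println("Authorization identity: " + authzId.getAuthorizationID());
      // Server-Side Sort (RFC 2891) + Simple Paged Results (RFC 2696): walk entries in uid order, two per page.
      SearchRequest search = new SearchRequest("ou=People,dc=example,dc=com",
          SearchScope.ONE, "(objectClass=person)", "uid");
      ASN1OctetString cookie = null;
      int page = 0;
      do {
        search.setControls(new ServerSideSortRequestControl(new SortKey("uid")),
                           new SimplePagedResultsControl(2, cookie));
        SearchResult result = conn.search(search);
        page++;
        for (SearchResultEntry e : result.getSearchEntries()) {
          System.out.println("page " + page + ": " + e.getAttributeValue("uid"));
        }
        SimplePagedResultsControl pagedResponse = SimplePagedResultsControl.get(result);
        cookie = (pagedResponse != null && pagedResponse.moreResultsToReturn())
            ? pagedResponse.getCookie() : null;   // the server's cookie is resent until it is empty
      } while (cookie != null);
      // LDAP Assertions (RFC 4528): apply the modify only if the entry still has the expected value (compare-and-swap).
      ModifyRequest modify = new ModifyRequest("uid=alice,ou=People,dc=example,dc=com",
          new Modification(ModificationType.REPLACE, "employeeNumber", "2"));
      modify.addControl(new AssertionRequestControl("(employeeNumber=1)"));
      conn.modify(modify);                 // assertion holds, so the change is applied
      try {
        conn.modify(modify);               // employeeNumber is now 2, so the server rejects this one
      } catch (LDAPException le) {
        System.out.println("Second modify rejected with result code " + le.getResultCode());
      }
    } finally {
      conn.close();
      ds.shutDown(true);
    }
  }
}
```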
UnboundID server products also provide support for a number of proprietary controls that offer advanced functionality. Some of the most notable of these controls include:
Assured Replication: Indicates that the server should delay the response to the client until the changes associated with that operation have been replicated in accordance with the requested criteria.
LDAP Join: Indicates that entries matching the search criteria should also include information from related entries.
Matching Entry Count: Indicates that, instead of processing the associated search, the server should return an estimate of the number of entries matching that criteria and the degree of confidence in that estimate.
Retain Identity: Indicates that the server should perform all appropriate processing for the associated bind operation, but should not alter the authentication state of the underlying connection regardless of whether the bind is successful or unsuccessful.
Retire Password / Purge Password: Indicates that a password change should cause the user's former password to be retired (temporarily retained in the user's entry so that it can continue to be used to authenticate for a period of time) or purged (immediately removed from the user's entry).
Route to Server / Route to Backend Set: Indicates that the Directory Proxy Server should attempt to route the request to the specified backend server or entry-balancing backend set.
Soft Delete / Hard Delete: Indicates that the associated delete operation should be processed as a soft delete (in which case the entry will be temporarily retained in a hidden form so that it can be restored if desired) or a hard delete (in which case the entry should be completely removed from the server).
Undelete: Indicates that the add request is intended to restore a soft-deleted entry rather than specify the contents of a new entry.
Some of the standard extended operations supported by UnboundID server products include:
UnboundID server products also provide support for a number of proprietary extended operations that offer advanced functionality. Some of the most notable of these include:
Deliver One-Time Password: Indicates that the server should generate a one-time password and deliver it to the specified user via some out-of-band mechanism (e.g., email, SMS) for use in multifactor authentication.
Get Changelog Batch: Indicates that the server should retrieve a set of changelog entries matching a given set of criteria in a manner that can wait for changes if necessary and can be easily resumed on the same or different server in a way that ensures no changes are lost.
Get Configuration / List Configurations: Retrieves information about the server's current configuration, or previous configurations that it might have had.
Get Subtree Accessibility / Set Subtree Accessibility: Indicates that the server should retrieve or alter the accessibility state for one or more subtrees. Subtrees can be made accessible, read-only, or hidden.
Multi-Update: Indicates that a specified batch of changes should be processed together, optionally as a single atomic unit.
Password Policy State: Retrieves and/or alters password policy state information for a specified user.
Stream Directory Values: Quickly retrieves a list of all unique values for an indexed attribute, and/or a list of all DNs matching a given base and scope.
Validate TOTP Password: Indicates whether a given value is currently a valid time-based one-time password for a specified user.
UnboundID server products can be configured to enforce a number of constraints on the data, in addition to the constraints imposed by the associated attribute syntax. Some of these additional constraints include:
Attribute uniqueness: Requires that all values of a specified set of attributes be unique across the data set. Uniqueness can be enforced in simple replicated environments as well as in entry-balanced environments in which the data is split into multiple independent sets.
Referential integrity: When an entry is removed or renamed, the server can automatically remove or update references to that entry. This processing can be performed in simple replicated environments as well as in entry-balanced environments.
Value count requirements: Enforces constraints on the number of values a multivalued attribute is allowed to have.
Value length requirements: Enforces constraints on the length of the string representations of the values an attribute is allowed to have.
Numeric value range requirements: Enforces constraints on the range of values a numeric attribute is allowed to have.
Explicit value list requirements: Ensures that an attribute is only allowed to have values from an explicitly-specified list.
Value regular expression requirements: Ensures that the values of an attribute must match a given regular expression.
UnboundID server products are designed to be highly extensible and customizable. The UnboundID Server SDK provides a framework that can be used to create custom extensions to alter the behavior of these server products in a number of ways. Some of the most notable types of extensions that can be created include:
Access, error, and HTTP operation loggers
Administrative alert handlers and account status notification handlers
Certificate and identity mappers
Connection, request, result, search result entry, and search result reference criteria
Extended operation handlers
One-time password delivery mechanisms
Operation interception plugins
Password validators, password storage schemes, and password generators
Proxy transformations, health checks, and entry placement algorithms
SASL mechanism handlers
Synchronization sources and destinations
Uncached entry and uncached attribute criteria
Virtual attribute providers
The UnboundID Directory Server provides full support for a high-throughput and low-latency replication of changes to any data in the server with no limit on the number of servers that can accept write operations.
The replication topology can be configured so that all of the servers are aware of the locations of the other servers. This can be used to optimize communication to minimize the amount of data sent over WAN links, and the server can also be configured to compress WAN communication in order to further reduce the amount of network traffic.
The replication mechanism uses a loosely-consistent model that ensures that all replicas will eventually (usually within a matter of a few milliseconds) provide a consistent representation of the data. The server provides automatic detection and handling of conflicts resulting from simultaneous changes across servers (e.g., if clients make changes to the same attribute in the same entry on different servers at the same time).
The UnboundID Directory Server offers an assured replication feature, which makes it possible for the server to delay returning the response for a write operation until a specified minimum amount of replication processing has been performed for that change. The server can be configured to automatically apply different levels of assurance to different changes based on customizable criteria, and clients can explicitly specify assurance settings via a request control. There can be different replication assurance levels for servers in the local data center (no local assurance, ensure a change has been replicated to at least one other local server, and ensure a change has been replicated to all local servers) than for remote data centers (no remote assurance, ensure a change has been replicated to at least one other server in another data center, ensure a change has been replicated to at least one other server in all other data centers, and ensure a change has been replicated to all servers in all data centers).
The server provides a substantial amount of replication monitoring data for all servers in the topology, including information about the average length of time required for changes to be replicated, and information about the current backlog of changes to be replicated. The UnboundID Directory Server can be configured to generate administrative alert notifications if replication falls behind for some reason, and the UnboundID Directory Proxy Server can attempt to route away from servers with a replication backlog that has become too high. When starting up after having been offline for any period of time, the Directory Server can be configured to wait for replication to catch up before accepting connections so that clients are not exposed to outdated information.
Replication is only supported between instances of the UnboundID Directory Server and cannot be used to synchronize changes with directory servers from other vendors, or with non-LDAP servers. However, the UnboundID Synchronization Server can provide this capability, including both one-way and bidirectional synchronization. This can be used as a temporary mechanism during the course of migrating data into the UnboundID Directory Server, or as a long-term solution for keeping two disparate data repositories up to date. If desired, the UnboundID Synchronization Server can synchronize a specified subset of the data (e.g., only certain entries, or only certain attributes within entries), and can apply advanced transformations to the data in the course of copying it from one repository to another.
UnboundID server products provide the ability to generate administrative alert notifications in response to significant error and warning conditions that arise in the server, as well as for other notable events that occur. These notifications can be made available to administrators through a wide variety of ways, including email messages, SNMP traps, JMX notifications, and SMS messages. In addition, the UnboundID Server SDK can be used to develop custom alert delivery mechanisms.
UnboundID server products provide an extensive amount of monitoring information about a wide range of server components, operation processing, and information about the underlying JVM, operating system, and hardware. This information is accessible over LDAP, and the Commercial Edition of the UnboundID LDAP SDK includes support for retrieving and parsing this monitor information. Much of this information is also available via JMX and SNMP and can be consumed by most enterprise monitoring software.
UnboundID server products support defining thresholds for most monitor data. Information about these thresholds is available over LDAP and as SNMP alarms. The server can also generate administrative alerts if a monitored value falls outside an acceptable range.
The UnboundID Metrics Engine can collect and collate a wide range of monitor data, and can make that information available in graphical form over customizable ranges of time, individually or with multiple metrics correlated together. This information can be used for a wide range of purposes, including detecting performance and behavioral trends, and for identifying potential causes for anomalies.
All UnboundID server products have a simplified installation and initial configuration process that allows you to set up a complete directory services environment in a matter of minutes. The setup can be fully scripted to automate everything, or it can be an interactive process that walks the administrator through all of the necessary steps. The setup process can also apply automatic tuning based on information about the underlying system (e.g., number of CPUs, amount of available memory, etc.) to eliminate the need to hand-tweak a lot of settings to get the best performance and scalability.
All UnboundID server products provide a consistent set of configuration interfaces with command-line tools that provide interactive and non-interactive modes, and an interactive web-based interface. The interactive interfaces provide a complete set of documentation for all of the configuration settings, and can provide the appropriate usage for making the same change in a non-interactive manner. Most configuration changes take effect automatically as soon as the change is applied, and those that require some additional action for the change to take effect will indicate the necessary action in the course of making the change. Configuration changes can be easily applied to just a single server or to all servers in the topology.
It's easy to keep track of configuration changes within the environment. All servers provide a log of all configuration changes made to that server in a format that makes it easy to script the change, or to revert the change. Servers also provide a complete archive of all configurations they have held while running. A config-diff tool makes it possible to identify differences between the configurations of different servers, as well as to identify changes from the default baseline configuration. In addition, the server will generate an administrative alert whenever a configuration change is applied, in order to make it harder for configuration changes to go unnoticed.
UnboundID server products come with a number of tools that can perform configuration and data validation to identify potential problems that may arise, or to help diagnose problems that have been encountered. A collect-support-data tool can help bundle a lot of useful diagnostic information together in a form that often allows support personnel to quickly identify the problem or at least better understand the conditions that cause it to arise. Further, the Commercial Edition of the UnboundID LDAP SDK for Java includes a number of APIs that make it easy to access and parse log files, monitor data, administrative alerts and alarms, changelog records, and other key information.