PMDF-X500 : A user's experience
================================

This file documents this user's experience of the PMDF-X500 product from
Innosoft International, Inc. I will be glad to answer any further questions
about our experiences.

Jeremy Begg
VSM Software Services Pty Ltd
jeremy@vsm.com.au
2nd September 1996

-------------------------------------------------------------------------------

My understanding is that PMDF-X500 is basically a port of the ISODE X.500
software and the University of Michigan's LDAP library and LDAP server.
(LDAP = Lightweight Directory Access Protocol, a TCP/IP-based interface to
X.500.)

On first impressions, PMDF-X500 looks pretty good. It's not until you start
really pushing it that you find the flaws (as with many products).

I've just finished a project which has run for about 8 months or so,
integrating PMDF-X500 into a large email network composed of many disparate
email systems (PMDF/VMS MAIL, IBM NOTES, Lotus cc:Mail, assorted UNIX mailers,
etc). The major part of this project was to build a system capable of updating
the X.500 database from flat files extracted from each email system's user
list, and then use the X.500 database to update the user lists on each email
system so that each email system has an entry for all users. (Of course X.500
is supposed to do away with the need for complete user lists on all email
systems, but to do so requires that each email system has an X.500 query tool,
which wasn't the case here.)

The PMDF-X500 database itself is pretty solid although we did find a couple of
bugs with the way it constructs the on-disk structure. These were quickly
fixed. Similarly, the LDAP server seems OK and it's capable of generating lots
of tracewrite information which proved very useful in debugging my own
programming efforts. Be warned however that the X.500 server is particularly
heavy on CPU and memory so if you're serious about doing X.500 and you expect
it to hold a large database, find a dedicated machine.
The PMDF-X500 support utilities are disappointing to say the least. There is
one utility which interacts with the X.500 database directly. This is "Dish"
and while powerful and useful, is definitely NOT a user query tool (nor is it
intended to be). This is the only tool which allows you to manage the X.500
server directly and is the preferred way for creating the X.500 directory
structure.

The PMDF DIRECTORY utilities use LDAP to interface with the X.500 database and
they all suffer from problems. (A list of the problems we found can be
provided if you really want it.) For example, they have a tendency to drop
their LDAP connections part way through processing which usually causes an
immediate exit -- but not always with an error status. Or in some cases they
simply failed to process particular entries.

One thing I found annoying from a purely functional point of view is that
PMDF DIR/LOAD (the utility which is intended to be used to populate the X.500
database) creates only leaf nodes (users etc) in the X.500 database; it won't
create non-leaf nodes such as organizations and organizational units. Also,
the PMDF DIR/IMPORT utility, which allows you to convert MS Mail, cc:Mail and
WPO mail user lists to X.500 data, is only barely configurable and you'll be
lucky if you don't have to write a program to do this task.

No screen-based user-friendly utilities are provided, except for
PMDF DIR/BROWSE, which is the same as the X500-FORM in PMDF MAIL. It's easy to
use but the current release (5.0) provides no support for modifying the X.500
attributes which are displayed.

My role in the project was to devise a procedure (programs and/or DCL) to
compare the X.500 database with the contents of a large flat file (30,000+
records) and update the X.500 database appropriately. After I found that
PMDF DIR/LOAD was not going to do the job I decided to write a program which
uses LDAP calls to directly interact with the X.500 database, avoiding the
PMDF DIRECTORY utilities entirely.
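The reconciliation step described above (compare a flat user-list extract
against the directory and apply only the differences) is the core of such a
program, independent of which LDAP library does the talking. The following is
an added example, not Jeremy Begg's Pascal program nor any Innosoft code. It
assumes a comma-separated extract with a header row, a snapshot of the
directory keyed by distinguished name under an assumed base DN, and the
inetOrgPerson schema; all sample data is constructed. It also carries two
checks the report's remarks on the PMDF utilities motivate: skipped entries are
reported and reflected in the exit status rather than silently dropped, and a
delete budget stops a truncated extract from emptying the directory.

```python
"""Plan LDAP changes that bring a directory into line with a flat user list.

Added example for illustration; not from the PMDF-X500 product or the report.
Assumed: CSV extract with a header row, entries under BASE_DN, inetOrgPerson.
"""
import csv
import io

BASE_DN = "ou=Users,o=Example Corp,c=AU"   # assumed location of user entries
SYNCED_ATTRS = ("cn", "mail", "ou")        # attributes the flat file is authoritative for
MAX_DELETE_FRACTION = 0.5                  # refuse to delete more than this share of entries

# Constructed flat-file extract, of the kind each mail system might produce.
# The last row has no uid and must be reported, not silently dropped.
FLAT_FILE = """uid,cn,mail,ou
jbloggs,Joe Bloggs,jbloggs@example.com.au,Sales
asmith,Anne Smith,asmith@example.com.au,Engineering
bjones,Bill Jones,bill.jones@example.com.au,Sales
,Broken Row,broken@example.com.au,Sales
"""

# Constructed snapshot of what the directory currently holds, keyed by DN
# (in a real run this would come from an LDAP search under BASE_DN).
DIRECTORY = {
    "uid=jbloggs,ou=Users,o=Example Corp,c=AU":
        {"uid": "jbloggs", "cn": "Joe Bloggs", "mail": "jbloggs@example.com.au", "ou": "Sales"},
    "uid=bjones,ou=Users,o=Example Corp,c=AU":
        {"uid": "bjones", "cn": "Bill Jones", "mail": "bjones@example.com.au", "ou": "Sales"},
    "uid=oldguy,ou=Users,o=Example Corp,c=AU":
        {"uid": "oldguy", "cn": "Old Guy", "mail": "oldguy@example.com.au", "ou": "Sales"},
}


def dn_for(uid):
    """Build the DN of a user entry from its uid (assumed naming convention)."""
    return "uid=%s,%s" % (uid, BASE_DN)


def parse_flat_file(text):
    """Parse the extract into {dn: attrs}; return the line numbers of rows without a uid."""
    desired, bad_rows = {}, []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        uid = (row.get("uid") or "").strip()
        if not uid:
            bad_rows.append(lineno)
            continue
        attrs = {"uid": uid}
        attrs.update({a: (row.get(a) or "").strip() for a in SYNCED_ATTRS})
        desired[dn_for(uid)] = attrs
    return desired, bad_rows


def plan_changes(desired, current):
    """Return (op, dn, payload) tuples that turn `current` into `desired`, in a stable order."""
    changes = []
    for dn in sorted(desired):
        if dn not in current:
            changes.append(("add", dn, desired[dn]))
            continue
        diffs = {a: desired[dn][a] for a in SYNCED_ATTRS if current[dn].get(a) != desired[dn][a]}
        if diffs:
            changes.append(("modify", dn, diffs))
    for dn in sorted(current):
        if dn not in desired:
            changes.append(("delete", dn, None))
    return changes


def check_delete_budget(changes, current):
    """Abort if the plan would delete an implausibly large share of the directory."""
    deletes = sum(1 for op, _, _ in changes if op == "delete")
    if current and deletes / len(current) > MAX_DELETE_FRACTION:
        raise RuntimeError("refusing to delete %d of %d entries" % (deletes, len(current)))
    return deletes


def to_ldif(changes):
    """Render the plan as LDIF change records (RFC 2849), suitable for ldapmodify."""
    out = []
    for op, dn, payload in changes:
        out.append("dn: %s" % dn)
        out.append("changetype: %s" % op)
        if op == "add":
            out.append("objectClass: inetOrgPerson")   # assumed schema
            out.append("uid: %s" % payload["uid"])
            out.extend("%s: %s" % (a, payload[a]) for a in SYNCED_ATTRS)
        elif op == "modify":
            for a, v in payload.items():
                out.extend(["replace: %s" % a, "%s: %s" % (a, v), "-"])
        out.append("")
    return "\n".join(out)


def run_sync(flat_text=FLAT_FILE, directory=DIRECTORY):
    """Parse, diff and budget-check; return the change plan and the skipped line numbers."""
    desired, bad_rows = parse_flat_file(flat_text)
    changes = plan_changes(desired, directory)
    check_delete_budget(changes, directory)
    return changes, bad_rows


if __name__ == "__main__":
    changes, bad_rows = run_sync()
    print(to_ldif(changes))
    # Exit non-zero whenever a row was skipped, so a calling batch job cannot miss it.
    raise SystemExit(1 if bad_rows else 0)
```

Run as a script it prints three LDIF records (an add for asmith, a mail
replace for bjones, a delete for oldguy) and exits with status 1 because of
the uid-less row. Keeping the diff engine separate from the LDAP transport
means the plan can be reviewed, or replayed after a dropped connection,
without recomputing it.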
However, first I had to find the LDAP library. Innosoft supply it in the form
of a VMS RTL but it's totally unsupported for use by customer-written programs
and it's an old version of the LDAP library anyway. I had to ftp it from UMich
which was OK but took several attempts because of network load etc. Craig
Watkins from Innosoft has modified the LDAP library and server to compile
under VMS and it was pretty easy to get the library compiled on my system.
Dan Newman sent me some sample programs which show how to dump the X.500
database.

The main problem was that the LDAP documentation comprises a collection of
RFCs and Unix man-pages. The RFCs contain introductory material and are pretty
easy to read; the man pages are not so straightforward (especially if you
don't have a man viewer!) and contain a number of errors anyway. Most of these
I found in the process of converting the man pages to a DECwrite document.

My program is written in Pascal and works quite nicely. I developed a Pascal
environment file from the LDAP .H include files and Dan's sample code (also in
Pascal) suggested how to handle some of the C constructs.

To sum up:

Base X.500 server and LDAP server are OK. Support utilities are less useful
except in the simplest of environments. You can expect to do a lot of
programming for directory maintenance operations.

Please note that Innosoft have been for the most part very helpful even though
some problems remain unresolved at this time.

If you want more information, or help with programming tips & tricks, feel
free to ask!

Regards,
Jeremy Begg