(Ebook) LDAP Programming, Management and Integration by Clayton Donley, ISBN 9781930110403, 1930110405

LDAP Programming, Management and Integration

CLAYTON DONLEY

MANNING
Greenwich
(74° w. long.)
For online information and ordering of this and other Manning books, go to www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact:
Special Sales Department
Manning Publications Co.
209 Bruce Park Avenue
Greenwich, CT 06830
Fax: (203) 661-9018
email: orders@manning.com

©2003 by Manning Publications Co. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher.

Many of the designations used by manufacturers and sellers to distinguish their products are
claimed as trademarks. Where those designations appear in the book, and Manning
Publications was aware of a trademark claim, the designations have been printed in initial
caps or all caps.

Recognizing the importance of preserving what has been written, it is Manning’s policy to have the
books we publish printed on acid-free paper, and we exert our best efforts to that end.

Manning Publications Co.
209 Bruce Park Avenue
Greenwich, CT 06830

Copyeditor: Tiffany Taylor
Typesetter: Dottie Marsico
Cover designer: Leslie Haimes

ISBN 1-930110-40-5
Printed in the United States of America
1 2 3 4 5 6 7 8 9 10 – VHG – 06 05 04 03
contents
preface xi
acknowledgments xv
about this book xvi
getting started xix
about the cover illustration xxii

Part 1 Fundamental LDAP concepts 1


1 Introduction to LDAP 3
1.1 What LDAP is 4
Directory services and directory servers 4 ✦ LDAP and directory
services 4 ✦ Other directory services 5
1.2 What LDAP is not 7
LDAP is not a relational database 7 ✦ LDAP is not a file system for
very large objects 7 ✦ LDAP is not optimal for very dynamic objects 9
LDAP is not useful without applications 9
1.3 Current applications 10
White pages 10 ✦ Authentication and authorization 12
Personalization 13 ✦ Roaming profiles 14 ✦ Public Key
Infrastructure 14 ✦ Message delivery 15
1.4 Brief history 15
X.500 and DAP 15 ✦ A new standard is born 16
LDAP goes solo 17 ✦ LDAPv3 18
1.5 LDAP revisions and other standards 18
Replication and access control 19 ✦ Directory Enabled
Networking 21 ✦ XML and directories 22
1.6 Directory management 23
1.7 Directory integration 24
Integration via metadirectories 27

v
1.8 Integration and federation via virtual directory technology 30
1.9 Why this book? 31
1.10 Summary 32

2 Understanding the LDAP information model 34


2.1 Information model overview 35
Entries 35 ✦ Attributes 36 ✦ LDAP entries vs. database records 36
2.2 Working with LDAP schema 37
Standard LDAP schema 37
2.3 Attribute types 39
Defining attribute types 39 ✦ Syntax definitions 40 ✦ Matching rules for
attributes 41 ✦ Support for multiple values 43 ✦ Inheritance 44
User modification 45 ✦ Variables in Java, Perl, and C 45
2.4 Object classes 46
Defining object classes 46 ✦ Required and allowed attributes 47
Object class inheritance 47 ✦ Multiple object class memberships 48
Object class types 48 ✦ LDAP object classes and Java or C++ classes 50
2.5 Using object modeling to design LDAP schema 51
Modeling classes 51 ✦ Modeling relationships 51
Modeling object instances 53
2.6 Summary 54

3 Exploring the LDAP namespace 55


3.1 What is a namespace? 56
Hierarchical namespaces 57
3.2 Specifying distinguished names 59
Choosing a relative distinguished name attribute 60
Determining the base 62
3.3 Assigning the root naming context 64
Traditional style of assigning the root name context 64
Domain component style of assigning the root name context 65
3.4 Selecting and designing a directory tree 65
Intranet directories 66 ✦ Internet directories 69 ✦ Extranet directories 71
3.5 Summary 74

4 Search criteria 75
4.1 Performing a search 76
4.2 Where to search: base and scope 76
Search base 76 ✦ Search scope 77

4.3 What to evaluate: search filters 78
Presence filters 79 ✦ Exact equality filters 80 ✦ Substring matching 81
Ordered matching (greater than/less than) 83 ✦ Approximate filters 84
Multiple filters: AND and OR operators 84 ✦ Negative filters: the NOT
operator 86 ✦ Extensible searching and matching rules 86
4.4 What to return: the attribute return list 87
4.5 LDAP search criteria vs. SQL queries 87
Similarities between SQL SELECT and LDAP search criteria 88
Differences between SQL SELECT and LDAP search criteria 88
4.6 Increasing search performance 88
4.7 Summary 89

5 Exchanging directory information 90


5.1 Representing directory information outside the directory 91
5.2 LDAP Data Interchange Format 92
Expressing entries in basic LDIF 92 ✦ Writing LDAP changes
as LDIF 94 ✦ Representing schemas in LDIF 95 ✦ Advantages
and disadvantages of LDIF 96
5.3 Directory Services Markup Language 96
Why use DSML? 96 ✦ Getting started with DSML 98
A DSML example 98 ✦ Handling binary values in DSML entries 99
Entry changes and DSML 100
5.4 Defining directory schemas with DSML 100
DSML object classes 100 ✦ DSML attribute types 101
5.5 XSLT and DSML 102
Converting DSML to HTML using XSLT 102
5.6 Summary 104

Part 2 LDAP management 105


6 Accessing LDAP directories with Perl 107
6.1 LDAP access from Perl 108
6.2 Getting started with Net::LDAP 109
Using the module 109 ✦ Opening a connection 109
Binding to the directory 110
6.3 Searching with Net::LDAP 111
Performing a search 111 ✦ Understanding search scopes 113
LDAP search filters 115 ✦ Using search results 115 ✦ Limiting
attribute retrieval 115 ✦ Handling referrals 116

6.4 Manipulating entries 116
Updating an entry 116 ✦ Adding new entries 117
Deleting an entry 117 ✦ Renaming an entry 117
6.5 Comparing entries 118
6.6 Handling errors 119
6.7 Support for encrypted/SSL connections 119
6.8 Summary 120

7 Managing directory entries, groups, and accounts 121


7.1 Common types of managed entries 122
7.2 Entry management models 122
Centralized administration 122 ✦ Distributed administration 124
User self-administration/self-service 125
7.3 Creating people entries 126
People entries via a web form 127 ✦ People entries based on
existing data 130 ✦ Summary of creating entries 134
7.4 Creating and maintaining groups 134
Explicit groups 135 ✦ Dynamic groups and LDAP URLs 136
7.5 Representing and managing account information 136
Unix user accounts 137 ✦ Linking Unix accounts to people 141
7.6 Managing other information 142
Security services information 142 ✦ DNS information 142 ✦ Directory
Enabled Networking information 143 ✦ Card catalog information 143
7.7 Summary 143

8 Synchronizing LDAP information 144


8.1 Approaches to data flow management 145
Replication 145 ✦ File export/import 146 ✦ Scripting 146
8.2 Data flow analysis 146
Schema mapping 147 ✦ Determining the authoritative source 147
Data transformation 148 ✦ Namespace translation 149
8.3 Interchange formats 150
LDAP Data Interchange Format 150
Directory Services Markup Language 151
8.4 Migration to LDAP 152
Migrating a simple table 152 ✦ Migrating from multiple sources 154
Adding new information to existing entries 157
8.5 Joining related information 159
Multikey matches 159 ✦ Fuzzy matching 160

8.6 Synchronization 162
Synchronization to LDAP 162 ✦ Synchronization from LDAP 163
Bidirectional synchronization 166
8.7 Summary 167

9 Accessing operational information in LDAP 168


9.1 Getting server information 169
Retrieving available root naming contexts 169 ✦ Extracting object class
information 170 ✦ Getting attribute type details 174
9.2 Monitoring with LDAP 178
Getting the monitor’s name 178 ✦ Reading the monitor information 178
Polling the monitor entry 180
9.3 Testing replication 181
9.4 Summary 184

10 DSML: getting under the hood 185


10.1 DSML parsing with SAX 186
Basics of parsing XML with SAX 186 ✦ A simple XML parser handler 186
Parsing a simple document 188 ✦ PerlSAX’s built-in error checking 189
10.2 Parsing DSML into a Perl object 190
Beginnings of a useful DSML parser handler 192 ✦ Handling elements in
the DSML file 193 ✦ Extracting characters between start and end tags 194
Preparing to use DSMLHandler 194 ✦ Invoking the SAX parser using
DSMLHandler 194
10.3 Generating DSML 196
Writing directory entries 196 ✦ Converting RFC-style LDAP schemas to
DSML LDAP schemas 199 ✦ Conversion example for object classes 199
Converting attribute types 204
10.4 Using Perl to convert DSML with XSLT 208
Converting DSML to HTML 209
10.5 Summary 211

Part 3 Application integration 213


11 Accessing LDAP directories with JNDI 215
11.1 Introduction to JNDI 216
JNDI versus the LDAP Java SDK 216
11.2 JNDI architecture 216
JNDI providers 217 ✦ The JNDI package 217

11.3 JNDI operations: the DirContext class 217
Handling basic exceptions 218 ✦ Closing the connection 218
Binding to the directory 218 ✦ A reusable LDAP connection handler 219
11.4 Searching with JNDI 220
Abstracting the entry 221 ✦ A search class 223
11.5 Adding entries 226
A simple add example 226 ✦ A generalized add example 227
11.6 Manipulating entries 229
Modifying entries 229 ✦ Deleting entries 230 ✦ Renaming entries 231
11.7 Summary 232

12 Java programming with DSML 233


12.1 Writing DSML with Java 234
12.2 DSML with JNDI 235
Automatic DSML output from LDAP URLs 236
12.3 Working with schemas in DSML 237
Reading schemas with SAX 238 ✦ Designing a basic SAX handler 240
12.4 Transformation with XSLT in Java 244
12.5 Enhancements with DSMLv2 248
Implementing interapplication communication 249 ✦ Creating DSMLv2
SOAP requests 249 ✦ Creating DSMLv2 SOAP requests with JNDI 252
12.6 Summary 252

13 Application security and directory services 253


13.1 The relationship between security and directories 254
What is security? 254 ✦ How LDAP provides security 256
13.2 Storing key and certificate data 259
Preshared secret keys 259 ✦ Public/private key pairs 261
13.3 Using digital certificates 262
Creating a digital certificate in Java 263
Storing and distributing digital certificates 264
13.4 Managing authorization information 268
Understanding access control rules 268 ✦ Directory authorization 269
Application authorization 269
13.5 Encrypting LDAP sessions using JNDI and SSL 270
13.6 Summary 271

A: Standard schema reference 273


B: PerLDAP 302
index 317

preface

This book will help you understand and use the most important directory services—those based on the leading industry standards—without having to read the many esoteric standards documents available on the Web. I am tempted to start the book with a motivating example from my experience to explain why directory services are so important and why you should read this book from cover to cover, but I will resist. There is no need to tell a story from my experience, because I can tell a story from your experience. Every single one of you has had experience with directory services, whether you know it or not.

Did you log in to a computer today? When the computer checked your password, it was probably using a directory service.

Do you use a personalized start page, such as Netscape Netcenter? If so, your preferences and login information were found in a directory service and used to customize your experience.

Have you ever looked up the email addresses of long-lost friends on the Internet, or located the telephone number of the woman in receiving who can track down your lost package? Both of these tasks are also common uses for directories.

However, you don’t need to learn how to type someone’s name into a search engine or enter your password. What you do need to learn, and what this book will teach you, is how to apply the standards that make directory services accessible over computer networks ranging from the Internet to your corporate intranet to business partners’ extranets.

We won’t stop there. The most pressing issue in the area of directory services today is simply that there are so many of them. Every application written in the last 30 years seems to have come with its own proprietary directory. Operating systems also have directories. Most of these directories don’t care about each other or even acknowledge the others’ existence. This book will help you get these existing directories to work well with new, important standards-based directory services.

Finally, what good is a data repository without useful applications? If you are an application developer trying to get your existing applications to work with Lightweight Directory Access Protocol (LDAP), Directory Services Markup Language (DSML), and other directory standards, this book not only will help you get a handle on important application program interfaces (APIs), but also will deliver an understanding of the best strategies for using these applications to derive important application benefits.

WHO AM I, AND WHAT’S MY MOTIVATION?

Many of the people picking up this book may know my reputation as a long-time developer in the directory space. My background in this area includes writing the first comprehensive Perl module for accessing directory services via LDAP, as well as writing software for getting applications such as Apache, the Squid proxy server, and Cyrus mail servers to check passwords against servers supporting LDAP.

My recent work in this area has included the development of complete Java server software for providing data via the LDAP protocol. The server, originally a part-time open source project, is now the cornerstone of a virtual directory and proxy service product offering from OctetString. However, this book is vendor neutral; all major LDAP vendors are discussed to some extent in the first chapter.

Like many of you, I stumbled onto LDAP by accident. In 1993, I was employed as part of Motorola’s Cellular Infrastructure Group in Arlington Heights, Illinois. Along with a small group of other colleagues, I cofounded one of Motorola’s first web-based intranets.

Unlike today, when most major web sites are dynamic and filled to the brim with personalized content and real-time access to databases and important applications, there were few web-based applications in those days. Sensing the potential use of this new technology, yet realizing that this grass-roots project would not receive funding if we couldn’t adequately expose business information, many team members proceeded to develop applications, such as card catalogs for engineering documents and similar things.

I decided that my small project would be an email directory. As the only person on this project from the IT organization, I was aware of a service provided by corporate mainframes that presented information culled from human resources and local area network (LAN) administrators over a simple protocol called WHOIS.

Using WHOIS, you could open a simple network connection to the server (which in this case resided on a mainframe) and type the data to be used for searching. The search results were returned as free-form text. My application did nothing more than read this text, parse it, and write it out as HTML that could be displayed graphically by a web browser.

It was an instant hit.

I became known at Motorola Cellular as the “directory” guy, and was instantly pushed onto most of the projects that dealt with directories. At the time, these projects primarily related to email. Email is an important use of directories—after all, if you cannot locate the address of people with whom you need to communicate, a large email infrastructure doesn’t do much good. However, I began to realize that this directory wasn’t just a way to look up information; it was a key storage point for identity information—the only network-accessible place in the company where a person’s email address, login ID, department, name, and manager were linked together. I realized that smart applications could use this information to identify users throughout the company and authorize them based on criteria, such as their department. Those applications could also provide customized presentations based on that same information.

I also knew that as good as this idea was, it would be hard to execute given the limitations of WHOIS, unless we customized each application. At this time, I came into contact with X.500.

Like WHOIS, X.500 is a standard for a kind of directory service. Unlike WHOIS, X.500 is anything but simple. It is a detailed set of standards definitions that seems to describe everything within a 10-mile radius of directory services, including client access, real security, server-to-server communications, and similar areas. Also unlike WHOIS, X.500 comes from the OSI networking world, which was left in the dust in the wake of the Internet explosion and the mass adoption of loosely networked systems built around standards such as TCP/IP.

Nearly every book or article written about LDAP talks about X.500 being perfect except for that dastardly OSI protocol stack, which makes deployment on desktop-class hardware difficult. (Although there is truth to this reasoning, the real reason most X.500 directory projects didn’t take off is that getting the right data into the directory and keeping it up-to-date was difficult—after all, garbage in, garbage out. Similarly, few applications were X.500 aware, partly due to its complexity.) This difficulty spawned LDAP, which was meant to replace X.500’s Directory Access Protocol (DAP) as a client implementation.

After making the move from X.500 to LDAP for the same published reasons everyone else did, the lack of integration tools and directory-enabled applications was obvious. So, I created things like Net::LDAPapi and PerLDAP to glue together information from different sources into the directory. Not long afterward, I wrote the code that allowed users to be identified and authorized to many services, such as web, proxy, and mail.

Today many applications are directory-enabled—so many that these applications drive most new directory deployments, rather than the other way around. People looking at deploying and accessing directories are faced with many difficult choices in design and execution. My goal for this book is to help simplify this complex technology in a way that accelerates your projects and improves your end results.

LESSONS LEARNED, AND THIS BOOK’S FOCUS

Since discovering LDAP, I’ve spent nearly every day looking to develop solutions to these types of problems. Much of the time, the solution is centered on creating enterprise directory services. I’ve learned a few things about creating successful directory services. The most critical are:
• Access is access.
• Configuration is trivial; management is complex.
Although these may seem like insanely simple lessons, let me explain.

Access is access

Certain methods of access may be more efficient or provide more underlying functionality, but at the end of the day, it is only important that the directory service can share information in a way that clients and applications can use. Today, that standard for sharing information in directory services is LDAP. Therefore, we use LDAP as the primary access protocol throughout this book.

However, many of the more advanced techniques described in parts 2 and 3 of this book will work just as well with another means of access. In fact, part 3 describes the use of Directory Services Markup Language (DSML), which you can use to represent directory services information as XML.

Configuration is trivial; management is complex

This is not to say that your mother should be installing and configuring your directory servers. It is merely an indication of the relative complexity of configuration versus management.

I cannot stress enough that unless the directory is running in a stand-alone environment where it is the only source of data, there will be effort in getting information into and out of the directory. Unless you understand and make this effort up front, the data in the directory will either be stale and useless or require yet another manual administrative process to keep it up to date.

New technology is coming out that removes some of the technical barriers to splicing information into authoritative directories. However, such technology does not remove the internal political roadblocks and the need for up-front planning that is required in nearly all meaningful directory service deployments.

acknowledgments

Creating a quality technology book involves a great deal of effort from many talented and passionate individuals. There is simply no way to thank all of those involved enough for their efforts in making this book as good as it could possibly be.

I must start by thanking my wife Linda for her support in this endeavor. Without her patience and strong support, this book certainly would never have been completed. A few weeks before the book went to press, we received the special delivery of our son Ethan, who was certainly an inspiration as the book’s development came to a close.

Too many people to name looked at bits and pieces of this book. Some of the people who looked through early drafts were Kurt Zeilenga of the OpenLDAP project, La Monte Yaroll of Motorola, Booker Bense of Stanford, Jay Leiserson and Richard Goodwin of IBM, Jauder Ho of KPMG, Ranjan Bagchi, Juan Carlos Gomez and Raul Cuza. Nathan Owen of IBM and Phil Hunt of OctetString also offered some very helpful feedback on several key sections later in the development cycle.

Extra special thanks go to Booker Bense, who did a detailed final review of the entire text and made a number of quality suggestions that I feel contributed to the technical accuracy and readability of the book. Don Bowen of Sun was also especially helpful in his review of key sections of the book as it neared completion.

Many people at Manning Publications were incredible throughout the process. Marjan Bace and Mary Piergies were on top of this project with their full attention and enthusiasm from the start. Lianna Wlasiuk was phenomenal as a development editor and offered many significant ideas that vastly improved the final content of the book. Tiffany Taylor did a fantastic job of editing the text and removing all of the embarrassing errors that I left behind. Dottie Marsico had the Herculean task of making sense of a vast number of graphics in a myriad formats, among other things. Syd Brown came up with the book’s wonderful design, and Leslie Haimes did a great job putting together a captivating cover. Ted Kennedy did a masterful job of staying on top of the entire review process.

Finally, a special thanks to everyone I’ve emailed or spoken with over the years about this technology. These discussions helped shape much of the thinking that went into this book. So much was learned from sharing information with the users of the LDAP-related technology I’ve developed. This learning and interaction was truly a reward for any effort on my part.

about this book

Part 1 of the book has five chapters:
• Chapter 1 introduces core LDAP concepts, with the understanding that you may have little or no past exposure to the protocol.
• Chapter 2 introduces LDAP’s information model and schema. Information in an LDAP-enabled directory is presented in a simple and uniform way that you should understand before proceeding. This chapter covers object classes, attribute types, and schema standards.
• Chapter 3 offers information about LDAP namespace and naming standards. Because all entries in LDAP are uniquely named, it’s important for you to understand the information in this chapter.
• Chapter 4 provides an overview of LDAP search criteria. Because searching is the most commonly used and most complex LDAP operation from a client perspective, we spend considerable time introducing and explaining filters, scope, and search bases.
• Chapter 5 introduces the LDAP Data Interchange Format (LDIF) and the Directory Services Markup Language (DSML), an XML standard for representing directory information, and shows how these standards can be used to easily store and share directory information.

Part 2 is as follows:
• We begin exploring LDAP management in chapter 6. This chapter introduces the Net::LDAP module, which lets you use Perl to access and manage an LDAP-enabled directory.
• In chapter 7, we discuss administrative techniques. Examples include a web-based tool that you can use to manage individual entries.
• Chapter 8 offers insights into synchronization and migration. No data exists in a vacuum, so this chapter provides guidance about some of the ways data in other directories and databases can be leveraged in an LDAP environment.
• Chapter 9 explains how to monitor and manage information about the LDAP server. Examples include schema retrieval scripts and tools for generating synthetic transactions that can be used to check server availability.
• Chapter 10 expands on our previous discussion of DSML. Many examples are provided, in Perl, including ones for generating DSML and transforming it to HTML using XSLT.

Part 3 comprises the book’s final three chapters:
• In chapter 11, we begin discussing the best methods for directory-enabling your applications. This chapter offers an introduction to the Java Naming and Directory Interface (JNDI), an API for accessing directory services based on many standards, including LDAP.
• In chapter 12, we refocus on DSML in an application context. Examples are given that relate DSML to other technologies, such as web services and SOAP. An exploration of DSML version 2 operations is also provided.
• Security ranks with messaging as a critical area for directory integration. For that reason, we spend chapter 13 going over authentication, authorization, digital certificate storage, and LDAP security issues in general.

The book ends with two appendixes:
• Appendix A provides a compilation of standard schemas from Request for Comments (RFCs), Internet Drafts, and other sources that you should consider prior to the creation of new schemas. The LDAP schema is discussed in chapter 2.
• PerLDAP is a popular alternative to the Net::LDAP module discussed in part 2. Appendix B offers an overview of PerLDAP and translation of many of the examples in part 2.

WHO SHOULD READ THIS BOOK


This book is written for network and system administrators, as well as application
developers. Little or no past LDAP exposure is required.
Part 1 of this book uses command-line tools to demonstrate LDAP features. Part 2
provides examples in Perl that can be used unmodified in many cases or as the basis
for more advanced tools.
Finally, part 3 of the book is focused on application development issues with exam-
ples in Java. Although less directly useful to system and network administrators, it cov-
ers many important aspects of directory-enabled application development.

AUTHOR ONLINE
When you purchase LDAP Programming, Management and Integration you gain free
access to a private web forum run by Manning Publications where you can make

ABOUT THIS BOOK xvii


comments about the book, ask technical questions, and receive help from the author
and from other users. To access the forum and subscribe to it, point your web
browser to www.manning.com/donley. This page provides information on how to get
on the forum once you are registered, what kind of help is available, and the rules of
conduct on the forum.
Manning’s commitment to our readers is to provide a venue where a meaningful dialogue between individual readers and between readers and the author can take place. It is not a commitment to any specific amount of participation on the part of the author, whose contribution to the Author Online forum remains voluntary (and unpaid). We suggest you try asking the author some challenging questions lest his interest stray!
The Author Online forum and the archives of previous discussions will be accessible from the publisher’s web site as long as the book is in print.

SOURCE CODE
Source code for all examples presented in LDAP Programming, Management and
Integration is available for download from www.manning.com/donley.
Code conventions
Courier typeface is used for code examples. Bold Courier typeface is used in
some code examples to highlight important or changed sections. Certain references to
code in text, such as functions, properties, and methods, also appear in Courier
typeface. Code annotations accompany some segments of code.


getting started
Throughout this book, examples are provided wherever possible. This section details
where to get the tools you will need to use the examples.

DIRECTORY SERVERS
A directory server supporting LDAP is required to run these examples. The examples
should work with almost any LDAP-enabled directory server, except where noted
prior to the example.
This book is about getting the most from directory services, not installing and configuring all the directories on the market. Following are pointers to some of the more common directory servers available at the time of publication. Additionally, we include basic instructions for obtaining a special LDAP server that has been preconfigured to work with the examples in this book.
Directory server vendors
The LDAPZone (http://www.ldapzone.com) web site is a good place to begin when
you’re looking for answers to many directory issues. It has active community pages
and links to other sites related to LDAP. It also has links to the most popular LDAP
server implementations.
Among the servers currently listed are
• Novell eDirectory
• iPlanet Directory Server
• Oracle Internet Directory
• Critical Path InJoin Directory Server
• Microsoft Active Directory
• IBM SecureWay Directory
• Open Source OpenLDAP Directory
• Data Connection Directory
• OctetString Virtual Directory Engine

Each of these vendors provides a server that is directly LDAP accessible, with solid
documentation for installation and configuration.
Basic configuration parameters
The examples in this book assume the server will be listening on TCP port 389,
which is the standard LDAP port. This is usually easily configurable within the server,
although certain implementations (such as Microsoft Active Directory) cannot be
configured to listen on a different port.
The root of the directory tree used in the examples is dc=manning,dc=com.
This will be acceptable to most implementations, but some older servers may not be
aware of dc-style naming. If that is the case, substituting o=manning,c=us or any
other name for the root in configuration and examples should be acceptable. You can
find more information about naming and directory trees in chapter 3.
Most of the examples in this book use standard schemas related to people and groups that can be found in virtually all LDAP implementations. If an example produces an error related to a schema violation, you may need to add the schema being referenced by that example. Different directories have different files and configuration options for adding new schemas.

COMMAND-LINE TOOLS
In part 1 of the book, no programming languages are used. Instead, we use commonly available LDAP tools to demonstrate key components of LDAP, such as information model, entry naming, and search filters. These tools come with many operating systems, such as Solaris and some Linux variants. They are also distributed with many directory server products.
You can determine if the tools are available by attempting to run commands such
as ldapmodify and ldapsearch. If these commands exist, they should be suitable
for the examples in this book.
The source code to these tools can be found in at least two places:
• The OpenLDAP project (www.openldap.org)
• The Mozilla Directory project (www.mozilla.org/directory/)
Both of these versions are suitable for use with the examples in this book.
If you prefer to download precompiled versions of these tools, you can most easily
obtain them as part of the iPlanet Directory Software Development Kit (SDK). This
kit is available at http://www.iplanet.com/downloads/developer/.

LDAP PERL MODULES


Part 2 of this book, which focuses on directory management, uses the Perl language to populate, synchronize, and otherwise manage information in directories. These examples require a modern version of Perl (at least 5.005 is required, but 5.6 or higher is recommended) and the Perl-LDAP module. This is not to be confused with PerLDAP, which is the module previously released by Netscape and the author of this book. Although both modules do the same job, Perl-LDAP is becoming more widely used; and, because it is completely written in Perl, it is portable to any platform where Perl is available.
The Perl-LDAP module is written and maintained by Graham Barr and can be
found at perl-ldap.sourceforge.net along with detailed installation instructions.
ActiveState Perl users can use these commands to install the necessary module automatically:
    C:\>ppm
    PPM interactive shell (2.1.6) - type 'help' for available commands.
    PPM> install perl-ldap

Users of other versions of Perl can access the module on the Comprehensive Perl
Archive Network (CPAN) (http://www.cpan.org).

JAVA
Java is used extensively throughout part 3 of this book. We use core Java functionality found in J2SE as well as extensions for communicating with LDAP and parsing XML/DSML.

Java LDAP Access


There are two primary ways to access LDAP in Java:
• Java Naming and Directory Interface (JNDI)—You can use this generalized interface to access LDAP and non-LDAP directory and naming services.
• Netscape Java SDK—This set of Java classes was created specifically to talk to directory servers via the LDAP protocol.
This book uses JNDI. JNDI comes standard as part of Java development kits and
runtimes at or above the 1.3 version. It is available for download at java.sun.com for
earlier Java development kits.
DSML/XML
The examples in chapter 12 use both JNDI and the Java API for XML (JAXP). The JNDI examples that read DSML files require the DSML provider for JNDI. This provider is a preview technology on java.sun.com at the time of publication. The JAXP reference implementation from Sun is included with Java 1.4 and available for earlier Java releases from Sun’s Java site at http://java.sun.com/.


about the cover illustration
The figure on the cover of LDAP Programming, Management and Integration is called
an “Aga de los Genizaros,” an officer in the Turkish infantry. The illustration is taken
from a Spanish compendium of regional dress customs first published in Madrid
in 1799. The title page of the Spanish volume states:
Coleccion general de los Trages que usan actualmente todas las Nacionas del Mundo des-
ubierto, dibujados y grabados con la mayor exactitud por R.M.V.A.R. Obra muy util y en
special para los que tienen la del viajero universal
which we translate, as literally as possible, thus:
General Collection of Costumes currently used in the Nations of the Known World, designed and printed with great exactitude by R.M.V.A.R. This work is very useful especially for those who hold themselves to be universal travelers.
Although nothing is known of the designers, engravers, and workers who colored this
illustration by hand, the “exactitude” of their execution is evident in this drawing. It
is just one of many figures in this colorful collection. Their diversity speaks vividly of
the uniqueness and individuality of the world’s towns and regions just 200 years ago.
This was a time when the dress codes of two regions separated by a few dozen miles
identified people uniquely as belonging to one or the other. The collection brings to
life a sense of isolation and distance of that period and of every other historic period
except our own hyperkinetic present. Dress codes have changed since then and the
diversity by region, so rich at the time, has faded away. It is now often hard to tell the
inhabitant of one continent from another. Perhaps, trying to view it optimistically, we
have traded a cultural and visual diversity for a more varied personal life. Or a more
varied and interesting intellectual and technical life.
We at Manning celebrate the inventiveness, the initiative, and the fun of the computer business with book covers based on the rich diversity of regional life of two centuries ago brought back to life by the pictures from this collection.

PART 1
Fundamental LDAP concepts
The Lightweight Directory Access Protocol (LDAP) has emerged as the standard for
accessing directory services over networks. In this first part of the book, we will look
at everything you need to know about LDAP.
Chapter 1 begins with an exploration of the many uses and benefits of LDAP, as
well as its origin. From there we move on to an overview of current directory management and interoperability issues. At the end of chapter 1, we glance at the available and emerging tools that allow for easier integration between different data sources.
Information is exchanged between LDAP clients and servers using containers called
entries. These containers are formed based on a particular information model that we
discuss in chapter 2.
Entries in a directory are given unique, hierarchical names in an LDAP directory.
In chapter 3, we look at how these names are formed, naming issues, and best practices.
Chapter 4 covers LDAP search criteria. The focus here is on simplifying the sometimes complicated combination of search filters, scopes, and bases that make up an LDAP search request.
You will get your first look at Directory Services Markup Language (DSML), the latest standard for representing directory information and operations in XML, in chapter 5. Chapter 5 also formally introduces the LDAP Data Interchange Format (LDIF), which is a commonly used format for sharing and storing directory information.
CHAPTER 1

Introduction to LDAP
1.1 What LDAP is 4
1.2 What LDAP is not 7
1.3 Current applications 10
1.4 Brief history 15
1.5 LDAP revisions and other standards 18
1.6 Directory management 23
1.7 Directory integration 24
1.8 Integration and federation via virtual directory technology 30
1.9 Why this book? 31
1.10 Summary 32

In this chapter, we introduce the Lightweight Directory Access Protocol (LDAP) and
attempt to answer the following questions:
• What is LDAP? Who needs it? How is it used?
• What are directory services? Where do they fit in the grand scheme of things?
Which ones exist? What is their relation to LDAP?
• What are common issues in planning and deploying directory services?
• Where do metadirectories, provisioning tools, and virtual directories fit
with LDAP?
• What standards organizations and industry consortia are responsible for further
development of directory services and LDAP standards?

1.1 WHAT LDAP IS
LDAP is a standard that computers and networked devices can use to access common
information over a network. The ability to provide network access to data in itself
does not make LDAP stand out from dozens of other protocols defined for data
access, such as Hypertext Transfer Protocol (HTTP). As you will see in this chapter and those following, a number of features and vendor efforts make LDAP very well-suited for access and updates to many types of common information.
For example, information about employees might be stored in a directory so that people and applications can locate their contact information. Such contact information might include email addresses and fax numbers, or even additional data that unambiguously identifies employees when they attempt to access enterprise applications.
1.1.1 Directory services and directory servers
A directory is simply a collection of information. For example, the telephone book is a
directory used by virtually everyone to find telephone numbers.
Directory services provide access to the information in a directory. A simple directory service that most people use from time to time is the directory assistance offered by most telephone companies. By dialing a telephone number, anyone can receive instant access to information in the telephone directory.
In the computer world, directories exist everywhere. The Unix password file can
be considered a directory of computer accounts. The Domain Name Service (DNS)
acts as a directory service providing information about network hosts.
Computer applications often have their own directories. The Apache web server
can store usernames and passwords in a data file, which is thus a directory of users.
Customer information stored in a database can also be considered directory information if it is of a common nature with applications outside a single program or system.
Directory servers are applications that primarily act as directory services, providing
information from a directory to other applications or end users. This functionality is
most applicable in client/server environments, where the service may be located
remotely from the calling application or system. For example, on Unix or Linux computers running the Network Information Service (NIS), the ypserv program can be considered a directory server.
1.1.2 LDAP and directory services
LDAP provides client-server access to directories over a computer network and is
therefore a directory service. In addition to offering the ability to search and read
information, it defines a way to add, update, and delete information in a directory.
Two general types of directory server software implement the LDAP standards:
• Stand-alone LDAP servers
• LDAP gateway servers


Stand-alone LDAP servers focus exclusively on LDAP as their only access mechanism; their proprietary internal data stores are tuned for LDAP access. These are typically what people mean when they use the words LDAP server.
Instead of being tied to a local data store, LDAP gateway servers translate between LDAP and some other native network protocol or application program interface (API) to provide access to directory information that is more directly available via other means. One example is the original use of LDAP: to gateway to other directory services supporting the X.500 standards. Another more modern example of such an LDAP gateway is a server that provides LDAP access to information residing in Oracle database tables.

Figure 1.1 LDAP directories and LDAP gateways are different types of products that provide LDAP-enabled directory services. [Diagram: an LDAP Directory with its own Local Data, and an LDAP Gateway in front of an LDAP-Enabled Directory Service and its Data.]

Figure 1.1 illustrates the two types of services that can be used to provide LDAP-enabled directory services.
The examples throughout this book will not address one type of server over the
other—the idea behind LDAP is that it shouldn’t matter where the end data is stored,
as long as the client and server can use LDAP to communicate that information in a
standard way understood by both sides.
In addition, we will focus primarily on accessing and managing information and
services through the LDAP protocol. Each directory server product is installed and
configured differently, usually in ways that are well-documented in product manuals.
It would be of little use to duplicate such information, because installation and configuration of the software is relatively trivial.
1.1.3 Other directory services
LDAP is not alone in providing computerized directory services. It is also not the first
or even the most completely defined directory service.
Other directory services that have been popular in the past, and that are still in use
in many organizations, include those based on standards such as X.500, WHOIS,
NIS, PH/QI, and various proprietary directories from companies such as Novell, Banyan, and others.
X.500 is a set of standards that originated in the late 1980s, with significant updates as late as 2001. The standards are extensive and cover everything from access to replication. In many respects, X.500 is more mature as a protocol than LDAP, including such technologies as multimaster replication and access control, but its relative complexity has made it less popular for access. However, it is still very popular, and a number of vendors sell servers that support these standards. These vendors tend to focus on X.500-based protocols for interoperability between servers, while exposing the data using an LDAP gateway.
WHOIS was an early attempt at a simple protocol for Internet-accessible white pages. The services supporting this protocol took a simple string and returned free-form text in response. A WHOIS server could be written on most operating systems in a short amount of time, but lack of standard data representation made it difficult to do anything but display the results as they arrived. Unfortunately, this limitation makes programmatic use of the resulting data in non–white pages applications very difficult.
NIS, originally called Yellow Pages (YP), was Sun’s remote procedure call (RPC)-based operating system directory. Most Unix-based servers support some variant of this protocol. It had a relatively simple replication model and access protocol, as well as the ability to discover servers on a local network; its creation was necessary due to the growth in client-server computing where users might exist on a number of servers. However, it was not well-suited for wide area networks (WANs), offered little in the way of security, and was not easily extensible for storing additional information in existing maps.
PH/QI was very popular at about the time HTTP became widely used. It was a multipurpose client-server directory service developed by Paul Pomes at the University of Illinois at Urbana-Champaign (UIUC). It was especially popular at universities in North America and was used to store not only white pages information, but also information that could be used for security, such as logins and credentials. One of the earliest applications to take advantage of the Common Gateway Interface (CGI) that shipped with the original National Center for Supercomputing Applications (NCSA) HTTP server was a gateway that presented an HTML interface to a PH server. Some mail applications, such as Eudora, were also able to perform PH queries for address books. LDAP’s acceptance in the industry curtailed any serious move to PH/QI; in addition, the service was somewhat limited. The protocol was relatively simple and text-based; it was easy to access programmatically but designed to run on a central server, limiting its scalability and scope.
Banyan was an early leader in MS-DOS/Windows operating system directories,
but it didn’t fare well as Microsoft and Novell became more directory-aware. Banyan
eventually changed its name to ePresence and is currently one of the larger integrators
focused on directory services.
Novell based the proprietary directory service for its Netware Network Operating System (NOS) on the X.500 standards. Netware’s directory has long been regarded as one of the more solid operating system directories, and Novell has a long history of directory integration in its products. As LDAP picked up steam, Novell separated the NOS from the directory and created eDirectory; it is now a popular LDAP-enabled directory service with the broadest platform support of any directory services vendor’s product.


1.2 WHAT LDAP IS NOT
LDAP is an access protocol that shares data using a particular information model. The
data to which it provides access may reside in a database, in memory, or just about
anywhere else the LDAP server may access. It is important that the data be presented
to an LDAP client in a way that conforms to LDAP’s information model.
LDAP is being used for an increasing number of applications. Most of these applications are appropriate—but some aren’t. To get a better idea what LDAP should and shouldn’t be used for, we begin this section with an overview of LDAP limitations that make it a bad choice for certain types of applications.
LDAP is not:
• A general replacement for relational databases
• A file system for very large objects
• Optimal for very dynamic objects
• Useful without applications
1.2.1 LDAP is not a relational database
LDAP is not a relational database and does not provide protocol-level support for relational integrity, transactions, or other features found in an RDBMS. Applications that require rollback when any one of multiple operations fails cannot be implemented with the current version of LDAP, although some vendors implement such functionality when managing their underlying datafiles. LDAP breaks a number of database normalization rules. For example, first normal form (1NF) states that fields with repeating values must be placed into separate tables; instead, LDAP supports multi-valued data fields.
Some LDAP server vendors proclaim that directories are somehow faster than relational databases. In some cases, this is true. In other cases, databases are both faster and more scalable. Nothing inherent in the LDAP protocol makes it in any way faster than other data access mechanisms, such as Open Database Connectivity (ODBC). Everything depends on how the underlying data store is tuned.
LDAP lacks features found in relational databases even in cases where LDAP sits on top of a relational data store, as is true with Oracle and IBM directory server products. The LDAP protocol currently has no standard for transmitting the type of information necessary to take advantage of the powerful relational and transactional capabilities present in the underlying data store.
1.2.2 LDAP is not a file system for very large objects
LDAP provides a hierarchical way of naming information that looks remarkably like that found in most file systems. Many people see this aspect of LDAP as an indication that it might be a great way to centrally store files to make them accessible over a network.


In fact, LDAP is not a great way to do network file sharing. Although it allows
information (including binary data) to be transmitted and stored, it does not have the
locking, seeking, and advanced features found in most modern file-sharing protocols.
Figure 1.2 shows some of the disadvantages of using LDAP in this manner.

Figure 1.2 LDAP is not a network file system. Here you see that if you stored a large file using LDAP, clients would need to read the entire file via LDAP rather than page through the applicable sections. If either client died in midtransfer, it would need to start again from scratch. [Diagram: two LDAP clients each pull the Entire Big File over LDAP from the LDAP Server holding the Big File.]

The Network File System (NFS) and similar file-sharing protocols have this
advanced functionality and are well-tested and accepted for use on local intranets.
Web protocols such as the HTTP and File Transfer Protocol (FTP) are more appropriate when you’re providing Internet access to data on local file systems.
In a similar vein, LDAP is often only marginally useful to store serialized objects,
large structured documents (such as XML), and similar types of data in the directory.
Because the LDAP server may not know how to parse these blobs of data, it will not
be able to search on attributes within them.
For example, if you store XML documents in the directory, you will not be able to search for all XML documents in the directory that implement a particular document type unless you also store the document’s type in the directory. Such a process involves duplicating information already stored in the XML document.
Without storing this metadata, the XML document is an opaque object that can only be stored and retrieved in full. By contrast, a good file-based XML parser has the ability to seek through parts of the XML document and retrieve or manipulate only those sections that are pertinent to the current operation. This situation may be changing as LDAP vendors become increasingly XML savvy and begin supporting such functionality as XPath searching.
Note that because the LDAP protocol is separate from the data to which it provides access, it is possible for a particular LDAP server to be extended to handle particular types of objects more intelligently. For example, the server might include an XML parser that indexes XML documents for easier search and retrieval with LDAP. We’ll explore this process briefly in the context of attribute syntax and matching rules in chapter 2.


1.2.3 LDAP is not optimal for very dynamic objects
Generally speaking, LDAP is not the place to store very dynamic information. For
example, there are a number of reasons it would be unwise to write extensive audit
logs to an LDAP entry each time a user accesses a system.
First, most LDAP servers optimize for search performance at considerable cost in
write performance. Updating a single attribute in some LDAP environments generally
takes a longer time than comparable updates to a well-designed database.
Second, even with high write performance, LDAP as a protocol does not have facilities to ensure that a set of transactions will happen in the right order. This complicates even the simplest updates to dynamic information involving multiple applications or threads. Even a simple counter can get corrupted when two applications try to update it simultaneously.
Finally, even if a particular server supports tuning for updates and adds proprietary
protocol extensions to support better locking that allows for better multiapplication
updates, using these special features may avoid a major benefit of LDAP. This benefit
is the ability of application developers to use LDAP without having to take note of the
server implementation being used.
1.2.4 LDAP is not useful without applications
LDAP lacks an SQL-like general reporting language of the kind found with most
general-purpose databases. Such reporting languages can often be used to generate
sophisticated reports from a database. Because directories are used for more generally
useful information, such as account information usable by many applications, this
lack of report generation support is insignificant.
Lack of generalized report generation makes it even more important that LDAP directories be built around the notion that applications will be using them. In addition, it’s important that LDAP directory services be designed and deployed with full cooperation from the application developers who will use the service.
Although it lacks a general report-generation language, LDAP offers a number of
powerful APIs. Many of these APIs are based on well-documented industry standards
whose wide acceptance has been one of the strongest drivers of early LDAP adoption.
Unlike databases, directories using LDAP have a wire protocol that can be used without using special vendor drivers, making directories important for information that can benefit many applications that otherwise have nothing in common.
Thanks to the ease with which these APIs can be used, a large number of applications now provide native support for LDAP where it makes sense. You can find some of these LDAP-enabled applications, such as those providing shared address book or white pages functionality, on the Internet and in nearly all modern email and web browser software.


LDAP is now mature technology used by a wide variety of applications for many critical purposes. These applications include everything from authentication, authorization, and management of application and operating system users to routing of billions of email messages around the world. New applications are developed every day that ensure that LDAP’s importance will continue to grow.

1.3 CURRENT APPLICATIONS


As we just discussed, successful directory services depend on application support. In
this section we begin to examine the types of applications that normally leverage
LDAP-enabled directories.
1.3.1 White pages
One of the first uses of enterprise directories was to provide electronic shared address books, called white pages (see figure 1.3). LDAP has long been used to provide access to information that enables white pages functionality. In fact, white pages applications are the most widely deployed and visible LDAP-enabled applications.

Figure 1.3 This screen from the Outlook Express email client is an example of a
white pages application.

Both Netscape and Internet Explorer have built-in support for searching LDAP
directories and presenting the results in the form of an address book. Most email
applications released in the past few years provide this same functionality, although
some still support their own proprietary standards to remain compatible with legacy
workgroup-oriented directories. Figure 1.4 shows how such a client might talk to a
directory to retrieve this information.
A quick chat with most corporate intranet webmasters would reveal that the most frequently accessed application on an intranet is usually a corporate contact database. Everyone from the mailroom clerk to the CEO needs to be able to locate their peers; therefore, it is the simplest application available to demonstrate the power and simplicity provided by directory access.

Figure 1.4 An address book client talks directly to an LDAP server. [Diagram: Address Book Client, LDAP, LDAP Server, Data.]

Web-based white pages applications are useful for extending LDAP information to points beyond an intranet environment when firewalls or a lack of installed clients prevent pure LDAP communication. Figure 1.5 shows how a web server might act as a gateway for white pages requests from an end-user’s web browser.

Figure 1.5 The same directory shown in figure 1.4, with a web application rather than the end-user’s client communicating via LDAP. [Diagram: Browser, HTTP, Web Server, LDAP, LDAP Server, Data.]

Most people already have an LDAP-enabled browser or email client, or can access white pages via a web interface. This simplifies deployment and allows for more widespread access.
In fact, creating an application that can search for information in LDAP is not particularly difficult. The following is a full code listing in Java using the Java Naming and Directory Interface (JNDI) for a program that can search for information in an LDAP-enabled directory service:
    import javax.naming.directory.*;
    import javax.naming.*;
    import java.util.Properties;

    public class SearchLDAP {

        public static void main(String[] args) {

            // Read the root DSE: empty base, base-object scope, match everything
            String base = "";
            String filter = "(objectclass=*)";

            Properties env = new Properties();
            env.put(DirContext.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(DirContext.PROVIDER_URL, "ldap://localhost:389");

            DirContext dc = null;
            try {
                dc = new InitialDirContext(env);

                SearchControls sc = new SearchControls();
                sc.setSearchScope(SearchControls.OBJECT_SCOPE);

                NamingEnumeration<SearchResult> ne = dc.search(base, filter, sc);

                while (ne.hasMore()) {
                    SearchResult sr = ne.next();
                    System.out.println(sr.toString() + "\n");
                }

            } catch (NamingException nex) {
                System.err.println("Error: " + nex.getMessage());
            } finally {
                // Close the context once, after all results have been read,
                // not inside the loop while the enumeration is still in use
                if (dc != null) {
                    try { dc.close(); } catch (NamingException ignored) { }
                }
            }
        }
    }

The results of this code are not pretty, but they show how easy it is to tie LDAP into
a new or existing application for white pages or other lookup functionality.
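The listing above searches only the root entry with a fixed filter. A real white pages application searches a subtree for a term the user typed, and that term must be escaped before it is placed in the filter so that filter metacharacters in the input are matched literally rather than changing the query. The following is an added example, not code from the book; it uses the book's server (ldap://localhost:389) and root (dc=manning,dc=com) and assumes the entries carry the standard person attributes cn, mail and telephoneNumber. The class and method names are this example's own.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class WhitePagesSearch {

    // Escape a value that is placed inside a search filter (RFC 4515 rules), so
    // characters typed by the user are matched literally instead of being read
    // as filter syntax.
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build a white pages filter: people whose common name contains the term,
    // or whose mail address equals it. The term is escaped before insertion.
    public static String buildFilter(String term) {
        String safe = escapeFilterValue(term.trim());
        if (safe.isEmpty()) {
            throw new IllegalArgumentException("search term must not be empty");
        }
        return "(&(objectClass=person)(|(cn=*" + safe + "*)(mail=" + safe + ")))";
    }

    // Subtree search under the given base, printing the attributes an address
    // book would show. Size and time limits bound the cost of a single query.
    public static void search(String url, String base, String term) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);

        DirContext dc = new InitialDirContext(env);   // anonymous bind, read-only lookup
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail", "telephoneNumber"});
            sc.setCountLimit(50);     // at most 50 entries per query
            sc.setTimeLimit(5000);    // give up after 5 seconds

            NamingEnumeration<SearchResult> results = dc.search(base, buildFilter(term), sc);
            while (results.hasMore()) {
                SearchResult sr = results.next();
                Attributes attrs = sr.getAttributes();
                System.out.println(sr.getNameInNamespace());
                for (String name : new String[] {"cn", "mail", "telephoneNumber"}) {
                    if (attrs.get(name) != null) {
                        System.out.println("  " + attrs.get(name));   // prints "cn: ..." etc.
                    }
                }
            }
        } finally {
            dc.close();   // close once, after the enumeration has been consumed
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample term; the server and base are the book's setup.
        String term = args.length > 0 ? args[0] : "smith";
        System.out.println("filter: " + buildFilter(term));
        search("ldap://localhost:389", "dc=manning,dc=com", term);
    }
}
```

Given the input `smi*th)(uid=*`, buildFilter returns `(&(objectClass=person)(|(cn=*smi\2ath\29\28uid=\2a*)(mail=smi\2ath\29\28uid=\2a)))`: the escaped value stays a single literal assertion value, which is why the escaping belongs in the application rather than in the server.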
Another benefit of using a web-based white pages application is that whereas most browsers and email clients enable LDAP searches, a web-based application can offer a point of self-administration for contact information. Information such as phone numbers and mailing addresses can be managed using a simple interface that is integrated with the search tools. This approach makes it easy for someone to change his or her information quickly when necessary.
1.3.2 Authentication and authorization
It is virtually impossible to discuss user access and system security today without
LDAP being part of the conversation. Although it isn’t as visible to the casual user,
LDAP is emerging as the de facto way to access the identity information and creden-
tials needed to support authentication. Authentication is the process of validating the
identity of a user (or any other object, such as an application).
This process allows identity information to be managed and distributed much
more easily than via traditional means. Information stored in an LDAP-enabled data
store can be segmented for simpler management while presenting a unified view to
applications and authentication services.
Using LDAP also has the benefit of reusing identity information. This approach
offers a significant advantage over authentication processes that use an operating
system or proprietary mechanism. For example, using LDAP allows both Unix- and

12 CHAPTER 1 INTRODUCTION TO LDAP


Windows-based servers running a particular application to authenticate users in the
same manner and from the same repository. In effect, application development time
is reduced, authentication code is relatively static between platforms, and the admin-
istrative cost of managing two identity repositories is removed. Figure 1.6 shows how
an application might use LDAP to authenticate a user.

Login as: Bob Smith


Password: abc123

Browser
Bob Smith HTTP

Figure 1.6
Bob Smith uses a browser
LDAP (bind) to access information on a
protected web server. The
SUCCESS! web server first binds to
LDAP-enabled LDAP the LDAP directory to
Web Server Directory authenticate him.

After authenticating, it is possible to use other available information about the
authenticated user (such as department, company, age, and so on) to determine
whether he or she is authorized to perform a particular action on resources within a
particular computing environment or application.
We will cover the use of LDAP as an authentication and authorization resource in
chapter 13. This discussion will include more sophisticated authentication mecha-
nisms, single sign-on issues, and many other related security concerns.
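The following listing is an added example, not part of the book, written in Python rather than Java so that it runs without a directory server. It carries out the lookup-then-bind sequence of figure 1.6 (search for the user's entry by login name, then bind as that entry with the supplied password) against a small constructed in-memory directory, and shows the two checks that belong in front of it: escaping the login name before it goes into a search filter, and refusing an empty password. The DNs, the salt, the password hashing scheme and the miniature filter evaluator are assumptions made for this example; a real application hands the password to the server in a bind operation and never sees stored hashes.

```python
# Added example (not the book's code): lookup-then-bind with the checks a
# practitioner puts in front of it. Standard library only. The directory is a
# constructed in-memory table so the file runs offline; DNs, salt and hashing
# are assumptions for this example, not any server's behaviour.
import hashlib
import hmac
import re

# RFC 2254/4515 escaping for a value placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Make user input match only as a literal attribute value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(login):                 # safe: input is escaped
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(login)

def build_user_filter_unsafe(login):          # vulnerable: raw concatenation
    return "(&(objectClass=inetOrgPerson)(uid=" + login + "))"

# --- a minimal filter evaluator, enough to show what the server would do ---
def parse_filter(s, i=0):
    """Parse (&...), (|...), (!...) and (attr=pattern); return (node, next_index)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":
        kid, i = parse_filter(s, i + 1)
        node = ("!", kid)
    else:
        j = s.index("=", i)
        k = s.index(")", j)
        node, i = ("=", s[i:j].lower(), s[j + 1:k]), k
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1

def _unescape(v):                             # \xx hex escapes back to characters
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _value_matches(pattern, value):
    # An unescaped '*' is a wildcard; everything else (after unescaping) is literal.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches(node, entry):
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    return any(_value_matches(node[2], v) for v in entry.get(node[1], []))

# --- constructed directory; attribute names are stored lower-cased ---
SALT = b"constructed-salt"                    # constructed for the example

def _pw_hash(password):
    return hashlib.sha256(SALT + password.encode()).hexdigest()

DIRECTORY = {
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"], "cn": ["Bob Smith"],
        "userpassword": [_pw_hash("abc123")]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"], "cn": ["Alice Jones"],
        "userpassword": [_pw_hash("s3cret")]},
}

def search(filter_str):
    """DNs of entries matching the filter, as the server would compute them."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing characters in filter")
    return [dn for dn, entry in DIRECTORY.items() if matches(node, entry)]

def simulated_bind(dn, password):
    """Stands in for the server's simple bind check."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userpassword"][0], _pw_hash(password))

def authenticate(login, password):
    """Return the user's DN on success, None otherwise."""
    if password == "":
        # RFC 4513 5.1.2: a DN plus an empty password is an *unauthenticated*
        # bind, which many servers answer with success. Refuse it up front.
        return None
    hits = search(build_user_filter(login))
    if len(hits) != 1:                        # none, or ambiguous: both fail
        return None
    return hits[0] if simulated_bind(hits[0], password) else None
```

With a login of a single asterisk, the unsafe builder yields (uid=*), which matches every person in the directory, while the escaped builder yields (uid=\2a), which matches nobody. The empty-password check is the one most often forgotten: a simple bind carrying a DN and no password is an unauthenticated bind, and a server that accepts it will report success for any user whose name the attacker can guess.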
1.3.3 Personalization
Once a person has been identified through authentication, it is useful to personalize
the user’s experience based on their identity and preferences. In some cases, personal-
ization may simply mean placing the current user’s name at the top of a web page. A
more sophisticated use might be to pull the customer’s location information from the
directory to prepopulate an order form.
In a complex web environment with a variety of features, LDAP-enabled directo-
ries are a useful place to store information about users’ preferences. For example, you
might allow users to choose a particular product line as their primary interest when a
site covers a large number of products.
Capturing this information and enabling access to it via LDAP allows a variety
of applications to customize users’ experiences based on their interests. Doing so
offers an important benefit: personalized content can be consistent between multi-
ple applications.

LDAP has been gaining wide acceptance as a place to store and retrieve personal-
ization information in enterprise applications. For example, most enterprise portals
support LDAP as a means of obtaining the information needed for personalization.
1.3.4 Roaming profiles
Closely related in many respects to personalization, but focused more on operational
preferences than content preferences, is the concept of roaming profiles. Roaming
profiles allow users to authenticate to an application on any machine and get an
identical environment. You do so by storing considerable individual configuration
options in a directory.
In addition to enabling roaming, directory-based security also offers the potential
to lock down certain configuration items or create organizational or group defaults.
In environments with less-sophisticated users, doing so makes it possible to update
user configurations without a system administrator needing to make a trip to each
cubicle or spend time on the phone walking a user through complicated steps within
an application.
Few stand-alone applications provide roaming profiles. Part of the reason is that
most applications vary widely in their configuration. Thus each application may
require additional information in the directory server to enable storage of that appli-
cation’s configuration values.
This requirement showcases a common conflict between application developers,
who often want to change schema to meet their applications’ needs, and system
administrators, who realize that changes in schema require a great deal of administra-
tive effort. The challenge is deciding where to draw the line between generally useful
information that belongs in a directory and application specific information that
belongs elsewhere. We will discuss this conflict further in chapter 2.
1.3.5 Public Key Infrastructure
Traditional authentication and encryption systems use secret (symmetric) keys. Gener-
ally speaking, a secret key system requires both ends of a communication to know a
shared secret that will be used to hide the communication. The right secret produces
a legible message, which both protects the message in transit and indicates that the
message was written by the other party, because they were the only other ones with
knowledge of the secret. This approach works well as long as the secret isn't compro-
mised and you communicate with few enough people that you can manage a separate
shared secret with each one.
Public key technology changes all this and makes the process more scalable. In this
system, two keys are produced. One key, called the private key, is still secret. However,
unlike the secret key in a shared-secret system, the private key is never shared with any-
one. Instead, a second key called the public key is distributed. A public key can be
placed in a digitally signed container called a digital certificate. Such certificates are
commonly used to distribute public keys.

A successful deployment of public key infrastructure is highly dependent on a well-
designed directory services infrastructure. An LDAP-enabled directory answers the
question of where to store and locate digital certificates. Centrally storing digital cer-
tificates in a directory allows people and applications to find certificates on demand
for business partners and peers with whom they need to communicate securely.
In addition to helping you locate certificates for encryption, directories let you find
a list of certificates that have been revoked prior to their expiration time. These cer-
tificate revocation lists (CRLs) are commonly stored in LDAP-enabled directories.
This book is not specifically about Public Key Infrastructure (PKI), but PKI is one
common application that uses directories. We discuss the use of directories with PKI
in much more detail in chapter 13.
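As an added example (not from the book), here is a parser for the LDAP URL syntax of RFC 2255 (later revised as RFC 4516), the form in which a certificate's CRL distribution point extension commonly names the directory entry holding the CRL, together with the sanity checks a CRL fetcher should apply before following such a URL. It uses only the Python standard library; the sample URLs, host name and DNs are constructed for the example.

```python
# Added example (not the book's code): parse ldap[s]://host:port/dn?attrs?scope?filter?exts
# as used in CRL distribution points, and check it before fetching. Standard library
# only; the URLs, host and DNs used for testing are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote

@dataclass
class LdapUrl:
    scheme: str
    host: str
    port: int
    dn: str
    attributes: list
    scope: str
    filter: str
    extensions: list

def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP URL into its RFC 2255/4516 components, percent-decoded."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    dn = unquote(parts.path.lstrip("/"))
    # The query is '?'-separated in fixed order; a '?' inside the filter
    # must be percent-encoded, so a plain split is correct here.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs = [unquote(a) for a in fields[0].split(",") if a]
    scope = unquote(fields[1]).lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope: " + scope)
    filt = unquote(fields[2]) or "(objectClass=*)"
    exts = [unquote(e) for e in fields[3].split(",") if e]
    return LdapUrl(parts.scheme, parts.hostname or "", port, dn, attrs, scope, filt, exts)

def check_crl_dp(url: str) -> list:
    """Problems a CRL fetcher should refuse on, rather than guess around."""
    u = parse_ldap_url(url)
    problems = []
    if not u.host:
        problems.append("no host: the URL leaves the server to be chosen by the client")
    if u.scope != "base":
        problems.append("scope is not base: a CRL distribution point names one entry")
    if u.attributes not in (["certificateRevocationList;binary"], ["certificateRevocationList"]):
        problems.append("does not request exactly the certificateRevocationList attribute")
    critical = [e for e in u.extensions if e.startswith("!")]
    if critical:
        problems.append("unsupported critical extensions: " + ",".join(critical))
    return problems

if __name__ == "__main__":
    sample = ("ldap://ldap.example.com/cn=CRL%201,ou=PKI,o=Example"
              "?certificateRevocationList;binary?base?(objectClass=cRLDistributionPoint)")
    print(parse_ldap_url(sample))
    print(check_crl_dp(sample) or "ok")
```

check_crl_dp refuses rather than guesses: an LDAP URL with no host leaves the choice of server to the client, and for a URL taken out of a certificate that means following whatever the client's default server happens to be. Transport security is a separate question. A CRL fetched over plain ldap:// is trustworthy if, and only if, the issuer's signature on it and its thisUpdate/nextUpdate window are verified after the fetch; the directory is a distribution channel, not the root of trust.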
1.3.6 Message delivery
On the Internet, messages are routed based on the fully qualified host name to the
right of the at sign (@). Such routing is typically done by using the DNS to identify
the IP address associated with the human-readable fully qualified host name.
Once a message has been routed to the correct machine, it is delivered on that
machine based on the username to the left of the @. Many mail systems now support
the use of LDAP to determine how to deliver a message.
The delivery process can include advanced operations, such as locating the exact
mail drop for the user in a cluster of mail servers. However, the most common usage
is for allowing full-name email aliases and implementing email lists.
As mentioned in section 1.3.3, directories can help you target mailings based on
information associated with identities. In an LDAP directory, users are often placed
together in groups, either as a list of users or as a dynamic specification (such as all
users in department A). These groups can be used for authorization, personalization,
and even mailing lists.
We discuss group schemas in chapter 2. Examples of managing groups appear in
chapter 7.

1.4 BRIEF HISTORY


The previous section makes it obvious that there are a wide variety of uses for LDAP-
enabled directory services. Many of these uses first came about with earlier stan-
dards—particularly X.500, which we mentioned briefly earlier in this chapter. In this
section we will take a quick look at how LDAP came to its latest incarnation.
1.4.1 X.500 and DAP
LDAP is a TCP/IP-based client/server directory access protocol originally based on a
subset of the X.500 Directory Access Protocol (DAP). X.500 is a comprehensive set
of standards from the ITU Telecommunication Standardization Sector (ITU-T) that
describes all aspects of a global directory service. X.500, like many standards, has

gone through many revisions; work is still in progress to update it further. As shown
in figure 1.7, a client originally talked to an X.500 server using the DAP protocol.
Designed to be the standard directory service for the Open Systems Interconnec-
tion (OSI) world, X.500’s fortune has risen and fallen over the years, but it still has a
substantial following. Early on, X.500 was accepted by many large information tech-
nology (IT) organizations as the direction for global directory services. Although early
products had their problems, they also showed a great deal of promise. Many large
companies and universities implemented pilot projects, usually involving the hosting
of white pages.

[Figure 1.7 diagram: X.500 Client --DAP--> X.500 DSA]
Figure 1.7 The X.500 client uses DAP to communicate with the X.500 Directory System
Agent (DSA).

One big issue arose very quickly with X.500: the fact that its access protocol required
an OSI protocol stack and complex binary encoding of structures represented in a
language called Abstract Syntax Notation One (ASN.1). Most desktop computers at
the time were ill equipped to deal with DAP.
As Internet Protocol (IP) became the dominant networking standard, DAP’s OSI
origins made it less attractive. Many of the organizations piloting X.500 directories
had already adopted IP and were looking for a protocol with less baggage for client
access. Even worse, X.500’s complexity and the lack of freely available standards doc-
uments or easy-to-use APIs made it difficult to develop clients without paying fees to
the ITU-T.
As we’ve stated since the beginning of this chapter, even the best directory is useless
when applications are not available to take advantage of it. Several white pages appli-
cations were available, but an electronic phone book is often not enough to justify the
expense of collecting and cleansing all the information necessary to make a directory
truly useful.
1.4.2 A new standard is born
In 1991, after a few false starts with other potential standards, LDAP was brought
forth as a lightweight means for accessing the DAP-enabled directories of the X.500
world. The first set of standards, LDAPv2, was eventually defined and accepted by
the Internet Engineering Task Force (IETF), the standards body responsible for
many important Internet standards, as RFCs 1777 and 1778.
These standards provided basic authentication, search, and compare operations, as
well as additional operations for changing the directory. From the start, LDAP made

[Figure 1.8 diagram: LDAP Client --LDAP--> LDAP Server --DAP--> X.500 DSA]
Figure 1.8 The X.500 client goes away, replaced by an LDAP client
talking to an LDAP server. Here, the LDAP server acts as a gateway
between LDAP-aware clients and DAP-aware X.500 DSAs.

X.500 more accessible, as intended. Figure 1.8 shows an X.500 server being accessed
by an LDAP gateway service that is forwarding requests from an LDAP client.
Almost as important as the protocol itself was the release of a standard API and the
production of a client development kit. For the first time, it was possible to access
these servers programmatically without wandering knee-deep into an arcane protocol.
1.4.3 LDAP goes solo
As time went by, some people began to wonder what made X.500 so special in the
first place. The University of Michigan, which had developed the reference imple-
mentation of LDAP, released a stand-alone server called Slapd that would allow the
LDAP server to present data from a local data store rather than simply act as a gate-
way to an X.500 server.
Slapd was followed by a second service called Slurpd, which read the changes from
one server and replicated those changes via the LDAP protocol to other Slapd servers.
Figure 1.9 shows a typical stand-alone LDAP environment.

[Figure 1.9 diagram: LDAP Client --LDAP--> LDAP Server (Slapd) --LDAP (Slurpd)--> LDAP Replica (Slapd)]
Figure 1.9 An LDAP client talks to a Slapd server. X.500 is no longer involved.

At this point, Netscape hired most of the original developers from the University of
Michigan Slapd server to develop the Netscape Directory Server. Netscape, which was
riding high with an incredible share of the Internet browser market, decided that net-
works would require directories and that LDAP, not X.500, should be the standard.
Nearly 40 other companies announced support at that time, bringing LDAP the focus
and support it needed to become the de facto standard for directory services.

1.4.4 LDAPv3
LDAP may have gained acceptance as a stand-alone service, but it was far from com-
plete. Due primarily to its reliance on X.500 servers to provide the server-to-server
communications, access control, and other functionality, LDAP was still only a skele-
ton of a full directory service by the mid-1990s.
Many interested parties pushed forward with the development of the next gener-
ation of the LDAP standards. In December 1997, the new version was published as
RFCs 2251 to 2256. These new specifications covered items including the protocol
itself, mandatory and optional schema, and LDAP URLs. A set of standard authenti-
cation mechanisms and a standard for session encryption were added to the list of core
specifications in 2000. Figure 1.10 shows the core specifications that make up the
LDAP standard.

[Figure 1.10 diagram: Core LDAP Standards]
  Protocol (RFC 2251)
  Mandatory Schema (RFC 2252)
  Distinguished Names (RFC 2253)
  Search Filters (RFC 2254)
  LDAP URLs (RFC 2255)
  User Schema (RFC 2256)
  Authentication Methods (RFC 2829)
  Transport Layer Security (RFC 2830)
  Digest Authentication (RFC 2831)
Figure 1.10 The IETF has been the primary standards body for most of the existing
LDAPv3 specifications. This figure shows a list of published RFCs that are
considered the core LDAP standards.

1.5 LDAP REVISIONS AND OTHER STANDARDS


LDAPv3 was considered a great leap forward in several key areas, but it takes more
than a protocol to make a directory service successful. It is now up to several stan-
dards bodies and industry consortia to enhance the LDAP core specifications and
build a framework that allows directories from different vendors to interoperate, or at
least share some of the most crucial information in a standard way, and play a more
pivotal role in e-business. Figure 1.11 shows some of the many standards bodies and
industry consortia that shape directory standards and define best practices in deploy-
ment and management.

[Figure 1.11 diagram: Internet Engineering Task Force (IETF), LDAP Standards, at the center; around it: Distributed Management Task Force (DMTF), Common Information Model (CIM); OASIS, Directory Services Markup Language (DSML); Open Group, Directory Interoperability Forum (DIF), LDAP2000 Interoperability; Network Applications Consortium (NAC) Users Group]
Figure 1.11 Many industry consortia and standards bodies are involved with LDAP and
related standards, but most have a narrow focus.

1.5.1 Replication and access control


Version 3 of the LDAP protocol was greatly improved from version 2, but lacked two
important items: replication and access control. The IETF has created workgroups to
deliver these missing pieces and others, as shown in figure 1.12.

[Figure 1.12 diagram: LDAPExt Workgroup: Access Control, Controls, APIs; LDUP Workgroup: Replication; LDAPbis Workgroup: LDAPv3 Protocol Revisions]
Figure 1.12 IETF workgroups are trying to fill in the gaps left after the initial
publication of LDAPv3.

Lack of a standard replication process has since become an interoperability nightmare
as each LDAP server vendor implemented its own proprietary solution. Many prod-
ucts use simple LDAP protocol operations to distribute data as shown in figure 1.13.
However, even those solutions using the LDAP protocol sometimes require propri-
etary controls or attributes.
Many parties recognized that replication was critical to obtaining scalability,
redundancy, and other important benefits. To resolve this issue, the Lightweight
Directory Update Protocol (LDUP) working group was created within the IETF. At
the time of this writing, the group has completed draft documents detailing require-
ments, a model for meeting those requirements, conflict resolution processes, and a
protocol specification. The use of replication is discussed further in chapter 6.

[Figure 1.13 diagram: New Entry --LDAP--> Supplier Directory --LDAP--> Consumer Directory]
Figure 1.13 Supplier-to-consumer replication exists in some products
using the LDAP protocol. Unfortunately, most need to use proprietary
attributes or controls to get around current limitations in the specifications.

In addition to the supplier-consumer model of replication available in most existing
directory servers, LDUP was chartered with allowing for multiple directory masters
for the same information, which is shown in figure 1.14. It also documents a process
for resolving conflicts that may arise when different and potentially conflicting
changes are made independently to the same entry on each master. In addition,
LDUP defines a protocol that can be used for both supplier-initiated and consumer-
initiated replication.
Security was further along in some respects. The Simple Authentication and Secu-
rity Layer (SASL), originally developed for the Internet Message Access Protocol
(IMAP), was added as a core LDAP standard early on as a way to negotiate an appro-
priate type of client and/or server authentication and even session encryption.
Developing a standard for access control has proven to be much more time con-
suming and has produced fewer results. As shown in figure 1.15, such a standard will
allow a server to determine if an authenticated entity should be able to read or update
a particular entry or an entire portion of the directory.

[Figure 1.14 diagram: New Entry --LDAP--> Master Directory <--LDUP Multimaster Replication--> Master Directory <--LDAP-- Another New Entry; each Master Directory --LDUP--> Read-Only Replica]
Figure 1.14 Multimaster replication will allow changes to the same directory
tree in multiple directories.

[Figure 1.15 diagram: Bob Smith --> LDAP-enabled Application --"Can Bob Smith Add Entries to XYZ, Inc.?"--> LDAP Directory (ACLs) --> YES]
Figure 1.15 LDAP access control standards will include a mechanism for determining in
advance whether an operation will be permitted.

The task of creating such a standard fell into the hands of the LDAP extensions
(LDAPEXT) workgroup within the IETF. This workgroup was formed to handle any
extensions needed to the LDAPv3 standards outside of replication. As this book is
being written, most activities of the LDAPEXT workgroup have been moved to indi-
vidual submissions and will likely become an informational RFC rather than a full
standard. Some aspects of access control may be pursued as part of the interoperabil-
ity requirements for replication.
To understand why access control might be bundled with the replication work-
group, think about the fact that any replication of information outside a vendor’s
products will render that data insecure—other vendors will not know the access con-
trol rules of the source data. Any practical solution for replication is dependent on a
standard for access control. We will look at access control further in chapter 13 when
we discuss directory security in more detail.
1.5.2 Directory Enabled Networking
As computer networks evolve to support more variety and depth of services, the com-
plexity of network management increases accordingly. Most network devices, includ-
ing routers and switches, have traditionally been configured using command-line
shells. Although this configuration enables relatively consistent management of a sin-
gle device, it does nothing to simplify the coordination of configurations across large
numbers of devices. Such coordination is critical when you’re enabling guaranteed
quality of service and other offerings that span multiple devices.
Directory Enabled Networking (DEN) provides a way for devices to configure
themselves based on information in a directory. Originally an initiative from
Microsoft and Cisco, DEN is now part of the CIM defined by the DMTF.
CIM is a set of object-oriented, implementation-neutral schemas that represents
logical and physical attributes of hardware and software. The DMTF, rather than
being protocol architects like the IETF, focused primarily on creating common
object definitions that allow two CIM-aware applications to store and use informa-
tion consistently.
Contrary to popular belief, CIM and DEN are not LDAP-specific information
models, but are instead “meta” models that can be specialized for a number of

environments, of which LDAP is one. XML is an example of another way that CIM
objects can be represented.
Momentum behind DEN as the killer application that would drive directories has
died down to an extent over the last few years, and most of the work around directories
has moved to identity management solutions. In this book, we will not focus on DEN
as a specific application due to the current lack of software and hardware that can truly
exploit this technology.
1.5.3 XML and directories
The eXtensible Markup Language (XML) is an industry standard language used to
define structured documents. It offers a set of common tags for defining data about
data, or metadata. This metadata can be used to describe particular document types.
Instances of documents implementing these types can then be shared and used by
XML-aware applications.
DSML is an XML document type that can be used to create structured documents
representing information in a directory service. This information represented in
DSML can include both directory entries and schema information. DSMLv2 extends
the specification to cover the representation of directory operations. Documents con-
forming to these standards can be exchanged using non-directory protocols like
HTTP, as shown in figure 1.16. Many new services that support DSML are becoming
available from both large vendors (Sun and Microsoft) and startups.

[Figure 1.16 diagram: DSML-Enabled Application <--DSML File over HTTP/FTP/SMTP/etc.--> DSML Service <--LDAP Entry over LDAP--> LDAP Server]
Figure 1.16 Here a DSML-enabled application talks to a DSML service that acts
as an intermediary between an LDAP server and the DSML-enabled application.

DSML is most useful in applications that are already XML enabled. These include
most modern application servers. DSML is especially useful in cases where direct
access to the directory would normally not be permitted. For example, consider a sit-
uation in which a firewall is blocking all traffic except HTTP. To get around this lim-
itation, a DSML encoding of a directory entry can be transmitted over the HTTP
protocol for interpretation and presentation. Such a situation is shown in figure 1.17.

[Figure 1.17 diagram: DSML-Enabled Application <--DSML File over HTTP/FTP/SMTP/etc., through a Firewall--> DSML Service <--LDAP Entry over LDAP--> LDAP Server]
Figure 1.17 DSML is useful for sharing directory information across fire-
walls that might limit direct access to directories.

Emerging standards like Simple Object Access Protocol (SOAP) make it clear that
LDAP will not be the only standard for sharing directory information in the future.

1.6 DIRECTORY MANAGEMENT


Despite the importance of having well-defined standards, it is rarely the reason for a
directory services–related project to fail. Rather, the biggest headache with most new
directory deployments is proper management of information in the directory. In the
days when enterprise directories were used primarily for storing white pages informa-
tion, it was often adequate to simply import information into the directory periodi-
cally from other, more authoritative data sources. Due to the lack of sophisticated
management tools, there wasn’t much choice.
Today, directory management tools for users and groups are much more sophisti-
cated. In addition to giving a central administrator the ability to change information
about objects in a directory, these tools typically allow for delegation of administrative
duties and even user self-management, where appropriate.
This ability to distribute administration works well in intranet and Internet envi-
ronments, but it is especially critical in extranet environments where multiple organi-
zations are working together, potentially using the same applications and data. In such
environments, the segmentation of administration and access is very important (see
figure 1.18).
For example, a car manufacturer with just-in-time manufacturing facilities needs
to give its business partners access to certain systems in its extranet. Access to appli-
cations on the extranet is controlled based on identities in each of its distributors and
component suppliers. Tracking by identity offers audit trails, which will deter a ran-
dom individual from anonymously ordering unauthorized parts.
The problem is, in addition to the employees at the company, such an extranet
environment including suppliers and distributors may include hundreds of thousands,

[Figure 1.18 diagram: a Directory with Delegated Administration partitioned into Manufacturer Employees, Supplier Employees and Distributor Employees; the Manufacturer, Supplier and Distributor each administer their own partition]
Figure 1.18 Directories can be segmented such that administration
can be delegated to business partners. Such separation may be logical
rather than physical.

if not millions, of users. Trying to manage all these users centrally would be an incred-
ible effort.
By segmenting users by company and other means, you can push administration
of identities to primary contacts within each of the business partners, thereby reducing
administrative overhead. Aside from reducing administration costs, this approach also
ensures better accuracy by pushing identity management closer to the identities being
managed.
Information that is not related to identities and groups can still be difficult to man-
age with off-the-shelf products. This is the case primarily because little attention has
been paid to other advanced uses of directories, such as DEN, which require manage-
ment of more exotic information.
In chapter 7, we will look at managing all types of directory entries, complete
with example applications to reduce manual data entry and allow some degree of user
self-management.

1.7 DIRECTORY INTEGRATION


Many organizations spend months designing the schema, entry naming, and other
related aspects of an enterprise directory service without considering the need for
integration with existing information repositories. What usually results is a

well-designed, standards-based directory service that contains stale information and is
nearly useless.
Meanwhile, legacy data stores that contain mission-critical information continue
to thrive because they contain fresh information, although in a way that is often incon-
venient to access from new applications and nearly impossible to access from off-the-
shelf applications without substantial custom development. Figure 1.19 shows how
this typical scenario plays out.

[Figure 1.19 diagram: the User finds Spoiled Data (No Value!) in the Well Designed, Standards-Based Directory Service, and Important Business Data (Useful!) in the Awful, Proprietary, Legacy Directory]
Figure 1.19 Data in legacy systems is nearly always more useful than data in poorly
integrated new systems.

By designing and implementing an appropriate level of directory integration between
legacy data stores and the new directory service, you can dramatically increase the
value of the new directory (see figure 1.20).

[Figure 1.20 diagram: Directory Integration links the Well Designed, Standards-Based Directory Service and the Awful, Proprietary, Legacy Directory; both now hold Important Business Data and the User finds it Okay!]
Figure 1.20 Some level of directory integration is important in increasing the value of
applications using new directory services.

Directory integration is far more complicated than simply synchronizing everything
from a legacy data store into a newly created directory. It demands that you evaluate
the needs of the applications that depend on both the new and the legacy data stores.
In many cases, both new and legacy applications continue to use their respective data
stores, and very often these applications need access to some of the same information.

Without any directory integration, it is often difficult to get more than a small
group of pioneers to quickly adopt the new applications. A new application may have
substantially better functionality, but without the proper data it will be difficult to
move the masses that use the legacy applications to the new environment. This issue
is demonstrated in figure 1.21.

[Figure 1.21 diagram: Standard Directory <-- New Application <-- Pioneers; The Masses --> Legacy Application --> Legacy, Proprietary Directory; no connection between the two directories]
Figure 1.21 It is difficult to move the masses to new applications based around a standards-
based directory when important information still resides only in a legacy directory.

By using integration techniques, such as synchronization, you can create a high
degree of interoperability between the two environments. This approach, shown in
figure 1.22, provides the necessary data flow between the two directories, offering a
relatively easy migration path to the new environment. It also ensures that the infor-
mation in both environments is consistent.

[Figure 1.22 diagram: Bi-Directional Directory Integration between the Standard Directory and the Legacy, Proprietary Directory (Interoperability! Migration Path!); Pioneers use the New Application, The Masses use the Legacy Application]
Figure 1.22 Synchronization is often necessary to offer a migration path from legacy to
new applications or interoperability where legacy applications will not be migrated.

Consolidating these two environments can vastly simplify management. For example,
you may find a way for a Unix-based system to use the same directory as your white
pages application to store password information.
However, not every connected data store is a candidate for consolidation. Take,
for example, a human resources application that relies on a set of database tables to
store information. It may not make sense from an application functionality perspec-
tive for that particular application’s data store to be consolidated into an enterprise
directory. Some of the information may fit better in relational databases for the rea-
sons we stated in section 1.2.1, whereas other information may not be a good

candidate for synchronization because of privacy concerns. So, instead of attempting
to directly replicate everything from human resources into the directory, you need a
form of intelligent synchronization.
In the area of identity management, directory integration almost always seems like
a great idea in theory. For example, the management of users’ computer accounts in
a particular organization from hire to fire demonstrates the value of synchronization
and other advanced integration technology.
Today, it is often necessary to touch multiple data repositories to commit a single
change uniformly to all the places that store information about a person. These
changes are usually performed by different application and system administrators. In
more mature environments, changes may be synchronized with scripts to facilitate this
process. When administrators do not coordinate their changes, or if an automated syn-
chronization script fails, the data repositories are no longer synchronized, and at least
one of the repositories will contain stale data.
If this stale data is simply a telephone number, the impact is probably minimal.
However, if an account must be deleted or suspended due to an employee’s termina-
tion, the data repository with stale data is at risk from the terminated employee. If the
stale data resides in an enterprise directory that is used for authenticating and autho-
rizing users to all non-legacy systems and applications, this one failed change can
potentially put the organization’s entire intranet at risk. Proper directory integration
is key to reducing these types of risks. For this reason, it is important to spend an ade-
quate amount of time planning for integration.
A general integration planning process entails identifying which data elements exist
in each existing data source, selecting those that should be shared, and mapping
between the source and destination schema (see figure 1.23).
This process and ways of implementing it are described in detail in chapter 7.
1.7.1 Integration via metadirectories
We cannot emphasize enough that the consolidation of all data repositories into a single enterprise directory within even the smallest of organizations is not likely to happen in our lifetimes. Even if it were possible to rewrite every legacy application to use a single standard, different directory and database software is better for different tasks. As shown in figure 1.24, this leads to many different environments within an organization that have different variations of the same user.

In the past few years, a new breed of applications called metadirectories has come to market to remove some of the burden associated with directory integration. Although it may sound like yet another directory, a metadirectory is really a sophisticated directory integration toolkit.

You can use metadirectories to connect and join information between data sources, including directories, databases, and files. The connection process usually involves identifying changes in each data source. Such a connection may be real-time monitoring of changes using a direct access method into the connected data store, an occasional scan of a file-based list of changes, or a review of a full export from the connected data store.

[Figure 1.23 diagram: three repositories hold the same person under different identifiers: an Oracle Database (sjones), a White Pages Directory (sam.jones) and an HR Database (sam jones). An Integration step combines them into a Normalized View of Sam Jones. Attribute key: 1 Password, 2 Telephone, 3 Email, 4 Department, 5 Manager; attributes 1 and 2 are drawn beside the Oracle Database, 3 beside the White Pages Directory, and 4 and 5 beside the HR Database.]

Figure 1.23 Multiple data repositories typically store information about a person. Deciding which attributes come from where and mapping them to a normalized schema is an important part of any directory integration process. Note that the word normalized here should not be confused with database normalization rules.
The join process is much more complicated and usually involves several steps. Its most important job is determining that an object in one data source is the same as an object in a second data source. This aggregation of information from multiple data sources is one of the most important features of a metadirectory and the heart of the join process. Other tasks performed by a metadirectory may include unification or mapping of schema and object names, filtering unwanted information, and custom processing and transformation of data. Figure 1.25 shows a relatively logical view of how a metadirectory might work to provide a linkage between key enterprise information repositories.

With careful planning, you can create an environment in which users can be created at a single point. Then, the metadirectory service will instantiate a subset of the
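As an added illustration of the join and mapping process just described, and of the hire-to-fire stale-account risk discussed earlier in this section, here is example code that is not from the book: it joins three constructed, in-memory sources modelled on figure 1.23 (an Oracle account table, a white pages directory and an HR database, all with hypothetical column names), builds the normalized view with a source of authority per attribute, keeps the privacy-sensitive HR salary out of the sync, and reports live accounts that belong to people HR marks as terminated.

```python
"""Metadirectory-style join and hire-to-fire consistency check.

Added example, not code from the book. The three "exports" below are constructed
in-memory stand-ins for an Oracle account table, an LDAP white pages directory and
an HR database; every column and attribute name here is hypothetical.
"""

# --- constructed sample data (the three sources of figure 1.23) ---------------
ORACLE_DB = [  # application account table; logins are terse, e.g. "sjones"
    {"login": "sjones", "password_hash": "{SSHA}constructed-1",
     "telephone": "+1 555 0101", "enabled": True},
    {"login": "rkim", "password_hash": "{SSHA}constructed-2",
     "telephone": "+1 555 0102", "enabled": True},
]
WHITE_PAGES = [  # LDAP white pages; carries the HR employee number
    {"uid": "sam.jones", "mail": "sam.jones@example.com", "employeeNumber": "1001"},
    {"uid": "rosa.kim", "mail": "rosa.kim@example.com", "employeeNumber": "1002"},
]
HR_DB = [  # HR is the source of authority for employment status
    {"emp_no": "1001", "name": "Sam Jones", "department": "Engineering",
     "manager": "1002", "salary": 123000, "status": "active"},
    {"emp_no": "1002", "name": "Rosa Kim", "department": "Engineering",
     "manager": None, "salary": 150000, "status": "terminated"},
]

# Which source owns each attribute of the normalized view (figure 1.23 numbering),
# and which HR data must never be synchronized because of privacy concerns.
SOURCE_OF_AUTHORITY = {"password": "oracle", "telephone": "oracle",
                       "email": "white_pages", "department": "hr", "manager": "hr"}
NEVER_SYNC = {"salary"}


def derive_login(display_name):
    """Join rule for Oracle: first initial + surname, lower case ("Sam Jones" -> "sjones")."""
    parts = display_name.lower().split()
    return parts[0][0] + parts[-1] if len(parts) > 1 else parts[0]


def join_sources(oracle, white_pages, hr):
    """Link every HR person to at most one record in each other source.

    Returns (joined, problems). A person is joined only when every match is
    unambiguous; anything else is reported for review instead of being guessed at.
    """
    wp_by_emp, ora_by_login = {}, {}
    for entry in white_pages:
        wp_by_emp.setdefault(entry["employeeNumber"], []).append(entry)
    for account in oracle:
        ora_by_login.setdefault(account["login"], []).append(account)

    joined, problems = {}, []
    for person in hr:
        emp = person["emp_no"]
        wp_hits = wp_by_emp.get(emp, [])
        ora_hits = ora_by_login.get(derive_login(person["name"]), [])
        if len(wp_hits) > 1 or len(ora_hits) > 1:
            problems.append((emp, "ambiguous match; needs manual review"))
            continue
        joined[emp] = {"hr": person,
                       "white_pages": wp_hits[0] if wp_hits else None,
                       "oracle": ora_hits[0] if ora_hits else None}
        for source in ("white_pages", "oracle"):
            if joined[emp][source] is None:
                problems.append((emp, "no record in " + source))
    return joined, problems


def normalize(joined, emp):
    """Build the normalized view for one person; each attribute records its source."""
    rec = joined[emp]
    hr, wp, ora = rec["hr"], rec["white_pages"], rec["oracle"]
    # Transformation: HR stores the manager as an employee number; the view wants a uid.
    manager = joined.get(hr["manager"], {}).get("white_pages") if hr["manager"] else None
    candidates = {
        "oracle": {} if ora is None else {"password": ora["password_hash"],
                                          "telephone": ora["telephone"]},
        "white_pages": {} if wp is None else {"email": wp["mail"]},
        "hr": {"department": hr["department"],
               "manager": manager["uid"] if manager else None,
               "salary": hr["salary"]},  # present in the export, filtered below
    }
    view = {}
    for attr, source in SOURCE_OF_AUTHORITY.items():
        value = candidates[source].get(attr)
        if value is not None:
            view[attr] = {"value": value, "source": source}
    if NEVER_SYNC & view.keys():  # defensive guard on the privacy filter
        raise ValueError("privacy filter violated: " + ", ".join(NEVER_SYNC & view.keys()))
    return view


def find_stale_accounts(joined):
    """Hire-to-fire check: a terminated person must not keep a live account anywhere."""
    actions = []
    for emp, rec in sorted(joined.items()):
        if rec["hr"]["status"] != "terminated":
            continue
        if rec["oracle"] is not None and rec["oracle"]["enabled"]:
            actions.append((emp, "oracle", "disable login " + rec["oracle"]["login"]))
        if rec["white_pages"] is not None:
            actions.append((emp, "white_pages", "remove or lock uid " + rec["white_pages"]["uid"]))
    return actions


if __name__ == "__main__":
    joined, problems = join_sources(ORACLE_DB, WHITE_PAGES, HR_DB)
    for emp in joined:
        print(emp, normalize(joined, emp))
    print("problems:", problems)
    print("stale accounts:", find_stale_accounts(joined))
```

Run as a script it prints the normalized view of each person, any join problems, and the two suspension actions for the terminated employee; a real deployment would replace the inline lists with LDAP searches, database queries and HR exports.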

real one, made them bestir themselves. Conceiving it to be General
Gazan's intention to give us battle, we detached our light companies
towards his left flank, and supported the movement with the rest of
the brigade. The enemy's centre and right wing were attacked about
the same time by our friends in the centre, and in a short time
forced to retire from Barrueta. Gazan seeing his left wing turned,
and his right wing and centre about to be driven from their
stronghold behind the village, gave orders to those immediately
opposed to us, to follow the example of their friends, and retire
towards Elizonda.
There being but one road by which the enemy could retire, and that
one too narrow for the rapid retreat of 7000 men, part of the French
troops moved through corn fields between the road and the
Bidassoa, and two or three battalions were thrown across the river,
whither they were pursued by some Portuguese infantry. From the
time Gazan began to retreat, he never attempted to make a stand,
but occasionally turned round, and after peppering us for a few
minutes from behind a wall, hedge, or from the windows of a house,
again took to his heels. Some of our light troops on those occasions
conceiving it imprudent to attack the enemy in their strongholds,
flanked them by moving into the fields, so that the former were
always ready to pour a few vollies of musketry on the latter, the
moment they retired from their temporary forts. In this manner the
retreat and pursuit were conducted till both parties arrived at
Elizonda. To prevent a surprise, the enemy had previously run a wall
round the town, from behind which, they annoyed our light troops
as they closed upon them. The French being forced at length to yield
possession of the southern entrance, we walked on, pursued the
fugitives through the various streets amidst the loud acclamations of
the inhabitants, who, before the enemy had finally relinquished their
hold of the northern gate, were ringing a merry peal in honour of
their deliverance. This spontaneous effusion of loyalty was so grating
to the ears of the French soldiers, that, on taking leave of the town,
they swore to be revenged on it the first time they returned.
On being driven from his position in the valley of Bastan, General
Gazan retired with the main body of his corps to a high ridge at the
head of the valley, and with his left foot in France, and his right foot
in Spain, prepared to give us another meeting before he relinquished
his hold of the last position he could now lay claim to in Spain. This
position was reconnoitred by the Marquis of Wellington on the 6th,
and again on the morning of the 7th. At the close of the last
reconnoissance, preparations were made for an immediate attack,
with the view of ridding this part of the Peninsula of the presence of
the invaders.
The right of General Gazan's corps occupied a high and very steep
mountain, called the Rock of Maya. His centre columns were posted
on two heights considerably lower than the other, and about a mile,
and mile and half distant; and the left rested on another height still
farther to the left. In front of the left centre there was a ridge which
ran all the way to the village of Maya,—nearly two miles. On this
ridge the enemy had placed some light troops, and again, a mile in
front of Maya, another body to watch our motions.
The second brigade of the second division being encamped on the
right bank of the Bidassoa, was pitched upon to attack the rock,
while the other brigades should endeavour to drive the enemy from
the other points of their position. Accordingly, the former got under
arms about 11 o'clock, a.m. on the 7th of July, and ascended a
mountain on their left, over which a narrow foot-path led to the
rock, five miles distant. When the second brigade marched from its
ground the sky was clear, but fortunately for our friends, a dense fog
crowned the conical summit of the rock, just as they were about to
cross an adjoining eminence, so much lower than the other, that but
for this the enemy would have been able to form a correct estimate
of the numerical strength of the attacking column. With the able
assistance of this potent ally, the second brigade approached the
enemy undiscovered, till they had arrived within a very short
distance of the summit of the rock. They were no sooner perceived,
however, than their opponents poured down on them showers of
bullets; but the action, though severe, was very short, for, making
use of the bayonet, the second brigade soon rid the summit of the
mountain of the presence of the enemy.
In order to deceive the French General in regard to our real
intentions, the other brigades remained quiet in their camp for
nearly two hours after their companions had quitted theirs. By this
little manœuvre the French were lulled into a fatal security, for, until
they saw us fairly under arms, they fancied themselves reposing in
perfect safety. On moving from our camp a little in front of Elizonda,
we directed our steps towards Errazu, behind which the most
advanced of the enemy's troops were stationed. As we approached
them, they retired towards the village of Maya. At first they retired
slowly, but the firing on the rock caused them latterly to accelerate
their motion. The same cause made us imitate them, in order that
we might be at hand to render our friends assistance should Gazan
attempt to regain by force his lost possession.
The first brigade, followed by Colonel Ashworth's Portuguese,
advanced rapidly up the valley, passed Maya at a trot, and then, with
the 6th Caçadores on our left, moved towards the enemy, with
whom our light companies soon came in contact. The firing at this
point was kept up with considerable vivacity for some time, but with
little loss to either party. Pending these operations of the light
troops, the 6th Caçadores had advanced close to the enemy
scattered over the northern slope of the rock, with the intention of
preventing us communicating directly with the second brigade. A
smart running fire was the consequence of this collision, which
lasted with little intermission till night. Having succeeded in driving
back the enemy, and establishing themselves in this post, the 50th
regiment was ordered to a height upon their right, close and
immediately opposite to the enemy's right columns. These various
movements at length brought a considerable number of the
combatants into close quarters. The shots at first were as usual
rather long, but as the afternoon advanced they became shorter, till
the 50th and the enemy were more than once on the point of
crossing bayonets. Being rather hard pressed, the 92d regiment
moved to their assistance, but the "old half-hundred" had in its usual
off-hand manner repelled the assault previous to the arrival of their
Highland brethren.
General Gazan, heartily ashamed of having so tamely yielded up the
possession of a post which he should have held while he had a man
remaining, made many desperate attempts to regain it, but in all of
them he was beat back with considerable loss. During the whole of
the operations on the rock, nothing could exceed the conduct of the
second brigade, 28th, 34th, and 39th regiments, all of whom had
made up their minds to give their bodies to the eagles that hovered
over their heads, rather than permit the enemy to lodge on the
summit of the mountain that night. The 71st light infantry rendered
us good and efficient service on our right, till night's sable mantle
wrapt every earthly object in impenetrable darkness.
The fog being extremely dense, the night dark, and the French little
more than two hundred yards from our advanced posts, we lay
under arms the whole of the night. So very dark was it indeed, that
on the skirmishers being called in, many of them did not really know
which way to move to rejoin their battalions. In front, and on our left
flank, numbers were, for hours after the action had ceased, bawling,
some Français, others Portuguese. So completely were the poor
devils at fault regarding the situations of their respective friends,
that two French soldiers actually passed one of our piquets, and
were made prisoners before they discovered their mistake.
At day-break on the following day, General Gazan made another
attempt to regain the key of his position, but failing as before, he
kept up a loose irregular firing till about seven o'clock, when, seeing
he could make no impression in that quarter, he took advantage of
the fog to retire with his corps into his own territory. Colonel
Ashworth followed him some distance, and skirmished with his rear-
guard till evening.
When General Gazan retired from the heights of Maya, General
Stewart proceeded to look out for suitable ground for our brigade. In
doing so, he spent fully two hours, there being no convenient spot
but what had previously been occupied by the enemy. Before the
General returned from his tour of inspection, a number had begun to
grumble at the delay in placing us in camp. In this number was
Captain H——s, of the 92d regiment, who would not give credit to
the stories in circulation, relative to the not very praise-worthy habits
of the French soldiery. Seeing that the Captain was not to be
convinced, one of his brother-officers said to him in mere jest, "H
——s, perhaps at this moment some of the gallopers may have
already taken a fancy to you;" and then bending forward as if to
examine whether such was not the case, he, to his own surprise,
was able to convince the Captain of the fact by ocular
demonstration. The Captain instantly sprung from the ground, and
bounded along the heath like a deer for several hundred yards,
stopping only twice to try whether an extraordinary shake of his
polluted ankle would not assist him in getting rid of such vile
intruders.
In the action of the 7th July, three Spanish peasants, inhabitants of
Maya, joined our light troops, advanced into the very heat of the
conflict, and fought with the most determined bravery, till one of
them being killed, and another wounded, the third reluctantly
quitted the scene of action to convey his friend back to his native
village. Had the armies of Spain been composed of such men as
these, the Peninsular contest would have been short indeed.
During the early French revolutionary wars, an opinion prevailed in
the British army, that the French used poisoned balls. That this
opinion still prevailed at the time of which I write, is evidenced by
the fact, that on the evening of the 7th, I heard one of the 50th call
out, as he passed us on his way to the rear, "I know I am a dead
man, I have been wounded by a poisoned ball."
Conceiving it to be the duty of every officer in charge of a company
to record every little anecdote, which can tend to illustrate the
character of the men under their command, I cannot forbear to
notice an act of coolness on the part of a young lad named M'Ewen,
which cannot be too much admired. In the action of the 7th, a
musket ball grazed his bonnet a little above the ear. Instead of
alarming him, however, M'Ewen very coolly turned round his head to
mark the progress of the bullet, and on seeing it bury itself in the
earth a few yards in his rear, shook his head, and said, "O ye
coaxing rascal."
Until we took possession of the heights of Maya, we really knew but
little of the real discomforts of a camp. We had occasionally suffered
severely from sleet, rain, and cold stiff gales, but such a thing as a
hurricane was a total stranger to us. At Maya, however, our position
was so exposed to the four winds of heaven, that blow from
whatever quarter it might, the wind always found us at its mercy.
One evening, after we had retired to rest, our encampment was
visited by a tremendous storm of wind and rain. The former howled,
and the latter battered the slender sides of our tents with such fury,
that many of them were blown down. Every precaution was instantly
taken to keep the tent-poles and cords from snapping, but in many
cases our efforts proved fruitless, for the wind continuing to increase
for some time after, down came one tent, then another, and another,
till more than a half of the whole were level with the ground. I had
just fallen asleep, and was enjoying a very comfortable nap, when
"Cast away, cast away!" from a well-known voice, rung in my ears,
and roused me from my slumbers. I instantly started up, and
fancying what had happened, pulled the strings of my tent, and
gave the cast-away wanderer a hearty welcome. But scarcely had
my friend recited his hair-breadth 'scape from suffocation, when
appearances boded nothing favourable to the little vessel in which
we were. Our servants did all in their power to keep the pole
upright, but seeing that to be impossible, I ordered them to haul it
down, and then, in company with my brother-sufferer, proceeded on
a voyage of discovery.
We proceeded, in the first instance, to the tent of three friends,
which being more favourably situated than ours, we hoped would
afford us shelter. On arriving there, however, all was desolation. We
made two or three other unsuccessful attempts to obtain a
temporary shelter from the surly blast; but despairing of finding it,
and the night being extremely dark, we finally resolved to seek
protection under the brow of the hill, and wait with patience the
coming of the morning light. Pursuing our way, without a light or a
guide, we had considerable difficulty in reaching a spot, where,
protected, we might sit and hear the storm expend its fury over our
heads. At length we got under cover, but had not been half-an-hour
in our new berth, when our feet became so benumbed with cold,
that we found it necessary to move about to bring them again to
their natural heat. Wrapt in our cloaks, and with the rain battering in
our faces, we were jogging along towards our arms, when all at
once we came upon a tent which had withstood the fury of the
storm. We were desired to walk in, and accept of what
accommodation the inmates had to spare. We did so, but finding the
tent pretty well filled with others similarly situated with ourselves, I
left my friend Captain H—— under cover, and after a little more
trouble I found out the residence of an old friend, where I remained
during the remainder of the storm.
When day dawned, nothing but desolation was to be seen in our
camp. Out of fifty tents, few were standing, more than the half of
them were complete wrecks, and a number of the others were
seriously injured. The men's arms and accoutrements were greatly
damaged, and a considerable portion of our ammunition was
destroyed.
CHAPTER XXII.
The disastrous issue of the battle of Vittoria, and subsequent retreat
of the French army into their own country, having convinced
Napoleon that neither his brother Joseph, nor Marshal Jourdan, were
qualified to lead the armies of France to victory, he instantly
dispatched Marshal Soult from Germany, with unlimited powers, to
take the command of the French army on the lower Pyrenees, and
oppose the farther progress of the British General in that direction.
From the first moment of Soult's appointment being known to us, we
anticipated warm work; and he seemed determined that we should
not be disappointed. On the 23d of July he issued an order of the
day, intimating that his instructions were "to drive the English from
the lofty heights which enabled them proudly to survey their fertile
vallies, and chase them across the Ebro." "Let the accounts of our
success," continued Soult, in the true Napoleon style, "be dated from
Vittoria, and the birth-day of the Emperor celebrated in that city."
This, although sheer bombast, was not a little ominous of what was
to follow,—broken heads and mutilated limbs.
On the 25th of July, the day which developed to us the mighty plans
by which Soult intended to carry the orders of the Emperor into
execution, the allied army occupied the following positions,
extending from Roncesvalles on the right, to St Sebastian on the left.
The third brigade, second division, commanded by General Byng,
formed the extreme right, and occupied a strong post, three
hundred yards into the French territory, which commanded the high
road from St Jean-Pied-de-Port to Roncesvalles, five miles in rear.
This brigade was supported by the fifth Spanish army, under General
Morillo. The fourth division was encamped on the heights in front of
Roncesvalles, a few miles in rear of the others;—and the third
division were in position at Olaque, in readiness to move to
wherever their services might be most required. A few miles to the
left of the fourth, Brigadier-General Campbell's brigade of
Portuguese infantry occupied Los Alduides, a French village, to keep
open the line of communication between the right wing and centre,
under Sir Rowland Hill, in the valley of Bastan.
The left wing, under Sir Thomas Graham, consisting of the first and
fifth divisions, was engaged in the siege of St Sebastian. On their
right, the Spanish corps of Generals Longa and Giron extended from
the vicinity of the latter towards the heights of Santa-Barbara,
where, and at Puerto-de-Eschelar and Vera, the seventh and light
divisions were posted.
The troops entrusted with the defence of the heights of Maya, and
valley of Bastan, were stationed as follows:—The fourth brigade,
second division, occupied the village of Errazu; and a Portuguese
brigade, under the Conde de Amarante, a position in the mountains
in front of that place. On the summit of the ridge, over which runs
the high road from the valley of Bastan into France, the 71st and
92d regiments were encamped,—the latter two hundred yards to the
left of the road, and the former three hundred yards still farther to
the left. The 50th regiment were detached about half-a-mile from
the right of the 92d, and lay encamped half-way down the ridge on
the Spanish side. Three pieces of Portuguese artillery occupied the
space between the road and the 92d; and the 82d regiment, from
General Barnes' brigade, seventh division, were posted about a mile
from the left of the 71st. The second brigade, second division, were
encamped in the valley, a little in front of the town of Maya, having
the 34th regiment advanced towards the summit of the heights on
the right of the position, on which that brigade had strong piquets
posted; and the Spanish General O'Donnel, the Conde-del-Abisbal,
formed the blockade of Pampluna, with a force of from ten to fifteen
thousand Spaniards.
A little after 11 o'clock, a.m. on the 25th of July, the enemy,
ascending the heights by a mountainous path which leads from the
French village of Espalete to the Spanish village of Maya, attacked
our piquets on the right with great fury. The latter, on the first
appearance of the enemy, were reinforced by the light companies of
the second brigade, and subsequently by the 34th, 39th, 50th, and
right wing of the 92d regiment. The first assault of our old friend
Druet, the Count D'Erlon, was sustained by the piquets and light
troops with much spirit, but the overwhelming numbers of the
enemy rendered all their efforts to retain their ground unavailing.
The 34th regiment being the nearest corps to the point attacked,
were soon on the spot, and attempted to arrest the torrent; but,
from a similar cause, were nearly cut off. The 50th arrived at the
scene of action at this ticklish period—charged the advanced
columns of the enemy, and in conjunction with the 34th and 39th,
which had followed the 50th, gave a temporary check to their career.
But the Count D'Erlon, availing himself of his great numerical
superiority, charged these corps in front, and detached strong
columns round their flanks, in order to surround them. At this critical
period the right wing of the 92d regiment, nearly 400 strong,
entered the field, and took part in the fray. On their arrival, the
Highlanders were a good deal blown, having advanced from the pass
about a mile and a-half, at a hurried pace. The situation of their
friends, however, was such, that they formed line on coming in sight
of the enemy, and were ordered forward by Colonel Cameron, who
commanded on the heights at the time, without a moment's repose.
The enemy perceiving our intention was to charge them, halted, and
thereby afforded the 34th and 50th regiments an opportunity of
retiring, and re-forming their ranks. Enraged at the failure of his
attempt to capture those two battalions, the French General turned
his fury against the Highlanders, with an intention of annihilating
them with showers of musketry. They, however, nothing intimidated,
returned the fire of their opponents with admirable effect. Perceiving
that D'Erlon was acting cautiously, Colonel Cameron withdrew the
right wing of the 92d, in order to draw the enemy to a piece of
ground where he could charge them. In this he partly succeeded; for
the French General, mistaking our voluntary retreat for a constrained
one, pushed forward from three to four thousand of his troops, who
on advancing towards us, made the air ring with their shouts of Vive
l'Empereur. Conceiving that the enemy had made up his mind to
prove the point of our bayonets, Cameron retired about thirty paces,
and then ordered his men to halt—front—and prepare to charge. On
seeing us halt, the enemy did the same, and instantly opened on us
one of the most terrific fires of musketry which we had ever
witnessed. At this time the space between the combatants was not
more than one hundred and twenty paces, while the numerical force
of the enemy was nearly eight to one against us. From the 92d, to
the French front line, the ground was almost level, but immediately
behind the enemy's advanced body, and from the opposite bank of a
narrow ravine, rose rather abruptly a considerable eminence, from
the face of which the French musketry told with fatal effect on their
opponents. This, however, the Highlanders did not return, for
conceiving that the French General wished to get quit of them by a
general charge, the 92d directed the whole of their fire against that
part of the French force stationed on the brow of the ravine nearest
themselves, and which was so coolly and admirably given, that in
ten minutes the enemy's dead lay literally in heaps. The slaughter
was so appalling indeed, that the utmost efforts of the French
officers to make their men advance in front of their slain, failed. At
times they prevailed upon a section or two to follow them,—but
whenever they obtained a glimpse of the mangled corpses of their
comrades, which every where surrounded them, they invariably gave
way, and retired from the scene of blood. For more than twenty
minutes the Highlanders sustained the unequal conflict, at the expiry
of which more than one half of the men had been killed and
wounded; and all the officers wounded, and borne from the field,
but two lieutenants.
Being one of the two, and the senior in rank, I found myself at once
placed in a situation of considerable importance, surrounded with
difficulties, and beset with dangers on every hand. The enemy
immediately opposed to us was certainly not fewer than 3000,—our
numbers had by this time been reduced to something under 200,
and a great part of them had no ammunition. Thus situated, and
with no friends in sight to render us assistance, it appeared to me
that the most prudent course I could adopt, under all the
circumstances, would be to retire, particularly as it became every
moment more and more evident that the French General's object
was either to annihilate us with his fire, or surround us with his
endless masses. We retired accordingly, pursued slowly by the
enemy, and without the loss of a man, but such as fell by the terrific
showers of musketry which they poured on us during the retreat.
On our arrival behind the height on which we had been engaged, we
found the 28th in close column, and the right wing of the 71st
hastening forward to our relief. The former attacked the enemy's
leading columns, but soon after moving down the hill to the right,
the Bragge Slashers joined the 34th and 39th regiments in the
valley, and left our rear completely uncovered. Under these
circumstances, the 50th and shattered remains of the 92d right wing
retired towards the pass, where General Stewart, who had now
arrived from Elizonda, was making the necessary preparations to
retard the progress of his opponent.
Detaching the right wing of the 71st, and part of the 50th, to a
position in rear, General Stewart, at the head of the left wings of the
71st and 92d, awaited the enemy. The latter, after a little
skirmishing, brought forward a strong body of infantry to overpower
all opposition. Seeing that a general affair would be attended with
no favourable result at this point, General Stewart, after a few
rounds, withdrew the advanced wings, and marching them through
the intervals between the 50th and 71st right wing, placed them
again in position about two hundred yards in rear of the latter. The
enemy followed, and were warmly received by the 50th and 71st. A
smart firing took place, which, as before, ended in the retreat of our
friends through the intervals between the left wings of the 71st and
92d. In this manner, each half of the troops alternately retiring, we
retrograded fully a mile, when, being reinforced by the 82d
regiment, we halted.
At the commencement of the action, Colonel Cameron adopted the
necessary precaution of detaching Captain Campbell of his own
corps, with 150 men, to the summit of the rock of Maya, it being the
key to the whole position. From this formidable post the little
garrison rendered us considerable service; for the face of the
mountain being every where covered with whinstone blocks, Captain
Campbell, in imitation of Andrew Hoffer in the Tyrol, hurled them
down on the pursuers, and frequently with great effect.
But neither stones, bullets, nor bayonets, checked the progress of
the enemy, for the second brigade having deviated from the natural
and prescribed route, retired across the valley of Bastan, some miles
to our right, and left us in numbers from 2000 to 2500 to contend
against eight or nine thousand. The consequence of this false
movement was such as might have been expected. The enemy
seeing the two bodies completely separated, followed up the
advantages they had gained over our column, and at length pressed
us so warmly, that General Stewart, in order to stop the farther
effusion of blood in a hopeless cause, dispatched an order to the
troops on the rock to retire. It was then about seven o'clock in the
evening. Fortunately, however, the cheers of the troops at the base
of the hill, reached the summit of it before the bearer of the order.
These cheers were occasioned by the arrival of General Barnes with
the 6th regiment, and some Brunswick infantry, being the remainder
of his brigade. A more seasonable reinforcement no troops ever
received. On the first appearance of it, our lads were perfectly frantic
with joy. Being seated at the time, they, although greatly fatigued,
sprung upon their feet, and then, without either asking or obtaining
permission to advance, rushed down upon the enemy with
irresistible force, and drove back his numerous hordes in the finest
style imaginable. Taking it for granted that we had been reinforced,
D'Erlon retired about a mile. In order to make it appear that our line had
been strengthened by a great addition to our numbers, General Stewart caused
the covering sergeants to take ground in the usual regular manner,
by which operation he intended to convey to his opponent an idea
that he only waited for the light of a new day to renew the combat.
Marshal Soult having attacked at day-break the same morning the
right of our army at Roncesvalles, with an overwhelming force,
Generals Cole, Picton, and Byng, after doing every thing in their
power to repel the attack, were ultimately compelled to yield up
their position to the enemy, and draw off towards Pampluna—the
relief, or re-provisioning of that strong fortress being the enemy's
principal object. To frustrate his designs, it became necessary for
Lord Wellington to concentrate a considerable portion of his army in
a position in front of Pampluna. For that purpose we retired from
Maya the same night, and after a fatiguing night's march, halted
next morning at seven o'clock, on a height in front of Barrueta.
CHAPTER XXIII.
I believe one of the best judges now in Britain has pronounced the
action of the 25th July to be one of the most brilliant achievements
performed during the late Peninsular war. Will posterity credit the
fact, that 2600 British troops not only retained the key of their
position, in despite of the utmost efforts of 11,000 of Bonaparte's
best infantry for nine hours, to wrest it from them,—but on receiving
a reinforcement of 1000 men only, actually re-captured about a mile
of the ground which the enemy had acquired in the early part of the
day? Will posterity believe that 400 British soldiers stretched 1000
Frenchmen dead or maimed on the bed of honour, in less than half-
an-hour? I fear not, without something more than a bare assertion;
and therefore I take the liberty of relating the substance of a
conversation which passed a few days afterwards, between the
French General who commanded on that occasion, and a British
Colonel, who was wounded on the 25th, and from the severity of his
wound was obliged to be left behind when we quitted the valley of
Bastan.
The Count D'Erlon, whether from a humane or an interested feeling,
I know not, waited upon Colonel H——, in passing through the
village where the latter was confined to bed, and after condoling
with him on the consequences of the action of the 25th of July, said,
"Pray, Colonel, how many Sans Culottes (Highlanders) have you in
your division?" "One battalion," answered the Colonel. "One
regiment of several battalions, I presume, Colonel," retorted D'Erlon.
"No, General, only one battalion I assure you," replied Colonel H——.
The Count then in a playful manner, and with a smile of incredulity in
his countenance, said, "Come now, Colonel, don't quiz me, do tell
me candidly, how many Highlanders you had in action on the right of
your position on the 25th?" On this query being put, Colonel H——
said, with great earnestness, "I give you my honour, General, there