Creating a well defined LDAP directory query interface for email clients

Introduction

As part of my job running Stanford's Directory service, I've had to look at many email clients LDAP directory interface for gathering addressbook related information. What I've found is that there is no unified concept on how to do this, and the method used is often so poorly done as to be unusable in any real sense. This document is to present a guideline on writing a well written LDAP directory interface for an email client, in the hopes that various email client developers will read it and make use of it.

Basic concepts to consider

  1. Filter string
    The first part of an LDAP query is the search filter used to define what attributes are checked against. Few email clients actually allow you to define this filter string, which greatly limits the capabilities of the client. Even worse, most email clients assume particular attributes will be used for the search filters, when that may not be the case. The fact that search filters should be customizable is ignored by nearly all email clients.
  2. Attributes
    Many organizations have created, or will create, their own attributes to hold various pieces of information, as many default schemas simply do not have the requesite attributes necessary for their purposes. Few email clients allow you to specify how custom attributes will map into the addressbook. Even worse, most email clients enforce their own concepts of how the directory information is stored on the user, which is often unworkable. Email clients also tend to limit what data is returned from the server, cutting out information of potential use to the user.
  3. Authentication mechanisms
    Starting with LDAP Protocol v3, there are a variety of authentication mechanisms available to use to query directory services. However, as far as I have found, there is not a single email client that implements these alternative mechanisms. Most rely on the LDAP Protocol version 2 simple bind using username/password either in the clear or over SSL. None of them appear to implement the required LDAP Protocol version 3 mechanism, SASL/External. There also is no support for other SASL mechanisms, like DIGEST-MD5 or GSSAPI. It is critical that the email clients be RFC compliant, and implement multiple methods for authenticating to the LDAP Directory service.

Example of a decently written email client interface: Eudora

Eudora is the only email client software I've found that understands the first two concepts required to write a well written client interface to an LDAP server.

My subjective Email client grades

Email Client Grade Suggestions for improvment
Eudora B Support multiple authentication mechanisms
Evolution F Support multiple authentication mechansims
Support a customizable filter string
Support attribute mapping
Macintosh Address Book on OS X F Support multiple authentication mechansims
Support a customizable filter string
Support attribute mapping
Mulberry D- Support multiple authentication mechansims
Support a customizable filter string
Outlook F Support multiple authentication mechansims
Support a customizable filter string
Support attribute mapping
Thunderbird C- Support multiple authentication mechansims
Support a customizable filter string