Educause Security Discussion mailing list archives
Re: Question on LDAP
From: Tom Barton <tbarton () UCHICAGO EDU>
Date: Fri, 7 Oct 2005 11:03:49 -0500
Those seriously contemplating central authentication and authorization infrastructure services can enrich their research by consulting some of the information, practices, standards, and tools produced by the Internet2 Middleware Initiative and by the NSF Middleware Initiative. A comprehensive starting point for this material is <http://middleware.internet2.edu/>. A selection more focused on issues raised in this thread is found at the Internet2/MACE Directories Working Group website, <http://middleware.internet2.edu/dir>. Of special interest, that website has the Local Domain Person survey, which reveals the approaches taken by many US higher eds in using their LDAP directories for authorization and other purposes. Finally, a very good treatment of what is involved with designing, building, and operating a central directory service is the Enterprise Directory Roadmap, the latest version of which is <http://www.nmi-edit.org/roadmap/directories.html>.

Hope this helps,
Tom

--
Tom Barton
Senior Director for Integration
Networking Services and Information Technologies
University of Chicago

Greg Scholz wrote:
There are a number of considerations to make with a decision such as this. Some areas of concern I have are the growth and management. If all authorization attributes live in a central location then the administrators of the systems that control/need those attributes would need to be able to modify this central repository (or assign someone to manage authorization attributes from the group that "owns" that database - that probably becomes a political question). Also, the word "extensible" needs to be considered. LDAP is extensible, so who decides what attributes get added to the schema so that they can be available in this central repository? What if there is an attribute name collision? Etc? How much benefit is gained by the complexity? I am open minded to the idea of a central authorization database. However, at this point I have not seen enough benefit to justify it in most cases. Given the state of technology, I prefer to let systems continue to internally define authorization, but push off all authentication to a central repository. This also is a good stepping stone. First get all the username/passwords centralized, then consider the authorization consolidation.
Current thread:
- Re: Question on LDAP Krassos, Michael (Oct 05)
- Re: Question on LDAP Gary Flynn (Oct 05)
- Re: Question on LDAP Drews, Jane E (Oct 05)
- Re: Question on LDAP Tom Barton (Oct 07)