Educause Security Discussion mailing list archives

Re: Question on LDAP


From: Tom Barton <tbarton () UCHICAGO EDU>
Date: Fri, 7 Oct 2005 11:03:49 -0500

Those seriously contemplating central authentication and authorization
infrastructure services can enrich their research by consulting some of
the information, practices, standards, and tools produced by the
Internet2 Middleware Initiative and by the NSF Middleware Initiative. A
comprehensive starting point for this material is
<http://middleware.internet2.edu/>.

A selection more focused on issues raised in this thread is found at the
Internet2/MACE Directories Working Group website,
<http://middleware.internet2.edu/dir>. Of special interest, that website
has the Local Domain Person survey, which reveals the approaches taken
by many US higher eds in using their LDAP directories for authorization
and other purposes.

Finally, a very good treatment of what is involved with designing,
building, and operating a central directory service is the Enterprise
Directory Roadmap, the latest version of which is
<http://www.nmi-edit.org/roadmap/directories.html>.

Hope this helps,
Tom
--
Tom Barton
Senior Director for Integration
Networking Services and Information Technologies
University of Chicago


Greg Scholz wrote:
There are a number of considerations to make with a decision such as
this.  Some areas of concern I have are the growth and management.  If
all authorization attributes live in a central location then the
administrators of the systems that control/need those attributes would
need to be able to modify this central repository (or assign someone to
manage authorization attributes from the group that "owns" that database
- that probably becomes a political question).  Also, the word
"extensible" needs to be considered.  LDAP is extensible, so who decides
what attributes get added to the schema so that they can be available in
this central repository?  What if there is an attribute name collision?
Etc?  How much benefit is gained by the complexity?
I am open minded to the idea of a central authorization database.
However, at this point I have not seen enough benefit to justify it in
most cases.  Given the state of technology, I prefer to let systems
continue to internally define authorization, but push off all
authentication to a central repository.  This also is a good stepping
stone.  First get all the username/passwords centralized, then consider
the authorization consolidation.