Educause Security Discussion mailing list archives
Re: Question on LDAP
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 27 Sep 2005 14:00:20 -0500
Scholz, Greg wrote:
There are a number of considerations to make with a decision such as this. Some areas of concern I have are the growth and management. If all authorization attributes live in a central location then the administrators of the systems that control/need those attributes would need to be able to modify this central repository (or assign someone to manage authorization attributes from the group that "owns" that database - that probably becomes a political question). Also, the word "extensible" needs to be considered. LDAP is extensible, so who decides what attributes get added to the schema so that they can be available in this central repository? What if there is an attribute name collision? Etc? How much benefit is gained by the complexity?
Extending with a local schema is not such a big deal. Not big enough to let it hold you back anyway.
I am open minded to the idea of a central authorization database. However, at this point I have not seen enough benefit to justify it in most cases. Given the state of technology, I prefer to let systems continue to internally define authorization, but push off all authentication to a central repository. This also is a good stepping stone. First get all the username/passwords centralized, then consider the authorization consolidation.
If you do decide to centralise passwords first then slowly extend the reach of the project, using an LDAP from the start will offer a clear upgrade path. We're dabbling in that area at the moment too. It *looks* like it should all work, though there is a hellacious learning curve. (Which is another good justification for going with LDAP from the start...) My worry is that the LDAP server becomes the 'crown jewels' and although vendors like Oracle trust their LDAP implementation's security enough to store all sorts of things in it (such as PKI secret keys :-/ ) I personally am not so sure I like the idea of all the high value data being in one place. The only thing I like less is the high-value data being in more than one place :-)

G
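As an added illustration, not from this thread or its authors, of what the "local schema" and the "who gets to modify the central repository" questions look like in practice on OpenLDAP's cn=config: the site-local attribute is defined under a private OID arc with a site prefix so it cannot collide with standard schema, write access to it is delegated to one named group, and userPassword is exposed only for bind. The OID arc 1.3.6.1.4.1.99999, the dc=example,dc=edu suffix, the cn=role-admins group and the exampleRole/examplePerson names are placeholders.

```ldif
# Added example: site-local schema extension plus ACLs for OpenLDAP (cn=config).
# Assumptions: 1.3.6.1.4.1.99999 stands in for your own registered enterprise
# OID arc; dc=example,dc=edu and cn=role-admins are placeholder names.
# LDIF folds long values: continuation lines start with one space, so the
# two-space indent below yields "value<space>NAME ..." after unfolding.

# 1. Schema: one attribute and an auxiliary class under the private arc.
#    The "example" prefix keeps the names clear of standard schema names.
dn: cn=example-local,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: example-local
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1.1
  NAME 'exampleRole'
  DESC 'Site-local authorization role read by applications'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2.1
  NAME 'examplePerson'
  DESC 'Auxiliary class carrying site-local authorization attributes'
  SUP top AUXILIARY
  MAY ( exampleRole ) )

# 2. Access control on the user database. "replace" overwrites any existing
#    olcAccess rules, so merge these with yours rather than applying blindly.
#    userPassword: usable for bind only, never readable, self may change it.
#    exampleRole: written only by the delegated admin group, readable by
#    authenticated users (the applications that enforce authorization).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to attrs=exampleRole
  by group.exact="cn=role-admins,ou=groups,dc=example,dc=edu" write
  by users read
  by * none
olcAccess: {2}to *
  by users read
  by * none
```

Apply it on the directory server itself with `ldapmodify -Y EXTERNAL -H ldapi:/// -f example-local.ldif`; the schema record must load before any entry gets the examplePerson class.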
Current thread:
- Question on LDAP Krassos, Michael (Sep 27)
- Re: Question on LDAP Scholz, Greg (Sep 27)
- Re: Question on LDAP Graham Toal (Sep 27)