Educause Security Discussion mailing list archives

Re: Question on LDAP


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 27 Sep 2005 14:00:20 -0500

Scholz, Greg wrote:

There are a number of considerations to make with a decision such as
this.  Some areas of concern I have are the growth and management.  If
all authorization attributes live in a central location then the
administrators of the systems that control/need those attributes would
need to be able to modify this central repository (or assign someone
to manage authorization attributes from the group that "owns" that
database - that probably becomes a political question).  Also, the
word "extensible" needs to be considered.  LDAP is extensible, so who
decides what attributes get added to the schema so that they can be
available in this central repository?  What if there is an attribute
name collision? Etc?  How much benefit is gained by the complexity?



Extending with a local schema is not such a big deal.  Not big enough to let
it hold you back anyway.

I am open minded to the idea of a central authorization database.
However, at this point I have not seen enough benefit to justify it in
most cases.  Given the state of technology, I prefer to let systems
continue to internally define authorization, but push off all
authentication to a central repository.  This also is a good stepping
stone.  First get all the username/passwords centralized, then
consider the authorization consolidation.


If you do decide to centralise passwords first then slowly extend the
reach of the project, using an LDAP from the start will offer a clear
upgrade path.

We're dabbling in that area at the moment too.  It *looks* like it should
all work, though there is a hellacious learning curve.  (Which is another
good justification for going with LDAP from the start...)

My worry is that the LDAP server becomes the 'crown jewels' and although
vendors like Oracle trust their LDAP implementation's security enough to
store all sorts of things in it (such as PKI secret keys :-/ ) I
personally am not so sure I like the idea of all the high value data
being in one place.

The only thing I like less is the high-value data being in more than one
place :-)

G
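The split the message argues for (central authentication, with each system still defining its own authorization) as an added worked example; this is not code from the thread or from any product mentioned in it. The in-memory directory is a constructed stand-in for the central LDAP server so the example runs offline; the `Ldap3Backend` class sketches the same search-then-bind flow with the `ldap3` library (assumed installed, not exercised here), and all hostnames, DNs and user records are made up.

```python
"""Central authentication, per-system authorization (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Protocol, Set


class AuthBackend(Protocol):
    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the user's DN on success, None on failure."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InMemoryDirectory:
    """Constructed stand-in for the central LDAP server: uid -> salted hash.

    Mirrors the two steps an application performs against LDAP: look the
    username up to find its DN, then attempt a simple bind as that DN.
    """

    def __init__(self, base_dn: str, users: Dict[str, str]) -> None:
        self.base_dn = base_dn
        self._creds: Dict[str, tuple] = {}
        for uid, pw in users.items():
            salt = os.urandom(16)
            self._creds[uid] = (salt, _derive(pw, salt))

    def resolve_dn(self, uid: str) -> Optional[str]:
        return f"uid={uid},{self.base_dn}" if uid in self._creds else None

    def bind(self, dn: str, password: str) -> bool:
        uid = dn.split(",", 1)[0][len("uid="):]
        if uid not in self._creds:
            return False
        salt, expected = self._creds[uid]
        return hmac.compare_digest(_derive(password, salt), expected)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        # A simple bind with an empty password is an anonymous/unauthenticated
        # bind on many directory servers and "succeeds"; reject it up front.
        if not password:
            return None
        dn = self.resolve_dn(username)
        if dn is None:
            return None
        return dn if self.bind(dn, password) else None


class Ldap3Backend:
    """Same flow against a real server via ldap3 (assumed installed; not run here)."""

    def __init__(self, url: str, base_dn: str, service_dn: str, service_pw: str) -> None:
        self.url, self.base_dn = url, base_dn
        self.service_dn, self.service_pw = service_dn, service_pw

    def authenticate(self, username: str, password: str) -> Optional[str]:
        if not password:
            return None
        from ldap3 import Connection, Server  # lazy import: only needed online
        from ldap3.utils.conv import escape_filter_chars

        server = Server(self.url, use_ssl=True)
        with Connection(server, user=self.service_dn, password=self.service_pw,
                        auto_bind=True) as conn:
            # escape the username so it cannot alter the search filter
            conn.search(self.base_dn, f"(uid={escape_filter_chars(username)})",
                        attributes=["uid"])
            if len(conn.entries) != 1:
                return None
            dn = conn.entries[0].entry_dn
        try:
            with Connection(server, user=dn, password=password, auto_bind=True):
                return dn
        except Exception:  # ldap3 raises LDAPBindError when auto_bind fails
            return None


@dataclass
class Application:
    """One system: borrows authentication, owns its authorization table."""
    name: str
    backend: AuthBackend
    roles: Dict[str, str]            # dn -> role, managed by this system's admins
    permissions: Dict[str, Set[str]]  # role -> allowed actions

    def login(self, username: str, password: str) -> Optional[str]:
        return self.backend.authenticate(username, password)

    def authorize(self, dn: Optional[str], action: str) -> bool:
        role = self.roles.get(dn) if dn else None
        return role is not None and action in self.permissions.get(role, set())


# Constructed sample data: one directory shared by two applications.
BASE = "ou=people,dc=example,dc=edu"
DIRECTORY = InMemoryDirectory(BASE, {"alice": "correct horse", "bob": "hunter2"})
LMS = Application("lms", DIRECTORY, {f"uid=alice,{BASE}": "instructor"},
                  {"instructor": {"grade", "view"}})
PAYROLL = Application("payroll", DIRECTORY, {f"uid=bob,{BASE}": "clerk"},
                      {"clerk": {"view"}})

if __name__ == "__main__":
    dn = LMS.login("alice", "correct horse")
    print("alice ->", dn, "grade:", LMS.authorize(dn, "grade"),
          "payroll view:", PAYROLL.authorize(dn, "view"))
```

Adding a third application touches only that application's `roles` table; the directory, and the password it verifies, stay in one place. The empty-password check and the filter escaping are the two details most often missed when the bind is delegated.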

