Educause Security Discussion mailing list archives

Re: Question on LDAP


From: "Krassos, Michael" <mkrassos () MIAMI EDU>
Date: Wed, 5 Oct 2005 10:31:36 -0400

Thank you all for your input so far.  Does anyone else have any input
before I consider this topic closed?
________________________________

From: Scholz, Greg [mailto:gscholz () KEENE EDU] 
Sent: Tuesday, September 27, 2005 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question on LDAP
There are a number of considerations to make with a decision such as
this.  Some areas of concern I have are the growth and management.  If
all authorization attributes live in a central location then the
administrators of the systems that control/need those attributes would
need to be able to modify this central repository (or assign someone to
manage authorization attributes from the group that "owns" that database
- that probably becomes a political question).  Also, the word
"extensible" needs to be considered.  LDAP is extensible, so who decides
what attributes get added to the schema so that they can be available in
this central repository?  What if there is an attribute name collision?
Etc?  How much benefit is gained by the complexity?
I am open-minded to the idea of a central authorization database.
However, at this point I have not seen enough benefit to justify it in
most cases.  Given the state of technology, I prefer to let systems
continue to internally define authorization, but push off all
authentication to a central repository.  This also is a good stepping
stone.  First get all the username/passwords centralized, then consider
the authorization consolidation.
_________________________

Thank you,

Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070
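
Greg's concern about who extends the schema and what happens on an attribute name collision is something a central directory team can gate with a pre-check before any extension is loaded. The Python below is an added example, not code from either poster or from their institutions: it parses `attributeTypes` definitions from constructed LDIF fragments and reports reused OIDs, names already taken by the existing schema, and names outside an assumed institution-wide naming prefix (`example`); the private enterprise OID arc `1.3.6.1.4.1.999999` is a placeholder, not a real assignment.

```python
import re
# OID and NAME clause of an RFC 4512 AttributeTypeDescription; NAME is either
# one quoted descriptor or a parenthesised list of them.
_ATTR_RE = re.compile(
    r"\(\s*(?P<oid>[0-9][0-9.]*)\s+NAME\s+"
    r"(?:(?P<single>'[^']+')|\(\s*(?P<multi>(?:'[^']+'\s*)+)\))",
    re.IGNORECASE,
)

def parse_attribute_types(ldif_text):
    """Map OID -> list of NAMEs for each attributeTypes: line in the text."""
    result = {}
    for line in ldif_text.splitlines():
        if not line.lower().startswith("attributetypes:"):
            continue
        m = _ATTR_RE.search(line)
        if not m:
            raise ValueError("unparsable attributeTypes line: " + line)
        names = re.findall(r"'([^']+)'", m.group("single") or m.group("multi"))
        result[m.group("oid")] = names
    return result

def check_extension(existing, proposed, required_prefix):
    """List problems with adding `proposed` to `existing`: reused OIDs, NAMEs
    already taken (compared case-insensitively, as LDAP does), bad prefixes."""
    taken = {n.lower(): oid for oid, ns in existing.items() for n in ns}
    problems = []
    for oid, names in proposed.items():
        if oid in existing:
            problems.append(f"OID {oid} is already defined")
        for n in names:
            if n.lower() in taken:
                problems.append(f"NAME {n} collides with OID {taken[n.lower()]}")
            if not n.startswith(required_prefix):
                problems.append(f"NAME {n} lacks the prefix {required_prefix}")
    return problems

# Constructed sample data. 1.3.6.1.4.1.999999 stands in for the institution's
# own private enterprise arc; it is a placeholder, not a real assignment.
DS = "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15"  # DirectoryString syntax OID
EXISTING = f"""\
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 1.3.6.1.4.1.999999.1.1 NAME 'exampleAppRole' {DS} )
"""
PROPOSED = f"""\
attributeTypes: ( 1.3.6.1.4.1.999999.1.2 NAME 'commonName' {DS} )
attributeTypes: ( 1.3.6.1.4.1.999999.1.1 NAME 'exampleLibraryRole' {DS} )
attributeTypes: ( 1.3.6.1.4.1.999999.1.3 NAME 'payrollGroup' {DS} )
"""
```

Running `check_extension(parse_attribute_types(EXISTING), parse_attribute_types(PROPOSED), "example")` on the sample flags the reused OID, the `commonName` alias collision with `cn`, and the two names that ignore the prefix convention.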
________________________________

From: Krassos, Michael [mailto:mkrassos () MIAMI EDU] 
Sent: Tuesday, September 27, 2005 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question on LDAP
We are pondering whether or not to implement an LDAP architecture to
support authorization attributes.  This would be used to store
attributes for different applications for use upon successful
authentication against our Active Directory environment.  Does anyone
have any experience with this, or doing something similar?  Is this the
general direction people are taking or feel they should be taking?  Any
feedback appreciated.
