Educause Security Discussion mailing list archives
Re: Question on LDAP
From: "Krassos, Michael" <mkrassos () MIAMI EDU>
Date: Wed, 5 Oct 2005 10:31:36 -0400
Thank you all for your input so far. Does anyone else have any input before I consider this topic closed?

________________________________
From: Scholz, Greg [mailto:gscholz () KEENE EDU]
Sent: Tuesday, September 27, 2005 12:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Question on LDAP

There are a number of considerations to make with a decision such as this. Some areas of concern I have are the growth and management.

If all authorization attributes live in a central location then the administrators of the systems that control/need those attributes would need to be able to modify this central repository (or assign someone to manage authorization attributes from the group that "owns" that database - that probably becomes a political question).

Also, the word "extensible" needs to be considered. LDAP is extensible, so who decides what attributes get added to the schema so that they can be available in this central repository? What if there is an attribute name collision? Etc? How much benefit is gained by the complexity?

I am open minded to the idea of a central authorization database. However, at this point I have not seen enough benefit to justify it in most cases. Given the state of technology, I prefer to let systems continue to internally define authorization, but push off all authentication to a central repository. This also is a good stepping stone. First get all the username/passwords centralized, then consider the authorization consolidation.

_________________________
Thank you,
Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

________________________________
From: Krassos, Michael [mailto:mkrassos () MIAMI EDU]
Sent: Tuesday, September 27, 2005 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question on LDAP

We are pondering whether or not to implement an LDAP architecture to support authorization attributes. This would be used to store attributes for different applications for use upon successful authentication against our Active Directory environment. Does anyone have any experience with this, or doing something similar? Is this the general direction people are taking or feel they should be taking? Any feedback appreciated.
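As an added example (not part of the thread or any poster's code), here is a stdlib-only Python check for the schema-extension problem Greg raises: it parses OpenLDAP-style attributetype definitions submitted by application owners and reports any attribute NAME or OID that clashes with the central schema or with another submission, which is the review step a central-directory owner would want before loading new attributes. The OID arc 1.3.6.1.4.1.99999 and all attribute and application names are constructed placeholders.

```python
import re
from collections import defaultdict

# OID and NAME clause of an OpenLDAP-style attributetype definition.
ATTR_RE = re.compile(
    r"attributetype\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+"
    r"(?P<names>'[^']+'|\(\s*(?:'[^']+'\s*)+\))",
    re.IGNORECASE,
)

def parse_attribute_types(schema_text):
    """Return [(oid, [name, ...]), ...]; names lower-cased, as LDAP compares them."""
    result = []
    for m in ATTR_RE.finditer(schema_text):
        names = [n.lower() for n in re.findall(r"'([^']+)'", m.group("names"))]
        result.append((m.group("oid"), names))
    return result

def find_collisions(existing_schema, proposals):
    """Check proposed extensions ({owner: schema text}) against the central
    schema and against each other. Returns a sorted list of (kind, value, owners)."""
    by_name, by_oid = defaultdict(set), defaultdict(set)
    sources = {"central": existing_schema, **proposals}
    for owner, text in sources.items():
        for oid, names in parse_attribute_types(text):
            by_oid[oid].add(owner)
            for name in names:
                by_name[name].add(owner)
    collisions = []
    for kind, index in (("name", by_name), ("oid", by_oid)):
        for value, owners in index.items():
            if len(owners) > 1:
                collisions.append((kind, value, tuple(sorted(owners))))
    return sorted(collisions)

# Constructed sample data: the OID arc 1.3.6.1.4.1.99999 and every attribute and
# application name below are placeholders, not any real institution's schema.
EXISTING_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'campusRole'
    DESC 'central' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME ( 'libraryPatronType' 'patronType' )
    DESC 'central' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""
PROPOSALS = {
    "hr-app": "attributetype ( 1.3.6.1.4.1.99999.2.1 NAME 'patronType' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "portal": "attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'portalGroup' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "lms": "attributetype ( 1.3.6.1.4.1.99999.3.1 NAME 'lmsCourseRole' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
}
```

Calling `find_collisions(EXISTING_SCHEMA, PROPOSALS)` on the sample flags the hr-app reuse of the name patronType and the portal reuse of an OID already assigned centrally, while the lms attribute passes.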