[thelist] LDAP v. Database

Aredridel aredridel at nbtsc.org
Tue Jul 22 09:15:04 CDT 2003

On Tue, 2003-07-22 at 07:07, RUST Randal wrote:
> LDA is something that I've known about, read a little about, but rarely
> have I heard it discussed here or in other forums. Everyone seems to
> stick with using the database for user authentication. This is what I've
> always done too, but LDAP seems like it might be a more secure solution.

Hardly any more secure.  It's just a database after all -- in fact, you
can set LDAP up to store /it's/ data in SQL. By default with OpenLDAP,
it's in a DB file, so not /much/ harder to read than /etc/passwd, and
slightly easier to read than the data, say in MySQL, which is in a
Berkely DB file too if you use BDB tables.

The advantage is in the protocol, and mostly for a large organization --
not large in numbers of users, but large in numbers of servers/services
offered from multiple locations.

LDAP databases are easy to synchronize in a master-slave relationship,
so they can be distributed.  They also support "referrals", where part
of the namespace is handled by someone(s) else.

LDAP is also the "standard" replacement for systems line NIS+/YP, so
even your local UNIX auth is handled by it. It's also cross-platform:
Windows' "Active Directory" is LDAP.  If you want to authenticate off of
a windows domain, you're doing LDAP.  


More information about the thelist mailing list