[thelist] LDAP v. Database

Kelly Hallman khallman at wrack.org
Tue Jul 22 13:07:27 CDT 2003


On 22 Jul 2003, Aredridel wrote:
> On Tue, 2003-07-22 at 07:07, RUST Randal wrote:
> > LDAP is something that I've known about, read a little about, but
> > rarely have I heard it discussed here or in other forums. Everyone
> > seems to stick with using the database for user authentication.

I run a fairly large-scale corporate LDAP directory, and have had a few
years of experience with LDAP.  When I started the project, good LDAP info
was scarce, and I imagine that it still is.  If you're used to thinking in
terms of relational databases, LDAP will come as something of a shock.

> > LDAP seems like it might be a more secure solution.
> Hardly any more secure.  

Possibly less secure, if the LDAP connection was made across a network.  
LDAP on port 389 is unencrypted (so it's about as much of a risk as POP3,
FTP, IMAP, telnet, etc).  There are provisions for doing secure LDAP...

> It's just a database after all -- in fact, you
> can set LDAP up to store /its/ data in SQL.

Actually, LDAP is a protocol, not a database.  You could have any type of
database backing it, as long as the server can talk LDAP.  In general,
since LDAP data is hierarchical rather than relational, using a relational
database to answer LDAP queries could get inefficient on a large scale.

Incidentally, on the semantics: SQL is a language, not a database :)

> The advantage is in the protocol, and mostly for a large organization --

The more data that you need to put into a directory context, the more
useful LDAP becomes.  The whole idea of a directory service is to cut down
on redundant data stored in many different places throughout an
organization.  In other words, if HR already has a database of employees,
and IT has a database of those employees' email accounts, and you need to
create a web authentication scheme for those same employees... in that
case, LDAP could be leveraged as a repository for all this information.

I would recommend against considering LDAP for web authentication, unless
you already have an LDAP service in production, or plan to deploy one for
other purposes.  It would be too much learning curve, and too much effort
to create and maintain an LDAP service for the sole purpose of doing web
authentication (unless the scale was grand enough, there are always
exceptional circumstances).

> It's also cross-platform: Windows' "Active Directory" is LDAP.  If you
> want to authenticate off of a windows domain, you're doing LDAP.

Try getting it to play nicely with other LDAP servers.
It's called FUD.  I got yer MS 'standards compliance' RIGHT here!

-- 
Kelly Hallman
http://wrack.org/
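The point made above about port 389, shown on the wire, as an added example that is not code from this thread or from any product it mentions: a simple bind is a BER-encoded LDAPMessage (RFC 4511) whose DN and password travel as plain octet strings, so anyone watching the segment reads them back, exactly as with POP3 or telnet. The block hand-encodes the bind and the StartTLS extended request with the standard library only, then "sniffs" the bind back out of the bytes. The DN, password and host name are constructed sample values; `wrap_ldaps` is the hardening step and is not executed here because it needs a live server.

```python
"""Added example: a plaintext LDAP simple bind, and the TLS wrapper it needs.

Tags below come from RFC 4511 / X.690 (BER).  Sample credentials are
constructed for the demonstration; they are not from the original post.
"""
import socket
import ssl

SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
APP_BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
APP_EXTENDED_REQUEST = 0x77    # [APPLICATION 23], constructed
CTX_SIMPLE_AUTH = 0x80         # [0] primitive: the simple password
CTX_REQUEST_NAME = 0x80        # [0] primitive: requestName (LDAPOID)
START_TLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER definite-form length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(v):
    # Minimal two's-complement encoding; enough for message IDs and version.
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    op = tlv(APP_BIND_REQUEST,
             ber_int(3) + tlv(OCTET_STRING, dn.encode()) + tlv(CTX_SIMPLE_AUTH, password.encode()))
    return tlv(SEQUENCE, ber_int(msg_id) + op)


def starttls_request(msg_id):
    """ExtendedRequest carrying the StartTLS OID; the server's ExtendedResponse
    (resultCode 0) is the signal to hand the socket to TLS before binding."""
    op = tlv(APP_EXTENDED_REQUEST, tlv(CTX_REQUEST_NAME, START_TLS_OID))
    return tlv(SEQUENCE, ber_int(msg_id) + op)


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_bind(packet):
    """What a passive observer of port 389 recovers from one captured message.
    Returns {"dn", "password"} for a simple bind, None for anything else."""
    tag, body, _ = read_tlv(packet)
    if tag != SEQUENCE:
        return None
    _, _msgid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != APP_BIND_REQUEST:
        return None
    _, _version, pos = read_tlv(op)
    _, dn, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    if auth_tag != CTX_SIMPLE_AUTH:        # SASL choice: no cleartext password
        return {"dn": dn.decode(), "password": None}
    return {"dn": dn.decode(), "password": cred.decode()}


def wrap_ldaps(sock, server_hostname):
    """The fix: run the bind inside TLS (LDAPS on 636, or after StartTLS on 389).
    create_default_context() verifies the chain and the host name; setting
    check_hostname=False / verify_mode=CERT_NONE would only hide the traffic from
    a passive sniffer while leaving an active man-in-the-middle free to read it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


if __name__ == "__main__":
    pkt = bind_request(1, "cn=admin,dc=example,dc=com", "hunter2")   # constructed
    print(pkt.hex())
    print(sniff_bind(pkt))                   # the password, verbatim
    print(sniff_bind(starttls_request(2)))   # None: no credentials in it
```

Run it and the second line printed is the constructed password exactly as the server would receive it; that is the whole argument for not binding across a network on bare 389. Note that StartTLS by itself does not protect the bind either: a client has to refuse to send the bind if the StartTLS response is an error, otherwise a downgrade just strips the request and the cleartext bind follows.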