Public service announcement : A LDAP directory won't do it all by itself

Recently I’ve been dealing with requests for LDAP directories configs which clearly demonstrates how little people understand about directories and what they are capable of doing. A significant amount of people I know seems to really get it wrong when it comes to what they want from a directory.

Actually, they somehow think that a LDAP directory will do whatever is needed for their application to store, retrieve, validate, authenticate and even take decisions based on no data provided at all. These people think that one should just deploy a directory using the minimum effort approach and suddenly everything will just work.

They don’t seem to realize that for their application to make use of a directory it should be prepared to do so. They can’t accept it when they are told that the directory won’t just work and by some unknow enchantment get their systems data stored, validated, authenticated and, shockingly for them, that it won’t make their credentials consolidated so lots of different services will out of the box just start working using the same username/password pair.

Also, some people don’t understand the difference between a LDAP directory and a single sign-on (SSO) system. They don’t realize that a directory won’t, by itself (i.e. without additional software and some respectable amount of tweaking), provide them the ability to authenticate against it only a single time and have their credentials shared among all their systems.

That’s it. Said. Don’t get me wrong. All that was metioned above is possible, but it isn’t done by LDAP alone. LDAP is just a bunch of protocols and a directory is only one nice place to store information. What will be done with this information, how it wll be treated and how it could be used to produce meaningful results are almost always up to the application and/or to some “middleware” or added plugin/overlay/connector/whatever.

Next time someone ask you to “install LDAP so I can get rid of all my different username/passwords and use only one instead”, be afraid. Be very afraid and present him/her some theorical knowledgment regarding the topic. Or, better said, insert some clue into his/her brain.

2 comentários sobre “Public service announcement : A LDAP directory won't do it all by itself

  1. @giskard

    You could research Kerberos. If it’s going to work for you it all depends on your specific demands and your specific scenario/setup/applications.

    And no, it won’t buy you a solution if you just go ahead and tell me your environment (please, don’t do it). The whole point of the post was exactly to tell people that it’s not an easy topic for which there’s no acceptable ready to use solution.

    You should better research for yourself rather than expect for a magic solution from some idiot writing crap on the Internet (that’s me). No one in the Interwebs is going to provide you a real solution.

    You’ll need to do a lot of homework and acquire a lot knowledgment for yourself. This or you’ll need to pay for some third-party consultancy which could do it all for you.

    Please, don’t get me wrong. I’m just telling you the truth. And yes, the truth isn’t what we would like to hear most of the times, but better to hear it now than to buy into wrong ideas and “solutions” from some sales representatives, which are going to sell you the solution as a drop-in, do it all by itself magic.

Deixe um comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do

Você está comentando utilizando sua conta Sair /  Alterar )

Foto do Google

Você está comentando utilizando sua conta Google. Sair /  Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair /  Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair /  Alterar )

Conectando a %s