Public service announcement : An LDAP directory won't do it all by itself

Recently I’ve been dealing with requests for LDAP directory configs which clearly demonstrate how little people understand about directories and what they are capable of doing. A significant number of people I know seem to get it really wrong when it comes to what they want from a directory.

Actually, they somehow think that an LDAP directory will do whatever is needed for their application to store, retrieve, validate, authenticate and even take decisions based on no data provided at all. These people think that one should just deploy a directory using the minimum-effort approach and suddenly everything will just work.

They don’t seem to realize that for their application to make use of a directory, the application itself has to be prepared to do so. They can’t accept it when they are told that the directory won’t just work and, by some unknown enchantment, get their systems' data stored, validated and authenticated, and, shockingly for them, that it won’t consolidate their credentials so that lots of different services start working out of the box using the same username/password pair.

Also, some people don’t understand the difference between an LDAP directory and a single sign-on (SSO) system. They don’t realize that a directory won’t, by itself (i.e. without additional software and a respectable amount of tweaking), give them the ability to authenticate against it only once and have their credentials shared among all their systems.

That’s it. Said. Don’t get me wrong. All that was mentioned above is possible, but it isn’t done by LDAP alone. LDAP is just a bunch of protocols and a directory is only one nice place to store information. What will be done with this information, how it will be treated and how it could be used to produce meaningful results are almost always up to the application and/or to some “middleware” or added plugin/overlay/connector/whatever.
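To make the point concrete, here is what "the application has to be prepared to use the directory" looks like in code. This is an added example, not code from the post's author: the application looks the user up with a search filter and then binds as the entry it found; the directory only answers those two requests and takes no decision of its own. The `InMemoryDirectory` class is a constructed stand-in for a server connection (against a real server you would send the same search and bind over LDAP), and the base DN, the `inetOrgPerson`/`uid` layout and the sample entries are assumptions chosen for the example.

```python
"""Application-side LDAP authentication: search for the user, then bind as
that user. Illustrative code added to the post; the directory below is an
in-memory stand-in, not a real server."""
import hmac
import re

# RFC 4515 escaping for values placed into a search filter. A real server
# treats an unescaped '*' as a wildcard and parentheses as filter syntax,
# so user input must be escaped before it becomes part of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(uid: str) -> str:
    # Assumed schema: accounts are inetOrgPerson entries identified by uid.
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"

# --- constructed stand-in for the directory server ---------------------------
_COMPONENT = re.compile(r"\((\w+)=([^()]*)\)")

def _unescape(value: str) -> str:
    # Reverse the \XX hex escapes so the mock compares literal values.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class InMemoryDirectory:
    """Holds entries keyed by DN and answers the two requests the app needs.
    Single-valued attributes only, which is a simplification of real LDAP."""

    def __init__(self, entries: dict):
        self.entries = entries  # dn -> {attribute: value}

    def search(self, base_dn: str, ldap_filter: str) -> list:
        """Evaluates an AND-of-equalities filter like build_user_filter's
        output and returns the matching DNs. No wildcard support here."""
        wanted = [(a, _unescape(v)) for a, v in _COMPONENT.findall(ldap_filter)]
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn)
                and all(attrs.get(a) == v for a, v in wanted)]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: the server checks the password of the entry at dn."""
        entry = self.entries.get(dn)
        if entry is None:
            return False
        stored = entry.get("userPassword", "")
        return hmac.compare_digest(stored.encode(), password.encode())

# --- what the application itself has to do -----------------------------------
BASE_DN = "ou=people,dc=example,dc=org"  # assumed directory layout

def authenticate(directory: InMemoryDirectory, uid: str, password: str):
    """Returns the user's DN on success, None otherwise. The directory stores
    the data and answers search/bind; accepting or rejecting the login is the
    application's job."""
    if not password:
        # A bind with a DN and an empty password is an anonymous/unauthenticated
        # bind on most servers: it "succeeds" without proving anything.
        return None
    matches = directory.search(BASE_DN, build_user_filter(uid))
    if len(matches) != 1:
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None

# Constructed sample entries for the stand-in directory.
DIRECTORY = InMemoryDirectory({
    "uid=alice,ou=people,dc=example,dc=org": {
        "objectClass": "inetOrgPerson", "uid": "alice", "userPassword": "correct horse"},
    "uid=bob,ou=people,dc=example,dc=org": {
        "objectClass": "inetOrgPerson", "uid": "bob", "userPassword": "battery staple"},
})

if __name__ == "__main__":
    # Each application that wants to use the directory must run this flow
    # itself; nothing here is shared between applications, which is the gap
    # an SSO system (not the directory) fills.
    print(authenticate(DIRECTORY, "alice", "correct horse"))  # the DN
    print(authenticate(DIRECTORY, "alice", "wrong"))          # None
    print(authenticate(DIRECTORY, "*", "correct horse"))      # None
```

The two things the directory never does for you are visible here: the filter escaping (the application's responsibility, since the server will happily evaluate whatever syntax it receives) and the empty-password check before the bind. A second application wanting the same users has to repeat the whole flow; the directory gives it the data, not a shared session.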

Next time someone asks you to “install LDAP so I can get rid of all my different username/passwords and use only one instead”, be afraid. Be very afraid, and present him/her with some theoretical knowledge regarding the topic. Or, better said, insert some clue into his/her brain.