Educause Security Discussion mailing list archives
Re: Question on LDAP
From: "Scholz, Greg" <gscholz () KEENE EDU>
Date: Tue, 27 Sep 2005 12:41:25 -0400
There are a number of considerations to make with a decision such as this. Some areas of concern I have are the growth and management. If all authorization attributes live in a central location then the administrators of the systems that control/need those attributes would need to be able to modify this central repository (or assign someone to manage authorization attributes from the group that "owns" that database - that probably becomes a political question).

Also, the word "extensible" needs to be considered. LDAP is extensible, so who decides what attributes get added to the schema so that they can be available in this central repository? What if there is an attribute name collision? Etc? How much benefit is gained by the complexity?

I am open-minded to the idea of a central authorization database. However, at this point I have not seen enough benefit to justify it in most cases. Given the state of technology, I prefer to let systems continue to internally define authorization, but push off all authentication to a central repository. This also is a good stepping stone. First get all the username/passwords centralized, then consider the authorization consolidation.

_________________________
Thank you,

Gregory R. Scholz
Lead Network Engineer
Information Technology Group
Keene State College
(603)358-2070

_____
From: Krassos, Michael [mailto:mkrassos () MIAMI EDU]
Sent: Tuesday, September 27, 2005 11:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Question on LDAP

We are pondering whether or not to implement an LDAP architecture to support authorization attributes. This would be used to store attributes for different applications for use upon successful authentication against our Active Directory environment. Does anyone have any experience with this, or doing something similar? Is this the general direction people are taking or feel they should be taking? Any feedback appreciated.
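To make the trade-off in the exchange above concrete, here is an added example (mine, not Greg's or Michael's, and not code from Active Directory or any LDAP product). It models in plain Python: a constructed in-memory stand-in for the central directory, a simulated simple bind that is the one thing every application outsources, one application that keeps its own authorization table (the split Greg prefers), one that reads an application-namespaced attribute from the directory after binding (Michael's proposal), and a small schema-owner check that shows the attribute-name collision Greg raises. All DNs, users, passwords and attribute names such as libraryRole and hrRole are constructed for the example.

```python
"""Central authentication, local vs. central authorization: a small model of
the split discussed on the list. Added example, not from the thread; the
directory contents and attribute names are constructed."""
import hashlib
import hmac
import os
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever the real directory stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_entry(uid: str, password: str, extra: dict) -> dict:
    salt = os.urandom(16)
    entry = {"uid": uid, "salt": salt, "pwhash": _hash_password(password, salt)}
    entry.update(extra)
    return entry


# Constructed stand-in for the central directory (AD or an LDAP server),
# keyed by DN. Application-owned authorization attributes are prefixed with
# the owning application's name (libraryRole, hrRole) so that two systems
# that each want a "role" attribute do not collide.
CENTRAL_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=edu": _make_entry(
        "alice", "correct horse", {"libraryRole": "patron", "hrRole": "manager"}),
    "uid=bob,ou=people,dc=example,dc=edu": _make_entry(
        "bob", "battery staple", {"libraryRole": "staff"}),
}


def central_bind(dn: str, password: str) -> bool:
    """Simulated LDAP simple bind: the only step applications outsource.
    Constant-time comparison so a wrong guess costs the same as a right one."""
    entry = CENTRAL_DIRECTORY.get(dn)
    if entry is None:
        return False
    candidate = _hash_password(password, entry["salt"])
    return hmac.compare_digest(entry["pwhash"], candidate)


# Option A (Greg's preference): the application owns its authorization data.
# Nothing but authentication depends on the central repository.
LIBRARY_LOCAL_ROLES = {"alice": "patron", "bob": "staff"}


def library_access_local(dn: str, password: str) -> Optional[str]:
    """None if the bind fails, otherwise the role from the app's own table."""
    if not central_bind(dn, password):
        return None
    uid = CENTRAL_DIRECTORY[dn]["uid"]
    return LIBRARY_LOCAL_ROLES.get(uid, "none")


# Option B (Michael's proposal): after a successful bind, read the
# application's authorization attribute from the directory. The app must
# know which namespaced attribute is its own, and someone must have been
# allowed to add that attribute to the central schema.
def app_access_central(dn: str, password: str, attribute: str) -> Optional[str]:
    if not central_bind(dn, password):
        return None
    return CENTRAL_DIRECTORY[dn].get(attribute, "none")


# A minimal schema registry: "who decides what attributes get added" reduced
# to a check that refuses to hand an existing attribute name to a second owner.
SCHEMA_OWNERS = {}


def register_attribute(name: str, owner: str) -> bool:
    """True if name is (now) registered to owner; False on a name collision."""
    existing = SCHEMA_OWNERS.get(name)
    if existing is not None and existing != owner:
        return False
    SCHEMA_OWNERS[name] = owner
    return True


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=edu"
    print("local authz  :", library_access_local(alice, "correct horse"))
    print("central authz:", app_access_central(alice, "correct horse", "hrRole"))
    print("bad password :", library_access_local(alice, "wrong"))
    print("register role for library:", register_attribute("role", "library"))
    print("register role for hr     :", register_attribute("role", "hr"))
    print("register hrRole for hr   :", register_attribute("hrRole", "hr"))
```

The two application functions differ only in where the role comes from; the bind is identical, which is the "stepping stone" Greg describes: once every application binds centrally, moving an application's authorization data into the directory is a local change to that application and to the schema, and the registry check is the place where the schema-ownership question has to be answered before an attribute is added.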