A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.
I used to work for a fairly large company that used Lotus Notes, Sametime, DSS, Oracle, SAP, you name it. Most servers could be reached remotely through a VPN. Almost every shared application had a different process for granting access, and they all used username and password as the authentication method. Authorization was usually a manual process, if ACL's were used with groups, I didn't see any evidence of it.
To my mind, LDAP would do wonders for such a system. It might eliminate all the sticky notes with passwords written on them, that were stuck on every second monitor. If everything is Microsoft-centric, you should be able to use Active Directory for the same reasons. LDAP can also be used to manage any kind of data attached to people in the directory, but I've never seen a real life example of it.
My question is, how far along is the adoption of LDAP/AD in the real world? Is there a net benefit from _not_ using widespread and consistent authentication?
If you are using several different applications, each with their own login screen, it is a real PITA to have different passwords for each one. If all these different applications could perform their password checking on a central LDAP server then the user need only have one password, and a change in password would be automatically effective for every application. This to me is a big bonus.
Another advantage to using an LDAP server is that it may be possible to introduce Two Token Authentication (TTA) which would allow One Time Passwords (OTP) for added security. As this would be handled automatically by the LDAP server it would not require any changes to any application.
I have developed a web-based ERP system which allows integration with an external RADIUS or LDAP server, which in turn allows TTA should the user desire it. It was simple to code, but gives the user more choices, so as far as I am concerned it is a Good Thing.
Saturday, September 27, 2008
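Tony's point above is that each application hands its password check to the central directory. As an added example (not code from this thread or from any product mentioned in it), here is what that check looks like on the wire: an LDAPv3 simple-bind request and the directory's response, BER-encoded per RFC 4511 with the standard library only. The DN, password, message IDs and function names are constructed for illustration; the one practitioner's takeaway the encoder makes visible is that a simple bind carries the password as a plain octet string, so central authentication needs LDAPS or StartTLS between every application and the directory.

```python
def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(tag: int, n: int) -> bytes:  # INTEGER (0x02) / ENUMERATED (0x0A), n >= 0
    return _tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The password is a plain OCTET STRING: without LDAPS/StartTLS it crosses the network in clear text."""
    op = _int(0x02, 3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x60, op))

def bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }, as a server sends it."""
    resp = _int(0x0A, result_code) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _int(0x02, message_id) + _tlv(0x61, resp))

def parse_bind_response(msg: bytes) -> dict:
    """Decode a BindResponse; resultCode 0 = success, 49 = invalidCredentials."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp)
    _, _matched_dn, pos = _read_tlv(resp, pos)
    _, diag, _ = _read_tlv(resp, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": rc, "success": rc == 0, "diagnostic": diag.decode()}

# Constructed sample exchange (no network): a client bind and the directory's rejection.
REQUEST = bind_request(1, "uid=alice,ou=people,dc=example,dc=com", "s3cret")
RESPONSE = bind_response(1, 49, "invalid credentials")
```

Feed REQUEST to a real directory over a TLS-wrapped socket and parse_bind_response() on the reply gives the pass/fail decision every application in the thread would share.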
Thanks for the response, One Time Password pointed me in a direction I hadn't considered before.
http://en.wikipedia.org/wiki/One-time_password
Using SMS text messages is a great alternative to physical tokens, and opens up another can of possibilities. There is a Canadian airline that will accept SMS at the check-in counter, instead of you printing your boarding pass, if you use the Internet to check in for your flight.
To keep up to date with where LDAP is going, see:
OpenLDAP Engineering Team.
Community developed LDAP software.
Saturday, September 27, 2008
As Gavin Henry stated - keep an eye on the LDAPbis and LDAPext lists to see where LDAP is going. After the finalization of the more recent LDAP v3 core specifications, things have been a little quiet. However, interest is stirring again, which you'll see in a recent discussion titled 'LDAP BOF Proposal'.
In regards to LDAP for Authentication & Authorization - we are resellers for a US organization called Centrify (we resell in the AUS/Asia Pac region).
Centrify are allowing organizations to leverage MS AD for user authentication and authorization beyond the domain and into non-MS platforms such as Mac and Unix.
Tony, Gavin, Andrew
Thanks for your responses, I'm trying to make some decisions on how to handle authentication and authorization for an application I've just started on, with the idea that it will work with any size of organization. LDAP doesn't seem that difficult on the surface, but it seems to be taking a long time to become commonplace. My impression so far is that there's almost nothing it can't do, but very few have actually implemented it. It's also really strange to browse mailing lists where threads span months, even years. Thanks again!
>>> LDAP doesn't seem that difficult on the surface, but it seems to be taking a long time to become commonplace.
Not if you're talking about Active Directory.
Tuesday, September 30, 2008
LDAP works in a large organization that is able to design it, support it and invest in its maintenance, and has the leadership to make it work.
Our solution provides password integration to LDAP and it is very difficult to maintain. The programming is quite simple (connect to a port and check a logon/password).
There are many problems that can occur when integrating. Your customer contacts have no access to the network admins. There's the variety of LDAP servers, versions and platforms, plus the Novell, Active Directory, etc. variations. The weird configurations by administrators still doing things the mainframe way 'for security'. The outlandish organization layouts because anything standard is too easy or 'that's the way we do it around here and the rest of the world is wrong'.
It usually takes a week or two to get it working. Then it all stops working but 'nothing has been changed'. Except for the LDAP upgrade or reconfiguration.
And that is only simple password checking, not using LDAP for single source user details or global roles/privileges administration like it really could be used.
Have done quite a few LDAP integrations large and small and it is never as easy as it should be. We still have to have our own authentication for customers not using LDAP.
If you know your market space requires it, you have the integrators that can do it, and the customer has the leadership and budget for it then it will be easier.