
July 2006 Archives

July 5, 2006

Another Myth - Only "Large" Organizations Have LDAP

From time to time I see posts on places like Javalobby or The Serverside
where people say they want user identity in a database because "only
large organizations have LDAP".



Nothing could be further from the truth. I would argue that the vast
majority of organizations have an LDAP server of some type available to
them. If nothing else they have Microsoft Active Directory, and many
organizations run other servers such as Oracle Internet Directory,
OpenLDAP or Sun Directory Server (or its cousins, the Netscape and Red Hat
Directory Servers).



What I suspect is that this thought (and now myth) started in the early days of
LDAP-client-based application deployment, when people were deploying applications faster
than directory services were actually available.



And while this has changed, many developers still have very little contact
with directory services while they have almost constant contact with
databases.



Thus the myth persists easily, because LDAP is often "hidden" from
developers, or perhaps not as easy to access as a traditional database.
It is also very easy, tempting and (unfortunately) considered an
acceptable practice to store identity data in the application database.
Never mind that every copy of this data is another store to protect and
another attack vector. At the very least you take on the job of
maintaining users' passwords and developing a user management system.



However, if you want to be a smart developer you should be using LDAP
directly (that is, without synchronizing LDAP into your application
database) for any type of user-related information. Not because LDAP is
so much better than a relational database, but because it gives you more
flexibility (and, if you're an ISV, a larger potential market).



By sticking to LDAP for user identity and profile data you have a single
programming API to code against, which makes your application simpler
(and potentially more secure, since identity data and credentials stay in
the directory rather than in a second copy) while letting it scale from
small to very large organizations.
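As an added illustration of the pattern argued for above (this is example code written for this page, not code from the original post or from any Oracle product), here is what "use LDAP directly for identity" looks like in Python: the application searches for the user's entry with its own service account, then proves the password by binding as the user, so it never stores or compares password hashes itself. Two things a practitioner gets wrong in practice are shown as well: the user-supplied value must be escaped before it goes into the search filter (RFC 4515), and an empty password must be rejected before the bind, because a simple bind with a DN and an empty password is an unauthenticated bind that servers commonly accept (RFC 4513 section 5.1.2). The schema (`inetOrgPerson` entries with a `uid` under `ou=People,dc=example,dc=com`), the shape of the `conn` object (`search(base_dn, filter)` returning DNs and `bind(dn, password)` returning a boolean, a thin wrapper rather than any real library's API) and the in-memory `FakeDirectory` with its sample users are all assumptions constructed so the example runs offline.

```python
"""Authenticate application users against an LDAP directory instead of
copying identity data (and passwords) into the application database.

Added example, not code from the original post.  `conn` is assumed to be a
thin wrapper exposing search(base_dn, filter) -> [dn] and
bind(dn, password) -> bool; the schema and the in-memory directory below
are constructed sample data so the example runs offline."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter
    (RFC 4515).  Without this a username such as '*' or 'x)(uid=*' changes
    the query instead of being matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(uid: str) -> str:
    """Filter that locates one person entry by uid (assumed schema)."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def authenticate(conn, base_dn: str, uid: str, password: str):
    """Return the user's DN if the directory accepts the credentials, else None.

    The application never stores or compares password hashes: the search
    runs under the application's service account and the credential check
    is the user's own bind, so the directory stays the single source of
    identity data."""
    # RFC 4513 5.1.2: a simple bind with a DN and an empty password is an
    # *unauthenticated* bind that most servers accept.  Reject it here,
    # before talking to the directory, or every account opens with "".
    if not password:
        return None
    dns = conn.search(base_dn, user_filter(uid))
    if len(dns) != 1:          # unknown user, or an ambiguous match
        return None
    # Bind with the DN the directory returned, never one assembled from
    # user input (which would also need RFC 4514 DN escaping).
    return dns[0] if conn.bind(dns[0], password) else None


# --- Constructed in-memory stand-in for a directory server ---------------
# Real deployments replace this with an LDAP client; it exists only so the
# example runs offline.  It evaluates filters the way a server would: '&',
# '|', equality matches, '*' wildcards, and '\xx' escapes for literals.

def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(filt: str, i: int = 0):
    """Parse the filter starting at filt[i]; return (predicate, next index)."""
    assert filt[i] == "(", "filter must start with '('"
    i += 1
    if filt[i] in "&|":
        combine, i, parts = (all if filt[i] == "&" else any), i + 1, []
        while filt[i] != ")":
            pred, i = _parse(filt, i)
            parts.append(pred)
        return (lambda e: combine(p(e) for p in parts)), i + 1
    j = filt.index(")", i)
    attr, _, pattern = filt[i:j].partition("=")
    # a raw '*' is a wildcard; an escaped '\2a' unescapes to a literal '*'
    rx = re.compile(".*".join(re.escape(_unescape(p)) for p in pattern.split("*")),
                    re.IGNORECASE)
    return (lambda e: any(rx.fullmatch(v) for v in e.get(attr.lower(), []))), j + 1


class FakeDirectory:
    def __init__(self, entries):
        self.entries = {dn: {a.lower(): vals for a, vals in attrs.items()}
                        for dn, attrs in entries.items()}

    def search(self, base_dn, filt):
        pred, _ = _parse(filt)
        return [dn for dn, e in self.entries.items()
                if dn.lower().endswith(base_dn.lower()) and pred(e)]

    def bind(self, dn, password):
        if password == "":
            return True   # unauthenticated bind "succeeds" (RFC 4513 5.1.2)
        e = self.entries.get(dn)
        return bool(e and password in e.get("userpassword", []))


BASE_DN = "ou=People,dc=example,dc=com"
ALICE_DN = "uid=alice," + BASE_DN
DIRECTORY = FakeDirectory({            # constructed sample data
    ALICE_DN: {"objectClass": ["inetOrgPerson"], "uid": ["alice"],
               "userPassword": ["correct-horse"]},
    "uid=bob," + BASE_DN: {"objectClass": ["inetOrgPerson"], "uid": ["bob"],
                           "userPassword": ["battery-staple"]},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "alice", "correct-horse"))  # alice's DN
    print(authenticate(DIRECTORY, BASE_DN, "alice", ""))               # None
    print(DIRECTORY.search(BASE_DN, "(uid=*)"))          # both users: raw '*'
    print(DIRECTORY.search(BASE_DN, user_filter("*")))   # []: escaped '\2a'
```

The same three functions at the top (`escape_filter_value`, `user_filter`, `authenticate`) are what you would keep when swapping `FakeDirectory` for a real client such as python-ldap, ldap3 or JNDI; only the wrapper's `search` and `bind` change, which is the "single programming API" point in practice.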


And of course, if you decide you want to make it easier to integrate
your application into any organization by leveraging LDAP, you might
want to check out what Oracle has to offer:

July 10, 2006

Deploying Large-Scale LDAP Directories

Many organizations, in particular those that deal with external
customer data such as telcos, insurance, medical and retail
organizations, often have directories whose entry counts run into the
millions.



If you are using one of the Netscape-variant LDAP servers (which
includes the Sun, iPlanet, Netscape and Red Hat directory servers),
scaling to large numbers is limited by their design. It is also harder
to manage fail-over when you have a large number of users, because these
servers force you to replicate your data, which is time-consuming and
can be error-prone.



Oracle Internet Directory doesn't suffer from the limitations of these
early directory server designs and can often provide better
scalability and high availability more easily because it leverages the
capabilities of the Oracle RDBMS.



We have just written a paper where you can see for yourself how well this
design works and decide for yourself if maybe it's time to move to
industrial-strength directory services from Oracle.

About July 2006

This page contains all entries posted to Virtual Identity Dialogue in July 2006. They are listed from oldest to newest.


Powered by
Movable Type and Oracle