[nycphp-talk] LDAP for web authorization?

charlie derr cderr at simons-rock.edu
Tue Nov 21 15:07:11 EST 2006


Randal Rust wrote:
> On 11/21/06, edward potter <edwardpotter at gmail.com> wrote:
> 
>> my understanding of LDAP (I was immersed in it for a bit back in the
>> boom), is it's really optimized for name/address lookup applications
>> (colleges, hospital directories, etc).
> 
> That's my understanding as well.
> 
>>  I know some people have tried
>> to use it for securing directories at various levels, not sure how
>> that worked out.
> 
> Security, although not for directories, is also a part of this
> project. A lot of the parent organizations have child records and we
> need to secure them based on the user login. I think we'll have to
> verify everything based on the user's DN or something. I don't even
> want to begin to think about that yet.

This may be where the "higher-ups" thought that LDAP lends value (in controlling access in a granular fashion).  It's not an easy 
problem to solve, but the infrastructure is available in LDAP.  I know there's basic authentication available in MySQL (I'm more 
of a postgresql person myself), but I think that complex access requirements will probably be easier to implement in LDAP.

> 
>> Anything beyond that (as described in your post), is for sure a
>> mysql/db type application. The syntax always drove me crazy, I noticed
>> the coding pros were all english majors, who hacked LDAP on the side.
> 
> I tried, unsuccessfully, to convince the client to ditch LDAP as the
> data store and move to MySQL. If he had done that, I would probably be
> done with this project by now.
> 
> But, at least someone else thinks this is probably not the best
> approach. If it comes up again, I can always say that I got some other
> opinions:)
> 

I'm not a big fan of the syntax either (though I've been doing it long enough now that I no longer notice how rough around the 
edges it is). One thing that I would point out is that it's not a "pure speed" thing (accessing a local flat file to perform a 
lookup will almost always be faster than querying a network resource, no matter how much you've optimised the latter). The 
benefit of LDAP isn't that it's faster than everything else. The benefit is that it gives you a robust, extensible structure 
that's relatively well-documented, and there are lots of tools and code snippets out there which can be leveraged.

	good luck,
		~c
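As an added illustration (not part of the thread), here is one way the "infrastructure in LDAP" mentioned above could carry the per-organization rules Randal describes, with access keyed on the bound user's DN rather than re-checked in application code: OpenLDAP slapd.conf ACLs. The tree layout, the dc=example,dc=com base and the cn=admins group are constructed assumptions; for the rules to apply, the web application binds as the logged-in user instead of a shared service account.

```conf
# Constructed tree layout assumed by these rules:
#   o=<org>,ou=orgs,dc=example,dc=com                  parent organization
#   uid=<user>,ou=people,o=<org>,ou=orgs,dc=example,dc=com   that org's users
#   cn=<record>,ou=records,o=<org>,ou=orgs,dc=example,dc=com child records
#   cn=admins,ou=groups,o=<org>,ou=orgs,dc=example,dc=com    groupOfNames of org admins
#
# slapd evaluates "access to" clauses top-down and stops at the first one
# whose target matches, so the most specific targets come first.

# 1. Passwords: usable for a bind (auth), changeable by the owner, never
#    readable by anyone.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Child records of an organization. The org name is captured as $2 from
#    the target DN ($1 is the optional "cn=...,") and substituted into the
#    "by" clauses, so a single rule serves every organization in the tree.
#    Admins of the same org may write, any user of the same org may read,
#    users of other orgs (and anonymous) cannot even see the entries.
access to dn.regex="^(.+,)?ou=records,o=([^,]+),ou=orgs,dc=example,dc=com$"
    by group.expand="cn=admins,ou=groups,o=$2,ou=orgs,dc=example,dc=com" write
    by dn.regex="^uid=[^,]+,ou=people,o=$2,ou=orgs,dc=example,dc=com$" read
    by * none

# 3. The rest of an organization's subtree (people, groups, the org entry
#    itself): readable only by users who belong to that organization.
access to dn.regex="^(.+,)?o=([^,]+),ou=orgs,dc=example,dc=com$"
    by dn.regex="^uid=[^,]+,ou=people,o=$2,ou=orgs,dc=example,dc=com$" read
    by * none

# 4. Default deny for anything not matched above.
access to *
    by * none
```

Test such rules with slapacl(8) or by binding as a user from one org and searching another org's records before relying on them, since a single misordered clause silently changes who sees what.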



