tags:

views:

307

answers:

4

I have read about LDAP on wikipedia and I kind of understand what it is. However what I did not get what why so many organizations are using LDAP authentication server over having a simple table with userid and hashed password.

LDAP server surely brings more complexity to the infrastructure. What gains justify this added complexity?

+1  A: 

At an application level..
In a Windows domain environment it can make sense to use LDAP as a means to use existing Active Directory information instead of duplicating all of your authentication.

Quintin Robinson
+4  A: 

LDAP is complex, but it brings a lot more to the table than just centralized authentication. For example, many email clients can be hooked in to do LDAP searches to find other users - i.e. look up an employee by name, find their email address and phone number right from your email client.

Also, it is extensible - you can define your own types of objects and store them in the directory, so it can be used to store even data that the original implementers did not have in mind when designing it.

For example, OpenSolaris (and therefore I presume Solaris) machines can grab significant amounts of their own configuration over LDAP.

While setting up LDAP is not for the faint of heart and it makes little sense for the home user / small smattering of machines, the aggregate savings over thousands or tens of thousands of computers can make it worth it if administered properly.

Steven Schlansker
+3  A: 

Using a simple table seems like a good start until you need to use that same username and password in other locations. When your other systems (email, code, server login, bug tracking/ticket systems, etc.) start getting into the mix and you need to maintain all of them the table approach will be unmanageable fast because you would have to write an adapter for all of them to connect to your table for auth. Using ldap which is a standard and used by many projects will make it easier for you to maintain

Bob.T.Terminal
+1  A: 

Table with name and hash does not define an authentication scheme, it just defines a storage for the credentials. Authentication involves a protocol for the user to proove it's identity, like Kerberos or HTTP Digest. Organizations that deploy ldap don't, t deploy it for auth per se, they use Kerberos for that. Ldap is used for things like user organisatinal structure management (OU) or asset inventory. Once you deployed Kerberos for authentication and autheization it makes sense to use LDAP as your organization structure store, since most kern implementation will create an ldap anyway, eg. NT domain controllers.

Remus Rusanu