5
votes

I work for a company with multiple public-facing web sites.

Some of these sites are built using third party products (Movable Type, myBB, Trac and others). We also have a couple of bespoke sites built on the Microsoft stack.

Currently, we have no unified authentication/authorisation solution; each site implements its own user store.

I'm keen to implement unified user authentication across all sites. I don't expect to achieve single sign-on (it won't be terrible if users are prompted for credentials when switching sites), but I do need each user to have a single username & password.

It seems to me that the most likely solution will be to implement an LDAP server. LDAP is supported by some of the third-party products we use, and I can amend our bespoke sites to use LDAP.

However, I've never used an LDAP store to manage external users (I've always built my own user store).

What are the pros and cons of using LDAP? Have I overlooked other options?

Thanks

Sandy

2 Answers

2
votes

I don't have experience with OpenLDAP, but as for pros and cons of Active Directory-based LDAP:

Pros:

  • It's standardised, so quite often there are some binding plug-ins already;
  • A lot of development frameworks have support for communication with LDAP; (I've done it from PHP some time ago; .NET has a dedicated namespace for that.)
  • There are all necessary authentication methods and security mechanisms implemented -- passwords are stored securely, authentication with the server can be performed in a secured way if necessary;
  • Account lockout policy/Password history features can be enabled if needed;
  • AD has convenient tools for user management, also it can be scripted or accessed via API;
  • Users can have complex group membership;
  • Permissions to any object/attribute can be customized;
  • Directory can be distributed/replicated by adding more domain controllers.

Cons:

  • Deployment requires some planning;
  • Active Directory should be regularly backed up.
  • If you authenticate against Active Directory you need Microsoft licenses.
  • The license is quite expensive.

2
votes

LDAP is a great way to store user information in a structured tree. The LDAP protocol also makes it readily available across the web. There are several different LDAP solutions out there but the one you choose will of course be based on your server's operating system. If you have any Microsoft sites your best bet is to go with an Active Directory or ADAM (MS). It is easier to slave a unix machine to an Active Directory than the other way around. If all of your queries will be web-based though and handled through code, then you could use any LDAP source you choose (they're all fairly complicated but with the right tools easy to administer).

LDAP by its nature is lightweight (hence the L) and fast. It's structured for hierarchical access to user information and easy to search based on all of this information. It also has support for an SSL protocol (LDAPS) which I highly recommend.

The cons are the basic hierarchical structure and the differences within the LDAP structures themselves. Active Directory is not a pure LDAP with respect to the RFC but it's close enough that it can be figured out easily.
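Added example, not from either answer: what an LDAP simple bind (RFC 4511, BER-encoded) actually puts on the wire, and the client TLS context a bespoke site should wrap it in for LDAPS. It makes concrete why the first answer's "secured way" and the second answer's LDAPS recommendation matter: without TLS the bind password is in the clear. The bind DN, password and CA-bundle path are constructed placeholders.

```python
"""Added example (not from the thread): LDAP simple BindRequest bytes and an LDAPS client context."""
import ssl
from typing import Optional


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; the extra leading byte keeps values >= 128 positive."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    bind = (
        _ber_int(3)                                # version INTEGER 3
        + _tlv(0x04, bind_dn.encode("utf-8"))      # name LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode("utf-8"))     # simple [0] IMPLICIT OCTET STRING
    )
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def password_visible_in(pdu: bytes, password: str) -> bool:
    """True when the credential can be read straight out of the PDU, as it can on plain ldap://."""
    return password.encode("utf-8") in pdu


def ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context for ldaps:// (port 636): verify the directory's certificate and hostname
    so a bind cannot be redirected to an impostor. ca_file is the internal CA bundle, if any
    (path is an assumption for the example)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                       # default; restated so it is never relaxed
    ctx.verify_mode = ssl.CERT_REQUIRED             # CERT_NONE would accept any server
    return ctx


if __name__ == "__main__":
    pdu = simple_bind_request(1, "cn=admin,dc=example,dc=com", "s3cret")  # constructed values
    print(pdu.hex(), "password in clear:", password_visible_in(pdu, "s3cret"))
```

Wrap the socket with `ldaps_context().wrap_socket(sock, server_hostname=...)` before sending the PDU; the same bytes sent over plain ldap:// expose the password to anything on the path.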