Pros and cons of using LDAP for external users

sandy · Feb 2, 2010 · Viewed 9.3k times

I work for a company with multiple public-facing web sites.

Some of these sites are built using third party products (Moveable Type, myBB, Trac and others). We also have a couple of bespoke sites built on the Microsoft stack.

Currently, we have no unified authentication/authorisation solution; each site implements its own user store.

I'm keen to implement unified user authentication across all sites. I don't expect to achieve single sign-on (it won't be terrible if users are prompted for credentials when switching sites), but I do need each user to have a single username & password.

It seems to me that the most likely solution will be to implement an LDAP server. LDAP is supported by some of the third-party products we use, and I can amend our bespoke sites to use LDAP.

However, I've never used an LDAP store to manage external users (I've always built my own user store).

What are the pros and cons of using LDAP? Have I overlooked other options?

Thanks

Sandy

Answer

Regent · Feb 2, 2010

I don't have experience with OpenLDAP, but here are the pros and cons for the Active Directory-based LDAP:

Pros:

  • It's standardised, so quite often there are binding plug-ins already;
  • A lot of development frameworks have support for communicating with LDAP; (I've done it from PHP some time ago; .NET has a dedicated namespace for that.)
  • There are all necessary authentication methods and security mechanisms implemented -- passwords are stored securely, authentication with the server can be performed in a secured way if necessary;
  • Account lockout policy/Password history features can be enabled if needed;
  • AD has convenient tools for user management; it can also be scripted or accessed via an API;
  • Users can have complex group membership;
  • Permissions to any object/attribute can be customized;
  • Directory can be distributed/replicated by adding more domain controllers.

Cons:

  • Deployment requires some planning;
  • Active Directory should be backed up regularly.
  • If you authenticate against Active Directory you need Microsoft licenses.
  • The license is quite expensive.
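The search-then-bind pattern a bespoke site would use to authenticate a user against the directory, as an added example that is not code from the question or the answer. It assumes the third-party ldap3 library, a service account permitted to search the user subtree, and placeholder host and DN values; the filter escaping is included so a username typed into the login form cannot change the query.

```python
import ssl


# RFC 4515 escaping for values placed inside a search filter, so input such as
# "*)(objectClass=*" is matched literally instead of rewriting the filter.
def escape_filter_value(value: str) -> str:
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(username: str, attr: str = "sAMAccountName") -> str:
    """Filter selecting one account; attr is 'uid' on OpenLDAP, 'sAMAccountName' on AD."""
    return "(&(objectClass=person)(%s=%s))" % (attr, escape_filter_value(username))


def authenticate(username: str, password: str, *,
                 host="ldap.example.invalid",                        # placeholder
                 base_dn="OU=External,DC=example,DC=invalid",        # placeholder
                 service_dn="CN=websvc,OU=Service,DC=example,DC=invalid",
                 service_pw="") -> bool:
    """Return True only if exactly one account matches and its password binds."""
    import ldap3  # imported here so the helpers above run without the library

    if not password:  # a DN with an empty password is an unauthenticated bind
        return False
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED)          # LDAPS, verify server cert
    server = ldap3.Server(host, port=636, use_ssl=True, tls=tls)
    conn = ldap3.Connection(server, user=service_dn, password=service_pw,
                            auto_bind=True)
    try:
        conn.search(base_dn, user_filter(username), attributes=["distinguishedName"])
        if len(conn.entries) != 1:  # unknown or ambiguous account
            return False
        user_dn = conn.entries[0].entry_dn
        # Re-bind as the user: the directory checks the password, lockout and
        # expiry policy itself, so the site never handles password hashes.
        return conn.rebind(user=user_dn, password=password)
    finally:
        conn.unbind()
```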