It appears to be fashionable to specify LDAP as an all purpose Database Management System in the messaging world. Gordano products support LDAP for authentication (username & password records), but we have a number of reservations about its wider use. Several issues exist:
- LDAP is an acronym, the first letter of which represents the word ‘lightweight’. Many of the applications and deployments being talked about are far from lightweight.
- LDAP was never designed to store large volumes of changing data – and it is very poor at managing volatile data.
- LDAP imposes a mandatory hierarchy (tree) that is not necessarily appropriate for all organizations or schemas.
- LDAP was designed to store only strings. This demands considerable custom manipulation and conversion by users if it is to be used for other data types. This can lead to compatibility problems.
- There are a number of different LDAP versions (more than 3), with incompatibilities between each.
- Underlying LDAP protocols are under significant change and the availability of a standard is now more than two years late (at October 2001). Specific examples include replication (should have completed Dec-01) and extensions (target completion date of Mar-00).
- In order to add any parameters, a user is required to register them with a ‘World Central Authority’.
- LDAP has swollen and become complicated. This complexity not only makes configuration difficult and management burdensome but also creates security issues. A good example of the latter is the problem of access control for resource attributes.
In our view, LDAP can serve as an adequate DBMS for authentication purposes. For serious use, however, we advise customers to deploy suitable ‘Industrial Strength’ (not lightweight) Database Management Systems such as
Oracle, Ingres, SQL and others with similar characteristics.
Gordano’s software will authenticate against LDAP for all user accounts.
Keywords:Ldap directory database services support