Thoughts on LDAP for web-based apps?

Status
Not open for further replies.

rycamor

Programmer
Jun 3, 1999
1,426
US
Is it just me, or is LDAP one of the most under-appreciated resources available right now?

From looking at the LDAP specs, it seems that it is a *tremendous* way to handle distributed data in a WAN situation. Anyone here spent any time working on LDAP apps, with PHP or Perl? Can you give a good list of pros and cons for LDAP with, say... a decentralized corporate document management system, or some such? Any good examples out there?
 
Ry,

You are definitely correct in the lacking appreciation of LDAP. I don't understand it.

I do quite a bit of development around LDAP, using it for mail authentication as well as for a web server management tool. It works well for mail because it's friggin' fast and as for the management tool, well, that needs a new paragraph.

First off, LDAP offers a multiplatform solution for webserver management because it's trivial to access LDAP through custom modules for Apache, and Microsoft's ADSI gives access to the entire IIS Metabase and can replicate off an LDAP server. LDAP is built to be decentralized, so failsafe mechanisms are also easy to implement. And most importantly, it's a good place to store user information... The information can be rapidly accessed with very little overhead -- much less than SQL -- if the indexes are set correctly, and the tree structure fits a user data scheme much better than a relational database ever could.

There's a lot more to the utilities that I'm writing, but I imagine I've already violated portions of my NDA. ;-)

LDAP's a wonderful thing -- I just wish there was more documentation. What a pain that is!

brendanc@icehouse.net
 
Verrry interesting. Yes, I have some similar thoughts in mind. My main interest is in a decentralized user and document management system. Tell me if I am thinking along the right lines:

I want to be able to manage a gazillion users as if they are all part of one unified web-based system. This includes dynamic data (database), and static documents on a filesystem, using the database to point to the document locations. Such a system would be a headache to make truly scalable, or clustered. Is LDAP able to handle data queries as if multiple machines are one? I ask because I am a complete newbie to LDAP. It seems from what I have read that this would be the case, but I have also seen some requests in newsgroups by people looking for a clustering solution to LDAP. Is this a red herring? Are they barking up the wrong tree?

TIA
 
Hmmm...
Remember, LDAP is not a Relational DB... it is purely hierarchical...

that said, using a metadirectory solution, you could easily keep data in an Oracle DB in sync with your LDAP data, etc.

If you are looking for a clustering solution, check out iPlanet iDAR, as well as iPlanet Directory 5.0 which (finally) allows multimaster replication :)

I have built web-based security systems (with SiteMinder for example... as well as custom coded ones) that have worked for 100's of thousands of users. LDAP *IS* the best solution for this IMO.

Another caveat, keep NOS and Enterprise directories separate (ie: M$ Active Directory should NOT be used as an enterprise LDAP directory...)

just my 2 cents...
-John


---
John Hoke
 
Just my 2 cents' worth: I've been pleasantly surprised by how easy LDAP is to configure and use. We're using it here for mail (Postfix/Courier user accounts in LDAP), LDAP-based authentication (non-Apache, using LDAP calls from PHP/Perl) and I have more planned. I've also used it for one medium-sized web app using mod_ldap and plan to do the same with a much larger user group (50,000+ users) in conjunction with Oracle.

Easy to set up, powerful, replication's a synch. Just make sure that you have the fantastic Java-based "LDAP Browser" tool to make things a WHOLE lot easier on the admin side: "
 