LDAP

LDAP (Lightweight Directory Access Protocol) is an open, widely used industry standard (an IETF RFC) first proposed in 1993. Enterprise software such as JIRA, Confluence and OpenVPN usually offers an "LDAP support" feature, and enterprises often use an LDAP server as their authentication source and data source. A common misconception, however, is that LDAP can be used to implement SSO. Let us first look at its main functions and scenarios:

When LDAP is used as a data source, data is synchronized through the LDAP Search and LDAP Modify operations. When it is used as an authentication source, authentication is performed through the LDAP Bind operation.

SSO, however, means accessing multiple applications with a single login (entering your account and password only once). It is essentially a B/S (browser/server) architecture: a browser is needed to realize SSO, whereas LDAP is better suited to C/S (client/server) logins, so SSO cannot be achieved through LDAP alone. The user must still enter the password again for each application; LDAP only provides unified management of users and passwords (i.e. it is the authentication source).

So LDAP may seem universal, but is it really suitable for every enterprise? Companies should first consider several questions:

Is the application or system being used based on C/S architecture?

Whether to use LDAP or an SSO system depends on whether the application you are connecting is B/S or C/S. A C/S application such as OpenVPN has no browser for login, so it cannot be connected through an SSO protocol (an LDAP extension is what Yu Fu uses for VPN, SSH, WiFi, etc.). LDAP is a product of an earlier era, designed for the typical C/S software architecture and for storing hierarchical directory data; its original design had no concept of SSO and essentially does not support the now-popular B/S architecture, which is why users have to enter their password repeatedly.

What directory are you going to use to implement LDAP? Open source versus commercial

There are many server options that implement the LDAP protocol, such as Active Directory, OpenLDAP, Apache Directory Studio, or commercial versions of the service. If the amount of stored information is large, or the availability and performance requirements are high, a commercial version is recommended.

Are you going to put your R&D effort into developing new features?

Once an enterprise has more than 50 staff, many new requirements appear, such as a self-service password service. Many LDAP servers do not provide these functions, so IT staff have to find corresponding solutions and implement them.

Is there someone to maintain it?

Rapid enterprise growth and organizational changes bring a lot of maintenance work, not to mention the long-term maintenance and upgrading of the servers themselves.

Do you need security and encryption?

When LDAP was invented, there was no concept of a token. In the protocol, the client sends the plaintext password to the server for authentication (the simple bind), which is very insecure in a modern enterprise deployment environment. In practice a simple bind therefore has to be carried over TLS (LDAPS or StartTLS) or replaced by a SASL mechanism; over a plain TCP connection the password is visible to anyone on the network path.

In addition, newer enterprise requirements such as compliance and data visualization are difficult for LDAP to meet. If all you need is a database-like hierarchical storage service, LDAP is good enough.

How does LDAP authorize?

LDAP holds user and role information and maintains relationships between users and roles.

I do not know the specific design of your authorization module. What we do is that LDAP holds user and role information and maintains the relationship between users and roles. Authorization is done in the application system: the application obtains the user and the user's corresponding roles from LDAP, and then authorizes the user according to those roles, for example the menus the user can access. Authorization is nothing more than a collection of resources; you can get these resources through the user or the user's roles, and how you use these permissions to control the user's operations is a matter of analyzing the specific case.

Related article: LDAP does not equal SSO