Based on experience, saying that you shouldn't store that kind of information in a directory isn't really real-world. It's done often. Also, if you look at Web Access Management (WAM) products, they almost come out-of-the-box looking for details like that in a directory service.
As an example, I may configure a WAM solution to route a user with a business account # to one service and a consumer account # to another. Another good example is having the HR# in a directory service. Many people would consider that private information at the organizational level (even though it's commonly thrown around), and so that attribute is set to a need-to-know security level.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Peter Brooks
Sent: Saturday, June 05, 2010 10:51 PM
To: [email protected]
Subject: [ldap] Re: Bank account information

On 4 June 2010 17:44, Mark H. Wood <[email protected]> wrote:
>
> I imagine that some of the resistance to this idea rests on
> assumptions. Of *course* your directory is exposed to the entire
> universe: it's a *directory*. The idea of a hidden directory service
> seems strange to me, while the idea of a private DBMS instance
> doesn't. I would no more put my banking information in a directory
> server than I would spray it on the walls of my house, in part simply
> because of the way I think about directory services. But you can
> probably make it secure, if that's what you want to do.
>

A hidden directory makes no sense, but a directory with hidden fields does. A company might have an LDAP directory of all employees - everybody in the company should be able to access name, extension and, maybe, department, but only HR should be able to access address and next of kin (for some reason only HR are deemed responsible enough not to become stalkers when they have access to people's addresses, but that's a different point). Different levels of access to a directory make a lot of sense. Similarly with banking details, you need other people to know your bank, branch and account number so they can pay money to you, but only you should have access to the statement details.
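The "directory with hidden fields" described in the thread, as an added example rather than anything posted by the participants: an OpenLDAP cn=config access control list in which any authenticated user can read name, extension and department, but the HR number, home address and home phone are readable only by the person themselves and by members of an HR group. The suffix dc=example,dc=com, the database index {1}mdb and the group DN cn=hr,ou=groups,dc=example,dc=com are assumptions; employeeNumber, homePostalAddress and homePhone are standard inetOrgPerson attributes.

```ldif
# Added example, not from the thread. Assumes an OpenLDAP server with the
# cn=config backend, suffix dc=example,dc=com in olcDatabase={1}mdb, and
# an HR group at cn=hr,ou=groups,dc=example,dc=com (groupOfNames/member).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: owner may change, anyone may bind against, nobody may read.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Need-to-know attributes: HR may read and maintain them, the person may
# read their own, everyone else gets nothing. OpenLDAP uses the first "to"
# clause that matches the attribute, so this must precede the catch-all.
olcAccess: {1}to attrs=employeeNumber,homePostalAddress,homePhone
  by group.exact="cn=hr,ou=groups,dc=example,dc=com" write
  by self read
  by * none
# Everything else (cn, telephoneNumber, ou, mail, ...): readable by any
# authenticated user, invisible to anonymous binds.
olcAccess: {2}to *
  by users read
  by * none
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (needs root access to the server's ldapi socket). Before trusting the rules, check them offline with slapacl, which evaluates the ACLs without binding as anyone: `slapacl -b "uid=bob,ou=people,dc=example,dc=com" -D "uid=alice,ou=people,dc=example,dc=com" employeeNumber/read` should report DENIED for an ordinary user, ALLOWED when -D is a member of the HR group, and ALLOWED when -D is uid=bob himself. Two caveats a practitioner will hit: the order of the `to` clauses matters, since a `to *` placed first would silently grant `users read` on the HR attributes; and `group.exact` resolves membership against a groupOfNames `member` attribute, so a posixGroup or a group in another objectClass needs the `group/objectClass/attr` form instead.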
