In terms of comparing a directory service and an RDBMS, well, yes, you're right. No real difference other than how the data is accessed. Also, if you take into account virtual directory and metadirectory products, well, is there really any line between the two anymore?
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Ströder
Sent: Sunday, June 06, 2010 6:56 AM
To: [email protected]
Subject: [ldap] Re: Bank account information

Peter Brooks wrote:
> On 4 June 2010 17:44, Mark H. Wood <[email protected]> wrote:
>>
>> I imagine that some of the resistance to this idea rests on
>> assumptions. Of *course* your directory is exposed to the entire
>> universe: it's a *directory*. The idea of a hidden directory service
>> seems strange to me, while the idea of a private DBMS instance
>> doesn't. I would no more put my banking information in a directory
>> server than I would spray it on the walls of my house, in part simply
>> because of the way I think about directory services. But you can
>> probably make it secure, if that's what you want to do.
>>
> A hidden directory makes no sense, but a directory with hidden fields does.

Come on! Of course there are "hidden" directory services out there.

On a very small scale my private address book is stored in an LDAP directory together with a few bank account numbers. And of course this isn't reachable by any outside component (bound to 127.0.0.1 and a Unix domain socket, firewalling in place).

On a larger scale there are various software products which use LDAP-based directory services for storing proprietary user profile data.

Regarding security there's simply no difference between RDBMS and directory service deployments. For each directory service you *must* also carefully think about which data to serve to which clients. I can't take anyone seriously who doesn't, and who's arguing that there is a general difference in security considerations.

> A company might have an LDAP directory of all employees - everybody in
> the company should be able to access name, extension and, maybe,
> department, but only HR should be able to access address and next of
> kin (for some reason only HR are deemed responsible enough not to
> become stalkers when they have access to people's addresses, but
> that's a different point).

In the companies for whom I did consulting, HR data (partially used as a source for syncing) was usually kept in physically separate databases behind firewalls. Whether these are technically directory services or RDBMSs is completely irrelevant regarding security aspects. It's a matter of what the HR software supports.

Ciao, Michael.
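The two measures Michael describes (a directory reachable only over loopback and a local socket, and per-attribute decisions about which data is served to which client, such as the HR-only address example) map directly onto OpenLDAP configuration. The fragment below is an added illustration written for this page, not configuration posted by anyone in the thread; the suffix dc=example,dc=com, the group cn=hr,ou=groups,dc=example,dc=com and the attribute choices are assumptions for the sake of the example.

```conf
# Added example (not from the thread): an OpenLDAP slapd.conf fragment
# implementing the two measures described above. All DNs below
# (dc=example,dc=com, cn=hr,ou=groups,...) are hypothetical placeholders.
#
# 1. Reachability: the listener set is a slapd start-up option, not a
#    slapd.conf directive. Binding only to loopback and the local ldapi
#    socket means no remote host can open a connection at all:
#
#    slapd -h "ldap://127.0.0.1:389/ ldapi:///"
#
# 2. Which data is served to which client: slapd evaluates "access to"
#    clauses in order and stops at the first clause whose target matches
#    the attribute, so the sensitive attributes must be listed before the
#    catch-all "access to *" at the end. Without any access directives
#    slapd's default is "access to * by * read", i.e. everything is
#    readable by everyone who can connect.

# Passwords: the owner may change it, anyone may bind with it,
# nobody may read it back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Home address / private phone: readable by members of the HR group and
# by the entry's own owner, invisible to every other client.
access to attrs=homePostalAddress,homePhone
    by group.exact="cn=hr,ou=groups,dc=example,dc=com" read
    by self read
    by * none

# Company "phone book" attributes (name, extension, department):
# any authenticated user may read them.
access to attrs=cn,sn,telephoneNumber,ou,mail
    by users read
    by * none

# Everything else: authenticated users only; anonymous clients get
# nothing beyond the bind ("auth") access granted above.
access to *
    by users read
    by * none
```

To check the result without a client, slapacl evaluates the configured ACLs offline, e.g. `slapacl -b "uid=bob,ou=people,dc=example,dc=com" -D "uid=alice,ou=people,dc=example,dc=com" homePostalAddress/read` should report that the access is denied unless alice's DN is a member of the HR group; the same query with an HR member's DN in `-D` should be allowed. With the server running, an ldapsearch bound as a non-HR user simply returns the entry without the restricted attributes, which is the "directory with hidden fields" Peter describes.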
