> On second thought, I should answer with a little less snark, though I
> think this one attribute sums it up pretty well.
>

I enjoyed the first response but thanks for the follow-up.

> First, some committee sat around and tried to come up with all the
> things needed to describe a person, like license plates and pager
> numbers and who your secretary is. It's like it's custom built for
> handling the personnel records of IBM management. They made all this
> nonsense optional thankfully, but who's to say there aren't other
> attributes you need to store in your organization? Now you're off
> making your own schema. Adios interop!
>

I've found LDAP useful in simple situations and barely tolerable in big organizations for the reasons you highlighted. A lot of people have to justify their existence, and some can do it by managing a directory server. On the flip side, I recently used LDAP for a guest wireless application and saved us from having to rely on Active Directory (definitely not something I like, but some organizations think they need a directory system). I've tried to ponder how one might lobby managers in an organization not to go the "single sign on" route or use Active Directory (and AD-"like" solutions), but I'm always faced with the ... "it's easy and it works with everything" counterpoints (and no, it doesn't work with everything). I was hoping maybe some of you could shed light on approaches to solving the "how do I manage users across multiple operating systems and application domains" problem that faces a lot of organizations, but I imagine that's a question better asked on a different mailing list. That question is why I asked you about your decision earlier.

> Second, the file formats seem purpose designed to be incomprehensible.
>
> Third, just doing something as simple as putting a single user record
> into the db using ldapadd involved an insane amount of typing of magic
> incantations. This is not entirely the tool's fault, there's just so
> much "stuff" involved it bubbles up to the user whether they like it
> or not.
>

Yup, it's a bit of a mess, and nearly impossible to create good and powerful abstractions for admins when faced with so many permutations.

> On the whole, "infinite flexibility" is pretty much synonymous with
> "infinite complexity".
>

This is where I led myself to on the whole discussion of identity management in an enterprise.