Best Practices for Writing LDAP Aware Apps?
Saqib Ali asks: "I am in the process of writing a web application that makes quite a lot of transactions with the LDAP server. I would like to find out what the best practices are for encrypting the traffic from the web application server to the LDAP server. I understand I have a few choices: SSL, TLS/SASL (supported by SunOne/OpenLDAP), and the traditional STUNNEL. Any ideas on the best way to provide encryption? What is the value of 'encrypting everything' and the cost of encryption (encryption is process intensive)? I would also like to locally cache the data I receive from the LDAP directory. Are there any solutions for doing that? Or should I just cache the data in a SQL database running locally on the WebApp server?"
Well, if they manage to break into the computer systems rooms and install taps on the wires unnoticed, then you can't trust your machines either, so encrypting is useless (they could replace your programs on the hard drives with trojaned copies that send a copy to them!!! omg!).
:-P
Good dose of paranoia = good...
Mental illness paranoia = not so good...
Daniel
Carpe Diem
I would also like to locally cache the data I receive from the LDAP directory. Are there any solutions for doing that? Or should I just cache the data in a SQL database running locally on the WebApp server?"
Caching locally in an SQL database is not going to be very efficient - as a general rule, LDAP reads are going to be faster than SQL reads. Caches are for speed, not reliability. If time on wire is your concern, run a local LDAP slave. For raw speed, use MLDBM or similar for your cache - you really can't get much faster without writing an application specific cache that sits in memory.
I forget what 8 was for.
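An added example, not code from the thread or from either poster: a small application-specific in-memory cache of the kind the reply above suggests, sitting in front of an LDAP search call. The `search` callable, the TTL value and the stand-in directory data are assumptions; in a real deployment the callable would wrap the LDAP client library's search.

```python
import time
from typing import Callable, Dict, Iterable, Tuple

SearchFn = Callable[[str, str, Tuple[str, ...]], list]

class LdapSearchCache:
    """In-memory cache of LDAP search results with a time-to-live.

    Keyed on (base DN, filter, requested attributes). The TTL bounds how long a
    stale entry (e.g. an account disabled in the directory) can still be served,
    so keep it short. Empty results are cached too, so repeated misses do not
    turn into repeated round trips to the directory server.
    """

    def __init__(self, search: SearchFn, ttl_seconds: float, clock=time.monotonic):
        self._search, self._ttl, self._clock = search, ttl_seconds, clock
        self._store: Dict[tuple, Tuple[float, list]] = {}
        self.hits = self.misses = 0

    @staticmethod
    def _key(base: str, filt: str, attrs: Iterable[str]) -> tuple:
        # Attribute names and DN attribute types are case-insensitive in LDAP, so
        # normalise them to avoid caching the same query twice. Lower-casing the
        # whole base DN is a simplification (assumed acceptable here): attribute
        # *values* in a DN may be case-sensitive depending on their syntax.
        return (base.strip().lower(), filt.strip(), tuple(sorted(a.lower() for a in attrs)))

    def search(self, base: str, filt: str, attrs: Iterable[str]) -> list:
        key, now = self._key(base, filt, attrs), self._clock()
        cached = self._store.get(key)
        if cached is not None and cached[0] > now:   # still within its TTL
            self.hits += 1
            return cached[1]
        self.misses += 1
        result = self._search(base, filt, key[2])
        self._store[key] = (now + self._ttl, result)
        return result

    def invalidate(self, base: str, filt: str, attrs: Iterable[str]) -> None:
        # Call this when the application itself changes the directory.
        self._store.pop(self._key(base, filt, attrs), None)

# Constructed stand-in for a real LDAP search; supports only "(attr=value)" filters.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "mail": ["alice@example.com"]},
}

def fake_ldap_search(base: str, filt: str, attrs: Tuple[str, ...]) -> list:
    attr, _, value = filt.strip("()").partition("=")
    return [(dn, {a: e[a] for a in attrs if a in e})
            for dn, e in FAKE_DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and value in e.get(attr.lower(), [])]
```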
Quote:
Unless you could secure the entire crossover cable, someone could still tap in the middle. My suggestion is to use encryption when the line is not physically contained.
End quote
In the case I was talking about, the machines are less than a metre apart and in a locked room. If somebody can get in there, there are worse things they can do than tap a cable.