Slashdot Mirror


Best Practices for Writing LDAP Aware Apps?

Saqib Ali asks: "I am in the process of writing a web application that makes quite a lot of transactions with the LDAP server. I would like to find out what the best practices are for encrypting the traffic from the web application server to the LDAP server. I understand I have a few choices: SSL, TLS/SASL (supported by SunOne/OpenLDAP), and the traditional STUNNEL. Any ideas on the best way to provide encryption? What is the value of 'encrypting everything' and the cost of encryption (encryption is process intensive)? I would also like to locally cache the data I receive from the LDAP directory. Are there any solutions for doing that? Or should I just cache the data in a SQL database running locally on the WebApp server?"
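
The two choices the question raises, negotiating TLS (and verifying the server certificate) before any bind sends credentials, and caching directory reads on the web application side, as an added example that is not part of the original post or of any project it names. The connection helper assumes python-ldap (imported only when that function is called, so the cache part runs without it); the example.org directory, the CA file path, the bind DN and the attribute names are constructed for illustration.

```python
"""Added example: StartTLS with certificate verification, plus a bounded TTL
cache for read-only LDAP lookups.  Not code from the Slashdot post."""
import time
from collections import OrderedDict
from typing import Callable, Dict, List, Optional, Tuple

# Attributes that must never be parked in an application-side cache.
SENSITIVE_ATTRS = frozenset({"userPassword", "unicodePwd", "sambaNTPassword"})


def connect_starttls(uri: str, ca_file: str, bind_dn: str, password: str):
    """Open an LDAP connection, upgrade it with StartTLS and verify the server
    certificate BEFORE the bind, so neither a simple bind password nor a SASL
    PLAIN exchange ever crosses the wire unencrypted.  Assumes python-ldap and
    a reachable server; `ca_file` is the CA that signed the server certificate.
    For LDAPS use an ldaps:// URI and drop the start_tls_s() call."""
    import ldap  # python-ldap, third-party (assumed to be installed)

    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    # Same effect as "TLS_REQCERT demand" in ldap.conf: refuse a server whose
    # certificate does not chain to ca_file (the weak setting would be NEVER).
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must be last: applies the options above
    conn.start_tls_s()            # raises on a failed upgrade or verification
    conn.simple_bind_s(bind_dn, password)
    return conn


# python-ldap search result shape: list of (dn, {attr: [values]})
Entry = List[Tuple[str, Dict[str, List[bytes]]]]
Fetch = Callable[[str, str, Optional[List[str]]], Entry]


class LdapReadCache:
    """Bounded LRU/TTL cache in front of a read-only search function.
    Positive results expire after `ttl` seconds (the window in which a disabled
    account or changed group is still honoured), empty results after the
    shorter `negative_ttl`, and sensitive attributes are stripped before
    storage so a memory dump of the web app yields no password hashes."""

    def __init__(self, fetch: Fetch, ttl: float = 300.0, negative_ttl: float = 30.0,
                 max_entries: int = 10_000, clock: Callable[[], float] = time.monotonic):
        self._fetch, self._ttl, self._negative_ttl = fetch, ttl, negative_ttl
        self._max, self._clock = max_entries, clock
        self._store: "OrderedDict[tuple, Tuple[float, Entry]]" = OrderedDict()
        self.hits = self.misses = 0

    @staticmethod
    def _scrub(entries: Entry) -> Entry:
        return [(dn, {k: v for k, v in attrs.items() if k not in SENSITIVE_ATTRS})
                for dn, attrs in entries]

    def search(self, base: str, flt: str, attrs: Optional[List[str]] = None) -> Entry:
        key = (base, flt, tuple(attrs or ()))
        now = self._clock()
        cached = self._store.get(key)
        if cached is not None and cached[0] > now:       # fresh hit
            self.hits += 1
            self._store.move_to_end(key)
            return cached[1]
        self.misses += 1
        result = self._scrub(self._fetch(base, flt, attrs))
        expiry = now + (self._ttl if result else self._negative_ttl)
        self._store[key] = (expiry, result)
        self._store.move_to_end(key)
        while len(self._store) > self._max:
            self._store.popitem(last=False)                # evict least recently used
        return result

    def invalidate(self, base: str, flt: str, attrs: Optional[List[str]] = None) -> None:
        self._store.pop((base, flt, tuple(attrs or ())), None)


def demo() -> Tuple[int, int, bool]:
    """Exercise the cache against a constructed in-memory directory (no server).
    Returns (directory fetches, cache hits, password attribute stripped?)."""
    base = "ou=people,dc=example,dc=org"                   # constructed sample data
    directory = {"uid=alice," + base: {"uid": [b"alice"], "mail": [b"alice@example.org"],
                                       "userPassword": [b"{SSHA}constructed"]}}
    calls: List[str] = []

    def fake_fetch(_base: str, flt: str, _attrs: Optional[List[str]]) -> Entry:
        calls.append(flt)                                  # each call = one directory round trip
        uid = flt.split("=")[1].rstrip(")").encode()
        return [(dn, a) for dn, a in directory.items() if a["uid"] == [uid]]

    now = [0.0]                                            # controllable clock, in seconds
    cache = LdapReadCache(fake_fetch, ttl=300, negative_ttl=30, clock=lambda: now[0])
    first = cache.search(base, "(uid=alice)")              # miss -> fetch 1
    cache.search(base, "(uid=alice)")                      # hit
    cache.search(base, "(uid=mallory)")                    # miss, empty -> fetch 2, negative-cached
    now[0] = 31.0
    cache.search(base, "(uid=mallory)")                    # negative entry expired -> fetch 3
    cache.search(base, "(uid=alice)")                      # still fresh -> hit
    now[0] = 301.0
    cache.search(base, "(uid=alice)")                      # positive entry expired -> fetch 4
    return len(calls), cache.hits, "userPassword" not in first[0][1]


if __name__ == "__main__":
    print(demo())
```

The cache key deliberately includes the base DN, filter and attribute list, so the same filter under two bases never collides, and `invalidate()` gives the application a hook for the one event a TTL cannot cover promptly (an account disabled by an administrator who wants it to take effect now). Choosing a SQL database on the web server instead of an in-process cache does not change the two rules above: bound the age of cached entries, and never store password attributes outside the directory.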


  1. Crossover connections? by Colitis · Score: 4, Interesting

    Where I work we avoided a lot of software complexity (and freed all but one machine from the CPU overhead of encryption) by putting extra NICs in the machines and running unencrypted over crossover cables.

    This obviously doesn't scale to large numbers of servers, but it's something to think about for a small implementation.

  2. Re:SSH tunnel, local replica by Kunta+Kinte · Score: 2, Interesting

    Fortunately, anything anyone is planning to do over LDAP (and particularly OpenLDAP) is extremely unlikely to be performance-critical.

    That is simply not true.

    I can give you tons of examples of OpenLDAP as *the* mission critical service. It takes care of all the virtual users on all services. IMAP, POP, PAM, HTTP auth, they all access the LDAP system for user authentication.

    OpenLDAP is one of the fastest and most reliable LDAP servers (or services, period) out there. I have replicas that sit there and do nothing because the masters *never* go down.

    On our campus OpenLDAP was much more reliable than the Netscape/iPlanet/SunOne server. We know this because we ran iPlanet for 2 years before making the upgrade.

    --
    Based on upvotes, Ageism is the only "-ism" Slashdotters care about and think isn't SJW