ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button
Article:
  Demystifying LDAP
Subject:   LDAP is harder to program than using an ORM like Hibernate
Date:   2006-08-08 21:21:33
From:   ozgwei
I had to use LDAP in a Java project.


I found it pretty difficult to program with LDAP for the following reasons:
1) Not many tutorials, including this one, explains core concepts in depth, such as dn, cn, dc, etc... And I don't have the time to read the LDAP specification. So I tried by making mistakes. The project worked but the LDAP part of it was the most unsure bit I felt about it.


2) Not many good examples could be found showing how to program using LDAP for user management. I had to use the raw LDAP API.


3) From the object-oriented point of view, there is no abstraction layer, provided either by Sun or open source for user management using LDAP. Instead of working with a User object conforming to Java Bean specification, I had to work with Context, ModificationItem, SearchControls, Attribute, Attributes, BasicAttributes, NameParser, NamingEnumeration and many Exceptions. And, the javadoc from Sun expects the reader to be an LDAP expert. On the other hand, using an Object-Relationa Mapping (ORM) packages, such as Hibernate or the new Java Persistence API (JPA) is much more easier. Combining Hibernate and Spring, many DB access codes are just one-liners. (The application is likely to use Hibernate and/or Spring for data access anyway...)


4) The Java JNDI API has no rollback. It gave me a lot of headaches when a transaction failed, the database rolled back except JNDI.


5) About the security, LDAP can protect data stored in the LDAP server. However, it cannot protect data in your applications. Developers need to consult LDAP before granting access in the applications. Acegi Security, on the other hand, can handle complex access control, even over domain objects or enquiry results, without writing a line of programs.


So in short, if the user management is pretty standard, with limited number of users and manually managed by a sysadmin, it's OK to use LDAP for user management.


However, if you have tens of thousands of users, and you want fine management over users, allowing help desks to manage users instead of asking sysadmin, you should use the database solution, preferrably with an ORM package.


Above is my personal experience and feeling towards LDAP with my limited knowledge about LDAP.


Perhaps, more efforts should be made for developers to understand LDAP more easily and program with LDAP more efficiently... I'd like to see an abstraction over LDAP for user management that suffices most user management needs with extension points to customise to each organisation's needs...


Just my 2 cents.


1 to 1 of 1
  1. LDAP made easier
    2006-08-09 07:40:30  mentata [View]

1 to 1 of 1