Reasons to store users' data in LDAP instead of RDBMS


Question

It is often said that using LDAP is a good way to store data about users. That's because users' "directory" is hierarchical and it changes rarely. But in my opinion that doesn't exclude using RDBMS. What might be reasons to use LDAP? I guess that storing multi-valued fields or adding custom fields in LDAP might be easier, but it can be done in a database too (unless you have many records).

Recommended answer

Interoperability, as has already been mentioned, is very much in LDAP's favour with some types of server software, although much of the software that integrates with LDAP requires a specific schema, so it's not necessarily as simple as just installing and configuring an LDAP service and off you go - you might need to add new elements in the schema for each app you want to interact with, and each application might have different limitations with regard to authentication (for example plain text password fields, password fields as MD5 or SHA hashes, etc).

A good LDAP service requires a fair bit of configuration knowledge, more so than creating a simple schema in a relational database. SQL DBs are still a fairly interoperable option and LDAP support is not as dominant as it once was. LDAP used to be the only option years ago, but many applications (like Apache) and operating systems (like Linux's PAM) can authenticate against SQL DBs like MySQL just as easily as LDAP servers, as it's all handled by drivers that abstract the interface.

Where LDAP really shines is scalability. If you specifically want a place to hold user accounts for authentication and want to scale to multiple replicated servers - and handle tens of thousands of authentication requests a second, LDAP is a great option.

It's not that modern RDBMSs don't scale, it's just that LDAP is (typically) even better at this because of the way it cascades replication through different tiers; particularly assuming you have a typical authentication database setup where it's mostly read-only with relatively few write operations, so you only need one-way replication with all writes coming from a single source of truth.

Really though, an LDAP server is something to consider if you have a specific need to do so, like a specific application you want to be able to interoperate with that only integrates with LDAP, or if you are building a highly scalable authentication system (e.g. for an ISP or for a super-scalable web application - where you plan on having more than a couple of servers dedicated just to authentication, and where they may be spread across the country or even across the globe).

The point someone has already made about having an LDAP front end on an RDBMS is a very good one. A few companies - including Oracle (who have a vested interest in RDBMSs, of course) - have products that do specifically that. If you don't want the overhead of managing an LDAP service, or if you just want to manage all your users in a DB you can create views/joins with, but think you might need an LDAP service later, then it's a good option. OpenLDAP also supports a shell back end which can take in data from any source, including an RDBMS; I've used it with MySQL and it works well, although it can be a little fiddly to set up the first time if you need to support a specific LDAP schema.

In summary, LDAP is great, but it's situation-specific to interoperability and extreme scalability. If you have limited resources to manage and support one, it might not be worth the hassle of supporting, but if you are planning services like UNIX-hosted POP/IMAP/SMTP or other third-party software integration then it's certainly worth doing (and may even be your only viable option).

Oh, and lastly, be wary of what LDAP server you use if you do decide to implement one! They are not all created equal and the differences between them (in terms of performance and ease of management & configuration) can be quite stark.

OpenLDAP is a pretty safe bet, scales well and is fairly easy to use. Some applications work best with / come with specific configuration files for a specific LDAP server (e.g. a lot of software on Solaris assumes you are using Sun ONE directory server) which you might not otherwise want to use - either because it doesn't perform as well, or is a pig to configure, isn't well supported, etc.
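As an added illustration of the multi-valued-attribute point raised in the question and the "manage all your users in a DB you can create views/joins with" option in the answer (example code, not part of the original post): a single LDIF user entry is parsed and loaded into a normalised relational schema, with one child table per multi-valued attribute. The LDIF entry, the table names and the group DN are constructed for this example; the parser handles the simple `attr: value` form only, not LDIF line folding or base64 (`::`) values.

```python
import sqlite3

# Constructed sample LDIF entry (not from the original post): one user whose
# mail and memberOf attributes each carry several values, as a directory would hold them.
SAMPLE_LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.com
mail: jane.doe@example.com
memberOf: cn=admins,ou=groups,dc=example,dc=com
memberOf: cn=staff,ou=groups,dc=example,dc=com
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    Every attribute becomes a list because LDAP attributes are multi-valued
    by definition; repeated 'mail:' lines simply append to the same list.
    Simplification: no line folding and no base64 ('::') values are handled."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    return entry


def load_into_rdbms(entry):
    """Store the same user relationally: single-valued attributes go in `users`,
    each multi-valued attribute gets its own child table keyed on uid
    (the normalised form of what LDAP stores as repeated attribute values)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(uid TEXT PRIMARY KEY, cn TEXT);
        CREATE TABLE user_mail(uid TEXT REFERENCES users(uid), mail TEXT, PRIMARY KEY(uid, mail));
        CREATE TABLE user_group(uid TEXT REFERENCES users(uid), group_dn TEXT, PRIMARY KEY(uid, group_dn));
    """)
    uid = entry["uid"][0]
    db.execute("INSERT INTO users VALUES (?, ?)", (uid, entry["cn"][0]))
    db.executemany("INSERT INTO user_mail VALUES (?, ?)", [(uid, m) for m in entry.get("mail", [])])
    db.executemany("INSERT INTO user_group VALUES (?, ?)", [(uid, g) for g in entry.get("memberOf", [])])
    return db


def mails_for_group(db, group_dn):
    """The kind of join an application would run against the DB: every mail
    address of every member of a group (an LDAP search on memberOf otherwise)."""
    rows = db.execute(
        "SELECT m.mail FROM user_group g JOIN user_mail m ON m.uid = g.uid "
        "WHERE g.group_dn = ? ORDER BY m.mail", (group_dn,)).fetchall()
    return [r[0] for r in rows]
```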
