Page 209 - Building Digital Libraries
CHAPTER 8
the term “LDAP” is often used to refer to directory services that can be queried with LDAP. Directory services are used to manage a wide array of objects, but for repository purposes, they can be thought of as specialized databases that are used for authentication and for storing information about users and groups.
LDAP can be relatively convenient and secure because it can maintain credentials centrally, outside of the repository. LDAP is commonly used for authentication—particularly for e-mail services and address books—and it is particularly useful as an authentication mechanism because it often reveals information about the user or the structure of the organization, thus allowing the assignment of role- or group-based permissions. Having said this, LDAP authentication often faces the following challenges:
• LDAP requires users to log in for each service separately, so they may be prompted for the same credentials multiple times for each additional service they access.
• Repository software often cannot leverage user attributes or organizational units in LDAP records for access control.
• If the library does not control the LDAP server:
  - Organizational units or attributes are defined differently than needed by the library.
  - Getting all necessary users included can become a political as well as a technical complication.
  - The LDAP server may contain individuals who should not have permissions, and these cannot be distinguished from those who should.
• If the repository is hosted, campus or organizational regulations may prohibit outside connections to the LDAP server.
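As an added illustration (not from the book) of the two points above about using LDAP attributes for access control and about directories that contain people who should not have repository permissions, the following Python derives repository roles from the organizational unit in a user's DN and from group membership, and refuses anyone outside an allowed group. The DNs, group names and role mapping are assumed, and the entries are constructed sample data standing in for LDAP search results.

```python
# Added example: map LDAP entry attributes to repository roles, and treat
# "can authenticate against the directory" as distinct from "is authorised".
# Group and OU names below are assumptions, not values from any real directory.
ALLOWED_GROUP = "cn=repository-users,ou=groups,dc=example,dc=edu"

# Hypothetical mapping from organizational unit / group to repository role.
ROLE_BY_OU = {"library": "curator", "faculty": "depositor"}
ROLE_BY_GROUP = {"cn=repository-admins,ou=groups,dc=example,dc=edu": "admin"}


def parse_dn(dn):
    """Split 'uid=jdoe,ou=library,dc=example,dc=edu' into (attr, value) pairs.
    Assumes no escaped commas inside values (sufficient for this sample)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def roles_for(entry):
    """Return the set of repository roles for one LDAP entry, or None when the
    user is not in ALLOWED_GROUP and therefore must not be authorised, even
    though the directory would happily verify their password."""
    groups = {g.lower() for g in entry.get("memberOf", [])}
    if ALLOWED_GROUP.lower() not in groups:
        return None
    roles = set()
    for attr, value in parse_dn(entry["dn"]):
        if attr == "ou" and value.lower() in ROLE_BY_OU:
            roles.add(ROLE_BY_OU[value.lower()])
    for group, role in ROLE_BY_GROUP.items():
        if group.lower() in groups:
            roles.add(role)
    return roles or {"reader"}


# Constructed sample entries standing in for LDAP search results.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=library,dc=example,dc=edu",
     "memberOf": [ALLOWED_GROUP, "cn=repository-admins,ou=groups,dc=example,dc=edu"]},
    {"dn": "uid=bob,ou=faculty,dc=example,dc=edu", "memberOf": [ALLOWED_GROUP]},
    {"dn": "uid=carol,ou=alumni,dc=example,dc=edu", "memberOf": []},  # valid login, no access
]


def authorise_all(entries):
    """Map uid -> roles (None means authenticated by LDAP but denied here)."""
    return {parse_dn(e["dn"])[0][1]: roles_for(e) for e in entries}


if __name__ == "__main__":
    for user, roles in authorise_all(SAMPLE_ENTRIES).items():
        print(user, sorted(roles) if roles is not None else "denied")
```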
Single Sign-On (SSO)
Many institutions support single sign-on (SSO) authentication—so named because the user only needs to log in once to access multiple systems. SSO is like “cloud computing” in that the term has no specific technical meaning. Rather, SSO refers to a property of how authentication systems can be used. A few of the most common SSO implementations are discussed in this section, but dozens are available as of this writing and can be found listed at https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations.
For example, a Shibboleth SSO might query Microsoft Active Directory services using the LDAP protocol to allow users to authenticate once in order to access multiple systems without being prompted for new credentials. Theoretically, SSO can be used to authenticate virtually anything, and Shibboleth can consult multiple authentication systems. In this example, SSO can only authenticate users in Active Directory. This means you still have to figure out how to authenticate users who are not in Active Directory,