I would love to hear everyone's thoughts on this topic. A problem that we see for application developers is how to maintain integrity for their reporting systems after a termination. This is a common situation, but to review: if a user is terminated and their account in an application's database is removed, then any auditing or other reports against that user will fail. The common solution is to maintain the user account in the database, but to mark it as inactive.
As we move toward LDAP, this tends to not work so well. In general, I usually see LDAP entries *removed* when a termination occurs, so we have a reporting issue. How are people solving this? Some possible solutions may include:

* An application does not use LDAP at all and relies only on a database.
* Scramble an LDAP entry's userPassword so that it is essentially locked out. This is actually more secure (in a realistic sense) than hoping all of your applications across the entire enterprise use a filter such as (&(uid=%UID%)(orgIsActiveAccount=true)).
* An application maintains its own "mini" user table. So authentication, authorization, and user information use LDAP. But, an application maintains a user table that stores key info such as: uid, HR#, and, potentially, is-active.

In the third strategy, users are added to the application user table in one of two ways:

1. A provisioning system adds them to LDAP and the user table.
2. When a user logs into an app for the first time, it adds them to the user table.

What are your experiences with this? How do you handle terminations and their effects on reporting, auditing, orphaned user information, etc.?

---
Puryear Information Technology, LLC
Baton Rouge, LA * 225-706-8414
http://www.puryear-it.com
Author: "Best Practices for Managing Linux and UNIX Servers"
"Spam Fighting and Email Security in the 21st Century"
Download your free copies: http://www.puryear-it.com/publications.htm
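The third strategy from the post (a local "mini" user table populated on first login, with a reconciliation pass that marks users inactive rather than deleting them when their LDAP entry disappears), as an added example that is not part of the original message. The directory is a constructed in-memory dict standing in for LDAP, and the table and column names are assumptions.

```python
"""Strategy 3: the app keeps its own user table so audit reports keep a valid
owner after the LDAP entry is removed. Directory is a constructed stand-in."""
import sqlite3

# Constructed directory entries (uid -> attributes), playing the role of LDAP.
DIRECTORY = {
    "jdoe": {"employeeNumber": "HR-1001", "cn": "Jane Doe"},
    "bsmith": {"employeeNumber": "HR-1002", "cn": "Bob Smith"},
}

def open_db():
    """Local tables: users are never deleted, only flagged inactive."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE app_user (uid TEXT PRIMARY KEY, hr_number TEXT NOT NULL,
                               display_name TEXT, is_active INTEGER NOT NULL DEFAULT 1);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY,
                                uid TEXT NOT NULL REFERENCES app_user(uid),
                                action TEXT NOT NULL);
    """)
    return db

def login(db, directory, uid):
    """Authentication and user info come from the directory; on first login the
    user is provisioned into the local table (option 2 in the post)."""
    entry = directory.get(uid)
    if entry is None:
        return False  # no directory entry: a terminated user cannot log in
    db.execute("INSERT OR IGNORE INTO app_user(uid, hr_number, display_name) VALUES (?,?,?)",
               (uid, entry["employeeNumber"], entry["cn"]))
    db.execute("INSERT INTO audit_log(uid, action) VALUES (?, 'login')", (uid,))
    return True

def reconcile(db, directory):
    """Flag local users whose directory entry vanished as inactive instead of
    deleting them, so historical audit rows keep their owner. Returns those uids."""
    rows = db.execute("SELECT uid FROM app_user WHERE is_active = 1 ORDER BY uid").fetchall()
    gone = [uid for (uid,) in rows if uid not in directory]
    db.executemany("UPDATE app_user SET is_active = 0 WHERE uid = ?", [(u,) for u in gone])
    return gone

def audit_report(db):
    """Join audit events to the local table; still resolves terminated users.
    Returns (uid, hr_number, is_active, event_count) rows."""
    return db.execute("""
        SELECT a.uid, u.hr_number, u.is_active, COUNT(*) FROM audit_log a
        JOIN app_user u ON u.uid = a.uid GROUP BY a.uid ORDER BY a.uid""").fetchall()
```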
