In order to better understand when to use an LDAP proxy, here are two stories made successful thanks to an LDAP proxy deployment:
In the first scenario, an organization operates a partially public LDAP repository. On the intranet side, LDAP client requests are very limited (to a few technical users and administrators), and those clients can bypass the LDAP proxy. On the internet side, users need access to the repository from an LDAP browser, and their access rights depend on the credentials they have to provide. Here, the LDAP proxy enforces filtering and access control, much as a reverse HTTP proxy would in the Web world: the LDAP proxy requires clients to present an X.509 certificate, and different rules apply depending on its content. This offloads the LDAP back-ends from that task and makes them more secure by filtering out unwanted requests. Moreover, managing the access control ruleset on the LDAP back-end, while possible, would have been painful and less flexible:
since LDAP access control rules lack any standard specification, they are harder to move from one directory vendor to another, and they often do not replicate from one server to another, which makes it harder to keep them consistent.
In the second scenario, the LDAP proxy has been deployed on an intranet, for two main reasons:
- To hide the complexity of the data repositories (user data is spread across different SQL, LDIF, CSV or LDAP repositories, and the LDAP proxy stands between them and some client applications). This way, the applications only see the LDAP proxy, and they only need to talk LDAP. The proxy is in charge of dispatching the requests to the right data source and eliminates the need for synchronization between the back-end information systems.
- To ease data migrations and organizational changes: LDAP schemas sometimes change, organizations merge and information systems need reshaping. Modifying each application to take new requirements into account would require a lot of work and planning. Here, the LDAP proxy can act as a transformation and dispatch engine, hiding from the applications the changes in data organization across repositories, thus making them almost seamless.
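As an added illustration (not code from the original article or any particular proxy product), here is a small policy engine that shows both stories in one place: certificate-based authorization and attribute filtering from the first scenario, and base-DN routing with attribute renaming from the second. The certificate OUs, directory branches, back-end names and attribute mappings are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed sample policy: the certificate OUs, directory branches and
# back-end names below are assumptions, not taken from a real deployment.
@dataclass
class Decision:
    allowed: bool
    backend: str = ""
    attributes: list = field(default_factory=list)
    reason: str = ""

# Scenario 1: which subtree and attributes each client-certificate OU may read.
CERT_POLICY = {
    "Partners": {"bases": ["ou=people,dc=example,dc=com"],
                 "attrs": {"cn", "mail", "telephonenumber"}},
    "Staff": {"bases": ["dc=example,dc=com"],
              "attrs": {"cn", "mail", "telephonenumber", "title", "manager"}},
}
NEVER_EXPOSED = {"userpassword", "entryuuid"}  # stripped whatever the policy says

# Scenario 2: base-DN suffix -> (data source, LDAP attribute -> source column name)
ROUTES = {
    "ou=people,dc=example,dc=com": ("ldap-hr", {}),
    "ou=contacts,dc=example,dc=com": ("csv-crm", {"mail": "email_address"}),
    "dc=example,dc=com": ("ldap-main", {}),
}

def norm(dn):  # lower-case and strip RDN whitespace so suffix matching is reliable
    return ",".join(p.strip().lower() for p in dn.split(","))

def under(dn, base):
    return dn == base or dn.endswith("," + base)
def cert_ou(subject):  # OU of the client certificate subject DN, or None
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == "ou":
            return value.strip()
    return None

def proxy_decide(subject, base_dn, attributes=()):
    policy, base = CERT_POLICY.get(cert_ou(subject)), norm(base_dn)
    if policy is None:
        return Decision(False, reason="unknown certificate OU")
    if not any(under(base, b) for b in policy["bases"]):
        return Decision(False, reason="base DN outside permitted subtree")
    route = max((r for r in ROUTES if under(base, r)), key=len, default=None)
    if route is None:
        return Decision(False, reason="no back-end for base DN")
    backend, rename = ROUTES[route]  # longest suffix = most specific data source
    wanted = [a.lower() for a in attributes] or sorted(policy["attrs"])
    kept = [a for a in wanted if a in policy["attrs"] and a not in NEVER_EXPOSED]
    return Decision(True, backend, [rename.get(a, a) for a in kept], "ok")
```

A real proxy would take the subject from the TLS session rather than a string, but the decision flow (authorize, then route, then rewrite) is the same.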