Geoff Winkless <pgsqladmin@xxxxxxxx> writes:
> On Wed, 6 May 2020 at 00:05, Tim Cross <theophilusx@xxxxxxxxx> wrote:
>> Where Tom's solution fails is with smaller companies that cannot afford
>> this level of infrastructure.
>
> Is there an objection to openldap? It's lightweight (so could
> reasonably be run on the same hardware without significant impact),
> BSD-ish and mature, and (with the password policy overlay) should
> provide exactly the functionality the OP requested.
>

OpenLDAP is certainly the way I would go. However, for a number of reasons, smaller companies seem somewhat resistant to that level of integration. I suspect it is primarily because LDAP skills are less prevalent amongst admins in these areas.

Often, these companies don't really have a planned architecture - things have grown organically and got to the point where existing resources are fully allocated just trying to keep all the bits running. It can be hard to sell the idea, especially as those making the decisions are not across the issues and from where they sit, it all looks to be working and you're asking for more resources when it doesn't seem to be broken.

The IT guys often fail to sell the benefits because they focus on the technical aspects rather than on the business aspects. One client I helped had admins who had been trying to move everything over to a centralised LDAP solution for ages and failing. They had presented great justification for why it was needed, but it focused on the technical benefits rather than the business continuity, process improvement and security benefits. Once we put together a new business case which focused on improved processes for managing access, reduced security audit costs and improved security controls, they were sold and made the project a priority.

Based on additional info I saw from the OP and plans to roll out many databases, I think a centralised directory service approach is really their only saleable and maintainable solution.
In fact, they probably need to look at their overall identity management architecture. Failure to get that basic service correct will result in major support issue blow out as they increase their customer base.

--
Tim Cross