As an ops guy, I want to +1 the ssl and tls requirements for LDAP, especially to a domain controller, if you want to see adoption of this in enterprise Windows domains. We won't let anything connect, even read-only, to our domain with LDAP; we only allow LDAPS. And this is pretty much standard.
I agree. Getting into LDAP will open a can of worms, especially if the plan is to support Active Directory. There are a lot of RFCs on the subject of LDAP and Active Directory doesn't support them all.
If LDAP is the plan, though, there needs to be support for ssl and tls, at a minimum.
From: Jonathan Ellis [mailto:firstname.lastname@example.org]
Sent: November 12, 2009 11:11 AM
Subject: Re: Cassandra access control (was: bandwidth limiting Cassandra's replication and access control)
2009/11/12 Ted Zlatanov <email@example.com>:
> It sounds like JAAS is a bad idea. I'll use a modular auth system then,
> with two simple implementations (XML file and LDAP) at first. The XML
> file will hold account passwords (one-way hashed) and authorizations.
wouldn't it be simpler to just put the password hash in the keyspace definition?
it's less enterprise but if you need something sophisticated you're
probably going to use ldap anyway...