Pros and cons of various Consent storage methods

Peter Schober peter.schober at
Fri Apr 26 10:45:56 EDT 2019

* Mark McCoy <Mark.McCoy at> [2019-04-26 16:34]:
> Have there been any thoughts around adding a write-back capability
> to the LDAP attribute store so that the consent records could be
> stored in an LDAP in a single multivalued attribute?

In some (or all) configurations more than the mere evidence that
person A consented to attributes being released to service X will be
stored, usually also involving the attribute names (or internal
replacement ids) but sometimes also involving (hashes of) the values.
That may all still fit into an ordinary LDAP attribute value, but data
size is something to keep in mind. (And of course no other service has
any use for that data, lessening the benefits of storing that
particular application-specific data within the directory service.)

Other than that, many deployers of proprietary LDAP directory services
are not willing or able to extend their schemas for their own data
(though some misuse unused default attributes for completely different
data, e.g. the infamous "Favorite Drink" attribute in MS-AD).

And many deployers of LDAP directory services do not provide write
access to their LDAP clients, which makes LDAP server clustering easy
because you only deal with read-only requests, I guess.

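As an added illustration (not code from this thread, and not the consent storage of any particular IdP), here is the kind of per-(person, service) consent record the reply describes: the service id, the released attribute names, and hashes of the values instead of the values themselves, so a later release with changed values no longer matches and triggers re-consent. The record layout, the hashing scheme, the sample attributes and the size budget are all my own assumptions chosen to show why record size per user matters if everything is to go into one multivalued LDAP attribute.

```python
"""Illustrative consent records with hashed attribute values (assumed layout)."""
import hashlib
import json


def value_hash(values):
    """Hash the sorted attribute values, NUL-separated, so the record reveals
    nothing about the values but still changes when any value changes.
    (Assumption: the real IdP's hashing may differ.)"""
    h = hashlib.sha256()
    for v in sorted(values):
        h.update(v.encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()


def build_consent(principal, service, released):
    """released maps attribute name -> list of values released to `service`."""
    return {
        "principal": principal,
        "service": service,
        "attributes": {name: value_hash(vals) for name, vals in released.items()},
    }


def consent_covers(record, service, released):
    """True if an existing record covers this release: same service, every
    attribute already consented to, and values unchanged since consent."""
    if record["service"] != service:
        return False
    attrs = record["attributes"]
    return all(
        name in attrs and attrs[name] == value_hash(vals)
        for name, vals in released.items()
    )


def serialized_size(record):
    """Bytes needed to store the record as compact JSON (one LDAP attribute value)."""
    data = json.dumps(record, separators=(",", ":"), sort_keys=True)
    return len(data.encode("utf-8"))


def fits_budget(records, budget_bytes):
    """Would all of one person's consent records fit within an assumed size budget?"""
    return sum(serialized_size(r) for r in records) <= budget_bytes


# Constructed sample data (not from the thread).
RELEASE_V1 = {
    "mail": ["alice@example.org"],
    "eduPersonAffiliation": ["staff", "member"],
}
RELEASE_V2 = {
    "mail": ["alice.new@example.org"],            # value changed
    "eduPersonAffiliation": ["member", "staff"],  # same values, different order
}
RECORD = build_consent("alice", "https://sp.example.org/shibboleth", RELEASE_V1)

if __name__ == "__main__":
    print(json.dumps(RECORD, indent=2))
    print("covers v1:", consent_covers(RECORD, "https://sp.example.org/shibboleth", RELEASE_V1))
    print("covers v2:", consent_covers(RECORD, "https://sp.example.org/shibboleth", RELEASE_V2))
    print("bytes per record:", serialized_size(RECORD))
    # Assumed budget: 20 services' worth of records must stay under 4 KiB.
    many = [build_consent("alice", "https://sp%d.example.org" % i, RELEASE_V1) for i in range(20)]
    print("20 records fit in 4 KiB:", fits_budget(many, 4096))
```

Because the hash covers the sorted values, reordering the same multi-valued attribute does not invalidate consent, while any changed value does; the size function makes it easy to see how quickly one record per service adds up for a user who uses many services.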
