[dsml-comment] Considerations re SOAP/DSML vs LDAP inauthentication/identity context

[Larry Talley <larry_talley@admin.state.ak.us>]

My organization is developing a new extranet identity service based on our
LDAP directory.  We have internal client agencies who will write web
applications that use our identity service to verify the identity of
incoming customers and access a customer "object" with additional
attributes.

We understand how to do that using LDAP and have a number of client agencies
who already use LDAP in this way against our intranet directory; it won't be
much of a leap for them to use the same methodology for our new extranet
identity service.  But we believe that there are some client agencies
without expertise in LDAP protocols and APIs that may be interested in using
our extranet identity service if they could "consume" the service through a
simpler API, or perhaps more accurately, through an API that was
sufficiently "packaged" in their favorite integrated development
environment.

I see that there is not a DSML equivalent of the Bind operation, and that
authentication is proposed via HTTP 1.1 authentication mechanisms.  Is it
reasonable to expect that a .NET developer will find it easier to "consume"
a SOAP service that uses HTTP authentication, and SOAP/DSML to get an
identify "object", than for that same .NET developer to use ADSI or some
other API to do the same thing via LDAP?  Of course the same question
applies to a Cold Fusion developer, etc.

My underlying question is, should we invest in training our web developers
in LDAP APIs, or, since most web developers just want authentication and a
customer "object", is SOAP/DSML going to make it enough easier that we
should hold off on LDAP API training and invest in implementing those easier
mechanisms?

Thanks in advance for any advice!

Larry Talley
Information Technology Group
State of Alaska