Hey there,
Important Notes
- Experimental - Early-stage project, APIs may change
- Read-only - No write operations yet
I think we should never allow write operations. LLM's are statistically plausible sentence generators, not intelligent beings with context and understanding.
There are already far too many cases where "LLM Agents" have destroyed peoples data and systems when given write access.
Given the critical nature of LDAP in many environments, I would be extremely against any kind of write functionality in this given the high risks associated.
If write access is to be developed, it should be feature gated behind a safety switch, and default to "false" (aka read-only by default).
- Privacy mode - Set LDAP_MCP_EXPOSE_SENSITIVE_DATA=false to anonymize output
Privacy should be the default IMO, especially given how LLMs may harvest data.
- Plain text passwords - Use restrictive file permissions on config files
Feedback
I'd love to hear your thoughts:
- What diagnostics would be most useful?
- What operations would you want AI assistance with?
Honestly? I don't think we should have MCP anywhere near 389-ds. I know that you will have worked a lot on this, and I'm sure there was a "business reason" your employer probably wanted you to implement this for.
But as I have said - LDAP is a high value, important, and critical piece of infrastructure in many environments. If LDAP stops - the business stops.
To have an MCP/LLM trying to "summarise and advise" about how one of the most critical pieces of software in an environment works seems like a recipe for disaster.
As a former sysadmin, I would not want MCP anywhere near systems. Systems require insight, understanding, and thought to manage. Systems do not need "statistically plausible sentence generators".
There are many ways we can make LDAP and 389-ds easier and more accessible to administrators, to assist them with understanding the state of their systems. But MCP/LLMs are not it.
GitHub: https://github.com/droideck/ldap-assistant-mcp
Issues: https://github.com/droideck/ldap-assistant-mcp/issues
References:
- Model Context Protocol: https://modelcontextprotocol.io/introduction
- FastMCP: https://gofastmcp.com- lib389: https://pypi.org/project/lib389/
--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
No comments:
Post a Comment