Directory Infrastructure Roadmap Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure - PowerPoint PPT Presentation


1
Directory Infrastructure Roadmap: Overcoming
Fragmented Identities - Roadmap to a Reliable
Directory Infrastructure
  • Thorsten Butschke, Dr. Martin Dehn
  • KOGIT Enterprise Identity Management GmbH

2
Agenda
  • History of Directory Services
  • From X.500 to LDAP
  • Meta-Directory Approach
  • Virtual-Directory Approach
  • Virtual Directory Use Cases
  • Application Integration
  • Simple Schema Mappings
  • Building a Virtual Tree
  • Virtualization of Multiple Identity Sources
  • Adding Intelligence Using Business Logic
  • Maximizing Directory Infrastructure Performance
  • Enhancing Reliability
  • Vendor Overview

3
From X.500 to LDAP
A short introduction to directory services in IT
infrastructures
[Table: Promises vs. Reality; body not preserved in
the transcript]
4
Meta-Directory Approach
[Diagram: meta-directory architecture with the
labelled elements Administrator and User]
5
The Objectclass Issue
  • there is no standard definition, at least for
    person/user objects, in LDAP directories
  • there are implementation-specific classes like
    inetOrgPerson (Netscape, Sun, OpenLDAP), ePerson
    (IBM), User (MS Active Directory)
  • how should LDAP clients be built to support this
    variety?
  • what if you deploy a new application which needs
    a type of object class not defined in your
    enterprise directory?

6
The Namespace Issue
  • various namespaces are possible in directories
  • there is no standard for the RDN (identifier) of
    user objects
  • again:
  • how should LDAP clients be built to support this
    variety?
  • what if you deploy a new application which needs
    a distinct RDN not defined in your enterprise
    directory?

7
Overcome the Disadvantages of a Meta Directory
with a Virtual Directory
  • Meta Directory
    • same data stored twice
    • synchronizations need a lot of time
      • could take longer than 24 hours in large
        environments, e.g. an HR synchronization
    • access to a snapshot of the past instead of
      live access to the data
  • Virtual Directory
    • data stored only once
    • live (real time) access to the data
    • prepare the object class and RDN you need!

8
Virtual Directory Approach
[Diagram: Clients (optionally through an LDAP
Directory) -> Virtual Directory -> Connectors:
J2EE CA -> Applications; JDBC / ODBC / OLEDB ->
Databases; JNDI / ADSI -> Directories]
9
Virtual Directory Workflow
10
Agenda

11
Intranet Authentication (1): Task Definition
  • the Intranet is a web portal
  • authentication is done via an access manager
  • the access manager stores the users in its own
    LDAP repository with its own LDAP schema

12
Intranet Authentication (2)
[Diagram with the labelled elements Portal, VDS and
User]
13
Intranet Authentication (3): Problems
  • the class name of the user object is different in
    the access manager and the company directory
  • the access manager schema contains attributes
    that do not exist or have a different name in the
    company directory
  • typical problems if you would like to change the
    schema of the company directory:
    • problems with existing installations and
      existing client applications
    • a lot of organizational discussions

14
Intranet Authentication (4): Implementation (1)
  • configure the access manager to use VDS as its
    directory
  • create static content inside the directory
  • extract the company directory schema
  • map user objects from the company directory to
    the user object of the access manager directory
    schema
  • map attribute names
  • add
    • static attributes that do not exist in the
      company directory
    • dynamic attributes and values via scripts
  • link the objectclass into the virtual tree

15
Intranet Authentication (5): Implementation (2)
16
Intranet Authentication (6): Benefits
  • no changes to organizational processes in the
    company directory
  • no additional user management processes in the
    access manager LDAP directory
  • fast implementation and configuration
  • only basic scripting skills necessary
  • reuse of existing user data
  • no synchronization

17
Intranet Authorization (1): Task Definition
  • the intranet is a web portal
  • the authorization is done via group memberships
    in a directory
  • there are several user directories
    • in different branches
    • from different vendors

18
Intranet Authorization (2): Problems
  • the portal software can only be connected to a
    single directory
  • each directory uses its own schema
    • objects
      • user (AD)
      • inetOrgPerson (eDirectory, OpenLDAP)
    • attributes
      • memberOf (AD)
      • groupOfNames (eDirectory)
      • posixGroup (OpenLDAP)

19
Intranet Authorization (3): Implementation
  • decide which schema you want to present to the
    portal software (AD in our case)
  • map the object names of all directories to the
    AD object name
  • map the attributes
    • use scripts for complex mappings
    • in OpenLDAP the group membership is a name, in
      AD it is a DN
  • link all directories into the virtual tree

20
Intranet Authorization (4)
  • OpenLDAP
    • posixGroup: Marketing
  • AD
    • group: cn=Marketing,ou=groups,dc=mycompany
  • Script
    • OpenLDAP -> group
    • cn=<posixGroup>,ou=groups,dc=mycompany
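The mapping script sketched on this slide, written out as an added example (not code from the deck or from any of the products it covers): the OpenLDAP group name becomes the AD-style memberOf DN, and the object class and attribute names are renamed as slide 19 describes. The group base, the attribute renames and the sample entries are assumptions; the RDN escaping is added so that a group name containing a comma cannot change the shape of the DN built by concatenation.

```python
"""Added example (not from the deck): the slide-20 script step that turns
OpenLDAP posixGroup membership (a name) into the AD-style memberOf DN the
portal expects, plus the object class / attribute renames from slide 19."""
from typing import Dict, List

# Constructed sample data. In OpenLDAP the membership is a name held on the
# group (memberUid); in AD it is a DN held on the user (memberOf).
OPENLDAP_USER = {
    "dn": "uid=jdoe,ou=people,dc=mycompany", "objectClass": ["inetOrgPerson"],
    "uid": ["jdoe"], "cn": ["John Doe"], "sn": ["Doe"], "mail": ["jdoe@mycompany.example"],
}
OPENLDAP_GROUPS = [
    {"cn": "Marketing", "objectClass": ["posixGroup"], "memberUid": ["jdoe", "asmith"]},
    {"cn": "Sales, EMEA", "objectClass": ["posixGroup"], "memberUid": ["asmith"]},
    {"cn": "Staff", "objectClass": ["posixGroup"], "memberUid": ["jdoe"]},
]
GROUP_BASE = "ou=groups,dc=mycompany"   # group container in the virtual tree (slide 20)
CLASS_MAP = {"inetOrgPerson": "user"}    # slide 19: map object names to the AD object name
ATTR_MAP = {"uid": "sAMAccountName", "cn": "displayName", "sn": "sn", "mail": "mail"}  # assumed


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a group name containing ',' or '+' cannot add
    extra RDN components to the DN the script builds by concatenation."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def posix_to_member_of(uid: str, groups: List[Dict]) -> List[str]:
    """Slide 20: OpenLDAP -> group, cn=<posixGroup>,ou=groups,dc=mycompany."""
    return [f"cn={escape_rdn_value(g['cn'])},{GROUP_BASE}"
            for g in groups if "posixGroup" in g["objectClass"] and uid in g["memberUid"]]


def to_ad_view(entry: Dict, groups: List[Dict]) -> Dict:
    """Build the AD-shaped virtual entry the portal reads from the VDS."""
    view = {"dn": entry["dn"],
            "objectClass": [CLASS_MAP.get(oc, oc) for oc in entry["objectClass"]]}
    for src, dst in ATTR_MAP.items():
        if src in entry:
            view[dst] = list(entry[src])
    view["memberOf"] = posix_to_member_of(entry["uid"][0], groups)
    return view
```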

21
Intranet Authorization (5)
22
Intranet Authorization (5): Benefits
  • no changes to organizational processes in the
    company directory
  • fast implementation and configuration
  • only basic scripting skills necessary
  • reuse of existing user data
  • no synchronization, no organizational changes
  • products of different vendors can coexist
  • no migration necessary

23
Global Directory (1): Task Definition
  • a global directory should be established
  • the data is already available in various
    directories:
    • databases
    • directories
    • flat files are also a possible form of
      directory
      • e.g. an HR export

24
Global Directory (2)
[Diagram with the labelled sources Oracle, MySql and
LDAP]
25
Global Directory (3): Problems
  • access to data held in different technologies
    (LDAP, CSV, SQL) through the LDAP protocol
  • consolidation of user data in one object can be
    done easily in the VDS if the UIDs are the same
    in each source
  • a synchronization tool is necessary if the UIDs
    have a different syntax in each source

26
Global Directory (4): Implementation (1)
  • virtualization of flat files and databases
  • link objects based on one attribute

27
Global Directory (5): Link Based on Attribute
[Diagram: the LDAP View, Oracle View and MySQL View
are joined into the VDS View; the records are linked
based on the attribute mail (LDAP mail = Oracle mail
= MySQL mail)]
28
Global Directory (6): Identity View
29
Global Directory (7): Implementation (2)
  • virtualization of flat files and databases
  • create a database with an entry for each user:
    • unique id
    • links to each record of the person in the
      various sources
  • create an attribute, or transform an existing
    attribute, to match the unique id from the
    database in the virtual views of the sources
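Both consolidation approaches from slides 25 to 29, as an added example that is not code from the deck or from any of the products it covers: joining the source views on a shared attribute (mail) where the identifiers agree, and a link database that maps a unique id to the person's record key in each source where they do not. The source layouts, the link database format and the sample records are assumptions.

```python
"""Added example (not from the deck): consolidating one identity from several
sources, either by joining on a shared attribute (slide 27, mail) or through a
link database holding a unique id plus the person's record key in each source
(slide 29, used when the UIDs differ in syntax per source)."""
from collections import defaultdict
from typing import Dict, Tuple

# Constructed sample views of three sources, as the VDS would expose them.
LDAP_VIEW = [{"uid": "jdoe", "cn": "John Doe", "mail": "jdoe@mycompany.example"},
             {"uid": "asmith", "cn": "Ann Smith", "mail": "asmith@mycompany.example"}]
ORACLE_VIEW = [{"EMPNO": 1001, "EMAIL": "jdoe@mycompany.example", "DEPT": "Marketing"},
               {"EMPNO": 1002, "EMAIL": "asmith@mycompany.example", "DEPT": "Sales"}]
MYSQL_VIEW = [{"id": 7, "email": "JDoe@MyCompany.example", "role": "editor"}]
# source name -> (rows, name of the linking attribute in that source)
SOURCES = {"LDAP": (LDAP_VIEW, "mail"), "Oracle": (ORACLE_VIEW, "EMAIL"),
           "MySQL": (MYSQL_VIEW, "email")}


def link_on_attribute(sources: Dict[str, Tuple[list, str]]) -> Dict[str, Dict[str, dict]]:
    """Slide 27: group records from all sources whose linking attribute matches.
    Mail addresses compare case-insensitively, so normalise before joining."""
    linked: Dict[str, Dict[str, dict]] = defaultdict(dict)
    for name, (rows, attr) in sources.items():
        for row in rows:
            linked[str(row[attr]).strip().lower()][name] = row
    return dict(linked)


# Slide 29: link database, one entry per user with a unique id and the key of
# that person's record in each source (assumed layout: source -> (key attr, key)).
LINK_DB = {"ID-0001": {"LDAP": ("uid", "jdoe"), "Oracle": ("EMPNO", 1001), "MySQL": ("id", 7)},
           "ID-0002": {"LDAP": ("uid", "asmith"), "Oracle": ("EMPNO", 1002)}}


def identity_view(unique_id: str, sources, link_db) -> Dict[str, object]:
    """Merge the linked records into one virtual entry. Attributes are prefixed
    with the source name (LDAP.mail, Oracle.EMAIL, ...) so clients can tell where
    each value came from and conflicting values are not silently overwritten."""
    view: Dict[str, object] = {"uniqueId": unique_id}
    for src, (key_attr, key) in link_db[unique_id].items():
        rows, _ = sources[src]
        hits = [r for r in rows if r.get(key_attr) == key]
        if len(hits) != 1:   # dangling or ambiguous link: the link sync is broken
            raise LookupError(f"{src} record {key_attr}={key!r} for {unique_id} not unique")
        for attr, value in hits[0].items():
            view[f"{src}.{attr}"] = value
    return view
```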

30
Global Directory (8): Creating a Unique ID
31
Global Directory (9): Links to Sources
32
Global Directory (10): Synchronization
33
Global Directory (11): Identity View
34
Global Directory (12): Benefits
  • access via one single protocol
  • consolidation of user data in one object
  • synchronization only needs to synchronize the
    link, not the data

35
Agenda

36
Maximizing Directory Infrastructure Performance
  • use connection pools
    • connections to the sources (back-end)
    • connections from the client to the server
      (front-end)
  • use caches
    • query entry caches
    • memory cache
    • persistent cache (save data on the hard disk)
  • cache refresh
    • triggered by a scheduler
    • triggered by a message bus

37
Enhancing Reliability Through LDAP Routers
  • provide failover functionality
  • provide load balancing functionality
  • available as
    • software
    • hardware

38
LDAP Routing and Caching
39
Agenda

40
MaXware Virtual Directory
  • supported protocols
    • LDAP, DSMLv2, SPML, transformation API for
      inbound protocols
  • supported back-ends
    • JNDI, JDBC, Java Adapter API
  • caches
    • in-memory cache
  • scripting languages
    • Java (adapter), XML (configuration)
  • supported platforms
    • Java application
  • other features
    • software load balancing
    • GUI oriented

41
Oracle Virtual Directory (formerly OctetString)
  • supported protocols
    • LDAP, SQL, DSML, XSLT
  • supported back-ends
    • LDAP, NT, database, local store, Java API for
      adapters
  • persistence
    • local data store
  • caches
    • in-memory cache
  • scripting languages
    • Python (transformations) and Java (adapter,
      routing)
  • supported platforms
    • Java application
  • other features

42
Symlabs
  • supported protocols
    • LDAP, SOAP, Radius, SNMP, SIP
  • supported back-ends
    • LDAP, SQL, Radius, SNMP, SIP, SOAP
  • persistence
    • memory
    • database
  • scripting languages
    • proprietary scripting language (DirectoryScript)
  • supported platforms
    • AIX, HP/UX, Linux, Solaris >8 (SPARC, Intel
      x86), Windows
  • other features
    • written in C

43
Radiant Logic
  • supported protocols
    • LDAP, DSML 2.0, HTTP/SOAP, SAML 1.1, and SPML
      1.1
  • supported back-ends
    • LDAP, ADSI, and JDBC; Java API for custom
      connectors
  • persistence
    • memory
    • local store
  • caches
    • query entry cache
    • persistent cache
    • memory cache
  • scripting languages
    • Dynamic Java (scripts), Java (adapter)
  • supported platforms

44
Penrose (Open Source)
  • reuses the Apache Directory Server
  • worth a look
  • excellent use cases documentation
  • reuse of ECLIPSE

45
Questions?