Title: Directory Infrastructure Roadmap Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure
1Directory Infrastructure RoadmapOvercoming
Fragmented Identities - Roadmap to a Reliable
Directory Infrastructure
- Thorsten Butschke Dr. Martin Dehn
- KOGIT Enterprise Identity Management GmbH
2Agenda
- History of Directory Services
- From X.500 to LDAP
- Meta-Directory Approach
- Virtual-Directory Approach
- Virtual Directory Use Cases
- Application Integration
- Simple Schema Mappings
- Building a Virtual Tree
- Virtualization of Multiple Identity Sources
- Adding Intelligence Using Business Logic
- Maximizing Directory Infrastructure Performance
- Enhancing Reliability
- Vendor Overview
3From X.500 to LDAP
A short introduction to directory services in IT
infrastructures Promises Reality
4Meta-Directory Approach
Administrator
User
5The Objectclass Issue
- there is no standard definition for at least
person/user objects in LDAP directories - there are implementation-specific classes like
inetOrgPerson (Netscape, Sun, OpenLDAP) ePerson
(IBM), User (MS ActiveDirectory) - how should LDAP clients be built to support these
variety? - what if you deploy a new application which needs
a type of object class not defined in your
enterprise directory?
6The Namespace Issue
- various namespaces are possible in directories
- there is no standard for the RDN (identifier) of
user objects - AGAIN
- how should LDAP clients be built to support these
variety? - what if you deploy a new application which needs
a distinct RDN not defined in your enterprise
directory?
7Overcome the Disadvantages of a Meta Directory
with a Virtual Directory
- Meta Directory
- same data stored twice
- synchronizations need a lot of time
- could take longer than 24 hours in large
environments - e. g. a HR synchronization
- access to a snapshot of the past instead of live
access to the data - Virtual Directory
- data stored only once
- live (real time) access to the data
- Prepare the object class and RDN you need!
8Virtual Directory Approach
Clients
Optional LDAP Directory
Virtual Directory
Connector
Connectors
J2EE CA
JDBC / ODBC / OLEDB
JNDI / ADSI
Applications
Databases
Directories
9Virtual Directory Workflow
10Agenda
- History of Directory Services
- Meta-Directory Approach
- Virtual-Directory Approach
- Virtual Directory Use Cases
- Application Integration
- Simple Schema Mappings
- Building a Virtual Tree
- Virtualization of Multiple Identity Sources
- Adding Intelligence Using Business Logic
- Maximizing Directory Infrastructure Performance
- Enhancing Reliability
- Vendor Overview
11Intranet Authentification (1)Task Definition
- the Intranet is a web portal
- authentification is done via an access manager
- the access manager stores the users in its own
LDAP repository with its own LDAP schema
12Intranet Authentification (2)
Portal
VDS
User
13Intranet Authentification (3)Problems
- the class name of the user object is different in
the access manager and the company directory - the access manager schema contains attributes,
that do not exist or have a different name in the
company directory - typical problems if you would like to change the
schema of the company directory - problems with existing installation and existing
client applications - a lot of organizational discussions
14Intranet Authentification (4)Implementation (1)
- configure the access manager to use VDS as
directory - create static content inside the directory
- extract company directory schema
- map user objects from the company directory to
the user object of the access manager directory
schema - map attribute names
- add
- static attributes that do not exist in the
company directory - dynamic attributes and values via scripts
- link objectclass in the virtual tree
15Intranet Authentification (5)Implementation (2)
16Intranet Authentification (6)Benefits
- no changes of organizational processes in the
company directory - no additional user management processes in the
access manager LDAP directory - fast implementation and configuration
- only basic scripting skills necessary
- reuse of existing user data
- no synchronization
17Intranet Authorization (1)Task Definition
- the intranet is a web portal
- the authorization is done via group memberships
in a directory - there are several user directories
- in different branches
- from different vendors
18Intranet Authorization (2)Problems
- the portal software could only be connected to a
single directory - each directory uses its own schema
- objects
- user (AD)
- inetOrgPerson (eDirectory, OpenLDAP)
- attributes
- memberOf (AD)
- groupOfNames (eDirectory)
- posixGroup (OpenLDAP)
19Intranet Authorization (3)Implementation
- decide which schema you want to configure to the
portal software (AD in our case) - map the objectnames of all directories to the AD
objectname - map the attributes
- use scripts for complex mappings
- in OpenLDAP the group membership is a name, in AD
its a DN - link all directories into the virtual tree
20Intranet Authorization (4)
- OpenLDAP
- posixGroupMarketing
- AD
- groupcnMarketing,ougroups,dcmycompany
- Script
- OpenLDAP-gtgroup
- cn Possixgroup ,ougroups,dcmycompany
21Intranet Authorization (5)
22Intranet Authorization (5)Benefits
- no changes of organizational processes in the
company directory - fast implementation and configuration
- only basic scripting skills necessary
- reuse of existing user data
- no synchronization, no organizational changes
- products of different vendors can coexist
- no migration necessary
23Global Directory (1)Task Definition
- a global directory should be established
- data already available in various directories
- databases
- directories
- flat file is also a possible form of directory
- e. g. HR export
24Global Directory (2)
Oracle
MySql
LDAP
25Global Directory (3)Problems
- access to the data via different technologies
(LDAP, CSV, SQL) using the LDAP protocol - consolidation of user data in one object could be
done easily in the VDS if UIDs are the same in
each source - a synchronization tool is necessary if the UIDs
have a different syntax in each source
26Global Directory (4)Implementation (1)
- virtualization of flat files and databases
- link objects based on one attribute
27Global Directory (5)Link Based on Attribute
LDAP View
Oracle View
LDAPmail Oraclemail
MySQL View
LDAPmail MySQLmail
Linked based on attribute mail
28Global Directory (6)Identity View
29Global Directory (7)Implementation (2)
- virtualization of flat files and databases
- create a database with an entry for each user
- unique id
- links to each record of the person in the
various sources - create an attribute or transform an existing
attribute to match the unique id from the
database in the virtual views of the sources
30Global Directory (8)Creating a Unique ID
31Global Directory (9)Links to Sources
32Global Directory (10)Synchronization
33Global Directory (11)Identity View
34Global Directory (12)Benefits
- access via one single protocol
- consolidation of user data in one object
- synchronization only needs to synchronize the
link, not the data
35Agenda
- History of Directory Services
- Meta-Directory Approach
- Virtual-Directory Approach
- Virtual Directory Use Cases
- Application Integration
- Simple Schema Mappings
- Building a Virtual Tree
- Virtualization of Multiple Identity Sources
- Adding Intelligence Using Business Logic
- Maximizing Directory Infrastructure Performance
- Enhancing Reliability
- Vendor Overview
36Maximizing Directory Infrastructure Performance
- use connection pools
- connections to the sources (back-end)
- connections form the client to the server
(front-end) - use caches
- query entry caches
- memory cache
- persistent cache (save data on the hard disk)
- cache refresh
- triggered by a scheduler
- triggered by a message bus
37Enhancing Reliability Through LDAP Routers
- provide failover functionality
- provide load balancing functionality
- available as
- software
- hardware
38LDAP Routing and Caching
39Agenda
- History of Directory Services
- Meta-Directory Approach
- Virtual-Directory Approach
- Virtual Directory Use Cases
- Application Integration
- Simple Schema Mappings
- Building a Virtual Tree
- Virtualization of Multiple Identity Sources
- Adding Intelligence Using Business Logic
- Maximizing Directory Infrastructure Performance
- Enhancing Reliability
- Vendor Overview
40MaXware Virtual Directory
- supported protocols
- LDAP, DSMLv2, SPML, transformation API for
inbound protocols - supported back-ends
- JNDI, JDBC, Java Adapter API
- caches
- in memory cache
- scripting languages
- Java (adapter), XML (configuration)
- supported platforms
- Java application
- other features
- software load balancing
- GUI oriented
41Oracle Virtual Directory(Former Octet String)
- supported protocols
- LDAP, SQL, DSML, XSLT
- supported back-ends
- LDAP, NT, database, local store, Java API for
adapters - persistence
- local data store
- caches
- in memory cache
- scripting languages
- Python (transformations) and Java (adapter,
routing) - supported platforms
- Java Application
- Other features
42Symlabs
- supported protocols
- LDAP, SOAP, Radius, SNMP, SIP
- supported back-ends
- LDAP, SQL, Radius, SNMP, SIP, SOAP
- persistent
- memory
- database
- scripting languages
- proprietary scripting language (DirectoryScript)
- supported platforms
- AIX, HP/UX, Linux, Solaris gt8 (Sparc Intel
x86), Windows - other features
- written in C
43Radiant Logic
- supported protocols
- LDAP, DSML 2.0, HTTP/ SOAP, SAML 1.1, and SPML
1.1 - supported back-ends
- LDAP, ADSI, and JDBC. Java API for custom
connectors - persistent
- memory
- local store
- caches
- query entry cache
- persistence cache
- memory cache
- scripting languages
- Dynamic Java (scripts), Java (adapter)
- supported platforms
44Penrose (Open Source)
- reuses the Apache Directory Server
- worth a look
- excellent use cases documentation
- reuse of ECLIPSE
45Questions ?