![Page 1: Thorsten Butschke & Dr. Martin Dehn KOGIT Enterprise Identity Management GmbH](https://reader035.vdocuments.us/reader035/viewer/2022062314/5681454f550346895db22103/html5/thumbnails/1.jpg)
Directory Infrastructure Roadmap
Overcoming Fragmented Identities - Roadmap to a Reliable Directory Infrastructure
Thorsten Butschke & Dr. Martin Dehn, KOGIT Enterprise Identity Management GmbH
Agenda
• History of Directory Services
  – From X.500 to LDAP
  – Meta-Directory Approach
  – Virtual-Directory Approach
• Virtual Directory Use Cases
  – Application Integration
  – Simple Schema Mappings
  – Building a Virtual Tree
  – Virtualization of Multiple Identity Sources
  – Adding Intelligence Using Business Logic
• Maximizing Directory Infrastructure Performance
• Enhancing Reliability
• Vendor Overview
From X.500 to LDAP
A short introduction to directory services in IT infrastructures
Promises & Reality
Meta-Directory Approach
Diagram: four identity sources (UNIX NIS, SAP/HR, Lotus Notes, Microsoft ADS), each maintained by its own administrator (UNIX, SAP/HR, Notes, W2K), are synchronized into a Metadirectory Service that in turn serves the metadirectory administrator and the user.
The Objectclass Issue
• there is no single, universally implemented object class for person/user objects in LDAP directories
• each product family brings its own class: inetOrgPerson (RFC 2798; Netscape, Sun, OpenLDAP), ePerson (IBM), user (Microsoft Active Directory)
• how should LDAP clients be built to support this variety?
• what if you deploy a new application that needs an object class not defined in your enterprise directory?
The Namespace Issue
• various namespaces (tree layouts) are possible in directories
• there is no standard for the RDN (the naming attribute) of user objects
• again: how should LDAP clients be built to support this variety?
• what if you deploy a new application that needs a distinct RDN not used in your enterprise directory?
Overcome the Disadvantages of a Meta Directory with a Virtual Directory
Meta Directory
• the same data is stored twice
• synchronization takes a lot of time
  – an HR synchronization, for example, can take longer than 24 hours in large environments
  – clients get a snapshot of the past instead of live access to the data
Virtual Directory
• data is stored only once
• live (real-time) access to the data
• present the object class and RDN each application needs
Virtual Directory Approach
Diagram: clients (LDAP clients, J2EE applications, CA) query the Virtual Directory; connectors (JNDI / ADSI for directories, JDBC / ODBC / OLEDB for databases) reach the back-ends (directories, databases, applications); an optional LDAP directory is attached to the Virtual Directory for locally stored data.
Virtual Directory Workflow
Intranet Authentication (1) – Task Definition
• the intranet is a web portal
• authentication is done via an access manager
• the access manager stores the users in its own LDAP repository with its own LDAP schema
Intranet Authentication (2)
Diagram: the user requests content from the Portal; the Portal requests authentication from the Access Manager; the Access Manager queries the VDS, which passes user create, update and delete operations through to the Company Directory; the Access Manager returns its decision and the Portal delivers the content.
Intranet Authentication (3) – Problems
• the class name of the user object differs between the access manager and the company directory
• the access manager schema contains attributes that do not exist, or have a different name, in the company directory
• changing the schema of the company directory instead causes the typical problems:
  – breaking the existing installation and existing client applications
  – a lot of organizational discussion
Intranet Authentication (4) – Implementation (1)
• configure the access manager to use the VDS as its directory
• create static content inside the virtual directory
• extract the company directory schema
• map user objects from the company directory to the user object class of the access manager's schema
• map attribute names
• add
  – static attributes that do not exist in the company directory
  – dynamic attributes and values via scripts
• link the object class into the virtual tree
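The mapping steps above, carried through as one added example (this is not code from the slides or from any vendor's product). The company-directory entry is constructed; the access-manager side names (amUser, amLoginName, amUserId, amStatus, amFullName) are assumptions standing in for whatever the real access manager's schema uses. The mapping works in both directions so that the create/update operations the access manager sends are translated back into the company directory's schema, and it refuses writes to attributes the view computes itself:

```python
from typing import Callable, Dict, List, Set

# An LDAP entry as attribute name -> list of values.
Entry = Dict[str, List[str]]


class SchemaMapping:
    """Rewrites entries between the back-end schema and the virtual schema the
    client sees: renames object classes and attributes, adds static and scripted
    (dynamic) attributes, and hides attributes that must not leak."""

    def __init__(self, class_map: Dict[str, str], attr_map: Dict[str, str],
                 static_attrs: Entry,
                 dynamic_attrs: Dict[str, Callable[[Entry], List[str]]],
                 hidden_attrs: Set[str]) -> None:
        # LDAP attribute and object-class names are case-insensitive, so all
        # lookups go through lower-cased keys.
        self.class_map = {k.lower(): v for k, v in class_map.items()}
        self.class_map_back = {v.lower(): k for k, v in class_map.items()}
        self.attr_map = {k.lower(): v for k, v in attr_map.items()}
        self.attr_map_back = {v.lower(): k for k, v in attr_map.items()}
        self.static_attrs = static_attrs
        self.dynamic_attrs = dynamic_attrs
        self.hidden = {a.lower() for a in hidden_attrs}
        # Attributes the view computes itself: readable, never writable.
        self.computed = {a.lower() for a in (*static_attrs, *dynamic_attrs)}

    def to_virtual(self, backend_entry: Entry) -> Entry:
        """Back-end entry -> entry in the access manager's schema (read path)."""
        out: Entry = {}
        for name, values in backend_entry.items():
            key = name.lower()
            if key in self.hidden:
                continue  # e.g. userPassword: binds are proxied, hashes are never exposed
            if key == "objectclass":
                out["objectClass"] = [self.class_map.get(v.lower(), v) for v in values]
            else:
                out[self.attr_map.get(key, name)] = list(values)
        for name, values in self.static_attrs.items():
            out[name] = list(values)
        for name, script in self.dynamic_attrs.items():
            out[name] = script(backend_entry)
        return out

    def to_backend(self, virtual_entry: Entry) -> Entry:
        """Entry in the access manager's schema -> back-end entry (create/update path)."""
        out: Entry = {}
        for name, values in virtual_entry.items():
            key = name.lower()
            if key in self.computed:
                raise ValueError(f"{name} is computed by the view and is read-only")
            if key == "objectclass":
                out["objectClass"] = [self.class_map_back.get(v.lower(), v) for v in values]
            else:
                out[self.attr_map_back.get(key, name)] = list(values)
        return out


# Constructed sample entry as stored in the company directory (inetOrgPerson).
COMPANY_ENTRY: Entry = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "uid": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": ["jane.doe@mycompany.example"],
    "employeeNumber": ["4711"],
    "userPassword": ["{SSHA}constructed-hash-value"],
}

# Assumed access-manager schema (illustrative names only): class amUser with
# amLoginName, amUserId, a static amStatus and a scripted amFullName.
ACCESS_MANAGER_VIEW = SchemaMapping(
    class_map={"inetOrgPerson": "amUser"},
    attr_map={"uid": "amLoginName", "employeeNumber": "amUserId"},
    static_attrs={"amStatus": ["active"]},
    dynamic_attrs={"amFullName": lambda e: [f"{e['givenName'][0]} {e['sn'][0]}"]},
    hidden_attrs={"userPassword"},
)


def company_user_as_seen_by_access_manager() -> Entry:
    """What the access manager gets back when it searches the VDS for jdoe."""
    return ACCESS_MANAGER_VIEW.to_virtual(COMPANY_ENTRY)


if __name__ == "__main__":
    for attr, vals in company_user_as_seen_by_access_manager().items():
        print(f"{attr}: {', '.join(vals)}")
```

The hidden-attribute set is the part worth copying: the access manager authenticates by binding through the VDS, so the password hash of the company directory never needs to appear in the view, and a view that happens to expose it turns every read-only portal account into a hash-cracking target.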
Intranet Authentication (5) – Implementation (2)
Intranet Authentication (6) – Benefits
• no changes to organizational processes in the company directory
• no additional user-management processes in the access manager's LDAP directory
• fast implementation and configuration
  – only basic scripting skills necessary
• reuse of existing user data
  – no synchronization
Intranet Authorization (1) – Task Definition
• the intranet is a web portal
• authorization is done via group memberships in a directory
• there are several user directories
  – in different branches
  – from different vendors
Intranet Authorization (2) – Problems
• the portal software can only be connected to a single directory
• each directory uses its own schema
  – user objects: user (AD); inetOrgPerson (eDirectory, OpenLDAP)
  – group membership: the memberOf attribute on the user (AD); groupOfNames objects listing member DNs (eDirectory); posixGroup objects listing member names (OpenLDAP)
Intranet Authorization (3) – Implementation
• decide which schema to present to the portal software (AD in our case)
• map the object class names of all directories to the AD object class names
• map the attributes
• use scripts for complex mappings
  – in OpenLDAP a group membership is a name, in AD it is a DN
• link all directories into the virtual tree
Intranet Authorization (4)
• OpenLDAP: posixGroup cn=Marketing
• AD: group DN cn=Marketing,ou=groups,dc=mycompany
• script (OpenLDAP → AD): group = "cn=" + [posixGroup] + ",ou=groups,dc=mycompany"
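The name-to-DN script above, worked as an added example (not code from the slides or any vendor's product) and extended to the eDirectory groupOfNames case from the problem slide. The group container ou=groups,dc=mycompany is the slide's; the group entries are constructed. The point the slide's one-liner misses: a group name is an attribute value, and when it is pasted into a DN string it has to be escaped per RFC 4514, otherwise a name such as "Sales, EMEA" produces a DN the AD-schema side parses as something else, and the portal's group-based authorization silently stops matching:

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Group container of the target (AD-style) schema, as on the slide.
GROUP_BASE = "ou=groups,dc=mycompany"

# Constructed OpenLDAP posixGroup entries (membership = uid names).
POSIX_GROUPS: List[Entry] = [
    {"objectClass": ["posixGroup"], "cn": ["Marketing"], "gidNumber": ["2001"],
     "memberUid": ["jdoe", "asmith"]},
    {"objectClass": ["posixGroup"], "cn": ["Sales, EMEA"], "gidNumber": ["2002"],
     "memberUid": ["jdoe"]},
    {"objectClass": ["posixGroup"], "cn": ["Finance"], "gidNumber": ["2003"],
     "memberUid": ["bmiller"]},
]

# Constructed eDirectory groupOfNames entries (membership = user DNs).
GROUPS_OF_NAMES: List[Entry] = [
    {"objectClass": ["groupOfNames"], "cn": ["Marketing"],
     "member": ["cn=Jane Doe,ou=users,o=cz"]},
    {"objectClass": ["groupOfNames"], "cn": ["Finance"],
     "member": ["cn=Bob Miller,ou=users,o=cz"]},
]


def naive_group_dn(group_name: str) -> str:
    """The concatenation from the slide. Correct for 'Marketing', but a name
    containing , + " \\ < > or ; yields a DN that parses differently (or not
    at all) on the AD-schema side."""
    return "cn=" + group_name + "," + GROUP_BASE


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in a DN string (RFC 4514, section 2.4)."""
    escaped = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            escaped.append("\\" + ch)
        elif ch == "\x00":
            escaped.append("\\00")
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            escaped.append("\\" + ch)   # leading space/'#' and trailing space
        else:
            escaped.append(ch)
    return "".join(escaped)


def group_dn(group_name: str) -> str:
    """The slide's script, with the value escaped."""
    return f"cn={escape_rdn_value(group_name)},{GROUP_BASE}"


def member_of_from_posix(uid: str, groups: List[Entry]) -> List[str]:
    """AD-style memberOf values for one user, derived from posixGroup memberUid lists."""
    return [group_dn(g["cn"][0]) for g in groups if uid in g.get("memberUid", [])]


def member_of_from_group_of_names(user_dn: str, groups: List[Entry]) -> List[str]:
    """AD-style memberOf values for one user, derived from groupOfNames member DNs.
    The DN comparison is simplified to a case-insensitive string compare; a
    production mapper needs full DN normalization (distinguishedNameMatch)."""
    wanted = user_dn.lower()
    return [group_dn(g["cn"][0]) for g in groups
            if any(m.lower() == wanted for m in g.get("member", []))]


if __name__ == "__main__":
    print("naive :", naive_group_dn("Sales, EMEA"))
    print("escaped:", group_dn("Sales, EMEA"))
    print("jdoe memberOf:", member_of_from_posix("jdoe", POSIX_GROUPS))
```

Both memberOf builders work from the group side of the relationship, which is the actual shape of the problem: posixGroup and groupOfNames store membership on the group, AD's memberOf is a back-link on the user, so the interception script has to do a reverse lookup over the groups rather than a per-user attribute rename.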
Intranet Authorization (5)
Diagram of the virtual tree:
• Back-ends: AD (NL), AD (UK), OpenLDAP (SK), eDirectory (CZ), AD (DK), AD (DE)
• Schema mappings: inetOrgPerson renamed to user (eDirectory, OpenLDAP); groupOfNames renamed to group (eDirectory); posixGroup renamed to group (OpenLDAP)
• Virtual views under dc=extern,dc=mycompany: ou=de, ou=dk, ou=cz, ou=sk, ou=uk, ou=nl, each containing user and group entries
• IS = Interception Script (the scripts that implement the mappings between back-ends and virtual views)
Intranet Authorization (6) – Benefits
• no changes to organizational processes in the company directories
• fast implementation and configuration
  – only basic scripting skills necessary
• reuse of existing user data
  – no synchronization, no organizational changes
• products of different vendors can coexist
  – no migration necessary
Global Directory (1) – Task Definition
• a global directory is to be established
• the data is already available in various repositories
  – databases
  – directories
• a flat file is also a possible form of directory, e.g. an HR export
Global Directory (2)
Diagram: the sources to be consolidated are an LDAP directory, an Oracle database and a MySQL database.
Global Directory (3) – Problems
• the data has to be reachable via the LDAP protocol although it is stored behind different technologies (LDAP, CSV, SQL)
• consolidating the user data into one object is easy in the VDS if the UIDs are the same in every source
• a synchronization tool is necessary if the UIDs have a different syntax in each source
Global Directory (4) – Implementation (1)
• virtualization of flat files and databases
• link objects based on one attribute
Global Directory (5) – Link Based on Attribute
Diagram: the VDS view is built from an LDAP view, a MySQL view and an Oracle view, linked on the attribute "mail":
• LDAP:mail = Oracle:mail
• LDAP:mail = MySQL:mail
Global Directory (6) – Identity View
Global Directory (7) – Implementation (2)
• virtualization of flat files and databases
• create a database with an entry for each user
  – a unique id
  – links to each record of the person in the various sources
• in the virtual views of the sources, create an attribute, or transform an existing one, that matches the unique id from the database
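Both consolidation variants from the Global Directory slides, the attribute-based link (Global Directory (5)) and the correlation database with a unique id and per-source links (Global Directory (7)), as one added example; this is not code from the slides or from any vendor's product. The three source views are constructed dicts standing in for the LDAP, Oracle and MySQL views of the VDS, and the correlation table is constructed as well. The two cases a practitioner has to decide on are handled explicitly: a join key that matches more than one record is refused instead of merged (a wrong merge hands one person another person's attributes and, downstream, their group memberships), and a correlation link that no longer resolves is reported as out of sync rather than served as a partial identity:

```python
from typing import Dict, List, Optional

Record = Dict[str, str]

# Constructed source views. LDAP and Oracle share "mail" (in different letter
# case); MySQL only carries the personnel number, so it cannot be joined on mail.
LDAP_VIEW: List[Record] = [
    {"uid": "jdoe", "cn": "Jane Doe", "mail": "Jane.Doe@mycompany.example"},
    {"uid": "asmith", "cn": "Anna Smith", "mail": "anna.smith@mycompany.example"},
    {"uid": "bmiller", "cn": "Bob Miller", "mail": "bob.miller@mycompany.example"},
]
ORACLE_VIEW: List[Record] = [
    {"mail": "jane.doe@mycompany.example", "department": "Marketing", "costCenter": "CC-100"},
    {"mail": "ANNA.SMITH@mycompany.example", "department": "Sales", "costCenter": "CC-200"},
]
MYSQL_VIEW: List[Record] = [
    {"persno": "4711", "telephoneNumber": "+49 6151 000 1"},
    {"persno": "4712", "telephoneNumber": "+49 6151 000 2"},
]


def join_on_attribute(primary: List[Record], secondary: List[Record], attr: str) -> List[Record]:
    """Merge each primary record with the secondary record carrying the same
    value of `attr`. LDAP's mail attribute matches case-insensitively
    (caseIgnoreIA5Match), hence the lower-cased key. A key matching more than
    one secondary record is ambiguous and is refused, not merged."""
    index: Dict[str, List[Record]] = {}
    for rec in secondary:
        if attr in rec:
            index.setdefault(rec[attr].lower(), []).append(rec)
    joined: List[Record] = []
    for rec in primary:
        matches = index.get(rec[attr].lower(), [])
        if len(matches) > 1:
            raise ValueError(f"{attr}={rec[attr]!r} matches {len(matches)} records; refusing to merge")
        merged = dict(rec)
        if matches:
            for name, value in matches[0].items():
                merged.setdefault(name, value)  # the primary source wins on name clashes
        joined.append(merged)
    return joined


# Constructed correlation table (the slide's "database with an entry for each
# user"): one unique id per person with that person's key in each source.
CORRELATION: Dict[str, Dict[str, str]] = {
    "1001": {"ldap": "jdoe", "mysql": "4711"},
    "1002": {"ldap": "asmith", "mysql": "4712"},
    "1003": {"ldap": "bmiller", "mysql": "4799"},  # broken link: no such MySQL row
}
SOURCES = {"ldap": LDAP_VIEW, "mysql": MYSQL_VIEW}
SOURCE_KEY_ATTR = {"ldap": "uid", "mysql": "persno"}


def identity_view(unique_id: str) -> Optional[Record]:
    """Build one identity object from the records the correlation table links.
    Every link must resolve to exactly one record; anything else means the
    link table is out of sync with the source and needs re-synchronization
    (the slides' point: only the links are synchronized, never the data)."""
    links = CORRELATION.get(unique_id)
    if links is None:
        return None
    identity: Record = {"uniqueId": unique_id}
    for source, key in links.items():
        key_attr = SOURCE_KEY_ATTR[source]
        matches = [r for r in SOURCES[source] if r.get(key_attr) == key]
        if len(matches) != 1:
            raise LookupError(f"link {source}:{key_attr}={key} resolves to {len(matches)} records")
        for name, value in matches[0].items():
            identity.setdefault(name, value)
    return identity


def global_directory_by_mail() -> List[Record]:
    """The Global Directory (5) case: LDAP and Oracle linked on mail."""
    return join_on_attribute(LDAP_VIEW, ORACLE_VIEW, "mail")


if __name__ == "__main__":
    for person in global_directory_by_mail():
        print(person)
    print(identity_view("1001"))
```

Whatever attribute the join uses becomes an authorization-relevant key: if mailboxes are ever reassigned, the new holder of an address inherits the old holder's joined attributes, so the join attribute should be one the HR or directory process guarantees unique and stable, or the correlation-table variant should be used instead.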
Global Directory (8) – Creating a Unique ID
Global Directory (9) – Links to Sources
Global Directory (10) – Synchronization
Global Directory (11) – Identity View
Global Directory (12) – Benefits
• access via one single protocol
• consolidation of user data in one object
• synchronization only needs to synchronize the link, not the data
Maximizing Directory Infrastructure Performance
• use connection pools
  – connections to the sources (back-end)
  – connections from the client to the server (front-end)
• use caches
  – query and entry caches
  – memory cache
  – persistent cache (data saved on the hard disk)
  – cache refresh
    • triggered by a scheduler
    • triggered by a message bus
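The two cache-refresh triggers from the list, worked as an added example (not code from the slides or any vendor's product): a time-to-live stands in for the scheduled refresh and an explicit invalidation stands in for the message-bus trigger. The back-end is a dict, the bus message format {"event", "dn"} is an assumption, and the clock is injectable so the run is deterministic. The scenario shows why the bus trigger matters for a cache that sits in front of authentication data: an account disabled in the back-end keeps authenticating as "active" until either the entry expires or a change event evicts it:

```python
import time
from typing import Callable, Dict, Optional, Tuple

Entry = Dict[str, str]


class Backend:
    """Stand-in for a slow directory back-end; counts how often it is read."""

    def __init__(self, data: Dict[str, Entry]) -> None:
        self.data = data
        self.reads = 0

    def lookup(self, dn: str) -> Optional[Entry]:
        self.reads += 1
        entry = self.data.get(dn)
        return dict(entry) if entry is not None else None


class EntryCache:
    """Entry cache with two refresh paths: a time-to-live (what a scheduled
    refresh gives you) and explicit invalidation driven by change events
    (what a message bus gives you)."""

    def __init__(self, backend: Backend, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.backend = backend
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[float, Optional[Entry]]] = {}

    def get(self, dn: str) -> Optional[Entry]:
        now = self.clock()
        cached = self._entries.get(dn)
        if cached is not None and now - cached[0] < self.ttl:
            return cached[1]
        entry = self.backend.lookup(dn)
        self._entries[dn] = (now, entry)  # misses are cached too (negative cache)
        return entry

    def invalidate(self, dn: str) -> None:
        self._entries.pop(dn, None)

    def on_bus_message(self, message: Dict[str, str]) -> None:
        """Change notification as a provisioning system or the directory would
        publish it on the bus. The payload layout is an assumption."""
        if message.get("event") in ("add", "modify", "delete"):
            self.invalidate(message["dn"])


class FakeClock:
    """Deterministic clock so the scenario does not depend on wall time."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def scenario() -> Dict[str, object]:
    """Disable an account while its entry is cached and observe what the
    access manager sees before and after the bus invalidation."""
    dn = "uid=jdoe,ou=people,dc=mycompany"
    clock = FakeClock()
    backend = Backend({dn: {"uid": "jdoe", "accountStatus": "active"}})
    cache = EntryCache(backend, ttl_seconds=300, clock=clock)

    cache.get(dn)                                    # miss: 1st back-end read
    cache.get(dn)                                    # hit
    backend.data[dn]["accountStatus"] = "disabled"   # admin disables the account
    stale = cache.get(dn)["accountStatus"]           # still "active" from the cache
    cache.on_bus_message({"event": "modify", "dn": dn})
    fresh = cache.get(dn)["accountStatus"]           # "disabled": 2nd read
    clock.advance(301)                               # TTL expired
    cache.get(dn)                                    # scheduled-style refresh: 3rd read
    return {"stale_status": stale, "fresh_status": fresh, "backend_reads": backend.reads}


if __name__ == "__main__":
    print(scenario())
```

Two practical consequences follow from the stale window the scenario exposes: the TTL of an entry cache in front of an access manager bounds how long a disabled or locked account keeps working, so it should be chosen against that requirement rather than against back-end load alone, and a persistent (on-disk) cache needs the same invalidation path, or it will hand out the snapshot again after a restart.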
Enhancing Reliability Through LDAP Routers
• provide failover functionality
• provide load-balancing functionality
• available as
  – software
  – hardware
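Failover and load balancing as an LDAP router does them, as an added example (not code from the slides or any vendor's product). The three back-ends are constructed stand-ins for directory replicas; the cool-down period before a failed back-end is retried is an assumption. The scenario traces a replica failing, recovering, and being admitted back into rotation, plus the case where nothing is left to route to:

```python
from typing import Callable, Dict, List


class BackendDown(Exception):
    """Raised when a back-end cannot serve a request."""


class FakeDirectory:
    """Stand-in for one directory server behind the router (constructed)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.up = True
        self.served = 0

    def search(self, base: str) -> str:
        if not self.up:
            raise BackendDown(self.name)
        self.served += 1
        return self.name  # which replica answered


class LdapRouter:
    """Round-robin load balancing with failover: a back-end that fails is taken
    out of rotation for `retry_after` seconds, then tried again."""

    def __init__(self, backends: List[FakeDirectory], retry_after: float,
                 clock: Callable[[], float]) -> None:
        self.backends = backends
        self.retry_after = retry_after
        self.clock = clock
        self._next = 0
        self._down_until: Dict[str, float] = {}

    def _candidates(self) -> List[FakeDirectory]:
        """All back-ends in round-robin order, minus those still cooling down."""
        now = self.clock()
        order = self.backends[self._next:] + self.backends[:self._next]
        self._next = (self._next + 1) % len(self.backends)
        return [b for b in order if self._down_until.get(b.name, 0.0) <= now]

    def search(self, base: str) -> str:
        for backend in self._candidates():
            try:
                return backend.search(base)
            except BackendDown:
                # Failover: mark it down and try the next candidate.
                self._down_until[backend.name] = self.clock() + self.retry_after
        raise BackendDown("no back-end available")


def scenario() -> Dict[str, object]:
    """Three replicas; one fails, recovers, and is readmitted after cool-down."""
    now = [0.0]  # controllable clock for a deterministic run
    ad1, ad2, ad3 = FakeDirectory("ad1"), FakeDirectory("ad2"), FakeDirectory("ad3")
    router = LdapRouter([ad1, ad2, ad3], retry_after=30.0, clock=lambda: now[0])
    base = "dc=mycompany"

    first_round = [router.search(base) for _ in range(3)]
    ad2.up = False                                            # ad2 stops answering
    after_failure = [router.search(base) for _ in range(3)]   # ad2 fails over to ad3
    ad2.up = True                                             # back, but still cooling down
    during_cooldown = [router.search(base) for _ in range(3)]
    now[0] += 31.0                                            # cool-down over
    after_cooldown = [router.search(base) for _ in range(3)]
    for b in (ad1, ad2, ad3):
        b.up = False
    try:
        router.search(base)
        all_down_raises = False
    except BackendDown:
        all_down_raises = True
    return {"first_round": first_round, "after_failure": after_failure,
            "during_cooldown": during_cooldown, "after_cooldown": after_cooldown,
            "all_down_raises": all_down_raises}


if __name__ == "__main__":
    print(scenario())
```

Failover is only as safe as the equivalence of the replicas behind it: a router that silently moves an access manager onto a replica with lagging replication or different ACLs can re-enable an account that was just disabled on the primary, so the back-ends in one routing group must be true peers, and the health check should exercise the same bind the clients use rather than a plain TCP connect.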
LDAP Routing and Caching – VDS VMware Image
Diagram: User → Portal → Access Manager → Router → VDS. Inside the VDS, several router instances sit in front of a cache that is refreshed via JMS; the back-ends are AD1/AD2, AD, NDS and OpenLDAP. The numbered arrows (1 to 11) trace one request from the user through the router instances and the cache to the back-ends and back.
MaXware Virtual Directory
• supported protocols: LDAP, DSMLv2, SPML, transformation API for inbound protocols
• supported back-ends: JNDI, JDBC, Java Adapter API
• caches: in-memory cache
• scripting languages: Java (adapter), XML (configuration)
• supported platforms: Java application
• other features: software load balancing, GUI oriented
Oracle Virtual Directory (formerly Octet String)
• supported protocols: LDAP, SQL, DSML, XSLT
• supported back-ends: LDAP, NT, database, local store, Java API for adapters
• persistence: local data store
• caches: in-memory cache
• scripting languages: Python (transformations) and Java (adapter, routing)
• supported platforms: Java application
• other features: routing rules, load balancing, code oriented (embedded in Eclipse)
Symlabs
• supported protocols: LDAP, SOAP, RADIUS, SNMP, SIP
• supported back-ends: LDAP, SQL, RADIUS, SNMP, SIP, SOAP
• persistence: memory, database
• scripting languages: proprietary scripting language (DirectoryScript)
• supported platforms: AIX, HP-UX, Linux, Solaris >8 (SPARC and Intel x86), Windows
• other features: written in C
Radiant Logic
• supported protocols: LDAP, DSML 2.0, HTTP/SOAP, SAML 1.1 and SPML 1.1
• supported back-ends: LDAP, ADSI and JDBC; Java API for custom connectors
• persistence: memory, local store
• caches: query and entry cache, persistent cache, memory cache
• scripting languages: dynamic Java (scripts), Java (adapter)
• supported platforms: Java application
• other features: optional synchronization services, software LDAP router and load balancer, GUI oriented
Penrose (Open Source)
• reuses the Apache Directory Server
• worth a look
• excellent use-case documentation
• reuses Eclipse
Questions?