
Message from corey.pedersen@utah.edu

Our IAM program has promoted the use of a Virtual Directory Server (VDS) as a focal point for our Identity Services.  This would be utilized to virtualize data from our enterprise systems and aggregate access to our other directories and AD. 

 

I was hoping that some of you could comment on your successes or failures utilizing a VDS in this manner.  What kind of performance have you encountered?  Ease (or otherwise) of use, etc.

 

If you wish to comment on particular vendors and do not feel comfortable doing so in this open forum, please send me your comments directly; I will be sensitive about their access.

 

Thanks in advance for your help,

                Corey

 

Corey D. Pedersen

Enterprise Systems Architect

 

University Information Technology

University of Utah

585 Komas Drive

Salt Lake City, UT 84108

Ph    801 581 3637

Fax  801 581 3613

 

 

Comments

Just curious, other than Oracle, are there any other solutions out there?  Has anyone tried the open source Penrose? I can't tell from cursory searches how active the community is there.


There are many options. Just a few of the vendors I've encountered:

Radiant Logic

Optimal IdM

SymLabs

 

From: Identity Management Constituent Group Discussion list [mailto:IDM@LISTSERV.EDUCAUSE.EDU] On Behalf Of McDermott, Michael
Sent: Tuesday, April 24, 2012 10:37 AM
To: IDM@LISTSERV.EDUCAUSE.EDU
Subject: Re: [IDM] Use of VDS for IAM

KU attempted this a few years ago using Sun's Virtual Directory Services. Our primary repository for IdM data was an Oracle database for which the directory server was to provide virtual LDAP views for queries. Despite Sun's claims that this would work and their best efforts to implement it, performance was abysmal. We ended up going a different route. Perhaps now that Oracle owns it all things have improved.

--Wes Hubert <whubert@ku.edu>
Information Security Analyst
IT Security Office, KU Information Technology
The University of Kansas, Lawrence KS 66045

From: Corey Pedersen <corey.pedersen@UTAH.EDU>
Reply-To: Identity Management Constituent Group Discussion list <IDM@LISTSERV.EDUCAUSE.EDU>
Date: Tue, 24 Apr 2012 17:15:55 +0000
To: <IDM@LISTSERV.EDUCAUSE.EDU>
Subject: [IDM] Use of VDS for IAM


FWIW, we went the non-virtual route because:
We did not have a single source for many attributes (primary affiliation determines a source (or two :-( )). Too much to do at each query. 

Our enterprise systems do not have the uptime our directory-service users require, and a VDS adds all the outages into a disappointing sum. Directory servers are much easier to cluster.




Symplified provides default directory virtualization within its product suite. Symplified connects to multiple user stores simultaneously and when a user logs into the SSO portal, Symplified searches for that user's best credentials and attributes throughout all the user stores it has at its disposal and then, finding the identity information it needs, gives the user access to the appropriate applications. None of this requires modifying or combining existing user stores.

Lauren Twele
Online Marketing Manager
Office: 303-318-4154
ltwele@symplified.com

Symplified The Cloud Identity Company
http://www.symplified.com

http://www.symplified.com/Symplified-In-Wall-St-Journal-Fortune-Surpasses-3p8-Million-Users

On 04/24/2012 10:15 AM, Corey Pedersen wrote:

> Our IAM program has promoted the use of a Virtual Directory Server (VDS) as a focal point for our Identity Services. This would be utilized to virtualize data from our enterprise systems and aggregate access to our other directories and AD.
>
> I was hoping that some of you could comment on your successes or failures utilizing a VDS in this manner. What kind of performance have you encountered? Ease (or otherwise) of use, etc.

Our IAM initiative architecturally promoted the use of a virtual directory, as well. After 2+ years of IAM analysis and development, we have yet to find a business case to support the recommendation. So, we compose/push data from various sources into the directory as business needs dictate, then attempt to meet complementary demand from a combination of web services, direct database interfaces and, if pushed, flat files. :-)

For what it's worth, we use Oracle (nee Sun) DSEE directory server back ends with LDAP proxy front ends.

Tom.

--
Tom Poage
IET Enterprise Application & Development Services
University of California, Davis
There seems to be a couple of different variations/definitions of a virtual directory being used in this conversation. One variation seems to be based on what I might describe as a single consolidated directory service (what I'll now call an enterprise directory service), i.e. multiple existing directory services are either consolidated or data from each of these is sync'd to a single directory service. Another variation involves a software service endpoint with logic that proxies requests to existing directories, databases, and possibly other things. In other words, it is a layer of abstraction which enables you to have a single point of contact, but gives you flexibility for things like:

- virtual structural re-organizations of data (to the point of it looking different to each identity)
- operational/performance improvements (e.g. pre-processing that filters out greedy/wasteful requests, and some products have data caching)
- operational changes (e.g. if all your clients point at the virtual directory, it gives you more control when you go to make larger changes to the underlying directories/databases/etc.)
- gives you the ability to have an LDAP gateway to non-LDAP data sources
- gives you preferential data capabilities, i.e. first look here, then look here
- allows you to combine data from multiple data sources in a single query/response
- in general, apply business logic/rules to data based on specific conditions that existing directory products don't provide

Obviously, there is a big difference between these two. And I believe there is a variation in the capabilities of any given virtual directory solution.

One example use case (which goes beyond the general ones I've noted above) that one of the vdir vendors has used quite a bit is the example of a single SharePoint farm being shared by multiple Windows forests. The vdir turns the multiple different credential sources into what appears to SharePoint to be a single unified namespace of creds. This isn't unlike the benefit of claims-based authentication to applications, but via a different vehicle. That use case is now dated since SharePoint 2010 is claims-based, but it's one which I think shows some of the potential.

http://en.wikipedia.org/wiki/Virtual_directory is a decent entry that is relevant to virtual directories. I wrote something similar about two years ago here: https://sharepoint.washington.edu/windows/Lists/Posts/Post.aspx?ID=121.
Brian et al.,

* Brian Arkills [2012-04-25 20:31]:
> Another variation involves a software service endpoint with logic that proxies requests to existing directories, databases, and possibly other things. In other words, it is a layer of abstraction which enables you to have a single point of contact, but gives you flexibility for things like:
> - virtual structural re-organizations of data (to the point of it looking different to each identity)
> - operational/performance improvements (e.g. pre-processing that filters out greedy/wasteful requests, and some products have data caching)
> - operational changes (e.g. if all your clients point at the virtual directory, it gives you more control when you go to make larger changes to the underlying directories/databases/etc.)
> - gives you the ability to have an LDAP gateway to non-LDAP data sources
> - gives you preferential data capabilities, i.e. first look here, then look here
> - allows you to combine data from multiple data sources in a single query/response
> - in general, apply business logic/rules to data based on specific conditions that existing directory products don't provide

Very helpful, thanks. But seeing in more detail what this class of software can be used for makes me wonder if all a VDS does then is perform these lookups, decisions, transformations and applications of business logic *during* a directory transaction (in-band, on-access). All these things can and will happen just the same with an enterprise directory (and/or registry); they just don't need to happen at the time of the request but rather when setting up the rules for consolidation.

Which makes me very sceptical, especially about performance claims (you simply can't beat the performance of a well-tuned directory server with a properly indexed local data store) and availability (the sources your VDS proxies to might not be as highly available as your consolidated enterprise directory, or it might cost too much to attain), as has been mentioned before. The main difference to me then seems to lie in the "late" processing/mangling of requests and data with a VDS, which might give you more flexibility and/or allow for quicker changes since you're not actually changing the data, you're transforming the request to match the data. That in itself might then lead to a whole new set of problems, with more and more rewriting and business logic going on (as more restructuring and renaming happens elsewhere), possibly impeding performance and maintainability of the rewriting proxy (aka VDS)?

-peter
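As an added illustration of the two points Brian and Peter make above (not code from any poster or product), this toy in-band virtual directory merges one entry from several backend stores with a preference order and a virtual DN, and it models the availability arithmetic behind "a VDS adds all the outages into a disappointing sum". The store names, uids and attribute values are constructed sample data.

```python
# Added example: a toy in-band virtual directory over several identity stores,
# plus the combined-availability calculation the thread argues about.
from functools import reduce

# Constructed sample stores (names, uids and attributes are made up).
HR_DB = {"u123": {"givenName": "Ada", "sn": "Lovelace", "affiliation": "staff"}}
STUDENT_DB = {"u123": {"affiliation": "student", "major": "math"}}
AD = {"u123": {"sAMAccountName": "alovelace", "mail": "ada@example.edu"}}

class VirtualDirectory:
    """Resolve one virtual entry per query by consulting backends on access."""
    def __init__(self, backends, preference, required, down=()):
        self.backends = backends        # name -> store (dict of uid -> attrs)
        self.preference = preference    # lookup order: first source wins a conflict
        self.required = set(required)   # sources whose outage fails the whole query
        self.down = set(down)           # constructed outage simulation

    def search(self, uid):
        """Return the merged entry as it would appear under the virtual DN."""
        merged = {}
        for name in self.preference:
            if name in self.down:
                if name in self.required:
                    raise RuntimeError(f"required source {name} unavailable")
                continue                # optional source: degrade, do not fail
            entry = self.backends[name].get(uid, {})
            for attr, value in entry.items():
                merged.setdefault(attr, value)   # preferential data: keep first
        if not merged:
            return None
        # Virtual structural re-organization: clients see one namespace.
        merged["dn"] = f"uid={uid},ou=people,dc=virtual,dc=example,dc=edu"
        return merged

def combined_availability(avail, strategy):
    """Availability of a virtual view over sources with availabilities `avail`.
    'all-required': every source must be up, so outages compound.
    'first-up': any one source suffices (preferential fallback)."""
    if strategy == "all-required":
        return reduce(lambda a, b: a * b, avail, 1.0)
    return 1.0 - reduce(lambda a, b: a * (1.0 - b), avail, 1.0)
```

With three sources at 99% each, the all-required view drops to about 97.0%, which is the compounding Peter and the earlier poster warn about.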