Just What is a Virtual Directory Anyway?
I often get asked what a virtual directory server is and how it can help. It's surprisingly hard to get a basic, all-encompassing description of virtual directory technology. So, I thought I would take a stab at offering up my version. The description comes from information accumulated from several sources, including Radiant Logic, Wikipedia and my own write-ups. A virtual directory or virtual directory server is a technology that provides a consolidated view of user identity and related information without having to migrate users into a single enterprise directory infrastructure. It serves as a lightweight service that operates between identity consumers and the various identity repositories across the environment. These identity repositories can be LDAP directories, databases or even web services and access to information can be either proxied through the virtual directory or correlated and cached through a complex set of rules. Think of it as a one-stop shop for everything you need to know about your users and their associated data and attributes. So, if you wanted to create a view of all your customers, what they have purchased and which sales rep sold them the product, the virtual directory allows you to pull together this data into a hierarchy that represents these relationships.
The following diagram shows how identity consumers leverage the virtual directory instead of being coded to talk directly to the back-ends:
Instead of building static representations of the information, a virtual directory receives queries and directs them to the appropriate backend identity repositories. The retrieved information appears to be coming from a single source and logic can then be applied such as re-mapping the information to make it compatible across applications without modifying the backend data or the applications. This ability to reach into native disparate repositories makes virtual directory technology ideal for consolidating data stored in a distributed environment.
The most commonly used protocol for virtual directory servers is LDAP. Some virtual directories like RadiantOne allow access through other mechanisms like ODBC/JDBC and through web services. Additionally, RadiantOne Virtual Directory Server is able to provide structure to unstructured information in order to understand the context of the identity and related information in the backend repositories.
The advantages of virtual directories include:
- Faster deployment by avoiding synchronization
- Leverage existing investments and high-availability for authoritative data stores
- Provide application specific views of identity data that can help avoid the need to develop a master enterprise schema
- Allow a single view of identity data without violating internal or external regulations governing identity data
- Act as identity firewalls - preventing denial of service attacks on the primary data-stores and providing further security on access to sensitive data
- Changes made in authoritative sources are reflected in real-time
Directory virtualization technologies are an alternative to other directory replication technologies such as Microsoft Identity Lifecycle Manager (ILM - formerly MIIS), IBM Tivoli Identity Manager (ITIM) and IBM Directory Integrator (IDI). Instead of replicating information from one directory or database to another, virtualization dynamically presents information from multiple sources as a single view. This concept is similar to a view in SQL Server, except that virtualized views support both read and write operations. This approach is extremely flexible as a large number of different views can be presented without impacting the underlying data stores.
There are many situations, though, where there is no common identifier to tie a user together across identity repositories:
Radiant Logic’s Identity Correlation and Synchronization (ICS) component further extends the reach of VDS by allowing complex joining of identities to build an identity hub of correlated user identities and allows organizations to build a global profile for their users. It enables aggregation and correlation of identity information, the ability to build unique global identifiers and identification and indexing of orphaned identities.
This allows me to now create a correlated identifier for the users and pull together a unified view of attributes:
This enables things like single sign-on (SSO) because without a common identifier there is no way to pass the correct identity information to the underlying application or web access control product (e.g. CA SiteMinder Web Access Manager).
ICS also allows synchronization through replication (e.g. directory to directory, database to database), point-to-point and/or subscriber-to-publisher and ESB/JMS messaging. So, you get the best of both worlds and can choose when to virtualize and when to synchronize information.
I hope this has been helpful. If you would like to see additional clarifications, please let me know.