Virtual directory
In computing, a virtual directory or virtual directory server is a software layer that delivers a single access point for identity management applications and service platforms. A virtual directory operates as a high-performance, lightweight abstraction layer that resides between client applications and disparate types of identity-data repositories, such as proprietary and standard directories, databases, web services, and applications.
A virtual directory receives queries and directs them to the appropriate data sources by abstracting and virtualizing data. It integrates identity data from multiple heterogeneous data stores and presents it as though it came from one source. This ability to reach into disparate repositories makes virtual directory technology well suited to consolidating data stored in a distributed environment.
Virtual directory servers most commonly use the LDAP protocol, but more sophisticated virtual directories can also support SQL as well as DSML and SPML.
Industry experts have heralded the importance of the virtual directory in modernizing the identity infrastructure. According to Dave Kearns of Network World, “Virtualization is hot and a virtual directory is the building block, or foundation, you should be looking at for your next identity management project.” In addition, Gartner analyst Bob Blakley said that virtual directories are playing an increasingly vital role. In his report, “The Emerging Architecture of Identity Management,” Blakley wrote: “In the first phase, production of identities will be separated from consumption of identities through the introduction of a virtual directory interface.”
Capabilities of Virtual Directories
Virtual directories can have some or all of the following capabilities:
- Aggregate identity data across sources to create a single point of access.
- Provide high availability for authoritative data stores.
- Act as an identity firewall, shielding the primary data stores from denial-of-service attacks through an additional virtual layer.
- Support a common searchable namespace for centralized authentication.
- Present a unified virtual view of user information stored across multiple systems.
- Delegate authentication to backend sources through source-specific security means.
- Virtualize data sources to support migration from legacy data stores without modifying the applications that rely on them.
- Enrich identities with attributes pulled from multiple data stores, based on a link between user entries.
Some advanced identity virtualization platforms can also:
- Enable application-specific, customized views of identity data without violating internal or external regulations governing identity data.
- Reveal contextual relationships between objects through hierarchical directory structures.
- Develop advanced correlation across diverse sources using correlation rules.
- Build a global user identity by correlating unique user accounts across various data stores.
- Enable constant data refresh for real-time updates through a persistent cache.
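The "delegate authentication to backend sources" and "identity firewall" capabilities listed above, shown together as an added example (this is illustrative code written for this page, not any vendor's product). It assumes two constructed in-memory backends: an LDAP-style directory whose entries carry userPassword, checked the way a simple bind would, and a SQL-style user table holding salted PBKDF2 hashes. The virtual directory throttles bind attempts per client before any backend is consulted, then routes the bind to whichever backend owns the DN's namespace and lets that source check the credential its own way. The namespace DNs, usernames, passwords and limits are all made up for the example.

```python
"""Delegated authentication and backend shielding in a virtual directory.

Added example: the virtual directory accepts an LDAP-style bind, throttles per
client before any backend is touched, then hands the credential check to the
backend that owns the DN's namespace, using that source's own verification method.
"""
import hashlib
import hmac
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Tuple


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in backends (assumed data for this example, not from the page).
# Backend 1: an LDAP directory holding userPassword; a simple bind compares it.
LDAP_USERS: Dict[str, Dict[str, str]] = {
    "cn=joeuser,ou=internal,dc=domain,dc=com": {"userPassword": "s3cret"},
}
# Backend 2: a SQL user table holding salted PBKDF2 hashes, keyed by username.
_SALT = b"constructed-salt"
SQL_USERS: Dict[str, Dict[str, bytes]] = {
    "bob": {"salt": _SALT, "hash": _pbkdf2("hunter2", _SALT)},
}


def ldap_bind(dn: str, password: str) -> bool:
    """Source-specific check 1: behaves like a simple bind against the directory."""
    entry = LDAP_USERS.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def sql_verify(dn: str, password: str) -> bool:
    """Source-specific check 2: the SQL source has no DNs, so the username is
    taken from the RDN (uid=...) and the password checked against the stored hash."""
    rdn = dn.split(",", 1)[0]
    if not rdn.lower().startswith("uid="):
        return False
    row = SQL_USERS.get(rdn[4:])
    return row is not None and hmac.compare_digest(row["hash"], _pbkdf2(password, row["salt"]))


Verifier = Callable[[str, str], bool]


class VirtualDirectory:
    def __init__(self, max_binds: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.routes: List[Tuple[str, Verifier]] = []   # (namespace base DN, verifier)
        self.max_binds, self.window, self.clock = max_binds, window_seconds, clock
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)  # client -> bind times

    def mount(self, base_dn: str, verifier: Verifier) -> None:
        self.routes.append((base_dn.lower(), verifier))

    def _throttled(self, client: str) -> bool:
        """Identity-firewall role: cap bind attempts per client per sliding window,
        so a flood of binds is absorbed here rather than by the authoritative stores."""
        now = self.clock()
        recent = self.attempts[client]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_binds:
            return True
        recent.append(now)
        return False

    def bind(self, client: str, dn: str, password: str) -> Tuple[bool, str]:
        """Returns (success, reason). Throttling runs before any routing."""
        if self._throttled(client):
            return False, "throttled"
        dn_l = dn.lower()
        for base, verifier in self.routes:
            if dn_l == base or dn_l.endswith("," + base):
                # Delegation: the backend that owns this namespace checks the credential.
                return (True, "success") if verifier(dn, password) else (False, "invalidCredentials")
        # An unknown DN gets the same answer as a wrong password, as LDAP servers do,
        # so the response cannot be used to enumerate which accounts exist.
        return False, "invalidCredentials"


def build_demo(clock: Callable[[], float] = time.monotonic) -> VirtualDirectory:
    vd = VirtualDirectory(max_binds=3, window_seconds=60, clock=clock)
    vd.mount("ou=internal,dc=domain,dc=com", ldap_bind)
    vd.mount("ou=external,dc=domain,dc=com", sql_verify)
    return vd


if __name__ == "__main__":
    vd = build_demo()
    print(vd.bind("10.0.0.1", "cn=joeuser,ou=internal,dc=domain,dc=com", "s3cret"))
    print(vd.bind("10.0.0.1", "uid=bob,ou=external,dc=domain,dc=com", "hunter2"))
```

Two design points matter in practice: the rate limit is applied before the DN is even parsed, so an attacker cannot force the backends to do work by varying the DN, and an unknown DN and a wrong password produce the same result, which stops the virtual layer from becoming an account-enumeration oracle in front of stores that would not have leaked that themselves.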
Advantages of virtual directories
Virtual directories:
- Enable faster deployment because users do not need to add and sync additional application-specific data sources
- Leverage existing identity infrastructure and security investments to deploy new services
- Deliver high availability of data sources
- Provide application-specific views of identity data which can help avoid the need to develop a master enterprise schema
- Allow a single view of identity data without violating internal or external regulations governing identity data
- Act as identity firewalls, shielding the primary data stores from denial-of-service attacks and providing further control over access to sensitive data
- Can reflect changes made to authoritative sources in real-time
- Present a unified virtual view of user information from multiple systems so that it appears to reside in a single system
- Can secure all backend storage locations with a single security policy
Disadvantages
An early disadvantage was the public perception of "push and pull" technologies, the general classification applied to virtual directories depending on the nature of their deployment. Virtual directories were initially designed and later deployed with push technologies in mind, which also conflicted with privacy laws in the USA. This is no longer the case. There are, however, other disadvantages in the current technologies:
- The classical virtual directory based on a proxy cannot modify underlying data structures or create new views based on the relationships of data from across multiple systems. So if an application requires a different structure, such as a flattened list of identities or a deeper hierarchy for delegated administration, a proxy-based virtual directory is limited.
- Many virtual directories cannot correlate the same user across multiple diverse sources when duplicate user accounts exist.
- Virtual directories without advanced caching technologies cannot scale to heterogeneous, high-volume environments.
Sample terminology
- Unify metadata: Extract schemas from the local data source, map them to a common format, and link the same identities from different data silos based on a unique identifier.
- Namespace joining: Create a single large directory by bringing multiple directories together at the namespace level. For instance, if one directory has the namespace "ou=internal,dc=domain,dc=com" and a second directory has the namespace "ou=external,dc=domain,dc=com," then creating a virtual directory with both namespaces is an example of namespace joining.
- Identity joining: Enrich identities with attributes pulled from multiple data stores, based on a link between user entries. For instance if the user joeuser exists in a directory as "cn=joeuser,ou=users" and in a database with a username of "joeuser" then the "joeuser" identity can be constructed from both the directory and the database.
- Data remapping: The translation of attribute names and values inside the virtual directory. For instance, mapping "uid" to "sAMAccountName" so that a client application that only supports a standard LDAP-compliant data source is able to search an Active Directory namespace as well.
- Query routing: Route requests based on certain criteria, such as write operations going to a master while read operations are forwarded to replicas.
- Identity routing: Route a request to the data source that holds the identity concerned, so that a query arriving at the single virtual namespace reaches the appropriate backend.
- Authoritative source: A "virtualized" data repository, such as a directory or database, that the virtual directory can trust for user data.
- Server groups: Group one or more servers containing the same data and functionality. A typical implementation is the multi-master, multi-replica environment in which replicas process "read" requests and are in one server group, while masters process "write" requests and are in another, so that servers are grouped by their response to external stimuli, even though all share the same data.
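The terminology above (namespace joining, identity joining, data remapping, query routing and server groups) as one worked example, added here and not taken from any product. It assumes three constructed in-memory backends: an Active-Directory-style tree under "ou=internal,dc=domain,dc=com" that names the login attribute sAMAccountName, a standards-based directory under "ou=external,dc=domain,dc=com" that uses uid, and an HR table keyed by username. The joeuser, alice and bob entries, the attribute values and the server names are all made up for the example. It also goes slightly beyond the page's single instances: the flat_view method shows the restructured "flattened list" view that the Disadvantages section says a proxy-only virtual directory cannot provide.

```python
"""A minimal virtual directory that joins two directory namespaces and a database
table behind one LDAP-style search interface. Added example, not product code."""
import itertools
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, object]

# Constructed sample backends (assumed data for this example, not from the page).
# Backend 1: an Active-Directory-style tree whose login attribute is sAMAccountName.
AD_USERS: Dict[str, Entry] = {
    "cn=joeuser,ou=users,ou=internal,dc=domain,dc=com": {
        "sAMAccountName": "joeuser", "mail": "joeuser@domain.com"},
    "cn=alice,ou=users,ou=internal,dc=domain,dc=com": {
        "sAMAccountName": "alice", "mail": "alice@domain.com"},
}
# Backend 2: a standards-based LDAP directory for external users, which uses uid.
EXT_USERS: Dict[str, Entry] = {
    "uid=bob,ou=users,ou=external,dc=domain,dc=com": {
        "uid": "bob", "mail": "bob@partner.example"},
}
# Backend 3: an HR database table keyed by username (the identity-joining source).
HR_TABLE: Dict[str, Entry] = {
    "joeuser": {"employeeNumber": "1001", "department": "Security"},
    "alice": {"employeeNumber": "1002", "department": "Engineering"},
}


def dn_under(dn: str, base: str) -> bool:
    """True when dn is base itself or lies below it (case-insensitive suffix test)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


class VirtualDirectory:
    def __init__(self) -> None:
        # (namespace base DN, backend, backend-to-virtual attribute name map)
        self.namespaces: List[Tuple[str, Dict[str, Entry], Dict[str, str]]] = []
        # (virtual attribute used as the join key, table keyed by that value)
        self.joins: List[Tuple[str, Dict[str, Entry]]] = []

    def mount(self, base_dn: str, backend: Dict[str, Entry],
              attr_map: Optional[Dict[str, str]] = None) -> None:
        """Namespace joining: expose a backend under one subtree of the virtual tree."""
        self.namespaces.append((base_dn, backend, attr_map or {}))

    def join(self, link_attr: str, table: Dict[str, Entry]) -> None:
        """Identity joining: enrich entries with the row whose key equals entry[link_attr]."""
        self.joins.append((link_attr, table))

    def search(self, base_dn: str, attr: Optional[str] = None,
               value: Optional[str] = None) -> Dict[str, Entry]:
        """Search the virtual tree; the optional (attr, value) equality filter uses virtual names."""
        results: Dict[str, Entry] = {}
        for ns_base, backend, attr_map in self.namespaces:
            # Query routing: consult only backends whose namespace overlaps the search base.
            if not (dn_under(ns_base, base_dn) or dn_under(base_dn, ns_base)):
                continue
            # Data remapping of the filter: the client's attribute name is translated to the
            # backend's name before the backend is queried (e.g. uid -> sAMAccountName).
            to_backend = {v: k for k, v in attr_map.items()}
            backend_attr = to_backend.get(attr, attr) if attr else None
            for dn, raw in backend.items():
                if not dn_under(dn, base_dn):
                    continue
                if backend_attr is not None and raw.get(backend_attr) != value:
                    continue
                # Data remapping of the result: backend attribute names -> virtual names.
                entry: Entry = {attr_map.get(k, k): v for k, v in raw.items()}
                for link_attr, table in self.joins:
                    key = entry.get(link_attr)
                    row = table.get(key) if isinstance(key, str) else None
                    if row:
                        entry.update(row)
                results[dn] = entry
        return results

    def flat_view(self, base_dn: str, key_attr: str = "uid",
                  view_base: str = "ou=people,dc=domain,dc=com") -> Dict[str, Entry]:
        """A flattened view: every user re-rooted under one container, keyed by key_attr.
        A proxy-only virtual directory cannot offer such a restructured view."""
        return {f"{key_attr}={e[key_attr]},{view_base}": e
                for e in self.search(base_dn).values() if key_attr in e}


class ServerGroup:
    """Server group: writes go to masters, reads round-robin across replicas."""
    WRITE_OPS = {"add", "modify", "delete", "modrdn"}

    def __init__(self, masters: List[str], replicas: List[str]) -> None:
        self._masters, self._replicas = itertools.cycle(masters), itertools.cycle(replicas)

    def route(self, op: str) -> str:
        return next(self._masters) if op in self.WRITE_OPS else next(self._replicas)


def build_demo() -> VirtualDirectory:
    vd = VirtualDirectory()
    vd.mount("ou=internal,dc=domain,dc=com", AD_USERS, {"sAMAccountName": "uid"})
    vd.mount("ou=external,dc=domain,dc=com", EXT_USERS)
    vd.join("uid", HR_TABLE)
    return vd


if __name__ == "__main__":
    vd = build_demo()
    for dn, e in vd.search("dc=domain,dc=com", "uid", "joeuser").items():
        print(dn, e)
    print(vd.flat_view("dc=domain,dc=com"))
```

A client that only knows the standard uid attribute can search the whole tree for uid=joeuser and get back the Active Directory entry, already renamed to the common schema and enriched with the HR columns; a search scoped to ou=external never touches the Active Directory backend at all. The ServerGroup is deliberately trivial: the point is only that the routing decision is made from the operation type, independently of which backend holds the data.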
Sample Virtual Directory Use Cases
- Integrating multiple directory namespaces to create a central enterprise directory.
- Supporting infrastructure integrations after mergers and acquisitions.
- Centralizing identity storage across the infrastructure, making identity information available to applications through various protocols (including LDAP, JDBC, and web services).
- Creating a single access point for web access management (WAM) tools.
- Enabling web single sign-on (SSO) across varied sources or domains.
- Supporting role-based, fine-grained authorization policies.
- Enabling authentication across different security domains using each domain’s specific credential checking method.
- Improving secure access to information both inside and outside of the firewall.