Unify AD & LDAP
Unifying User Directories Across AD and LDAP
As more applications are ported to the web, the dichotomy between “internal” and “external” becomes a big challenge for authenticating and authorizing users. Many enterprises have both an internally focused user directory based on Active Directory (AD) and an external user directory based on Sun or other LDAP directories.
For most business processes exposed on the web, you need a mix of both populations to secure your environment. So how do you gain a single logical view of all users for authentication and authorization?
The Challenge: Getting One View of Users out of Two Directory Infrastructures
Most Web Access Management (WAM) packages claim to support different user directories, including standard LDAP (Sun, Netscape/Red Hat, OpenLDAP, Novell) and proprietary implementations (Active Directory). In practice, however, they tend to be fine-tuned for standard LDAP, with limited support for specialized directories such as AD. Such WAM solutions are only able to “search” for a user across multiple directories if the mix is homogeneous and not overly complex, using standard “inetOrgPerson” terminology.
Dealing with multiple user directories is a challenge for core security processes. For WAM and portal authentication, companies grapple with these issues:
- Disparate user representation and naming conventions in the identification phase (searching for a user by logon name).
- Disparate security means in the credential-checking phase (checking a password or other credentials against different security sources).
Authorization, on the other hand, requires a complete identity profile, with attributes pulled from multiple sources—and not always stored within the user entry itself. Given disparate directory structures, you need to:
- Provide a complete identity profile containing all attributes needed to enable authorization and policy enforcement.
- Create this complete identity profile without risking impact to existing policies and the performance of your AD infrastructure.
The Solution: Directory Integration through Virtualization
RadiantOne Virtual Directory Server (VDS) provides a fast, cost-effective, and easy-to-deploy solution to accommodate new initiatives while leveraging existing directory investments. VDS solves the challenges of disparate directories by:
- Mapping objects and attributes for successful identification: VDS provides a single access point for your WAM solution, aggregating and mapping both directory structures into a common namespace and object representation. Your AD resources then appear as if they are part of the existing LDAP infrastructure, so applications can consume them easily.
- Aggregating disparate AD domains and forests: VDS can make multiple AD instances appear as a single LDAP source, eliminating security challenges that could not be solved by enabling a blind “trust” across AD forests/domains.
- Extending schemas, remapping, and joining objects and attributes for authorization: VDS joins user profiles and attributes from multiple different sources to create a complete user profile, enabling proper entitlement and authorization policies.
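As an added illustration of the three steps above (not RadiantOne code; the entries, DNs, attribute maps and the `HR_PROFILES` store are constructed), this Python sketch maps AD and LDAP entries into one inetOrgPerson-style namespace, joins authorization attributes held outside the user entry, resolves a logon name across both populations, and hands the credential check back to the owning backend:

```python
# Constructed sample backend entries (made-up DNs and values), one per directory.
AD_ENTRIES = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=corp,DC=example", "sAMAccountName": "jdoe",
     "displayName": "Jane Doe", "mail": "jdoe@corp.example",
     "memberOf": ["CN=Finance,OU=Groups,DC=corp,DC=example"]},
]
LDAP_ENTRIES = [
    {"dn": "uid=psmith,ou=partners,dc=ext,dc=example", "uid": "psmith",
     "cn": "Pat Smith", "mail": "psmith@partner.example"},
]
# Constructed profile store: authorization attributes kept outside the user entry.
HR_PROFILES = {
    "jdoe@corp.example": {"department": "Finance", "employeeType": "employee"},
    "psmith@partner.example": {"department": "Sales", "employeeType": "partner"},
}
# Schema mappings: backend attribute name -> common inetOrgPerson-style name.
AD_MAP = {"sAMAccountName": "uid", "displayName": "cn", "mail": "mail", "memberOf": "memberOf"}
LDAP_MAP = {"uid": "uid", "cn": "cn", "mail": "mail"}

def virtualize(entry, attr_map, branch, source):
    """Rewrite one backend entry into the common namespace and object representation."""
    out = {"objectClass": "inetOrgPerson", "source": source, "backendDn": entry["dn"]}
    for src_attr, virt_attr in attr_map.items():
        if src_attr in entry:
            out[virt_attr] = entry[src_attr]
    out["dn"] = f"uid={out['uid']},{branch}"   # virtual DN under the VDS naming context
    return out

def join_profile(virt_entry):
    """Join authorization attributes on mail; an entry with no profile is left as-is."""
    return {**virt_entry, **HR_PROFILES.get(virt_entry.get("mail"), {})}

def build_view():
    """Aggregate both populations under one root (o=vds) and join their profiles."""
    view = [virtualize(e, AD_MAP, "ou=ad,o=vds", "ad") for e in AD_ENTRIES]
    view += [virtualize(e, LDAP_MAP, "ou=ldap,o=vds", "ldap") for e in LDAP_ENTRIES]
    return [join_profile(v) for v in view]

def find_by_logon(view, logon):
    """Identification: one search by uid across both populations.
    Zero hits is an unknown user; more than one is an ambiguous identity; both return None."""
    matches = [v for v in view if v["uid"].lower() == logon.lower()]
    return matches[0] if len(matches) == 1 else None

def bind_target(virt_entry):
    """Credential check: delegate the bind to the backend that owns the password,
    rather than copying credentials into the virtual layer."""
    return virt_entry["source"], virt_entry["backendDn"]
```

The ambiguous-logon case returning `None` is deliberate: a virtual layer that silently picked one of two matching entries would let an external account shadow an internal one.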
By creating a unified infrastructure that integrates both AD and Sun Directory, RadiantOne provides an improved and seamless user experience for customers, partners, and employees through your enterprise portal or other web services.