12.17.2015

LDAP iconIn LDAP Migrations Made Easy – Part 1, we discussed several common migration challenges dealing with schema,  paging and Directory System Agents (DSA’s) that can easily be avoided by using a Virtual Identity Server. In this post we will cover several other challenges involving Directory Information Trees (DIT’s), Access Control Lists (ACL’s) and password migration and how to overcome them with the end result being an efficient, seamless and secure migration.

Directory Information Tree (DIT)

Directory Information Tree (DIT) or namespaces, is a hierarchical tree-like organizational structure of Distinguished Names that is commonly used by LDAP. This causes challenges with migration because not all types of directories are structured this way. For example, Active Directory does not allow for namespaces where as a Sun/Oracle directory does.

Without VIS

You will need to re-code each and every application to handle the difference between the LDAP directories which in some cases isn’t even possible if the source code is not available.

With VIS

The Virtual Identity Server has the capability to easily map one namespace to another.  In this way, VIS can present one DIT to client applications, while actually storing the data in the DIT required by the backend directory.

Access Control Lists (ACLs)

Access Control List (ACL) is a list of permissions and attributes attached to a specific user that gives them access to certain objects, applications or data. How a directory implements an ACL can be extremely different which causes several roadblocks for migration.

Without VIS

Significant changes must be made to each application in order to handle the differences between ACL features in each directory. In some cases, this may not even be possible inside the target directory even after making application changes.

With VIS

Utilizing the Virtual Identity Server an administrator can assign distinct permissions at the virtual directly layer, as well as allowing backend ACLs to be enforced.

 Migrating Passwords

Another problem with a manual migration is the handling of password migrations. Different LDAP directories often do not use the same hashing algorithms for passwords.  Additionally, unless the passwords are stored in clear text or encrypted (where they can be decrypted), it will not be possible to move/migrate the passwords from one LDAP directory to another.

Without VIS

If the passwords are not stored in an encrypted format, it will not be possible to manually migrate them via import/export. Users would be forced to re-set passwords and then provide the new passwords to the end users. This may not be feasible from a technical or business perspective and would require costly custom code or other software to accomplish this task.

With VIS

Virtual Identity Server can be configured to intelligently route authentication requests based on whether the user has been migrated. If a user has not been migrated, VIS would then set the password found in the authentication request on the user object in the Target directory and mark this user as being migrated. Any subsequent authentication requests are routed to the Target LDAP directory.

Conclusion

Trying to manually migrate from one LDAP directory to another by reconfiguring and recoding the schema, Directory System Agents, Directory Information Tree, Access Control Lists and other discrepancies between directories is not only costly and time consuming, it is extremely risky. In an enterprise environment where there are likely more differences and even more applications, the risk significantly increases while the probability of a successful migration almost diminishes. The Virtual Identity Server is a proven solution that can make any directory migration a quick and easy process.

Tags

  • The database in which all of your organization’s sensitive identity data is stored.
  • A digital ledger in which digital transactions are recorded chronologically and publicly.
  • Securely managing customer identity and profile data, and controlling customer access to applications and services.
  • The means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
  • A legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU.
  • The policy-based centralized orchestration of user identity management and access control.
  • An authentication infrastructure that is built, hosted and managed by a third-party service provider.
  • A security system that requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction.
  • A global provider of innovative and affordable identity access management solutions. 
  • Managing and auditing account and data access by privileged users.
  • Tools and technologies for controlling user access to critical information within an organization.
  • An authentication process that allows a user to access multiple applications with one set of login credentials.