In LDAP Migrations Made Easy – Part 1, we discussed several common migration challenges dealing with schema, paging and Directory System Agents (DSAs) that can easily be avoided by using a Virtual Identity Server. In this post we will cover several other challenges involving Directory Information Trees (DITs), Access Control Lists (ACLs) and password migration, and how to overcome them so that the end result is an efficient, seamless and secure migration.
Directory Information Tree (DIT)
A Directory Information Tree (DIT), or namespace, is the hierarchical tree structure of Distinguished Names used by LDAP directories. This causes challenges with migration because not all types of directories are structured the same way. For example, Active Directory does not allow for namespaces, whereas a Sun/Oracle directory does.
In a manual migration, you will need to re-code each and every application to handle the difference between the LDAP directories, which in some cases is not even possible because the source code is not available.
The Virtual Identity Server has the capability to easily map one namespace to another. In this way, VIS can present one DIT to client applications, while actually storing the data in the DIT required by the backend directory.
Access Control Lists (ACLs)
An Access Control List (ACL) is a list of permissions and attributes attached to a specific user that gives them access to certain objects, applications or data. How a directory implements ACLs can differ greatly from one product to another, which causes several roadblocks for migration.
Significant changes must be made to each application in order to handle the differences between ACL features in each directory. In some cases, this may not even be possible inside the target directory even after making application changes.
Utilizing the Virtual Identity Server, an administrator can assign distinct permissions at the virtual directory layer, while still allowing backend ACLs to be enforced.
Password Migration
Another problem with a manual migration is the handling of passwords. Different LDAP directories often do not use the same hashing algorithms for passwords. Additionally, unless the passwords are stored in clear text or encrypted in a form that can be decrypted, it will not be possible to move the passwords from one LDAP directory to another.
If the passwords are stored only as one-way hashes (neither clear text nor reversibly encrypted), it will not be possible to migrate them manually via import/export. Passwords would have to be reset and the new passwords provided to the end users. This may not be feasible from a technical or business perspective, and it would require costly custom code or other software to accomplish.
The Virtual Identity Server can be configured to intelligently route authentication requests based on whether the user has been migrated. If a user has not yet been migrated, the request is routed to the source directory; once the bind succeeds there, VIS sets the password found in the authentication request on the user object in the target directory and marks this user as migrated. Any subsequent authentication requests for that user are routed to the target LDAP directory.
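To make the routing concrete, here is an added illustration (not VIS code or any vendor's implementation) of the migrate-on-bind flow using two constructed in-memory directories with incompatible hash formats; the {SSHA} source scheme, the PBKDF2-SHA256 target scheme and the DNs are assumptions chosen for the example.

```python
import base64, hashlib, hmac, os

# Constructed stand-ins for the two directories (not VIS code). The source
# keeps {SSHA} hashes and the target keeps PBKDF2-SHA256 hashes; neither can
# be converted into the other, so the bind request is the only point at which
# the target can be populated with a verified password.

def ssha_hash(password, salt=None):
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def pbkdf2_hash(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()

def pbkdf2_verify(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)

class Directory:
    # Minimal LDAP-like store: bind() verifies a password, set_password() rehashes it.
    def __init__(self, hash_fn, verify_fn):
        self.users, self.hash_fn, self.verify_fn = {}, hash_fn, verify_fn
    def bind(self, dn, password):
        return dn in self.users and self.verify_fn(password, self.users[dn])
    def set_password(self, dn, password):
        self.users[dn] = self.hash_fn(password)

class MigrationRouter:
    # Unmigrated users bind against the source; on success the password is written
    # to the target and the user is flagged so later binds go straight to the target.
    def __init__(self, source, target):
        self.source, self.target, self.migrated = source, target, set()
    def bind(self, dn, password):
        if dn in self.migrated:
            return self.target.bind(dn, password)
        if not self.source.bind(dn, password):
            return False  # failed bind: an unverified password is never written anywhere
        self.target.set_password(dn, password)
        self.migrated.add(dn)
        return True
```

Once a user is flagged, the target is authoritative for that user, so a password later changed only in the source will no longer authenticate; the migration flag should be stored durably in a real deployment rather than in memory as here.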
Trying to manually migrate from one LDAP directory to another by reconfiguring and recoding for the schema, Directory System Agents, Directory Information Tree, Access Control Lists and other discrepancies between directories is not only costly and time consuming, it is extremely risky. In an enterprise environment, where there are likely more differences and even more applications, the risk increases significantly while the probability of a successful migration drops sharply. The Virtual Identity Server is a proven solution that can make any directory migration a quick and easy process.