11.20.2015

Are you trying to migrate off an expensive directory platform (e.g. Oracle Directory Server) to something more economical (e.g. Active Directory or AD LDS)? Are you finding the LDAP migration process difficult or perhaps even impossible? Do you wish there was one proven solution that would eliminate all of the trials and tribulations you are currently facing? I have three words for you: Virtual Identity Server. Anyone can do an LDAP migration with the Virtual Identity Server... well... almost anyone!


Migration Challenges

Schema

A directory's schema is essentially the blueprint of how the directory is constructed, including the constraints and the directory-specific vocabulary (object classes and attribute types) it uses. LDAP directory schemas are generally unique, and in order to migrate one directory to another, the schemas of the two directories must agree.

Without VIS: One way to solve this problem is to manually change the schema of the new directory to match the schema of the original directory. This is only viable when there are few changes to make; the more changes that are needed, the more time consuming and risky the process becomes. For example, changing the schema of a directory may alter the behavior of the applications using it and in some cases may even cause the applications to stop functioning altogether.

With VIS: The Virtual Identity Server (VIS) has out-of-the-box capabilities to manage schema differences across multiple LDAP directories. Its point-and-click interface lets administrators quickly map one LDAP directory's schema to another's, making the two appear as one seamless directory. Likewise, VIS can be configured to emulate one directory while actually storing the data in another.

Paging

Used by some LDAP directories and client applications, paging is a method of breaking large result sets into more usable chunks (or pages). Some directories support paging and some do not, which can cause major compatibility issues and even broken applications when trying to migrate from one directory to another.

Without VIS: You would have to re-code each and every application to handle the paging differences, which is extremely costly and time consuming.

With VIS: Virtual Identity Server allows your existing code to work against the new LDAP directory without changing a single line of code in your applications.
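The following is an added example, not code from the original post or from the Virtual Identity Server product, of what a virtual-directory layer has to do to bridge the paging gap: accept a simple paged results request from the client (the size-plus-cookie shape defined by RFC 2696), fetch the full result set once from a backend that has no paging support, and hand it back a page at a time behind an opaque cookie. The backend, the cookie format and the sample entries are all constructed for illustration.

```python
"""Emulating LDAP simple paged results (RFC 2696) in front of a backend
that only knows how to return the whole result set at once.

Added example: the in-memory backend, the sample entries and the cookie
handling are constructed stand-ins, not the product's implementation."""
from __future__ import annotations

import secrets
from typing import Callable

# Constructed sample data: eleven user entries under one container.
BACKEND_ENTRIES = [
    {"dn": f"uid=user{i},ou=people,dc=example,dc=com", "uid": f"user{i}"}
    for i in range(1, 12)
]


def backend_search(filter_text: str) -> list[dict]:
    """Stand-in for a directory without paged-results support: every
    matching entry comes back in one response. Only a trivial filter
    form is parsed here; a real backend evaluates the full LDAP filter."""
    if filter_text == "(objectClass=*)":
        return list(BACKEND_ENTRIES)
    prefix = filter_text.strip("()").split("=")[1].rstrip("*")
    return [e for e in BACKEND_ENTRIES if e["uid"].startswith(prefix)]


class PagedSearchProxy:
    """Virtual-directory layer between paging-aware clients and a
    non-paging backend. One backend round trip per search; pages are
    served from the cached result set and keyed by a random cookie that
    is opaque to the client, as RFC 2696 requires. An empty cookie on
    the way out tells the client the result set is exhausted."""

    def __init__(self, search: Callable[[str], list[dict]]):
        self._search = search
        self._sessions: dict[bytes, tuple[list[dict], int]] = {}

    def search(self, filter_text: str, page_size: int, cookie: bytes = b""):
        if page_size <= 0:
            raise ValueError("page size must be positive")
        if cookie == b"":
            results = self._search(filter_text)  # the only backend call
            offset = 0
        else:
            if cookie not in self._sessions:
                # Unknown, expired or replayed cookie: refuse rather than
                # guess, matching the unwillingToPerform an LDAP server
                # would return for a bad paging cookie.
                raise LookupError("unknown paging cookie")
            results, offset = self._sessions.pop(cookie)
        page = results[offset:offset + page_size]
        offset += len(page)
        if offset < len(results):
            next_cookie = secrets.token_bytes(16)
            self._sessions[next_cookie] = (results, offset)
        else:
            next_cookie = b""  # no more pages; nothing left to cache
        return page, next_cookie


def fetch_all(proxy: PagedSearchProxy, filter_text: str, page_size: int) -> list[str]:
    """The paging loop an existing application already contains, unchanged:
    keep asking with the returned cookie until it comes back empty."""
    dns, cookie = [], b""
    while True:
        page, cookie = proxy.search(filter_text, page_size, cookie)
        dns.extend(e["dn"] for e in page)
        if cookie == b"":
            return dns
```

Because the full result set is cached between pages, a production proxy also needs an expiry on `_sessions` and a cap on concurrent paged searches, otherwise abandoned searches accumulate memory; the cookie is random so one client cannot pick up another client's page sequence.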

Directory System Agent (DSA/DSE)

A DSA-Specific Entry (DSE) is a special type of entry that provides information about a directory server agent (DSA), which is a synonym for directory server. When a client application reads an LDAP directory's root DSE, the directory returns information about what the server contains and the types of operations it supports. This DSA information differs between LDAP directories and can cause migration challenges.

Without VIS: You would need to manually re-code every single application to handle the LDAP DSA differences, which again is very costly and time consuming.

With VIS: No application changes are needed. The Virtual Identity Server solves this problem with its directory emulation capabilities: VIS presents itself to clients as the Sun/Oracle/LDAP directory they expect while translating the requests and data to the target directory.

Directory Information Tree (DIT)

A Directory Information Tree (DIT), or namespace, is the hierarchical tree-like organizational structure of Distinguished Names commonly used by LDAP. This causes challenges with migration because not all types of directories are structured the same way. For example, Active Directory does not allow for namespaces the way a Sun/Oracle directory does.

Without VIS: You will need to re-code each and every application to handle the difference between the LDAP directories, which in some cases isn't even possible if the source code is not available.

With VIS: The Virtual Identity Server has the capability to map one namespace to another. In this way, VIS can present one DIT to client applications while actually storing the data in the DIT required by the backend directory.
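The two translations the Schema and DIT sections describe, renaming attributes and rewriting Distinguished Names between a virtual namespace and the backend's, are shown together in the following added example. It is not code from the original post or from the Virtual Identity Server product; the attribute map, the two base DNs and the sample entry are constructed, and a real deployment would derive the maps from the two directories' actual schemas (including object class mapping, which is left out here).

```python
"""Virtual-directory translation of attribute names and DIT namespaces
between what legacy clients expect and what the new backend stores.

Added example with constructed maps: the legacy side uses Sun/Oracle-style
names (uid, ou=people,o=example); the backend uses AD-style names
(sAMAccountName, cn=Users,dc=example,dc=com)."""
from __future__ import annotations

# Entry attribute names: legacy (virtual) name -> backend name.
ATTR_MAP = {"uid": "sAMAccountName", "mail": "mail", "mobile": "mobile"}
REVERSE_ATTR_MAP = {v: k for k, v in ATTR_MAP.items()}

# The naming attribute of the leaf RDN also changes (uid=jdoe vs cn=jdoe).
RDN_MAP = {"uid": "cn"}
REVERSE_RDN_MAP = {v: k for k, v in RDN_MAP.items()}

VIRTUAL_BASE = "ou=people,o=example"          # what clients see
BACKEND_BASE = "cn=Users,dc=example,dc=com"   # where the data lives


def _split_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, honouring RFC 4514 escaped commas ("\\,")."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur.strip())
    return parts


def _strip_base(rdns: list[str], base: str) -> list[str]:
    """Return the RDNs below `base`, or fail if the DN is outside it.
    DN comparison is case-insensitive, as in LDAP."""
    base_rdns = _split_dn(base)
    n = len(base_rdns)
    if len(rdns) < n or [r.lower() for r in rdns[-n:]] != [r.lower() for r in base_rdns]:
        raise ValueError(f"{','.join(rdns)!r} is outside the mapped namespace {base!r}")
    return rdns[:-n]


def _rename_rdn(rdn: str, rdn_map: dict[str, str]) -> str:
    attr, _, value = rdn.partition("=")
    return f"{rdn_map.get(attr.lower(), attr)}={value}"


def to_backend_dn(virtual_dn: str) -> str:
    leading = _strip_base(_split_dn(virtual_dn), VIRTUAL_BASE)
    if leading:
        leading[0] = _rename_rdn(leading[0], RDN_MAP)
    return ",".join(leading + _split_dn(BACKEND_BASE))


def to_virtual_dn(backend_dn: str) -> str:
    leading = _strip_base(_split_dn(backend_dn), BACKEND_BASE)
    if leading:
        leading[0] = _rename_rdn(leading[0], REVERSE_RDN_MAP)
    return ",".join(leading + _split_dn(VIRTUAL_BASE))


def to_backend_entry(entry: dict) -> dict:
    """Rewrite an entry on its way to the backend. Attributes absent from
    the map pass through unchanged so an administrator can spot them."""
    out = {"dn": to_backend_dn(entry["dn"])}
    for name, value in entry.items():
        if name != "dn":
            out[ATTR_MAP.get(name, name)] = value
    return out


def to_virtual_entry(entry: dict) -> dict:
    """Rewrite a backend entry into the shape legacy clients expect."""
    out = {"dn": to_virtual_dn(entry["dn"])}
    for name, value in entry.items():
        if name != "dn":
            out[REVERSE_ATTR_MAP.get(name, name)] = value
    return out
```

The same mapping has to be applied to every place a DN or attribute name can appear in a request, not just to entries: search base, filter, the attribute list, modify operations and DN-valued attributes such as group members. A DN outside the virtual namespace is rejected rather than passed through, so a client cannot reach backend containers that were never exposed.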

Access Control Lists (ACLs)

An Access Control List (ACL) is a list of permissions that determines which users may access certain objects, applications or data. How a directory implements ACLs can differ greatly, which creates several roadblocks for migration.

Without VIS: Significant changes must be made to each application in order to handle the differences between ACL features in each directory. In some cases, the target directory cannot express the required permissions at all, even after the application changes are made.

With VIS: Using the Virtual Identity Server, an administrator can assign distinct permissions at the virtual directory layer while still allowing the backend ACLs to be enforced.

Migrating Passwords

Another problem with a manual migration is the handling of passwords. Different LDAP directories often do not use the same hashing algorithms for passwords. Additionally, unless the passwords are stored in clear text or reversibly encrypted (where they can be decrypted), it will not be possible to move the passwords from one LDAP directory to another.

Without VIS: If the passwords are stored only as hashes rather than in clear text or a reversibly encrypted form, it will not be possible to migrate them manually via import/export. Users would be forced to reset their passwords, or the new passwords would have to be generated and handed to the end users. This may not be feasible from a technical or business perspective and would require costly custom code or other software to accomplish.

With VIS: Virtual Identity Server can be configured to route authentication requests based on whether the user has been migrated. If a user has not been migrated, VIS authenticates the request against the source directory, sets the password found in the authentication request on the user object in the target directory, and marks the user as migrated. Any subsequent authentication requests for that user are routed to the target LDAP directory.
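The routing logic just described, as an added example that is not code from the original post or from the Virtual Identity Server product. Both directories are in-memory stand-ins, and the hashing choices (salted SHA-1 on the legacy side, PBKDF2 on the target side) are constructed to show that the two stores need not share an algorithm: the router only ever sees the bind request, and the password is written to the target only after the legacy directory has accepted it. The example also assumes the user objects themselves were already provisioned in the target by a separate attribute export, which is the usual arrangement.

```python
"""Just-in-time password migration by routing bind requests.

Added example with constructed in-memory directories; the real product
talks LDAP to both sides, but the decision logic is the same."""
from __future__ import annotations

import hashlib
import hmac
import os


class LegacyDirectory:
    """Source directory that stores only salted SHA-1 hashes, so the
    passwords cannot be exported; they can only be verified on bind."""

    def __init__(self):
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, uid: str, password: str) -> None:
        salt = os.urandom(8)
        self._users[uid] = (salt, hashlib.sha1(password.encode() + salt).digest())

    def bind(self, uid: str, password: str) -> bool:
        rec = self._users.get(uid)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class TargetDirectory:
    """New directory with its own hashing scheme and a per-user flag
    (a constructed 'migrated' attribute) recording who has been moved."""

    def __init__(self):
        self._users: dict[str, dict] = {}

    def add_user(self, uid: str) -> None:
        # Provisioned ahead of time without a credential.
        self._users[uid] = {"migrated": False, "cred": None}

    def has_user(self, uid: str) -> bool:
        return uid in self._users

    def set_password(self, uid: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self._users[uid]["cred"] = (salt, digest)

    def mark_migrated(self, uid: str) -> None:
        self._users[uid]["migrated"] = True

    def is_migrated(self, uid: str) -> bool:
        return self.has_user(uid) and self._users[uid]["migrated"]

    def bind(self, uid: str, password: str) -> bool:
        cred = self._users.get(uid, {}).get("cred")
        if cred is None:
            return False
        salt, digest = cred
        return hmac.compare_digest(
            hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000), digest)

    def unmigrated_users(self) -> list[str]:
        """Who still depends on the legacy directory."""
        return sorted(u for u, rec in self._users.items() if not rec["migrated"])


class MigrationRouter:
    """Virtual-directory bind handler: migrated users go to the target,
    everyone else is checked against the legacy directory and, on
    success, has the password set on the target and is flagged migrated."""

    def __init__(self, legacy: LegacyDirectory, target: TargetDirectory):
        self.legacy, self.target = legacy, target
        self.audit: list[tuple[str, str, bool]] = []  # (uid, route, result)

    def bind(self, uid: str, password: str) -> bool:
        if self.target.is_migrated(uid):
            ok = self.target.bind(uid, password)
            self.audit.append((uid, "target", ok))
            return ok
        ok = self.legacy.bind(uid, password)
        if ok and self.target.has_user(uid):
            # Legacy accepted the credential: it is now known to be the
            # user's real password, so copy it forward exactly once.
            self.target.set_password(uid, password)
            self.target.mark_migrated(uid)
            self.audit.append((uid, "legacy->migrated", ok))
        else:
            # Either a failed bind (nothing is written) or a user that
            # was never provisioned in the target; both stay on legacy.
            self.audit.append((uid, "legacy", ok))
        return ok
```

Two operational points follow from the logic: the legacy directory must stay reachable until `unmigrated_users()` is empty (users who never log in during the window still need a reset), and because the router handles the clear-text password at bind time, the client-to-router and router-to-directory connections both need TLS, and the audit trail should record the route but never the credential.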

Conclusion

Trying to manually migrate from one LDAP directory to another by reconfiguring and recoding around the schema, Directory System Agent, Directory Information Tree, Access Control List and other discrepancies between directories is not only costly and time consuming, it is extremely risky. In an enterprise environment, where there are likely more differences and even more applications, the risk increases significantly while the probability of a successful migration shrinks. The Virtual Identity Server is a proven solution that can make any directory migration a quick and easy process.
