
title: Directory and Identity Services Blues
link: https://onemoretech.wordpress.com/2008/05/07/directory-and-identity-services-blues/
author: lembobro
post_id: 536
created: 2008/05/07 21:21:37
created_gmt: 2008/05/07 21:21:37
comment_status: open
post_name: directory-and-identity-services-blues
status: publish
post_type: post

Directory and Identity Services Blues

Clayton Donley of Oracle pulls together some recent discussion around directory, identity and web services in a post that bears reading. Amongst his prose, the following first caught my eye:

…LDAP access in most applications is poorly written, even when using ADSI or ADO to talk natively to Active Directory. I can’t count the number of virtual directory deployments that we’ve sold to help customers in environments that were nearly 100% Microsoft (ADO/ADSI-enabled apps talking to Microsoft AD). Many of these deployments were to get around bad schema assumptions, others were to get around topology issues or forest boundary issues.

and then this:

LDAP is great. LDAP is ubiquitous. LDAP is not, however, the future of identity access.

Check out Clayton’s post to track down the threads that prompted him to make these statements.

The bottom line here is that the developer community is looking for something better, different, from identity services. In the past, Clayton and others at Oracle have trumpeted virtual directories. Others, like Kim Cameron of Microsoft, have written about “second generation metadirectories” (I always shudder at the mere mention of the word “metadirectory”, recalling the horrors of managing an abortive Sun Metadirectory 1.0 installation that was inflicted on my company by a now defunct consultancy). Still others, like Phil Hunt, also of Oracle, have asked whether developers should move away from LDAP in favor of an “identity bus” on the web services continuum, most often in connection with the Liberty Alliance’s IGF (formally called the Identity Governance Framework).

All really heady stuff for a simple directory manager like me to grapple with. Fortunately, because my main focus is on practical solutions directed to improving both access and security for our users, on budget, I don’t have to get hung up too much on the philosophical permutations. What is important is getting as clear a view as possible of the road ahead, to avoid steering the machine into a ditch along the way. Given the ubiquity of LDAP as a glue protocol for exchanging identity information, it’s not going away any time soon. Heck, it may even take me into retirement (of course, 15 more years in information technology is like a century in the “normal” world, so that’s highly unlikely).

Copyright 2004-2019 Phil Lembo