Relational LDAP Services
Challenge
Lightweight Directory Services are somewhat strict. They have a schema, which you have to follow. And they are read-optimized, which makes them perfect for access control and identity management.
But they lack a feature that databases offer: they are not relational, which means every attribute and piece of information required has to be present on the one object you query. Sure, you can do more than one query, but nearly all systems using LDAP require you to deliver all the information they request in ONE call.
Design
In the real world, an employee (user) belongs to a department, which belongs to an organization (you can add more relations like countries, locations, cost centers, etc. here). In our approach, we link exactly these elements together: a user is linked to a department, which is linked to an organization. Let's call them all ‘Entities’.
Based on these relations, the entities can ‘inherit’ settings from each other. Why? Well, imagine you can simply assign a new service (e.g. a group) to a department, and everyone in that department gets the service automatically. The department is renamed? Well - rename the department. And every user belonging to it is automatically updated.
Implementation
Using an Identity Management system, we ‘flatten’ the relational data from the related entities onto the user objects, directly when the event occurs. That means an event like ‘change organization name’ triggers the event ‘Update the Organization-Information’ on all users belonging to that organization. Within seconds.
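As an added illustration (not the page's own code), the following Python sketch models the Organization, Department and User entities described above, flattens them into a single LDAP-style entry per user with inherited group memberships, and shows how a ‘rename organization’ event re-flattens every affected user. Entity names, the base DN and the group names are constructed for the example; departmentNumber and o are standard inetOrgPerson / organization attributes.

```python
"""Added example: flatten Organization -> Department -> User relations into
self-contained LDAP-style entries, and re-flatten them on a rename event.
All sample entities, groups and the base DN below are constructed."""
from dataclasses import dataclass, field


@dataclass
class Organization:
    name: str
    groups: set = field(default_factory=set)   # services assigned at organization level


@dataclass
class Department:
    name: str
    org: Organization
    groups: set = field(default_factory=set)   # services assigned at department level


@dataclass
class User:
    uid: str
    dept: Department
    groups: set = field(default_factory=set)   # services assigned directly to the user


def flatten(user: User) -> dict:
    """Build the one entry an application reads in a single LDAP query:
    department and organization data are copied onto the user object, and
    group memberships are inherited down the Organization -> Department -> User chain."""
    dept, org = user.dept, user.dept.org
    return {
        "dn": f"uid={user.uid},ou=people,dc=example,dc=com",   # constructed base DN
        "uid": user.uid,
        "departmentNumber": dept.name,   # inetOrgPerson attribute carrying the department
        "o": org.name,                   # organizationName attribute carrying the organization
        "memberOf": sorted(user.groups | dept.groups | org.groups),
    }


def on_rename_organization(org: Organization, new_name: str, users: list) -> dict:
    """Event handler: rename the organization once, then re-flatten every user
    belonging to it so the 'o' attribute follows. Returns the updated entries by uid."""
    org.name = new_name
    return {u.uid: flatten(u) for u in users if u.dept.org is org}


# constructed sample data: one organization, two departments, two users
ACME = Organization("ACME Corp", {"cn=vpn-users"})
SALES = Department("Sales", ACME, {"cn=crm-users"})
R_AND_D = Department("R&D", ACME, {"cn=git-users"})
USERS = [User("alice", SALES, {"cn=crm-admins"}), User("bob", R_AND_D)]

if __name__ == "__main__":
    for u in USERS:
        print(flatten(u))
    print(on_rename_organization(ACME, "ACME Holding", USERS))
```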
Operation
The first relational LDAP implementation was done by us in 2008. Since then, this system has been operating as expected. In addition, we quickly found out that this implementation can serve as a kind of ‘virtualization layer’, which decouples the ‘real’ organization structure (often driven by financial aspects) from the requirements of IT systems and administration.
Today, we no longer fear any organizational rebuild. We just adjust the relational rules and policies. A recent re-organization at a customer's site affecting more than 1000 users took us just two days to adapt the system. New organizations and departments are integrated within 1 working day.
And a complete provisioning of a new user with all rights and services assigned happens within 2 minutes, targeting more than 20 applications, services and databases.
Like what you just read? Need more information and references, where we have successfully applied our ideas?
Feel free to contact us