Tuesday, January 22, 2008


A Common Weakness in all Identity Management Products

I bet you didn't know that pretty much all identity management products suffer from one big design flaw related to integration with Active Directory...

Consider for a moment how many Fortune enterprises run Active Directory in production. Out of the Fortune 500, Sun is the only holdout. You would think that if Active Directory is so pervasively deployed, software vendors would want to integrate deeply with it, but nothing could be further from the truth.

There are several directory services products available in the marketplace, including Active Directory Application Mode (ADAM), Sun ONE Directory Server, OpenLDAP, and Oracle OID. Do you think that the identity management products from Sun, BMC and Oracle support all of them? Do you think that bloggers from these companies will share their roadmaps, or will they hide the deficiencies?

Within the Active Directory product family there is an intriguing product called ADAM, which provides high-quality but cheap directory services within an enterprise setting. An enterprise deploying it can set up multiple directory instances, each used in an application-specific context, while keeping the security aspects centralized.

One specific feature that every security person would want to take advantage of is the notion of bind redirection. The idea is that you can connect to an instance of ADAM and perform normal LDAP queries, but when it comes to authentication you are in essence redirected to a domain controller: ADAM holds the entry, the domain controller verifies the password.

The usage scenario is that attributes such as my preferences for food at the company picnic would be stored in ADAM while my password would be stored in AD. Today, there is no good way to get any of the identity management tools to interoperate with this arrangement. Hopefully, the likes of Pat Patterson, Jeff Bohren, Nishant Kaushik, Gerry Gebel, Jackson Shaw and Bob Blakley will start having a public conversation on how to gain interoperability in the world of identity management.
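To make the split concrete, here is a small Python model of what bind redirection does, added here as an illustration and not code from ADAM or from any vendor: the ADAM instance keeps the application attributes and a userProxy object whose objectSid points at the AD account, and on a simple bind it hands the password to the domain controller instead of checking it locally. The DN, SID, attribute name and the secure-bind-required default are constructed assumptions for the example.

```python
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    # Stand-in for however the DC stores credentials; the point is that
    # only the DC ever derives or compares anything from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class DomainController:
    """Stand-in for AD: the only store that holds or verifies passwords."""

    def __init__(self):
        self._accounts = {}  # objectSid -> (salt, derived key)

    def add_account(self, sid, password):
        salt = os.urandom(16)
        self._accounts[sid] = (salt, _derive(password, salt))

    def verify(self, sid, password):
        if sid not in self._accounts:
            return False
        salt, key = self._accounts[sid]
        return hmac.compare_digest(key, _derive(password, salt))


class AdamInstance:
    """Stand-in for ADAM: application attributes, no password for proxy users."""

    def __init__(self, dc, require_secure_proxy_bind=True):
        self._dc = dc
        self._require_secure = require_secure_proxy_bind  # assumed default
        self._entries = {}  # dn -> attribute dict

    def add_user_proxy(self, dn, sid, **attrs):
        self._entries[dn] = {"objectClass": "userProxy", "objectSid": sid, **attrs}

    def simple_bind(self, dn, password, over_tls):
        entry = self._entries.get(dn)
        if entry is None or entry["objectClass"] != "userProxy":
            return False
        # The redirected bind forwards the cleartext password to the DC, so
        # the instance refuses it on an unprotected connection.
        if self._require_secure and not over_tls:
            return False
        return self._dc.verify(entry["objectSid"], password)

    def search(self, dn, attr):
        return self._entries.get(dn, {}).get(attr)


def demo():
    # Constructed sample directory: one AD account, one ADAM proxy entry.
    dc = DomainController()
    dc.add_account("S-1-5-21-1-2-3-1001", "correct horse battery")
    adam = AdamInstance(dc)
    dn = "CN=jdoe,OU=Picnic,DC=app"
    adam.add_user_proxy(dn, "S-1-5-21-1-2-3-1001", picnicFood="vegetarian")
    return (adam.simple_bind(dn, "correct horse battery", over_tls=True),
            adam.simple_bind(dn, "wrong password", over_tls=True),
            adam.simple_bind(dn, "correct horse battery", over_tls=False),
            adam.search(dn, "picnicFood"))
```

The four results show the good bind succeeding, the bad password failing at the DC, the cleartext-channel bind refused by ADAM, and the preference attribute still served from ADAM.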

On a side note, I was reading the blog of Laurence Hart, who is absolutely brilliant when it comes to ECM, and a previous entry he wrote on LDAP synchronization. Bet you didn't know that the product he referenced also can't synchronize with ADAM...

