• United States

The Open Group’s directory muddle

Apr 05, 20043 mins
Access ControlEnterprise Applications

* What directories are and what they're not

For the past few issues we’ve been exploring the key concepts of identity management as promulgated by the Open Group in a recent white paper (link below). We’re going to wrap up the current discussion of this issue by looking at the role of directories in identity management.

The section of the paper dealing with the directory concept opens by stating: “Directories obviously serve a role as a repository for some (but not all) identity and permissions data,” but I’m going to quibble about that.

It has been said about the philosopher William James, who wrote the seminal work “The Varieties of Religious Experience,” that you could sum up his thesis as “Whatever you worship, that is your god.” In identity management, I’ll propose the thesis wherever you store identity information, that is your directory. It’s true that some information may not be stored in your primary directory, but there’s nothing to stop it being referenced from that directory (see the myriad issues of this newsletter about virtual and meta directories).

Another quibble would be the sentence “Directories are often relied upon to make decisions, most notably decisions related to authentication.” Directories, per se, don’t make anything, certainly not decisions. Directories are datastores, databases, repositories of information. A directory service may (and most likely will) contain authentication services, applications, methods and/or protocols but the directory itself is only a small part of the directory service.

The paper goes on to recommend that only relatively stable data (data which is read much more often than it’s written) be stored in the directory, but gives no hints as to where more dynamic data should go nor how it should be referenced. The best solution, of course, is to keep pointers to dynamic data in the directory so that all reads are directed to one datastore.

The paper then goes on to a murky and muddled discussion of access control, authentication, directories, technology partners, security enforcement and more. Of all the concept sections, this is by far the weakest containing as it does faulty definitions, misinformation and muddied thinking. I would hope this section might be rewritten, or at least edited, in a subsequent version of the paper. As just one more example of sloppiness, Novell’s eDirectory is referenced as “e-directory”.

There’s a lot more to the paper (another 80 pages or so, in fact) and we may return to look at more of the information, in particular the three “perspectives” (personal, technical, legal) on identity management. But it’s alright if you read ahead. You could even point out to me areas you think are especially good (or vice versa). In the meantime, we’ll move on to some other things.