In many, if not most, large organizations you will find that there are
multiple directories in use. Sometimes this is because you have an LDAP
domain controller for each global region or subsidiary, or it
could be that one directory holds internal users and the other holds external
people (such as customers or partners).
However, you will discover that many LDAP-enabled applications are not
capable of speaking to multiple LDAP servers. Instead they can only
speak to a single service.
So what do you do?
You can deploy a Virtual Directory (such as Oracle Virtual Directory)
which allows you to deploy a single, stateless "directory router"
service that makes multiple LDAP servers appear as a single LDAP server
without the need to synchronize to a single master service.
The way this works is that the Virtual Directory has "adapters" that
connect to your LDAP servers. In the adapter you define a namespace,
normally as a branch in the Virtual Directory's namespace.
For example -- if the root of your Virtual Directory is
"dc=example,dc=com" - you would create a virtual branch as
"ou=ldap1,dc=example,dc=com" for your first LDAP adapter. The value for
ou could be whatever makes the most sense for your organization.
And it doesn't even have to match the namespace your internal LDAP server is actually managing.
The benefit of exposing your LDAP adapters as branches is that it
simplifies the processing the Virtual Directory has to do in order to
determine which LDAP server is best suited to answer the request: the
decision reduces to comparing the search base against each adapter's branch.
After you have configured your LDAP adapters (with Oracle Virtual
Directory, this can be accomplished with just a few mouse clicks),
you're ready to point your LDAP client applications at the Virtual
Directory.
Now when the client performs a search against the Virtual Directory,
the Virtual Directory passes the search request to all adapters that
could possibly answer that request. It then returns to the client
all entries received from every adapter that responded with results.
Thus your clients believe they searched a single LDAP server and got one
or more entries. They have no idea that in reality those entries came back
from multiple LDAP servers.
And this applies to all types of LDAP operations, including bind and add/modify/delete, not just search.
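To make the routing and merging described above concrete, here is a small in-memory model of a directory router. It is an added example written for this page, not Oracle Virtual Directory's code or configuration: the adapter names, the backend suffixes ("dc=corp,dc=internal", "o=partners") and the directory entries are all constructed sample data. It shows the three points the post makes: each adapter's branch is a plain suffix match, so choosing adapters is cheap; a search is fanned out to every adapter whose branch could hold matching entries and the results are merged with their DNs rewritten into the virtual namespace; and a bind is routed to exactly one adapter (the one owning the branch), failing closed when no single owner exists.

```python
"""Toy virtual directory: several backend directories exposed as branches
of one virtual namespace. All data below is constructed for illustration."""
import hmac
from dataclasses import dataclass


def dn_parts(dn):
    """Split a DN into normalized RDN components, most specific first."""
    return [p.strip().lower() for p in dn.split(",")]


def is_under(dn, base):
    """True when `dn` equals `base` or lies beneath it in the tree."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[-len(b):] == b


def in_scope(dn, base, scope):
    """LDAP search scope semantics relative to a base DN."""
    d, b = dn_parts(dn), dn_parts(base)
    if scope == "base":
        return d == b
    if scope == "one":
        return len(d) == len(b) + 1 and d[1:] == b
    if scope == "sub":
        return is_under(dn, base)
    raise ValueError(f"unknown scope {scope!r}")


@dataclass
class Adapter:
    """One backend directory, mounted at `virtual_branch` in the virtual tree.
    (Hypothetical class; `entries` maps a backend DN to its attributes.)"""
    name: str
    virtual_branch: str
    real_suffix: str
    entries: dict

    def __post_init__(self):
        self.entries = {",".join(dn_parts(k)): v for k, v in self.entries.items()}

    def to_virtual(self, real_dn):
        # Replace the backend suffix with the virtual branch.
        rel = dn_parts(real_dn)[:-len(dn_parts(self.real_suffix))]
        return ",".join(rel + dn_parts(self.virtual_branch))

    def to_real(self, virtual_dn):
        # Inverse mapping; caller guarantees virtual_dn lies under the branch.
        rel = dn_parts(virtual_dn)[:-len(dn_parts(self.virtual_branch))]
        return ",".join(rel + dn_parts(self.real_suffix))

    def search(self, virtual_base, scope, predicate):
        # Evaluate scope in the virtual namespace so nothing outside the
        # requested base is ever returned to the client.
        return [(self.to_virtual(rdn), attrs) for rdn, attrs in self.entries.items()
                if in_scope(self.to_virtual(rdn), virtual_base, scope) and predicate(attrs)]

    def bind(self, virtual_dn, password):
        attrs = self.entries.get(self.to_real(virtual_dn))
        if attrs is None:
            return False
        stored = attrs.get("userPassword", [""])[0]
        return hmac.compare_digest(stored.encode(), password.encode())


class VirtualDirectory:
    """Stateless router: holds no entries itself, only the adapter list."""

    def __init__(self, root, adapters):
        self.root, self.adapters = root, adapters

    def candidates(self, base):
        # An adapter can answer when the base sits inside its branch, or when
        # the base is above the branch (e.g. a subtree search from the root).
        return [a for a in self.adapters
                if is_under(base, a.virtual_branch) or is_under(a.virtual_branch, base)]

    def search(self, base, scope, predicate):
        merged = {}
        for adapter in self.candidates(base):
            for vdn, attrs in adapter.search(base, scope, predicate):
                merged[vdn] = attrs  # branches are disjoint, so DNs cannot collide
        return merged

    def bind(self, dn, password):
        # A bind must map to exactly one owning adapter; anything else fails closed.
        owners = [a for a in self.adapters if is_under(dn, a.virtual_branch)]
        return len(owners) == 1 and owners[0].bind(dn, password)


def build_demo():
    """Two constructed backends mounted under dc=example,dc=com."""
    ldap1 = Adapter("ldap1", "ou=ldap1,dc=example,dc=com", "dc=corp,dc=internal", {
        "dc=corp,dc=internal": {"objectClass": ["domain"]},
        "uid=alice,ou=people,dc=corp,dc=internal": {
            "uid": ["alice"], "mail": ["alice@example.com"], "userPassword": ["alice-pw"]},
    })
    ldap2 = Adapter("ldap2", "ou=ldap2,dc=example,dc=com", "o=partners", {
        "o=partners": {"objectClass": ["organization"]},
        "uid=bob,o=partners": {
            "uid": ["bob"], "mail": ["bob@partner.example"], "userPassword": ["bob-pw"]},
    })
    return VirtualDirectory("dc=example,dc=com", [ldap1, ldap2])


if __name__ == "__main__":
    vd = build_demo()
    for dn in vd.search("dc=example,dc=com", "sub", lambda a: "uid" in a):
        print(dn)  # one merged result set, DNs rewritten into the virtual tree
```

A subtree search from the root for any entry with a `uid` fans out to both adapters and comes back as a single result set under `dc=example,dc=com`; a search based at `ou=ldap2,dc=example,dc=com` is routed to the second adapter alone. The bind path is where a router most needs care: because branches are disjoint, the owning adapter is unambiguous, and a DN that no adapter owns is rejected rather than tried everywhere.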
Comments (2)
OpenLDAP has back-ldap, a standard backend module that supports construction of such a virtual server without additional software. There is the residual issue of the subordinate directories needing to have very similar schema and attribute usage. That would be the same for the Open Source solution and, one assumes, the Oracle software.
OpenLDAP also has an open architecture for backend modules and overlays that simplifies the Open Source production of custom adaptors for other Virtual Directory requirements.
Posted by Marty Heyman | March 19, 2006 10:00 PM
This is true to a point. OpenLDAP's back-end is a form of LDAP proxy but does not do virtualization. A primary difference (which I'll point out in another post) is that Virtual Directory can totally change the appearance of the back-end directory (such as namespaces) and even change attribute names, values or add/remove attributes on the fly.
That being said - if OpenLDAP is a solution for you - good for you :).
Just keep in mind that OpenLDAP isn't backed by Oracle's award-winning support and is much harder to configure than Oracle Virtual Directory.
But don't take my word for it - try out Oracle Virtual Directory or ask for a demonstration!
Posted by Mark Wilcox | March 19, 2006 10:52 PM