Virtual directory

From Wikipedia, the free encyclopedia

A virtual directory or virtual directory server is a technology that offers a way to provide a consolidated view of distributed user identity from multiple, often disparate, data sources without having to construct an entire directory infrastructure. Implemented in the form of middleware, a virtual directory is a lightweight service that operates between applications and identity data.

A virtual directory receives queries and directs them to the appropriate data sources. When the user data comes back, the directory presents the data to the enterprise application as if it all had been stored in one place all along. This ability to reach into native disparate repositories makes virtual directory technology ideal for consolidating data stored in a distributed environment.

The most commonly used protocol for virtual directory servers is LDAP.

Advantages of virtual directories:

  • Faster deployment, since no synchronization between stores is required
  • Leverage existing investments in security and high availability for the authoritative data stores
  • Provide application-specific views of identity data, which can avoid the need to develop a master enterprise schema
  • Allow a single view of identity data without violating internal or external regulations governing identity data
  • Act as identity firewalls, shielding the primary data stores from denial-of-service attacks and adding a further layer of access control in front of sensitive data
  • Changes made in authoritative sources are reflected in real time

Some typical virtual directory terminology:

  • Namespace Joining - The creation of a single large directory by bringing multiple directories together at the namespace level. For instance, if one directory has the namespace "ou=internal,dc=domain,dc=com" and a second directory has the namespace "ou=external,dc=domain,dc=com", then creating a virtual directory that serves both namespaces is an example of namespace joining.
  • Identity Joining - The creation of a single user identity from various authoritative sources linked together by common data. For instance, if the user joeuser exists in a directory as "cn=joeuser,ou=users" and in a database with the username "joeuser", then the "joeuser" identity can be constructed from both the directory and the database.
  • Mapping - The transformation of data inside the virtual directory, for instance mapping the attribute uid to sAMAccountName.
  • Identity Routing - Virtual directories may support the routing of requests based on certain criteria (such as write operations going to a master while read operations are forwarded to replicas).
  • Authoritative Source - A "virtualized" data repository, such as a directory or database, that the virtual directory can trust for user data.
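The three concepts above can be seen together in a small simulation. This is an added example, not code from any virtual directory product: the two "directories" and the "database" are constructed in-memory dictionaries standing in for the namespaces and the HR database described above, and the attribute names are the ones used in the terminology list.

```python
"""Toy virtual directory: namespace joining, identity joining and attribute mapping
over constructed in-memory backends (added example, not a real product)."""
from typing import Optional

# Constructed sample backends standing in for real directories and a database.
LDAP_INTERNAL = {  # entries under ou=internal,dc=domain,dc=com
    "cn=joeuser,ou=internal,dc=domain,dc=com": {"uid": "joeuser", "cn": "Joe User"},
}
LDAP_EXTERNAL = {  # entries under ou=external,dc=domain,dc=com
    "cn=partner1,ou=external,dc=domain,dc=com": {"uid": "partner1", "cn": "Partner One"},
}
HR_DB = {"joeuser": {"department": "Security", "employee_id": "E1001"}}  # keyed by username

# Namespace joining: each DN suffix is served by exactly one backend.
NAMESPACES = {
    "ou=internal,dc=domain,dc=com": LDAP_INTERNAL,
    "ou=external,dc=domain,dc=com": LDAP_EXTERNAL,
}

# Mapping: rename attributes for an application that expects AD-style names.
ATTRIBUTE_MAP = {"uid": "sAMAccountName"}


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def route(base_dn: str) -> Optional[dict]:
    """Return the backend whose namespace contains base_dn (namespace joining)."""
    base = normalize_dn(base_dn)
    for suffix, backend in NAMESPACES.items():
        if base == suffix or base.endswith("," + suffix):
            return backend
    return None  # outside every joined namespace: nothing to consult


def lookup(dn: str) -> Optional[dict]:
    """Resolve one entry the way the virtual directory would present it."""
    backend = route(dn)
    if backend is None:
        return None
    entry = backend.get(normalize_dn(dn))  # backend keys are already normalized
    if entry is None:
        return None
    # Identity joining: enrich the directory entry with the HR row sharing the username.
    # The directory wins on conflicting attribute names (it is authoritative for them).
    joined = {**HR_DB.get(entry["uid"], {}), **entry}
    # Mapping: present attributes under the names the application expects.
    return {ATTRIBUTE_MAP.get(k, k): v for k, v in joined.items()}
```

A lookup of joeuser returns the directory attributes plus the HR department under the mapped name sAMAccountName, while a DN outside both namespaces is refused before any backend is touched.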