Identity Management Systems: Using Multiple LDAP Directory Services
As an IT Professional with over fifteen years of technical experience and specialising in Identity Management, I have been involved with designing, supporting, and debugging identity management systems in several academic institutions.
Identity management is present in every IT environment. It determines whether a user can log in, who they are, and what they can do.
Even though identity plays such a crucial role in IT, it is often neglected, understood by only one or two people, or thought of in overly simplified terms compared to the actual complicated business logic and user lifecycle processes involved.
The events that trigger actions in an identity management system are usually driven by an external ‘source of truth’ database, which could be a student records and/or HR system. It can sometimes be very difficult to identify all of the possible ways this information can change, in what order, and to define accurately what each change means for the current status of an individual.
The record for a student, in a student record system, can be manipulated in ways that do not always follow the configured standard business logic. The user interface on a student records system allows changes to a multitude of attributes and to statuses such as pre-enrolled, enrolled, failed to complete, withdrawn, and completed, and the process may not always follow the same path for every student.
All of this affects the quality of the identity management system and the user experience. For this reason you should always understand which attributes are changing, how they are changing, and why they are changing.
Testing of an identity management system is therefore extremely difficult, and should not be taken lightly or rushed. A single misconfiguration in the business logic could result in thousands of user accounts being deleted, disabled, or left insecure, and unexpected results may only appear when a certain number of other factors coexist at the same time.
Authentication and authorisation are commonly confused with each other and misunderstood. They are two different functions, and not the same thing.
Authentication is solely responsible for checking that the supplied username and password combination matches that of a user previously configured in an identity store.
Authorisation is solely responsible for providing a level of access to systems and services, usually based on group membership, roles, attributes, flags, tokens, etc.
It is the identity management function which is responsible for knowing who these users are, their name, department, telephone, office, etc.
One of the most common authentication and authorisation protocols is the Lightweight Directory Access Protocol (LDAP), and examples of LDAP directory services include Active Directory, Active Directory Lightweight Directory Services, and eDirectory.
After experiencing environments with multiple LDAP directories, each with their own purpose, I have fully explored the benefits of having a well designed, well structured, and secure LDAP directory services infrastructure.
It is possible to have an LDAP directory service that only provides authentication. This means that the only information in the directory is usernames and passwords. The security can be further improved by only allowing the authenticated user access to their own details. This minimises the risk of losing data, especially data that isn’t required for the specific service.
Using a single Active Directory directory service for all authentication purposes limits the ability to control authorisation on third-party systems that rely solely on authentication to provide their authorisation, i.e. the username and password are correct, so you may use this system. In this case there is no ‘off button’ for selectively stopping access to services, and anyone can point a new system at Active Directory with no IT admin intervention.
It is for this reason that I would not recommend Active Directory being the ‘source of truth’ for all authentication, and also not to hold any further information than required to support desktop, server, and email services.
I would definitely recommend using Active Directory for managing Windows environments, but the schema and functional level must be kept up to date. Upgrading Active Directory is a ‘business as usual’ task in the millions of businesses that use it around the world.
The attractive solution is to have an identity vault that holds details of all the user accounts ever created. The external ‘sources of truth’ update the identity vault and as the accounts are updated, the business logic ensures that other connected LDAP directory services are also updated to reflect the changes where required.
The passwords in the identity vault are stored using a reversible encryption, so they can be decrypted in the future. It is therefore extremely important to secure the clustered identity vault infrastructure and never let any user authenticate against it.
The ability to decrypt passwords allows us to create and delete accounts in other LDAP directory services at any point in the future. So, for example, when a user should no longer have access to log on to desktop computers, the account can be deleted from Active Directory. If at a later date the user is then authorised to access desktop computers again, the account can be recreated in Active Directory with the up to date information from the identity vault.
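The vault-driven lifecycle described above, together with the earlier warning that one bad business rule can delete thousands of accounts, as an added example that is not code from the original article: a source-of-truth status feeds an identity vault, the vault provisions a connected directory standing in for Active Directory, and a deletion guard refuses a runaway batch. The statuses that grant desktop access, the users, departments and the guard threshold are all constructed assumptions.

```python
"""Added example: reconcile an identity vault against one connected directory.
The connected directory is a plain dict standing in for Active Directory;
statuses, sample users and MAX_DELETES_PER_RUN are constructed assumptions."""
from dataclasses import dataclass

DESKTOP_STATUSES = {"pre-enrolled", "enrolled"}  # assumed: statuses that grant desktop access
MAX_DELETES_PER_RUN = 3                         # assumed guard against a runaway business rule

@dataclass
class VaultRecord:
    username: str
    status: str       # copied from the source of truth (student records)
    department: str

def desired_accounts(vault):
    """Business logic: only vault records whose status grants desktop access get an AD account."""
    return {u: {"department": r.department} for u, r in vault.items() if r.status in DESKTOP_STATUSES}

def plan(vault, directory):
    """Diff the desired state against the connected directory without changing anything."""
    want = desired_accounts(vault)
    creates = {u: a for u, a in want.items() if u not in directory}
    updates = {u: a for u, a in want.items() if u in directory and directory[u] != a}
    deletes = [u for u in directory if u not in want]
    return creates, updates, deletes

def reconcile(vault, directory):
    """Apply the plan to the connected directory, refusing a suspiciously large delete batch."""
    creates, updates, deletes = plan(vault, directory)
    if len(deletes) > MAX_DELETES_PER_RUN:
        raise RuntimeError(f"refusing to delete {len(deletes)} accounts in one run; review the logic")
    for u in deletes:
        del directory[u]          # account leaves AD; the vault record itself is kept
    directory.update(creates)
    directory.update(updates)
    return creates, updates, deletes

def demo():
    """Walk one student lifecycle: provisioned, withdrawn, then re-enrolled in a new department."""
    vault = {"alice": VaultRecord("alice", "enrolled", "Physics"),
             "bob": VaultRecord("bob", "withdrawn", "History"),
             "carol": VaultRecord("carol", "pre-enrolled", "Law")}
    ad = {}
    reconcile(vault, ad)                          # alice and carol created; bob never provisioned
    vault["alice"].status = "withdrawn"           # source-of-truth event arrives in the vault
    _, _, gone = reconcile(vault, ad)             # alice removed from AD, vault still knows her
    vault["alice"] = VaultRecord("alice", "enrolled", "Chemistry")
    reconcile(vault, ad)                          # recreated from the current vault attributes
    return ad, gone
```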
Using LDAP directory services for specific purposes can also greatly improve information security as only the minimum amount of information is being exposed. Sensitive information, for example, date of birth, shouldn’t be stored in Active Directory because of the inherited read permissions by default, but could be stored safely in an independent directory service.
Identity is a topic that can be discussed for hours; it can be elegantly designed and can enable a secure and reliable user experience.