LDAP Proxy product

  • 109 Views
  • Last Post 22 July 2015
sa.anupam posted this 17 July 2015

Hello All,
I am curious to know if anyone is using an LDAP Proxy in their environment and which are the top few brands for this. I have also been looking out for a Virtual Directory server, and found a few.
Regards, Anupam

gkirkpatrick posted this 17 July 2015

EmpowerID, formerly DotNet Factory

http://www.empowerid.com/

Dell (formerly Symlabs)

http://software.dell.com/products/virtual-directory-server/

Oracle

http://www.oracle.com/technetwork/middleware/id-mgmt/index-093158.html

I have had some personal experience with the Symlabs product several years ago. Very fast, very flexible, a little challenging to configure, but I expect that has been addressed by now.
-gil

sa.anupam posted this 17 July 2015

Thank you so much Gil!! Do you also have a suggestion for top Virtual Directory products? Thinking about a replacement for AD LDS.

sa.anupam posted this 17 July 2015

Okay, I am checking these three. Looks like they are Virtual Directory Servers. I guess they have a proxy mechanism as well.

mcasey posted this 17 July 2015

Optimal IdM Virtual Identity Server. It's a solid .NET-based virtual directory that can be used as an LDAP proxy. We have had a lot of success with the product. Good price point and straightforward to deploy and configure.

gkirkpatrick posted this 17 July 2015

I’ve heard lots of good things about Optimal IdM as well.

What is it you’re trying to accomplish?

-gil

Ravi.Sabharanjak posted this 17 July 2015

I've used the Optimal IDM product about 5 years ago and it must have only improved over the years. It is pretty simple to set up and configure - way better than some of the Java based products that were around at that time.
-Ravi

sa.anupam posted this 20 July 2015

Apps in our company use multiple AD domains (having different user sets) and right now we are doing it through AD LDS. We are considering a better product that can help to achieve this.
We are evaluating Optimal IdM and Dell. However, there are not many articles or reviews available for such products :o(
Apologies for the delayed response. I was lost (for good) in a jungle.

joe posted this 20 July 2015

Do you have any flexibility with the applications in terms of possibly externalizing the authentication mechanism, such as using SAML or something like that? Generally speaking, you stand to gain even greater flexibility as well as SSO across applications by going in this direction. For example, you can add MFA into your SSO system and then apply that to existing apps if you ever wanted to, without having to change the apps once authentication is externalized.
Joe K.

robertsingers posted this 20 July 2015

"For good" means forever in my particular dialect of English and I've never heard it used another way.
Unless you're a doppelgänger I think you mean "for real".

mcasey posted this 20 July 2015

I agree with Joe on his point about externalizing/federating the auth mechanism if you have the opportunity. That is definitely the direction that many apps are going anyway.
As far as product reviews, I think the virtual directory space is an interesting one where you'll find lots of strong opinions about vendor selection and the mere existence/necessity of virtual directory technology itself. You probably won't find any/many thorough reviews of any virtual directory products (except the creators asserting their abilities), particularly reviews that effectively compare one product to another. I can offer that each product varies widely in the level of effort, pre-reqs, and costs required to get up and running.
I've been working with Optimal's VIS product since 2008/2009 (just after DEC in Chicago, which I think was their 1.0 launch). The base directory service is very lightweight and simple to set up (i.e. make sure .NET is present, install the product, step through the config wizard, done). The level of complexity will come from things like: how many domains you need to integrate, dealing with non-LDAP or non-SQL back-end data sources, the degree of high availability you want to achieve, and how much magic you need from the directory (e.g. merging/joining related objects, rewriting LDAP searches before processing, etc.). Have I mentioned no Java?
I can also add that I've never encountered better product support than I have from Optimal. I can't speak highly enough of their team. We deployed some new virtual directory infrastructure in December to support a critical service for my company (currently handling around 3 million LDAP searches daily). The Optimal support team was available throughout the deployment and service integration, available night and morning hours of our go-live weekend, quickly assisting with performance tuning, and supplying hot-fixes for minor issues within the same weekend (it may have been within 24 hours but I don't recall exactly).
If you have any more specific questions about our use of VIS feel free to email me directly off-list.
-matt

sa.anupam posted this 21 July 2015

ROFL!! Great catch. I was bad at that. It was more like an informal use of the phrase. Btw, in formal terms you can compare this example with "I ate my dog" instead of writing "I fed my dog" ;o)

Subject: Re: [ActiveDir] LDAP Proxy product

sa.anupam posted this 21 July 2015

Great highlights. ADFS was something I have been thinking about. But many applications are homegrown and they do the authentication piece themselves (read AD to populate identities). Some of those apps need to be tweaked to support SAML, and developers are normally reluctant to change their golden pieces of code :o(
Can you please elaborate on what you meant by externalizing the auth mechanism? I am familiar with the federation concept. Is it the same? Sorry if I am sounding stupid!!

gkirkpatrick posted this 21 July 2015

I agree with Matt and Joe: if what your apps need the directory for is authentication, you would be much better off looking into federation and convincing your devs they need to support it instead of using LDAP to do authentication. Most app frameworks have SAML support as some sort of an option.

“Externalizing auth” means taking authentication out of the application. For instance, if your app prompts for a user name and password and then checks the password against either a database or a directory (by doing an LDAP bind, for instance), then that is internal authentication. Externalizing authentication means that the app lets some other process do the authentication, and simply receives a secure artifact representing that authentication, for instance a SAML or OpenID Connect token. The application doesn’t know or care how the authentication was done, just that it was done by a process that the application trusts.

The benefits are enormous… it simplifies the application, it removes a whole bunch of security concerns from the application developer, it simplifies management and operations (once you have set it up), and improves overall security by using one or two reliable, trusted authentication mechanisms, rather than having each application handle its own.

-g


joe posted this 22 July 2015

Gil stated that really well. I'll just add a few details that might help in terms of technical options.
First, it is good to standardize on standard protocols for implementing externalized auth. For example, SAML, WS-Fed and OIDC are great for this. They are well-reviewed protocols that have lots of implementations out there. OAuth is great for service authorization and also has tons of software support. Finding the right fit for any given app may take some research, but there are frameworks for just about every platform, so you should have some options if you do the research.
The other piece you mentioned is the directory/provisioning piece, where you do some queries to a central store to find the users. That is less well implemented by SAML, although there is some story for that in OIDC. Azure AD has a great story for this with the Graph API, which goes really well with their protocol support. Its availability story is going to be hard to beat as well.
Joe K.

gkirkpatrick posted this 22 July 2015

Just to clarify… OAuth is not suitable for authentication, despite many people using it that way. There is a good write-up of why here:

http://www.thread-safe.com/2012/01/problem-with-oauth-for-authentication.html

-gil

joe posted this 22 July 2015

Yeah, I've gotten used to people saying "OAuth for service authorization" and I even used it in my post, but that terminology is also kind of lame and misleading since it doesn't clarify what you really meant by it. I've also discovered that I have trouble explaining it to senior management. :)
So, what Gil said...
Joe K.

sa.anupam posted this 22 July 2015

This is the most valuable information, which even Google might fail to provide. I will talk to our dev team. Security is the most powerful term that every dev guy fears, and with that, so many benefits of using SAML!! Thank you so much for sharing the details and explaining these to me. Thank you!!