Sneak Preview - What a LIMA Implementation Looks Like
We will go into the details in later sections, but for now, this is a quick
overview of some of the components a LIMA implementation may include.
Infrastructure:
Use commodity infrastructure components - e.g., Intel x86_64 servers,
Linux, Tomcat and stock-standard network devices that can filter
traffic, perform network address translation and load-balance web
servers. Higher-end infrastructure will generally cost you more without
delivering any greater benefit. We discuss how to provide scalability and
availability through an appropriate architecture rather than through
expensive hardware.
Use commodity directory, database and message queuing products. If
you don't already have preferred products in these categories,
OpenLDAP, MySQL (or PostgreSQL) and ActiveMQ are perfectly
adequate Open Source offerings. There are some complications here for
organisations that already use Microsoft's Active Directory, but we will
cover that case a bit later.
Data design:
It may be counter-intuitive, but you must use both an LDAP directory
and a relational database, and split user data between them. Store only
authentication credentials in the directory, using the simplest possible
tree structure, and store all other attributes in the database [13]. The
database design will be unique and specific to your organisation.
Use a globally unique “User UUID” to associate multiple system
accounts (application-specific user IDs) across different systems,
including the IAM directory and database. This mapping provides the
foundational capability to manage a user's attributes and access rights
across multiple systems using a single, meaning-free identifier.
Use a single “Person UUID” to associate multiple “User UUIDs”. This
provides the foundation to build sophisticated audit capabilities across
[13] Our thanks to Stan Levine of Hyro Ltd for this extremely useful suggestion.
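The following is an added example, not code from the book or from any LIMA project, that shows the data design above in working form: a credential-only directory entry keyed by a meaning-free User UUID, a relational store holding the Person UUID to User UUID to system-account mapping, and the two lookups that mapping is there to support (application-specific ID to User UUID, and Person UUID to every account for audit). SQLite stands in for MySQL/PostgreSQL so it runs offline; the table names, column names, the directory base DN and the sample accounts are all assumptions made for this illustration.

```python
"""Added example: the LIMA split between a credential-only directory and a
relational store holding Person UUID / User UUID / system-account mappings.
Table, column and DN names are assumptions for this illustration."""
import sqlite3
import uuid

# Assumed flat directory tree: one entry per User UUID, credentials only.
LDAP_BASE = "ou=users,dc=example,dc=com"

# Assumed schema.  Only non-credential data lives here; the directory
# entry for a user is located purely by its User UUID.
SCHEMA = """
CREATE TABLE person (
    person_uuid  TEXT PRIMARY KEY
);
CREATE TABLE app_user (
    user_uuid    TEXT PRIMARY KEY,
    person_uuid  TEXT NOT NULL REFERENCES person(person_uuid),
    display_name TEXT NOT NULL
);
CREATE TABLE system_account (
    system_name  TEXT NOT NULL,
    account_id   TEXT NOT NULL,
    user_uuid    TEXT NOT NULL REFERENCES app_user(user_uuid),
    PRIMARY KEY (system_name, account_id)
);
"""


def new_uuid() -> str:
    """Random (version 4) UUIDs carry no meaning, so the identifier itself
    reveals nothing about the person or the systems they use."""
    return str(uuid.uuid4())


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce the UUID references
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, person_uuid, display_name, accounts):
    """Create one User UUID under a Person UUID and map the given
    (system_name, account_id) pairs to it.  Returns the new User UUID."""
    user_uuid = new_uuid()
    conn.execute("INSERT OR IGNORE INTO person VALUES (?)", (person_uuid,))
    conn.execute("INSERT INTO app_user VALUES (?, ?, ?)",
                 (user_uuid, person_uuid, display_name))
    conn.executemany("INSERT INTO system_account VALUES (?, ?, ?)",
                     [(sys_name, acct, user_uuid) for sys_name, acct in accounts])
    conn.commit()
    return user_uuid


def directory_dn(user_uuid):
    """DN of the credential-only directory entry for a user: the simplest
    possible tree, one level under the base, keyed by the User UUID."""
    return f"uid={user_uuid},{LDAP_BASE}"


def resolve_user(conn, system_name, account_id):
    """Application-specific account ID -> User UUID (None if unmapped)."""
    row = conn.execute(
        "SELECT user_uuid FROM system_account "
        "WHERE system_name = ? AND account_id = ?",
        (system_name, account_id)).fetchone()
    return row[0] if row else None


def accounts_for_person(conn, person_uuid):
    """Every system account reachable from one Person UUID, across all of
    that person's User UUIDs: the cross-system audit view."""
    return conn.execute(
        "SELECT sa.system_name, sa.account_id, sa.user_uuid "
        "FROM system_account sa JOIN app_user u ON u.user_uuid = sa.user_uuid "
        "WHERE u.person_uuid = ? ORDER BY sa.system_name, sa.account_id",
        (person_uuid,)).fetchall()


def demo():
    """Constructed sample: one person holding a staff identity and a separate
    contractor identity, each with its own application-specific accounts."""
    conn = open_store()
    person = new_uuid()
    staff = create_user(conn, person, "J. Smith (staff)",
                        [("crm", "jsmith"), ("erp", "10042")])
    contractor = create_user(conn, person, "J. Smith (contractor)",
                             [("wiki", "j.smith.ext")])
    return {
        "person": person,
        "staff": staff,
        "contractor": contractor,
        "crm_lookup": resolve_user(conn, "crm", "jsmith"),
        "unknown_lookup": resolve_user(conn, "crm", "nobody"),
        "audit": accounts_for_person(conn, person),
        "staff_dn": directory_dn(staff),
    }


if __name__ == "__main__":
    result = demo()
    print("directory entry:", result["staff_dn"])
    for system_name, account_id, user_uuid in result["audit"]:
        print(f"{system_name:5} {account_id:12} -> {user_uuid}")
```

Note that nothing in the relational store is a credential and nothing in the directory is a business attribute: an application that knows only its own account ID reaches the directory entry through the User UUID, and an auditor walking from the Person UUID sees every account without any of the identifiers revealing who the person is.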