What Do We Do with Active Directory?
We've talked about the IAM directory and we'll shortly show how minimal its data structure really is. However, most organisations with Windows workstations also have Active Directory to provide a centralised authentication point for LAN logins, as we saw during our SPNEGO discussion.

Can organisations use AD as their IAM directory? This may seem trivial to do, but there are some organisational reasons why it may not be a good idea. The more elegant solution, we believe, is to maintain both directories. This may appear logistically more complex, but doesn't have to be.

AD has a fairly complex data structure, and it holds data on many entities (e.g., workstations and printers) in addition to users. The temptation when using AD as the IAM directory is to go the whole hog and do away with the IAM database altogether. That would be a bad idea. The separation of directory and database, loosely coupled by the User UUID, is one of the biggest effort-saving innovations we have seen. In fact, we would recommend using as many directories as required to authenticate different groups of users, but sharing a single IAM database for their authorisation.[32] Directories should hold authentication credentials and nothing else. As always, the UUID is the link between repositories that reconciles user data between any directory and the database. (A trivial format conversion may be required between AD's GUID and IAM's UUID.[33])
[32] The UUID's role in decoupling authentication and authorisation realms is illustrated diagrammatically later on.

[33] The curly-brace-delimited GUID "{0fec5f441dc64b4e8dd0a5404520118d}" favoured by Microsoft corresponds to the hyphenated UUID format "0fec5f44-1dc6-4b4e-8dd0-a5404520118d" that is more common in the Unix world.
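As an added example (not the book's own code), a Python normaliser for the conversion footnote 33 describes: it maps Microsoft's brace-delimited GUID to the hyphenated UUID and back, and joins directory entries to IAM database records on that shared key. It also accepts the raw 16-byte objectGUID an LDAP client returns from AD, which, as an assumption beyond the page, uses Windows' little-endian field layout; the sample values and the `objectGUID`/`sAMAccountName` record shapes are constructed.

```python
import re
import uuid

# Constructed sample values: the footnote's GUID in Microsoft's brace-delimited
# form and the same identifier in the hyphenated form common on Unix.
MS_GUID = "{0fec5f441dc64b4e8dd0a5404520118d}"
UNIX_UUID = "0fec5f44-1dc6-4b4e-8dd0-a5404520118d"
_HEX32 = re.compile(r"^[0-9a-f]{32}$")

def normalise_guid(value):
    """Return a canonical uuid.UUID for any accepted spelling of a GUID.
    str:   brace-delimited GUID (hyphens optional, any case) or plain UUID.
    bytes: the raw 16-byte objectGUID an LDAP client gets from AD; Windows
           stores the first three fields little-endian, which is exactly what
           uuid.UUID(bytes_le=...) expects (assumption beyond the page).
    Anything else raises ValueError instead of being silently "repaired".
    """
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 16:
            raise ValueError("objectGUID must be exactly 16 bytes")
        return uuid.UUID(bytes_le=bytes(value))
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        text = text[1:-1]
    hex_only = text.replace("-", "").lower()
    if not _HEX32.match(hex_only):
        raise ValueError(f"not a GUID/UUID: {value!r}")
    return uuid.UUID(hex=hex_only)

def to_ms_guid(u):
    """Render a uuid.UUID in the brace-delimited, unhyphenated form of the footnote."""
    return "{" + u.hex + "}"

def reconcile(directory_entries, iam_users):
    """Join directory records to IAM database rows on the canonical UUID.
    directory_entries: dicts carrying an 'objectGUID' in any form above.
    iam_users: dict keyed by canonical UUID string -> authorisation record.
    Returns (matched, unmatched); an unmatched account can authenticate but
    has no authorisation record, which is worth surfacing, not ignoring.
    """
    matched, unmatched = {}, []
    for entry in directory_entries:
        key = str(normalise_guid(entry["objectGUID"]))
        if key in iam_users:
            matched[key] = (entry, iam_users[key])
        else:
            unmatched.append(entry)
    return matched, unmatched
```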
 