Author: vscheuber
Cool Blog: Synchronization versus Virtualization

Our IDM product line is based on data synchronization technology. From time to time I come across requests for virtualization in identity management projects for various reasons. Some of them hold up; others don't and fall after only a short investigation. Read on to learn about some of the misconceptions that exist out there regarding synchronization versus virtualization.

I went out and did some research on what the general understanding of a virtual and a meta directory is. I found an article on Wikipedia very interesting, actually interesting enough to make changes to it. The article originally stated:

When compared against most metadirectory technologies, virtual directory implementations typically offer several advantages:

  • A simpler administration model
  • Better reaction times against changes as the data is read directly from the source,
  • Better adoption in the Corporate IT politics as the ownership of data is not changed,
  • Better match for environments where the bulk transfer of changes is inappropriate

When I read that, I thought it was seriously wrong. I made the following changes:

When compared against metadirectory technologies, virtual directory implementations offer potential advantages and suffer from certain disadvantages:

Potential advantages:

  • In certain political climates it may be preferable not to synchronize data to a central identity vault. In all other cases, however, synchronization offers unique advantages (some of which are listed under disadvantages below).
  • It is a better match for environments where the bulk transfer of changes is inappropriate. An example might be transactional systems that hold information about a large number of transactions, where only summaries or only the last couple of transactions should actually be retrieved through the directory service.
  • There are potentially better reaction times to changes in low load/request environments, as the data is read directly from the source. This advantage may quickly turn into a huge disadvantage in heavy load/request scenarios, when all the backend systems are put under heavy load.

Disadvantages:

  • All data is always available as long as the central identity vault is available. In a virtual directory implementation, some of the delegated data sources may not be available and requests may return no data or only incomplete data.
  • A central identity vault is usually easier to make highly available and fault-tolerant than a conglomeration of separate data stores.
  • In heavy load/request environments the identity vault absorbs all client requests, thus protecting the backend systems from having to handle the whole load.
  • Using close-to-realtime synchronization technologies offers comparable performance, even in a load/request environment.
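
The availability and load points in the list above can be seen in a small simulation. This is an added example, not code from the original article or from any product it mentions; the classes, the `hr` and `mail` backends and the `jdoe` record are constructed for illustration.

```python
class Backend:
    """One connected system (constructed sample data) holding some attributes."""
    def __init__(self, name, records):
        self.name, self.records = name, records
        self.available, self.reads = True, 0
    def read(self, user):
        if not self.available:
            raise ConnectionError(f"{self.name} is down")
        self.reads += 1  # load this backend had to serve
        return dict(self.records.get(user, {}))

class VirtualDirectory:
    """Joins attributes from every backend at request time; stores nothing."""
    def __init__(self, backends):
        self.backends = backends
    def lookup(self, user):
        entry, unreachable = {}, []
        for b in self.backends:
            try:
                entry.update(b.read(user))
            except ConnectionError:
                unreachable.append(b.name)  # the joined entry is now incomplete
        return entry, unreachable

class IdentityVault(VirtualDirectory):
    """Serves a synchronized copy; client requests never reach the backends."""
    def __init__(self, backends):
        super().__init__(backends)
        self.store = {}
    def sync(self, users):
        for user in users:  # fan out once per sync cycle, not once per request
            entry, _ = super().lookup(user)
            self.store.setdefault(user, {}).update(entry)
    def lookup(self, user):
        return dict(self.store.get(user, {})), []  # last synced copy, may be stale

def simulate(requests=1000):
    hr = Backend("hr", {"jdoe": {"title": "Engineer"}})
    mail = Backend("mail", {"jdoe": {"mail": "jdoe@example.com"}})
    vdir, vault = VirtualDirectory([hr, mail]), IdentityVault([hr, mail])
    vault.sync(["jdoe"])
    for _ in range(requests):
        vault.lookup("jdoe")
    vault_load = hr.reads + mail.reads  # backend reads caused by the vault path
    for _ in range(requests):
        vdir.lookup("jdoe")
    vdir_load = hr.reads + mail.reads - vault_load
    hr.available = False  # one delegated source goes down
    return vault_load, vdir_load, vdir.lookup("jdoe"), vault.lookup("jdoe")
```

The vault keeps answering from its last synchronized copy while `hr` is down, so the entry is complete but only as fresh as the last sync cycle.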

Editor's note: The Matt Flynn Blog also offers some practical advice on the question of virtualization vs. synchronization. Here are some examples:

http://360tek.blogspot.com/2007/01/re-synchronization-versus.html

Common scenarios where a virtual directory would be very useful:

http://360tek.blogspot.com/2006_03_01_360tek_archive.html


Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.





© 2013 Novell