LDAP: Federate or Aggregate part 1

With so many emails and questions coming in about LDAP integration for single sign-on as well as Sametime lookups, I figured it was time to write down some quick information.  For now, let's set aside which directory you are using as the LDAP source, be it your existing Domino Directory, Active Directory or SunOne.

If you are using multiple directories, then federating them is the place to begin.  One requirement, though, is a common schema available across all of them; that way naming conventions and field mappings are much simpler.  Why would you federate?  Maybe you do not wish to manage the entire user directory and want certain departments, subsidiaries or groups to keep maintaining their own.  Responsibility for keeping each directory current still lies with those areas, since you are simply passing through a request for the username and password or a name lookup.  Here is a great definition:

Federation is the process of "hooking" together naming systems so that the aggregate system can process composite names. One basic means by which you federate systems is to bind the reference of one naming system in a context in another naming system.

So what is important in this scenario?  Having a common schema.  One of the things we do not like to see is sites that want to link multiple LDAP directories together but cannot agree on, or establish, some standard that everyone will work with.  Domino allows this federation through Directory Assistance, which refers the lookup to other LDAP directories for user information.  Imagine if one site used (LastName FirstName), another (FirstName LastName), a subsidiary used (ShortName), and still another had an older product that would not allow a schema modification to include the Notes username or Sametime server field.  You get the picture.
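To make the schema problem concrete, here is an added example (not code from the original post, and not a Domino or Directory Assistance API): three constructed directories with the naming conventions just described are mapped onto one agreed set of attributes, and the script reports which directory cannot supply the Notes username, Sametime server or even a parsable name. All directory names, users, servers and attribute names are hypothetical.

```python
# Added example, not from the original post: why a common schema matters when
# federating directories. All names, servers and conventions below are constructed.
COMMON_ATTRS = ("uid", "givenName", "sn", "mail", "notesName", "sametimeServer")

DIRECTORIES = {
    "hq": {"convention": "FirstName LastName", "entries": [
        {"cn": "Jane Doe", "uid": "jdoe", "mail": "jdoe@example.com",
         "notesName": "Jane Doe/HQ/Example", "sametimeServer": "CN=st1/O=Example"}]},
    "subsidiary": {"convention": "LastName FirstName", "entries": [
        {"cn": "Smith Bob", "uid": "bsmith", "mail": "bsmith@example.com",
         "notesName": "Bob Smith/Sub/Example", "sametimeServer": "CN=st2/O=Example"}]},
    "legacy": {"convention": "ShortName", "entries": [
        # Older product whose schema cannot be extended: no Notes/Sametime fields.
        {"cn": "aklein", "uid": "aklein", "mail": "aklein@example.com"}]},
}

def split_name(cn, convention):
    """Return (givenName, sn) parsed from cn under the directory's convention."""
    parts = cn.split()
    if convention == "FirstName LastName" and len(parts) >= 2:
        return parts[0], " ".join(parts[1:])
    if convention == "LastName FirstName" and len(parts) >= 2:
        return " ".join(parts[1:]), parts[0]
    return None, None  # ShortName: the real name cannot be recovered from cn

def normalize(directory, entry):
    """Map one raw entry onto COMMON_ATTRS; attributes the source lacks become None."""
    out = {attr: entry.get(attr) for attr in COMMON_ATTRS}
    out["givenName"], out["sn"] = split_name(entry["cn"], DIRECTORIES[directory]["convention"])
    out["source"] = directory
    return out

def federation_report():
    """Normalize every entry; return them plus the attributes each directory cannot supply."""
    entries, gaps = [], {}
    for name, directory in DIRECTORIES.items():
        for raw in directory["entries"]:
            entry = normalize(name, raw)
            entries.append(entry)
            missing = [attr for attr in COMMON_ATTRS if entry[attr] is None]
            if missing:  # this directory cannot satisfy the agreed schema
                gaps.setdefault(name, set()).update(missing)
    return entries, {name: sorted(attrs) for name, attrs in gaps.items()}

if __name__ == "__main__":
    entries, gaps = federation_report()
    for entry in entries:
        print(entry["source"], entry["uid"], entry["givenName"], entry["sn"], entry["notesName"])
    print("directories that cannot satisfy the common schema:", gaps)
```

Any directory listed in the report would have to be fixed, or its lookups special-cased, before it could be federated cleanly.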

Part 2 tomorrow on aggregation.