Wednesday, July 09, 2008

Metaphysical Directory Virtual Storm

Or MDVS for those that like acronyms (hi all you current/ex-IBMers - if you don't get what I'm talking about, you've never heard an IBMer complain about PBCs, IDPs, RDMs, PDMs, SSM, RMs...I could go on but I won't).

For those that are unaware, there's a bit of a debate going on about virtual directories and meta-directories.

I think Jackson Shaw may have started it back in March this year and for some reason it got a whole lot noisier this week.

There's a lot to read if you haven't been following the thread so here's a timeline with the gist of each post (paraphrased/summarised by yours truly, so I'm not quoting directly - if I manage to offend anyone along the way, my sincere apologies as that's not my intent :-)):

Jackson Shaw: The meta-directory is dead.
Dave Kearns: I hope Microsoft is listening because ex-Microsoft/Zoomit meta-directory guru Jackson Shaw says the meta-directory is dead.
Kim Cameron: Claims are "the electrons that flow" on the Identity Bus. A meta-directory is the most advanced technology around to transform and arbitrate claims, and distribute metadata.
Nishant Kaushik: Meta-directory? What do you need that for? Just use a virtual directory and combine it with some provisioning!
Matt Flynn: The meta-directory isn't dead. It just got older. But hey, 50 is the new 30 isn't it?
Matt Pollicove: "Metadirectories and Identity Attributes are the molecules and atoms of the Identity universe which came long before any concept of Identity 2.0, which as a newcomer to the Identity Universe which might wind up being Compounds." (Note: Direct quote - Matt P didn't need paraphrasing.)
Jeff Bohren: It's about choosing the right tool people. Stop trying to be Philosophers.
Jackson Shaw: What Jeff said. Oh, and what Matt Flynn said too. Let's consolidate the suckers (directory technologies, not Jeff and Matt). (Note: Jackson didn't actually say "suckers"...and he definitely didn't say it in such a close proximity to mentioning Jeff and Matt - that was just artistic license on my part.)
James McGovern: Why don't we all just use Active Directory? We all have one!
Nishant Kaushik: Matt F, you can just use a virtual directory plus provisioning. Using a meta-directory is a point solution and you'll have to cludge your way around it down the track because of business processes and controls. Oh and aren't more vendors starting to support Active Directory because of the emergence of the virtual directory anyway? And using Active Directory locks you in to Microsoft. A virtual directory is much more flexible and abstracts you from things like that nasty Bill Gates nerd directory...I mean Steve Ballmer. (Note: Nishant made no such reference to Bill or Steve or a nerd directory. Again, artistic license on my part.)
Jeff Bohren: Some dude from the ApacheDS project wrote a comment saying all existing virtual directories are hacked together solutions with the end goal being an acquisition.
Dave Kearns: What's ApacheDS guy smoking?
Ash Motiwala: Did Nishant really just say that the reason for a "groundswell" of people building native Active Directory support into their apps is because of the emergence of virtual directories?
Jeff Bohren: Soooo Nishant, you think instead of being "locked-in" to Active Directory we should be "locked-in" to Oracle Virtual Directory? By the way, it's not that difficult to write code that supports multiple LDAPs.
Nishant Kaushik: Oops. I mis-stated what I was trying to say. I didn't mean to say that applications are supporting Active Directory directly as the identity store by using a virtual directory. I meant to say the reason for a "groundswell" of people building native Active Directory support into their apps is because of the emergence of virtual directories. By the way Jeff, virtual directory "lock-in" doesn't seem to be a big issue with customers. (Note: Is it just me or did Ash actually understand what Nishant was really trying to say and Nishant just thought that Ash thought that he meant the other thing? In which case Ash's question still stands. Is anyone confused yet? I am.)
Clayton Donley: Hey guys, what's up? Back from a great holiday. What the?! I go on vacation and all of you kick up this mini-storm on directories. Jeff, writing code for different directories is easy for an experienced LDAP guy like you, but for a lot of people it's a real pain in the a**. Virtual directories make things more dynamic and configurable if you decide to change the directory infrastructure. Just change some settings and away you go. As for virtual directory vendor "lock-in", that's why we're working on standards like the Identity Governance Framework and CARML, which will improve virtual directory interoperability.
Clayton Donley: As for all you Active Directory fan-boys, "What's more likely: 1. everyone standardizing on Active Directory, or 2. everyone not standardizing on Active Directory." Say "aye" for option 1...(dead silence)...
Clayton Donley: Yeah, what's that ApacheDS project guy smoking?!

By now, I doubt anyone cares what I think. But that's never stopped me before. So here goes:
  • Use the right tool for the right purpose. I may be over-generalising but here are some examples:
    • If you want to keep disparate data sources updated with the right info "auto-magically", use a meta-directory.
    • If you need to tie some business processes around the modification of information, go with a provisioning tool. Usually this is tied to some access control needs. e.g. changing an attribute might drive a dynamic role which suddenly gives you more access than you should have, which may be perfectly fine but requires the granting of dispensations and approval by a business or system owner.
    • If you want to be able to get at data from a known, semi-standardised access point and not have to worry about where to get all this various bits of data you need, go with a virtual directory.
  • There's enough room today (and in the foreseeable future) in an Enterprise Identity Ecosystem for a provisioning tool, a meta-directory, a virtual directory and obviously an actual real directory (or more likely, a few directories)...oh and let's not forget the "annoying uncle in the corner we don't like to invite to the party except for the fact it's his house", Active Directory (I know it's technically a directory too, but it's a little "different" - you all know what I mean).
  • If you can get an organisation to go with a service-oriented approach to security, the debate goes away. Everything becomes a service. How all these services get implemented will be largely up to the vendors. It may be a meta-directory underneath the covers. Or maybe it's a virtual directory. If I'm the person writing the code, I don't really care. Just point me at the service and stop preaching to me about security.
  • Meta-directories aren't dead. They're evolving. They're also aging as Matt Flynn says, but I'm not sure it's the fine wine type of aging. Nishant is somewhat correct in referring to meta-directories as point solutions. But what's wrong with that? If you have a requirement that a meta-directory solves perfectly (and you know what it will and won't do) then go with it. Matt and Nishant's comments aside, the concept of a virtual directory and meta-directory as separate types of "tools" will probably go away. I have a feeling they'll converge as vendors build out their feature sets. In typical "me-too" fashion (big vendors do this all the time), meta-directory products will add features to make them more "virtual directory-like" and vice versa. Maybe they'll get a new name. Integration Directory? Yeah that's a boring name. I'm sure someone will come up with a better one. Perhaps the evolution will lead to the meta-virtual-directory being the spine of the Identity Bus everyone keeps talking about. It won't need a name any longer. It'll just be a component.

So there you go. Problem solved. Well, that's just wishful thinking on my part :-) Debate is always healthy...especially with this many people involved.

Now I'll just sit here and wait for the surge of people telling me that I mis-interpreted them. Either that or people telling me I'm a fool :-)

Seriously, if I did please correct me either via the comments or send me a message (there's a form on the right side of my blog that sends me an email).


Matt Flynn said...

A fool? No. ...unless you mean in the "court jester" sense. I laughed numerous times reading this. Great stuff! And you did it with very un-funny content. Well done.

Anonymous said...

Best post of the year.

Pat Patterson said...

Excellent summary, Ian. I just aggregated you into Planet Identity, by the way.

Matt Pollicove said...

Possibly the first time I did not need paraphrasing.

Nice wrap up. It will make my own wrap up on the topic much easier :)

James McGovern said...


James McGovern said...