Saturday, February 28, 2009

When is a Virtual Directory not a Virtual Directory?

The answer is simple: when it is used as a web server proxy rather than an LDAP proxy.

Let's look at the classic definition of a virtual directory (in the interest of full disclosure, this is from the SAP VDS whitepaper):

"The Virtual Directory Server can logically represent information from a number of disparate directories, databases, and other data repositories in a virtual directory tree. Various users and applications can get different views of the information, based on their access rights."

So what does this mean? We're taking various sources and putting an LDAP front end on them. What can these back ends be? Databases, directories, other virtual directories, etc. The connections can take the form of ODBC, XML, or other web services.

But what happens when we do web services on both the front and back end of the VDS? Well, I do not think it is really a Virtual Directory any more. We're not representing information in a directory form and we're not doing read/search operations. It certainly would seem to put the never-ending cache debates to bed as well. I'm thinking that what we now have is a web services proxy or, in a more mature implementation, a Virtual Application Server (VAS).

So how would the VAS be used? The simplest case would be to have an application make a request to a VAS for information. This information is available from another VAS-connected system, and some mapping logic tells the VAS where to find it. With the request delivered to the targeted system, the proper information is obtained and returned to the requesting application.

You would have to wonder how often something like this is needed; after all, web services connectors can be written easily enough. However, what happens when we do not have all the code, or if there's a need to segregate the request over multiple domains or firewall zones? That, I think, would be one use case for the VAS. Another would be when there is no direct connection between, say, a role management system and a provisioning system, two common IdM applications these days. This could open up completely new ways for systems to interconnect. I wonder if anyone has been thinking along these lines.
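A sketch of the VAS request flow and the zone-segregation use case described above, added here as an illustration and not taken from SAP VDS or any product. The class, route, zone and caller names are all hypothetical, and the two back ends are constructed stand-ins for real web services.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

Record = Dict[str, str]

# Constructed stand-ins for two web-service back ends (hypothetical data).
def role_mgmt_backend(user: str) -> Record:
    return {"user": user, "roles": "hr-approver,payroll-viewer", "risk_score": "high"}

def provisioning_backend(user: str) -> Record:
    return {"user": user, "accounts": "sap,ad", "last_sync": "2009-02-27"}

@dataclass(frozen=True)
class Route:
    backend: Callable[[str], Record]
    zone: str                          # firewall zone the back end sits in
    views: Dict[str, FrozenSet[str]]   # caller -> attributes that caller may see

class VirtualAppServer:
    def __init__(self, routes: Dict[str, Route], caller_zones: Dict[str, FrozenSet[str]]):
        self.routes = routes
        self.caller_zones = caller_zones   # caller -> zones reachable through the VAS

    def request(self, caller: str, resource: str, user: str) -> Record:
        route = self.routes.get(resource)  # mapping logic: where does this live?
        if route is None:
            raise LookupError(f"no mapping for {resource!r}")
        if route.zone not in self.caller_zones.get(caller, frozenset()):
            raise PermissionError(f"{caller} may not reach zone {route.zone}")
        allowed = route.views.get(caller, frozenset())
        if not allowed:                    # deny by default: no view, no data
            raise PermissionError(f"{caller} has no view of {resource!r}")
        record = route.backend(user)       # forward to the targeted system
        return {k: v for k, v in record.items() if k in allowed}

def build_demo_vas() -> VirtualAppServer:
    routes = {
        "roles": Route(role_mgmt_backend, "idm-core",
                       {"provisioning": frozenset({"user", "roles"})}),
        "accounts": Route(provisioning_backend, "dmz",
                          {"role-mgmt": frozenset({"user", "accounts"}),
                           "helpdesk": frozenset({"user", "accounts", "last_sync"})}),
    }
    zones = {"provisioning": frozenset({"idm-core"}), "role-mgmt": frozenset({"dmz"}),
             "helpdesk": frozenset({"idm-core"})}  # has a view of accounts but no path to dmz
    return VirtualAppServer(routes, zones)

if __name__ == "__main__":
    print(build_demo_vas().request("provisioning", "roles", "jdoe"))
```

The provisioning caller gets the user's roles without `risk_score`, while the helpdesk caller is refused `accounts` on zone grounds even though a view is defined for it.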
