Nishant Kaushik has some interesting thoughts about the Virtual-Directory vs Meta-Directory debate. He makes some good points, and has this to say about vendor lock-in:
Well, from the standpoint of a deployer/implementer, I can certainly understand the attraction of the above. But as a product architect and technologist, all I can say is “No, No, No”. Why would we want to tie ourselves into a non-competitive, no-way-out scenario that we see repeated over and over in the OS and Mobile Provider worlds? Choice is necessary, nay vital, to innovation and growth. The minute you lock yourself into a single provider model, you are doomed to forever be curtailed by what that provider dictates. Virtual Directory provides a nice abstraction that frees you from having to make these very decisions on which directory to support (something LDAP was supposed to do, but didn’t).
And how are more applications supporting AD anyway? A lot of that has to do with the emergence of Virtual Directory solutions. A number of applications in the Oracle stable today claim to support AD as the identity store. The mechanism for all these is moving to Virtual Directory NOT because Oracle has a Virtual Directory product, but because maintaining adapters/connectors/plugins and what have you for all LDAP variants is a colossal nightmare.
So this is an interesting question. Does moving to a virtual-directory architecture free the customer from vendor lock-in, or does it lock the customer to their choice of virtual-directory providers? Or put another way, could you deploy a set of these products and realistically swap out OVD and replace it with the virtual-directory from OptimalIdM or Red Hat? If technically possible, would Oracle support it? I suspect I know the answer to that last one.
BTW, having written code that supports multiple LDAP vendors at four different companies and in three different programming languages, it’s really not all that difficult. The real power in virtual-directories is the ability to consolidate data from disparate sources, not abstracting the vendor for a single directory.
4 responses so far
To AD or not to AD (Talking Identity) // July 8, 2008 at 6:11 pm
[...] to be specific to custom in-house applications (where Virtual Directory lock-in, a great point raised by Jeff Bohren, is not considered as big of an issue) and is prevalent in heterogeneous directory environments, [...]
Is Connecting to Multiple Directories Really Easy? (Clayton Donley's Blog) // July 8, 2008 at 10:09 pm
[...] backwards, I saw the following quote from Jeff Bohren in his entry about vendor independence in response to a few posts from our own Nishant Kaushik: BTW, having written code that supports [...]
Halfway converted « Identity Blogger // July 9, 2008 at 2:25 pm
[...] I should not have said that it’s not that difficult to write vendor independent LDAP code. It can be very difficult [...]
Is Connecting to Multiple Directories Really Easy? | Oracle // September 5, 2008 at 7:19 am
[...] backwards, I saw the following quote from Jeff Bohren in his entry about vendor independence in response to a few posts from our own Nishant Kaushik: BTW, having written code that supports [...]