- Technical FAQ
- Contributor FAQ
- What is Virtual Directory?
- Virtual vs Meta Directory
- Why do you want to use Virtual Directory?
- What are the components of Virtual Directory?
- What is Schema Adaptation?
- What is Namespace Conversion?
- What is Attribute Value Modification?
- What are the benefits of providing LDAP Interface access to a database?
- I think I found a bug in Penrose. Where do I report it?
- What's the relationship between Apache Directory and Penrose?
- Can my BSD/LGPL licensed software include Penrose without violating your GPL license?
- I never heard of this GPL exception, are you sure you can do this?
Technical FAQ
Contributor FAQ
What is Virtual Directory?
Virtual directory technology offers a way to provide a consolidated view of user identity without having to reconstruct an entire directory infrastructure. Implemented in the form of middleware, a virtual directory is a lightweight service that operates between applications and identity data.
A virtual directory receives queries and directs them to the appropriate data sources. When the user data comes back, the directory presents the data to the enterprise application as if it all had been stored in one place all along. This ability to reach into native repositories makes virtual directory technology ideal for consolidating data stored with two or more corporate divisions, between trading partners or within one entity that is using different directory services for different applications.
Virtual vs Meta Directory
An important distinction between a virtual directory and a metadirectory is that a virtual directory loosely couples identity data and applications.
A meta directory provides a consolidated view of user identity by adding a layer of infrastructure that sits above native repositories, drawing user data from them and storing it in a new consolidated directory that faces an enterprise application. While this tight coupling is a good choice for situations in which data is not updated frequently, it is often insufficient to use with more agile applications such as portals and CRM systems, because synchronization delays could cause users to work with data that was minutes or even hours out of date.
Instead of creating new identity repositories, a virtual directory handles identity queries on a case-by-case basis, drawing the required, authorized data (and only the required data) in real time from its native repositories around a network and presenting it to an enterprise application as needed. When the query is complete the virtual directory disappears; once again, the data exists only in its native repositories, under the control of the original owner.
Why do you want to use Virtual Directory?
Virtual Directory, as simple as its concept is, has proven to be a versatile tool for numerous Identity Management initiatives. Please see the following use-cases.
Aside from the obvious benefits of LDAP, such as a self-disclosing schema and a ubiquitous API, a virtual directory has none of the headaches that come with a separate data model and redundant data. With Penrose, heterogeneous data aggregation across application boundaries is a simple task.
The most common reason why people want to use a virtual directory is to provide LDAP access to their database for authentication purposes.
What are the components of Virtual Directory?
Listener (LDAP), Virtualization Engine (Join Engine & Cache Engine), Adapters and Mapping Tools
What is Schema Adaptation?
In a directory server, the directory schema defines the rules for which object classes and attributes can be present, in addition to the relationships between them. LDAP clients are normally not able to change the set of attributes they include in their requests. The schema mapping abilities of the Virtual Directory make it possible to map between the attribute names (columns) in the data source and the attribute names used in the LDAP requests. Even more advanced schema modifications are easily configured. It is possible to extend the attribute set by constructing attributes from existing attributes and even from external data sources.
What is Namespace Conversion?
For security or political reasons an organization may want to expose different parts of the directory tree to different groups of users, or hide the real structure of the directory tree. Virtual Directory allows a company to show a different directory tree to different user groups.
What is Attribute Value Modification?
In many cases, it may be necessary to change the actual attribute values being returned to the client. For example: Changing the sequence of the surname and given name in the common name - if the common name is stored as "Morrison, Brad", a method in the Java class may convert this to "Brad Morrison".
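The schema adaptation and attribute value modification described above can be sketched together as follows. This is an added example, not Penrose code or configuration: the class, method, and column names are hypothetical, and the sample row is constructed. It maps only allowlisted columns to LDAP attributes, reorders the common name, and escapes the value used to build the DN.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: all names here are hypothetical, none are Penrose APIs.
public class RowToEntryMapper {
    // Schema adaptation: column -> LDAP attribute. Unmapped columns are never exposed.
    static final Map<String, String> COLUMN_TO_ATTR = Map.of("username", "uid", "full_name", "cn", "email", "mail");

    // Attribute value modification: "Morrison, Brad" -> "Brad Morrison"; other shapes are only trimmed.
    static String toGivenNameFirst(String cn) {
        String[] parts = cn.split(",", -1);
        if (parts.length != 2 || parts[0].isBlank() || parts[1].isBlank()) return cn.trim();
        return parts[1].trim() + " " + parts[0].trim();
    }

    // RFC 4514 escaping so a column value cannot change the structure of the DN.
    static String escapeRdnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if (c == 0) { sb.append("\\00"); continue; }
            boolean edge = (i == 0 && (c == ' ' || c == '#')) || (i == v.length() - 1 && c == ' ');
            if (edge || "\"+,;<>\\".indexOf(c) >= 0) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    static Map<String, String> toEntry(Map<String, String> row, String baseDn) {
        Map<String, String> entry = new LinkedHashMap<>();
        row.forEach((col, val) -> {
            String attr = COLUMN_TO_ATTR.get(col);
            if (attr == null || val == null) return;   // not mapped: stays in the database
            entry.put(attr, attr.equals("cn") ? toGivenNameFirst(val) : val);
        });
        String uid = entry.get("uid");
        if (uid == null || uid.isEmpty()) throw new IllegalArgumentException("row has no username");
        entry.put("dn", "uid=" + escapeRdnValue(uid) + "," + baseDn);  // constructed value
        return entry;
    }

    public static void main(String[] args) {
        Map<String, String> row = new LinkedHashMap<>();   // constructed sample row
        row.put("username", "bmorrison");
        row.put("full_name", "Morrison, Brad");
        row.put("password_hash", "constructed-placeholder");  // no mapping, must not appear
        System.out.println(toEntry(row, "ou=People,dc=example,dc=com"));
    }
}
```

Keeping the column-to-attribute map as an explicit allowlist means a column added to the table later is not exposed over LDAP until someone maps it.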
What are the benefits of providing LDAP Interface access to a database?
- LDAP provides a centralized configuration.
- LDAP is well suited for authentication.
- LDAP is well integrated with a lot of MTAs/MUAs, such as sendmail/postfix.
- LDAP is the standard access protocol used by corporate directories for a global address book.
- LDAP servers are designed for easy replication.
I think I found a bug in Penrose. Where do I report it?
The first thing you should do is search for any existing bugs in Penrose's bug tracking system: http://jira.safehaus.org. It is often the case that someone else may have already reported the bug, and a possible solution or workaround can be found in the existing bug report. If you are confident that your issue has not already been reported, you can report it to the Penrose team by posting on the community newsgroups or sending mail to safehaus@googlegroups.com. Check out our Contributing Patches page for further details.
What's the relationship between Apache Directory and Penrose?
Penrose uses Apache Directory Server as one of its protocol listeners. For real-world usage, users can replace the Penrose listener with their favorite directory server through various integration options.
Can my BSD/LGPL licensed software include Penrose without violating your GPL license?
Yes, you can. We created a FLOSS exception to address this concern. For example, if JBoss (LGPL) were to embed Penrose, that would not be a violation. JBoss doesn't have to worry about license compatibility. However, it would be illegal for a commercial vendor to re-distribute/re-sell JBoss with Penrose inside.
I never heard of this GPL exception, are you sure you can do this?
Penrose developers hold copyright to all the Penrose code. We can include additional license provisions, in this case a FLOSS exception, to our software. MySQL has the same exception.