Identity Infrastructure Is Our Area Of Expertise

The subjects discussed here include technologies, standards, architecture, implementation, and applications ... a broad range, to be sure. Each area is evolving rapidly due to the dramatic increase in scope and importance of identity for services and applications. LDAP, virtual directories, federation, and SSO are now key ingredients in an IT infrastructure. The ability to get maximum performance from them is absolutely critical. We are fortunate to have a "behind-the-scenes" view, and hope the observations we share from that perspective prove useful to our readers who care about these topics.

Tuesday, Apr 20, 2010

An Invitation - Join Symlabs At TEC 2010 To Discuss Virtual Directories And FIM

The Experts Conference 2010 will be held next week, and our CEO Antonio Navarro will be giving a presentation there entitled "Virtual Directories and FIM: A Match Made in Heaven?" on Tuesday, April 27th, at 2:45 PM. And, while you're at the conference, please stop by and visit with one of the Symlabs experts who will be on hand and more than happy to discuss virtual directories, or any other identity management subject, with you. We'll offer you a demo and show you how to apply Symlabs Virtual Directory Server, Symlabs LDAP Proxy, or Symlabs Federated Identity Suite to solve many of the problems that are now common in an identity infrastructure. We can also give you some good tips on how to put our new Symlabs Free LDAP Browser to work in a variety of creative ways.

Microsoft's Forefront Identity Manager is a very hot topic these days, so if you're one of the many looking for useful information to plan a deployment, this session should be quite helpful. Antonio has a keen understanding of the underlying technologies and standards for virtual directories and identity management in general, and he has a broad experience in the various products, architectures, and management techniques required to implement a successful infrastructure, so whether it's FIM, Active Directory, or some other identity or directory topic that has your interest, he can offer advice worth listening to.

The Experts Conference (TEC) 2010 will be held on April 25-28 in the JW Marriott Hotel Los Angeles at L.A. LIVE, Los Angeles, California, and the session that Antonio is addressing will be held in room FIM-2 on April 27th from 2:45 PM to 4:00 PM. This will be an important event for all of you who are interested in Microsoft identity technologies, and I hope to meet a lot of you there!

Jeff Zukowski

Friday, Apr 02, 2010

Use 'Virtual Schemas' To Make Complex Data Management Problems Disappear

It has only been just over a month since we released Symlabs Free LDAP Browser, and already we're closing in on a thousand downloads of the software. The enthusiastic reception must indicate that we've done something right, and also makes this seem like a good time to take a closer look at what the browser has to offer plus why it's the perfect application to use in conjunction with Symlabs Virtual Directory Server and Symlabs LDAP Proxy, as well as a range of other LDAP directory products.

To quickly review, Symlabs LDAP Browser is a Java application that can run on practically any OS that supports a Java Runtime Environment. It has many great built-in features like full TLS/SSL support, stored searches & bookmarks, LDIF exports, RootDSE & schema viewing, and two simplified editing interfaces for managing directory entries. It can even open multiple connections at once and switch between them using an intuitive tabbed interface, which is extremely useful when working with virtual directories since you'll most likely want to see the difference between views on your backend and the view that you are generating through the proxy engine.

One of the most common integration problems that virtual directories are typically called upon to resolve involves distributed or fragmented identity data. And, one feature that's unique to Symlabs LDAP Browser is proving to be particularly handy for virtual directory administrators who deal with this. They frequently find user data stored across multiple backend repositories, and, if they're lucky, these are repositories of the same type. If they're not so lucky, the various different repositories at least support the same protocol. But, if they're downright jinxed, they'll find themselves trying to consolidate data stored in several types of LDAP directories along with records stored in various relational databases.

Virtual directories offer a wealth of useful facilities to help resolve these problems, but quite often they do so by violating the schema. That's not to say schema violations are always a problem. Some applications are schema-agnostic and will just work with the attributes and LDAP objectClasses that they expect. Indeed some virtual directory products do offer the flexibility to smooth over problems caused by schema violation, and there are ways to trick an application into believing that the schema actually conforms (at least, we know it's possible with Symlabs LDAP Proxy and Symlabs Virtual Directory Server). Still, not every solution is going to call for such drastic measures. However, if you choose not to resolve schema violations, you may struggle to find an LDAP browser that can work properly in your environment.

Symlabs LDAP Browser has a very clever feature that addresses this issue. Imagine an ugly situation in which some data for your users is stored within a relational database and, at the same time, you have an LDAP directory that stores entries for the same users. You have an application that needs to access both sets of data as if it were stored in a single LDAP directory entry. The obvious solution is to implement a virtual directory that maps data from the tables in the database onto branches within the virtual directory tree. Using some join functionality, you merge the data from each record with the data for each entry based on a common field or attribute. Now you have a problem ... the directory will still report the schema that it supports, but you also have a bunch of 'virtual attributes' that represent data in the database, and these attributes are not reported by the schema.

While your target application may be okay with this and your LDAP browser may get as far as displaying the values for these attributes, it's very unlikely that the browser will let you modify entries that do not conform to the schema. Unless, of course, you're using Symlabs LDAP Browser. It is similar in that it really is schema strict - the difference is it also supports the novel idea of a 'virtual schema'.

Symlabs LDAP Browser will download a copy of the schema into memory, then allow you to modify the schema entries that it has stored for the connection. You can add new objectClasses or attributes to the schema, remove conflicting classes or attributes, and modify existing schema entries. Although this has no effect on the backend server, it means that if the data presented by your virtual directory solution does not conform to an existing schema, you will still be able to work with that data within the browser. This is because the virtual schema approach allows you to trick Symlabs LDAP Browser into believing that the data actually does conform. Best of all, you can store the virtual schema modifications that you make for any connection so when you open the same connection again, the browser will download the schema as usual and then apply the modifications you previously made.

You can easily perform virtual schema modifications that accommodate your virtual directory solution

And, when adding a new virtual attribute, you can fully define it as if it were a genuine schema entry

Of course, this functionality will only work where a solution is designed to support it. In other words, this isn't a quick and easy way to modify the schema on your server so other applications will work with your data. It's only a convenient trick to get the browser itself to work with non-conforming data, but it's a trick that the virtual directory enthusiasts out there are very glad to see. We specialize in virtual directory solutions, and in our many years of experience we hadn't come across a browser that was effective at handling this type of problem. So, we put this little innovation into our Symlabs Free LDAP Browser and we're pleased that it's so popular.
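
The following is an added illustration, not Symlabs code: a small schema-strict checker that reads objectClass definitions, applies a locally stored overlay, and validates an entry before and after. The sample definitions, the entry, the `costCenter` attribute and the overlay format are constructed for the example, and superclass (SUP) inheritance is not resolved, so the entry lists every class it uses.

```python
import copy
import re

# Constructed sample: objectClass definitions in RFC 4512 syntax, standing in
# for what a browser reads from the server's subschema entry.
SERVER_OBJECTCLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
]
# Constructed entry as a virtual directory might present it after a join.
ENTRY = {"objectClass": ["top", "person"], "cn": ["Ana Ruiz"], "sn": ["Ruiz"],
         "costCenter": ["4471"]}  # virtual attribute sourced from the database
# Hypothetical stored overlay for this connection: (operation, class, attributes).
OVERLAY = [("add_may", "person", ["costCenter"])]

def attr_names(definition, keyword):
    """Attribute names after MUST or MAY: a single name or a '$'-separated list."""
    m = re.search(rf"\b{keyword}\s+(?:\(([^)]*)\)|([\w-]+))", definition)
    if not m:
        return set()
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return {n.strip().lower() for n in body.split("$") if n.strip()}

def parse_schema(definitions):
    """Map each objectClass name to its required and optional attributes."""
    schema = {}
    for d in definitions:
        name = re.search(r"NAME\s+'([^']+)'", d).group(1).lower()
        schema[name] = {"must": attr_names(d, "MUST"), "may": attr_names(d, "MAY")}
    return schema

def apply_overlay(schema, overlay):
    """Return a patched copy; the schema read from the server is left untouched."""
    patched = copy.deepcopy(schema)
    for op, cls, attrs in overlay:
        cls, attrs = cls.lower(), {a.lower() for a in attrs}
        if op == "add_class":
            patched[cls] = {"must": set(), "may": attrs}
        elif op == "add_may":
            patched[cls]["may"] |= attrs
        elif op == "remove_class":
            patched.pop(cls, None)
        else:
            raise ValueError(f"unknown overlay operation: {op}")
    return patched

def violations(entry, schema):
    """Schema-strict check of one entry; an empty list means it conforms."""
    attrs = {a.lower() for a in entry}
    classes = [c.lower() for c in entry.get("objectClass", [])]
    problems = [f"unknown objectClass: {c}" for c in classes if c not in schema]
    known = [c for c in classes if c in schema]
    must = set().union(*(schema[c]["must"] for c in known))
    allowed = must.union({"objectclass"}, *(schema[c]["may"] for c in known))
    problems += [f"missing required attribute: {a}" for a in sorted(must - attrs)]
    problems += [f"attribute not in schema: {a}" for a in sorted(attrs - allowed)]
    return problems

if __name__ == "__main__":
    server = parse_schema(SERVER_OBJECTCLASSES)
    print("server schema :", violations(ENTRY, server))
    print("with overlay  :", violations(ENTRY, apply_overlay(server, OVERLAY)))
```

The overlay changes only what the checker accepts locally; the parsed server schema is never modified, which mirrors the point above that the backend is unaffected.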

If you're looking for something that can handle your actual schema modification requirements without affecting your existing repository, then you should look to Symlabs Virtual Directory Server or Symlabs LDAP Proxy, particularly given many of the recent improvements that we've made. If, on the other hand, you just need a browser that can work with your virtual directory solution, regardless of how schema-compliant its data presentation is, then download Symlabs LDAP Browser for yourself and use it with our compliments - it's free.

Rowan Puttergill

Friday, Feb 26, 2010

How To Connect A Virtual Directory Server To An Active Directory Via SASL In Less Than 10 Minutes

Now that Symlabs Virtual Directory Server v5.5 includes full SASL/GSSAPI support, integrating your virtual directory solution with Kerberos-enabled backends is both quick and easy. This is great news for Active Directory administrators, because Kerberos offers native protection for Active Directories. By using the GSSAPI backend connector in Symlabs Virtual Directory Server, they can easily provide full access and control to standard LDAP client applications that do not support Kerberos.

A common workaround to create LDAPS support for these clients has been to configure TLS/SSL on the Active Directory server, but any Windows administrator who has performed this configuration will attest to the fact that it is not a trivial task. On top of that, once this is up and running the directory will suffer reduced performance due to the additional cost of processing SSL in a Windows environment. It's naturally preferable to use the default authentication and encryption method, so delivering a way to fully integrate GSSAPI-incapable LDAP applications without the hassle of TLS/SSL is an important addition, one of many excellent new features in this latest release of Symlabs Virtual Directory Server.

Our technical author recently put together a tutorial on how to connect Symlabs Virtual Directory Server to an Active Directory instance using SASL/GSSAPI and a demonstration video that show just how easy it is. In fact, according to the video, a basic configuration can be built from the ground up in under 10 minutes. That means once you've installed the software, you can have standard LDAP applications working with a protected Active Directory instance in a snap.

So what are the steps? It's all so simple that they can be summarized as a quick list of things you need to do:

  1. Open DSGUI, the Symlabs Virtual Directory Server Administration Console, and create a new configuration
  2. Configure a simple pass-through proxy, with a single backend ServerGroup that connects to Active Directory, and a single LDAP listener (you could even configure this with SSL if you want to protect client-side connections)
  3. Enable SASL on the backend ServerGroup, and configure a SASL-protected Connection Pool
  4. Make sure the MIT Kerberos libraries are available on the virtual directory server host system
  5. Edit the krb5.conf configuration file to specify your domain details
  6. Authenticate against your domain controller using the kinit tool that comes with MIT Kerberos
  7. Start your Symlabs Virtual Directory Server configuration
That's all there is to it!
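
Steps 4 to 6 can be checked before step 7 with a short preflight. This is an added example, not part of the Symlabs tutorial; the domain `corp.example.com`, the KDC host name and the Linux library name `gssapi_krb5` are assumptions for illustration.

```python
import shutil
import subprocess
from ctypes.util import find_library

KRB5_TEMPLATE = """\
[libdefaults]
    default_realm = {realm}

[realms]
    {realm} = {{
        kdc = {kdc}
    }}

[domain_realm]
    .{domain} = {realm}
    {domain} = {realm}
"""

def render_krb5_conf(domain, kdc):
    """Step 5: krb5.conf text; an AD realm is the DNS domain name in upper case."""
    domain = domain.strip(".").lower()
    if not domain or " " in domain:
        raise ValueError("domain must be a DNS name such as corp.example.com")
    return KRB5_TEMPLATE.format(realm=domain.upper(), domain=domain, kdc=kdc)

def missing_prerequisites(which=shutil.which, find_lib=find_library):
    """Step 4: MIT Kerberos client tools and GSS-API library that cannot be found."""
    missing = [tool for tool in ("kinit", "klist") if which(tool) is None]
    if find_lib("gssapi_krb5") is None:  # library name as used on Linux (assumption)
        missing.append("libgssapi_krb5")
    return missing

def has_valid_ticket(run=subprocess.run):
    """Step 6: 'klist -s' exits 0 only if the cache holds unexpired credentials."""
    try:
        return run(["klist", "-s"], check=False).returncode == 0
    except FileNotFoundError:
        return False

def blockers(which=shutil.which, find_lib=find_library, run=subprocess.run):
    """Gate for step 7: everything that would stop a SASL/GSSAPI backend bind."""
    found = [f"{name} not found" for name in missing_prerequisites(which, find_lib)]
    if not found and not has_valid_ticket(run):
        found.append("no valid Kerberos ticket: run kinit first")
    return found

if __name__ == "__main__":
    # Constructed values; write the rendered text to the file KRB5_CONFIG points at.
    print(render_krb5_conf("corp.example.com", "dc1.corp.example.com"))
    print(blockers() or "ready to start the virtual directory configuration")
```

Because `klist -s` also fails once the ticket has expired, the same check is worth running on a schedule and not only before the first start.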

At first glance, it may look too simplistic to be true. Have a look at the tutorial or watch the video and you'll be amazed at how straightforward this process really is. Symlabs Virtual Directory Server is now the perfect tool for Active Directory administrators who need to solve the many integration challenges that exist within their identity infrastructures.

Fernando García Vegas

Monday, Feb 15, 2010

Free LDAP Browser From Symlabs

We're fortunate to receive enthusiastic support for our virtual directory products, including a lot of great input from our clients, and that has resulted in many improvements to Symlabs Virtual Directory Server and Symlabs LDAP Proxy. With the release that we just announced last month, we added an external LDAP browser interface in response to customers who asked for tighter integration with their existing management platforms. When we did that, we also created a new standalone LDAP browser to include as a bundled application.

We couldn't help but notice that its impressive set of features would be pretty useful to anyone with an LDAP infrastructure, and that started us thinking - why not make it available to everyone? Since LDAP directories play a critical role nearly everywhere now, it seemed to us that a freely accessible tool for viewing and changing them was sort of a basic need across the industry, and given our roots in LDAP standards and technology, we thought it would be a good idea for us to contribute one. In this case, one that's powerful enough to go well beyond the usual definition of "basic".

Symlabs Free LDAP Browser lets you see LDAP server and directory information in a clear, intuitive GUI plus handles basic operations such as searching, adding, removing, or modifying entries. But as I noted, it doesn't stop there - here's a summary of what else Symlabs Free LDAP Browser can do:

  • Interfaces with any LDAP v2 or v3 directory server, including (but not limited to):
    • Microsoft Active Directory
    • Sun Directory Server Enterprise Edition
    • Oracle Internet Directory
    • Novell eDirectory
    • OpenLDAP
    • OpenDS
  • Offers excellent support for TLS/SSL
  • Works with any virtual directory infrastructure
  • Stores connection information for recall
  • Saves searches and bookmarks for repetition
  • Supports command line switches for automation
  • Provides LDIF export capability to create back-up copies of directories
  • Edits locally stored schema information for use with various schema-agnostic environments

Symlabs Free LDAP Browser is Java-based and runs on Windows, Linux, Solaris, and many Unix variants. Simply download Symlabs Free LDAP Browser now and try it. First you'll see it's a simple and effective multipurpose tool that every IT professional can appreciate. But, you'll soon discover that it provides everything a systems administrator needs to effectively manage the data stored in an Active Directory or any other LDAP(S) infrastructure. We hope you find it useful!

Jeff Zukowski

Wednesday, Jan 27, 2010

Lots new in our virtual directory products version 5.5 (GSSAPI/SASL & Kerberos, HTTP Server Groups ...)

We have just launched a new release of Symlabs LDAP Proxy and Symlabs Virtual Directory Server that delivers many performance enhancements plus a load of new and exciting features, and I'd like to share the information about these significant upgrades with you here.

Our development team has worked hard to create tighter integration with current technologies that are critical to the operation of both large and small enterprises. For example, the new GSSAPI/SASL interfacing capabilities that are included with Symlabs Virtual Directory Server provide significantly better support for Active Directory or other Kerberos-enabled environments, and the new extensions facility which has been added to both products offers the ability to download and install plug-ins as needed for the ultimate in flexibility. And, thanks to major usability improvements, a complete overhaul of the LDAP Browser that was bundled in, and a load of new plug-ins, this latest release from Symlabs is a polished product that is even easier to use. Of course, we haven't forgotten our commitment to industry-leading speed and reliability - version 5.5 is not only better, it's faster.

Core components of both products have been reviewed and tweaked to improve performance, particularly under Windows, while health monitoring and connection pooling capabilities have been updated to improve their functionality and flexibility in addition to performance. But, the major focus for this release has been to enhance usability and provide new features. As a result, many new plug-ins have been added. There is a new, easy-to-use security plug-in that restricts data views based on simple criteria; various new mapping plug-ins, such as one for DN Suffix Mapping that makes it easy to work with group entries in a virtual tree; plus a number of plug-ins that create Active Directory functionality for the virtual directory, such as the new BackLinks plug-in which can link attributes across entries and the new Victim Attributes plug-in that provides a great way to work around schema modifications. Existing plug-ins for both products have also been updated, with some particularly useful enhancements for the logging plug-ins.

Symlabs Virtual Directory Server v5.5 comes with a host of powerful new features, particularly the GSSAPI/SASL interfacing capabilities - with Microsoft's strong adoption of Kerberos as its central authentication mechanism, adding this functionality to the system administrator's toolbox is a big plus. Using GSSAPI, you can now provide Kerberos authentication on a front-end listener, or alternatively use Kerberos to authenticate against back-end repositories. This means that you are much better able to integrate applications which are not designed to work within an Active Directory environment. Aside from Kerberos, Symlabs Virtual Directory Server also features automatic HTTP server groups, with proper health-checking and appropriate session-handling for failover scenarios already built-in. HTTP server groups open up the possibility to integrate B2B applications via web services as well as with generic XML over SOAP. Not only does this functionality now become incredibly easy to deploy, it also comes with a whole set of HTTP-specific plug-ins to control routing of requests to appropriate back-end servers plus a set of great logging plug-ins.

Many GUI enhancements have been made to both products, most notably the extension manager that now makes it possible to download and install new plug-ins as you require them. For many enterprise customers that require custom development, this will prove to be a massively useful feature. A fully functional GUI configuration component can be designed for any manual processing stage, and the resulting component can be developed for the client by Symlabs, then downloaded and incorporated into an existing version of the GUI to be used just like any other plug-in. This means that new features can be added to the product between full version releases, and that any custom functionality needed by a client to support a new requirement can be made as simple to configure as any of the standard plug-ins.

The DSGUI component for both products now includes better internal checks to ensure that valid or sensible variables are used during configuration, there is now an option to control warning messages for the right level of information, and canonicalization options have been improved and moved into their own advanced tab for a less cluttered interface. Many users will be glad to discover that DSGUI now not only provides a variety of options to integrate with an external LDAP Browser of their choosing, but also comes bundled with a newly developed, fully-featured, SSL-capable, standalone LDAP Browser. The bundled Symlabs LDAP Browser has a long list of features and functionality, is fully compatible with both Symlabs Virtual Directory Server and Symlabs LDAP Proxy, and can be used with any LDAP or LDAP(S) server (including virtualized) so it's a great choice for an enterprise-wide tool.

The developers have spent a lot of time improving and adding to the logging plug-ins, and they have included a powerful log parsing script in the new release. This script can be used to extract particular log elements of interest for reports that are easier to understand, and for better integration with other monitoring applications that may already be in use throughout the infrastructure. There are also numerous improvements to documentation, including a complete guide to SSL, SASL, GSSAPI, and Kerberos plus a comprehensive manual for the new Symlabs LDAP Browser. The Help system inside DSGUI has also been upgraded so help pages now open in the default web browser, making it easier to step through the content using a familiar application.

These new versions of Symlabs Virtual Directory Server and Symlabs LDAP Proxy are sure to break new ground in the market. I know all our customers are going to appreciate the improvements that have been made throughout, and Active Directory systems administrators in particular will find a lot in this release that is aimed directly at them. Our focus has been on providing better integration tools, enhanced usability, and the best possible performance, and I'm pleased to say that by all accounts we've delivered. Best of all, you can see for yourself - just download an evaluation copy of either one at our website.

Jeff Zukowski