By David Stern

Meta Directories and Federation

Mergers and acquisitions tend to grow IT organizations horizontally. Companies such as Johnson and Johnson or Proctor and Gamble may have dozens of divisions that developed as the result of such activity. The challenge of integrating processes and personnel is big enough without trying to force a common directory environment. In these cases, the Meta Directory shines. As we mentioned early, today’s LDAP products are incredibly flexible in their ability to synchronize with AD, Novell, and other LDAP directories. By leveraging this capability, an organization can maintain a common Meta Directory that contains information from every business unit, without ever changing the way that business unit operates. Something as simple as a company Whitepages can scale very easily to include new divisions using this method.

The Meta Directory also plays a leading role in the ever widening use business partner connections. An uncontrolled laughing fit results when one organization suggests that a partner organization share access to their AD. The security model is weak at best, and no CIO will stake his job on this working. In most cases, partner access requirements results in a manual process of creating common logins and building virtual private networks. The administrative costs can sap some of the value of the partnership.

Meta Directories can solve this problem through a methodology known as Federation. Just as LDAP can be used to synchronize with diverse internal directories, it can do the same thing for external directories. LDAP’s implementation is widely understood, has been vetted for over a decade, and its security model is clean and robust. When compared to Active Directory, establishing an LDAP to LDAP connection is trivial, and carries none of the security stigma of AD. Outside of an LDAP Federation framework, partner access to external or internal applications requires a workflow to handle provisioning and de-provisioning of local AD accounts. Inside of an LDAP Federation framework, the external partner would identify which of its users should have access to the applications, and that information is passed through the IDM infrastructure.


Identity Management and Directory Services are probably one of the least understood pieces of the IT technology puzzle. The solutions can be complicated and are always expensive. But when the cost of administrative overhead, compliance issues, and business drivers are added to the technology price tag, the case for IDM becomes compelling. Hopefully the information that we covered here will prompt the reader to ask new questions and look at new solutions for some of the most common enterprise challenges.

About the Author Guest Blogger

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.