directory-dev mailing list archives

From Alex Karasulu
Subject Re: Open architecture identity and authorization efforts.
Date Wed, 29 Nov 2006 14:32:33 GMT

wrote:
> Enrique Rodriguez and I have been discussing issues surrounding
> identity in general and authorization in particular for some time.  We
> both feel the need for the Open-Source community to have a technology
> strategy to counter Active Directory and its increasingly pervasive
> influence on enterprise IT architectures.

First off I'm very glad you're approaching the entire community. 
Community is at the heart of any great and successful OS project.  Most 
of us share a similar vision of handling various authZ concerns.

Regarding the AD influence on IT and a lack of a strong OS solution I 
personally agree.  The prevalence of AD in IT is IMO a double-edged 
sword in several respects.  It has increased the understanding and 
utilization of the LDAP/Kerberos duo which is a good thing.  However 
some protocol aspects have been bastardized in their implementation and 
this is not so good.

I do think there is a lot of room for something better if some good 
people are brave enough to build it.

However officially for the record I'm obligated to say the following:

Although we would like to offer the best directory and related security 
solution we can, our primary goal is not to compete with any particular 
implementation or implementor of directory/security solutions.  Although 
competition is fine and healthy we will not define our objectives on 
that basis alone.

> I've been involved for almost a decade now in research and development
> on the issue of identity generation and its role in defining
> authorization.  If I have learned nothing else over this time period
> I've learned the field of identity is ill defined, conceptually
> abstract, difficult to understand and in most organizations a
> political minefield.... :-)

I could not have said it better myself.  Let me add just a little to 
these shortcomings.

The identity problem is a subset of a greater more general problem: the 
integration problem.  It's the most wide reaching integration problem 
modern IT organizations have been confronted with up until now and 
they're completely messing it up.

Most solutions are difficult to comprehend, extremely convoluted, and 
wind up introducing complex integration problems in themselves.

> Our work has primarily focused on a methodology for defining
> identity.  This is in contrast to a large number of other initiatives
> such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> on the problem of asserting identity between organizations and/or
> individuals.
> In a paradigm similar to the UNIX philosophy of 'everything is a file'
> our strategy focused on the concept of 'everything is an identity'.
> Interestingly, this has proven to be a very powerful paradigm and has
> resulted in a methodology which has demonstrated considerable
> flexibility as different usage scenarios have been poised against it.
> For want of a better term we refer to our model as IDfusion.
> Conceptually it involves the hierarchical combination of identities
> within the context of an organization.  Primitive identities (user,
> services) are combined to form derived identities which represent a
> user's ability to access a service or role.

Very interesting!  Can you provide some example situation of how these 
derived identities come in handy?

> One fruitful area of work has been the application of identity
> generation technology to the problem of authorization.  This has
> proven to be particularly productive with respect to defining a
> standardized scheme for implementing authorization.
> I should emphasize that our focus is on 'implementing' authorization
> rather than 'executing' authorization.  IDfusion is best thought of as
> a methodology on which higher levels of abstraction, for example
> TripleSec, can be layered upon.

Do you have more information available on IDfusion and how authorization 
is implemented?

> We currently have a working implementation of our authorization model
> using payload injection into Kerberos tickets.  All of our work is GPL
> and has, up to this point, been based on MIT Kerberos and OpenLDAP.
> The identity engine and management client are Java based.  Multiple
> licensing methods are certainly something we would have no issue
> discussing.

That's most excellent.

> Our hope is to work with Enrique and others in the Apache community
> who are interested in furthering a standardized approach to identity
> generation and authorization.  

This is one of the primary concerns for us and the Triplesec effort 
which we are currently moving over to the ASF from Safehaus.

> Hence this note of introduction which
> Enrique asked me to forward to the list which I have been quietly
> reading for some time.
> Anyone who is interested in reading a bit more can go to the
> confluence site.  The following URL has a link to a paper which I
> presented at the Kerberos conference in Ann Arbor in June:
> The project web-site is at the following location:
> The documentation section on the web-site has a link to a longer PDF
> which discusses the overall system architecture in much greater
> detail.

OK, this answers my question above.  I will take a look at these materials.

> I'm trying to get a new release rolled up and out before the holidays.
> The primary focus of this release will be a standardized ASN encoding
> scheme for the authorization payload field of Kerberos tickets.

We love ASN.1 :).

> With this work in place I would be very much interested in
> demonstrating compatibility between Kerberos tickets generated by the
> Apache server and our plug-ins for the MIT Kerberos server.
> I will keep the list advised on future releases.  In the meantime I
> would be happy to entertain any discussions or questions which people
> may have, either privately or on the list.
> Congratulations on your 1.0 release and best wishes for the continued
> success of your project from the northern plains.

Thanks Greg.  I'm sure I will be asking several questions.

BTW after a brief scan of the materials you've listed, I think there's a 
lot of room for collaboration, and possibly consolidating our efforts. 
I don't know if this is of interest to you but I would like to give you 
an open invitation.

You're welcome to join us here to implement IDfusion within ApacheDS as 
part of our Triplesec effort which will be a subproject of Apache 
Directory for now.

Unlike the MIT Kerberos + OpenLDAP solution which involves two separate 
moving parts, an ApacheDS solution would be integrated into a single 
process and embeddable.  These factors would allow the uptake of 
IDfusion into several application servers and products on the market in 
addition to a stand-alone offering.

I'm glad you contacted us.  There are some exciting possibilities here.
