Thursday, 24 November 2011

Directory Integration

Integration between disparate and not so disparate systems is becoming more and more commonplace in my current role, and I find myself having to write more code than ever to integrate systems.

It's strange, because in this connected age one would have thought that integration would have become simpler, but it seems that is not the case. Even simple things like integration with directory systems are either woefully lacking or badly implemented in my experience.

If you have a directory server, why do you need to maintain a copy of the user data locally as well as in the directory? There is NO reason to synchronise the data between the two, that's what replica servers are for.
I have been asked so many times "what happens if the directory goes down? That's why we synchronise the data"
Well I'm sorry folks, but if the directory goes down, and all the replicas fail, there's a much bigger problem than the users being unable to get email for example.

It also seems that the way directory integration gets implemented is random. I was talking to a developer recently about their software, and how best to implement directory integration. One of the things that is so important in this type of integration is group mapping.

This software has a concurrent user licensing model. If every user in the directory is able to log in, then the chances are that the user licenses will be used up quickly. Then there's the aspect of roles: it's all very well being able to say only users in this group can log in, but how do you define roles? I want to be able to say "users in group a are admins, users in group b are normal users". If the user is in both groups I want to be able to configure whether the higher or lesser role gets mapped, and I want it documented!

Is this too much to ask?

And on top of all this, the user interface for the mapping has to be easy to use. Here's a screen shot of a plugin I wrote recently to enable this functionality. The Directory Groups are listed, select what role you wish that group to have, enable login for that group... simples!

Now I must confess that this was not as easy to write as I first thought. The problem is of course that Active Directory and Open Directory each handle groups in different ways, and querying the directories to find out which groups a user is a member of is not as straightforward as it first seems.

For example, in AD there is a member of container, which I found out doesn't always work!
In OD, one has to query the group to see if the user is in the members container.
I ended up using the second method for both, as it seems more reliable.
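As an added example (not code from the post or from the plugin it describes), here is the group-to-role mapping and per-group login gating described above, resolving membership by querying each group's member list rather than trusting the user's "member of" data. The group DNs, role names and directory entries are constructed stand-ins for what an LDAP query would return.

```python
from dataclasses import dataclass

# Role precedence, highest first. Role names are assumptions for illustration.
ROLE_RANK = {"admin": 2, "user": 1}


@dataclass(frozen=True)
class GroupMapping:
    """One row of the mapping UI: directory group -> role, login on/off."""
    group_dn: str
    role: str
    login_enabled: bool


# Constructed sample directory: each group object with its member DNs,
# i.e. the result of querying the group rather than the user.
DIRECTORY_GROUPS = {
    "cn=admins,ou=groups,dc=example,dc=com": {"uid=alice,ou=people,dc=example,dc=com"},
    "cn=staff,ou=groups,dc=example,dc=com": {
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    },
    # Group is known to the mapping but login is not enabled for it.
    "cn=contractors,ou=groups,dc=example,dc=com": {"uid=carol,ou=people,dc=example,dc=com"},
}

MAPPINGS = [
    GroupMapping("cn=admins,ou=groups,dc=example,dc=com", "admin", True),
    GroupMapping("cn=staff,ou=groups,dc=example,dc=com", "user", True),
    GroupMapping("cn=contractors,ou=groups,dc=example,dc=com", "user", False),
]


def groups_containing(user_dn, directory=DIRECTORY_GROUPS):
    """Return the DNs of every group whose member list contains the user."""
    return {dn for dn, members in directory.items() if user_dn in members}


def resolve_login(user_dn, mappings=MAPPINGS, directory=DIRECTORY_GROUPS, prefer_higher=True):
    """Return (login_allowed, role). Only login-enabled groups count, so a user
    with no enabled mapping is denied (default deny, which also protects the
    concurrent licence pool). prefer_higher picks which role wins on overlap."""
    member_of = groups_containing(user_dn, directory)
    roles = [m.role for m in mappings if m.group_dn in member_of and m.login_enabled]
    if not roles:
        return False, None
    pick = max if prefer_higher else min
    return True, pick(roles, key=ROLE_RANK.__getitem__)
```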

It now works, and has been installed on a few systems, and each time it's installed I end up refining the code more and more.

So developers, can we please have directory integration that is functional and easy to use?
