Saturday, January 22, 2011

Multi-tenant aware LDAP

This is my short note on the use of LDAP storage in a multi-tenant environment, which I intend to refer to in a future post.

Well... what is LDAP?
It is simply a protocol that defines how entries are stored in and retrieved from a directory-like storage (a directory server). If you want to learn more about LDAP, please find a comprehensive tutorial here. There are several implementations of this protocol; OpenLDAP and ApacheDS are two popular LDAP servers.

How is tenant management related to LDAP?
As I mentioned before, directory servers implemented according to LDAP can be used as efficient and secure stores for organizational user information. For example, users are authenticated into various applications against the user credentials stored there.

Usually LDAP serves as the organizational user store. The storage is created and maintained as a tree structure, and different contexts become branches of the tree. Generally, when it is used as an organizational user store, all user entries are stored under one such context; we call this a flat LDAP storage.

In cloud computing, we have the concept of multi-tenancy, where the same application/service (customized for each organization/tenant) is used by users from different organizations independently of one another. In this case, it is better to store the users of different tenants in separate directory trees or in different contexts of the same tree, rather than storing all user entries in a flat LDAP storage.

What is a multi-tenant aware LDAP?
So, if:
  • when we create a tenant in a cloud environment, a separate directory structure or a separate context is created in the LDAP server for storing the users belonging to that particular tenant,
  • when we search for a user of a particular tenant, the search is directed only to the relevant partition or context in the LDAP server,
  • and an admin of a particular tenant can connect to the LDAP server used by the multi-tenant application and view only the users of his own tenant,
then we can say it is a multi-tenant aware LDAP. To achieve the above requirements, we have to exploit the directory structure and the access control mechanisms of LDAP.
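As an added example (my own code, not from the original post or from any LDAP server), the following Python sketches the three requirements above: a separate context per tenant, a user search pinned to that context with the username filter-escaped, and a visibility check plus an OpenLDAP access rule so that a tenant admin sees only its own branch. The root suffix dc=example,dc=com, the o=<tenant> / ou=users / cn=admin layout and the sample entries are assumptions; the slapd.conf `access to ... by ...` syntax and the RFC 4514/4515 escaping rules are real.

```python
"""Per-tenant partitioning, scoped search and admin visibility for LDAP.

Added example. Assumed layout (not from the original post):
    dc=example,dc=com        root suffix
      o=<tenant>             one separate context per tenant
        ou=users / cn=admin  that tenant's users and administrator
"""
from typing import Dict, List

ROOT_SUFFIX = "dc=example,dc=com"   # assumed directory root

# Characters that must be backslash-escaped inside a DN value (RFC 4514).
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape a tenant or user name so it is safe to embed as an RDN value."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if value.startswith(("#", " ")):
        out = "\\" + out
    if value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape a value for a search filter (RFC 4515) so it cannot alter the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def tenant_base_dn(tenant: str) -> str:
    """The separate context (branch) holding everything that belongs to one tenant."""
    return f"o={escape_dn_value(tenant)},{ROOT_SUFFIX}"


def tenant_admin_dn(tenant: str) -> str:
    """DN the tenant's administrator binds with (naming is an assumption)."""
    return f"cn=admin,{tenant_base_dn(tenant)}"


def user_search(tenant: str, username: str) -> Dict[str, str]:
    """Build a search request that cannot leave the tenant's partition.

    The base DN pins the search to the tenant's users branch, and the username
    is filter-escaped so a crafted value cannot widen the filter.
    """
    return {
        "base": f"ou=users,{tenant_base_dn(tenant)}",
        "scope": "subtree",
        "filter": f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(username)}))",
    }


def _split_dn(dn: str) -> List[str]:
    """Split a DN on unescaped commas into trimmed, lower-cased RDNs.

    Lower-casing everything is a simplification (matching rules are per
    attribute); it is enough for the structural checks below.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pairs intact
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r.lower() for r in rdns]


def is_within(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies anywhere beneath it."""
    entry, base = _split_dn(entry_dn), _split_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def admin_can_view(admin_dn: str, entry_dn: str) -> bool:
    """A tenant admin may see an entry only if it sits in that admin's own branch."""
    rdns = _split_dn(admin_dn)
    if len(rdns) < 2 or rdns[0] != "cn=admin":
        return False
    return is_within(entry_dn, ",".join(rdns[1:]))   # branch below cn=admin


def visible_entries(admin_dn: str, directory: List[str]) -> List[str]:
    """Entries of a constructed, in-memory directory that the admin may list."""
    return [dn for dn in directory if admin_can_view(admin_dn, dn)]


def slapd_access_rule(tenant: str) -> str:
    """slapd.conf access directive confining the tenant admin to its own subtree."""
    return (f'access to dn.subtree="{tenant_base_dn(tenant)}" '
            f'by dn.exact="{tenant_admin_dn(tenant)}" write '
            f'by self read by * none')


if __name__ == "__main__":
    # Constructed sample directory: two tenants, one user each.
    sample = ["uid=alice,ou=users,o=acme,dc=example,dc=com",
              "uid=bob,ou=users,o=globex,dc=example,dc=com"]
    print(user_search("acme", "alice"), visible_entries(tenant_admin_dn("acme"), sample))
    print(slapd_access_rule("acme"))
```

Running the module prints the scoped search for tenant acme, the single entry its admin may list, and the access rule. In a real slapd deployment the users also need a rule granting `auth` access to userPassword so that binds succeed (for example `access to attrs=userPassword by anonymous auth by self write by * none`, placed before the subtree rule), and the tenant creation step would add the o=<tenant>, ou=users and cn=admin entries themselves.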
