Red Hat Directory Server is most often used to simplify the management of Lightweight Directory Access Protocol, or LDAP. Its identity management capabilities have been overlooked, said Ferris. That won't be the case for long, however, as Directory Server -- which was born as Netscape Directory Server -- will get more identity control capabilities in the upcoming Red Hat Enterprise Linux 5 distribution.
Ferris spoke to SearchOpenSearch.com recently about Red Hat's plans in the area of security.
SearchOpenSource.com: What role does Red Hat Directory Server play in the upcoming Red Hat Enterprise Linux 5 release?
Mike Ferris: We are heavily investing in taking a very stable and scalable platform with a Directory Server and extending that with other technologies. The upcoming release of Red Hat Enterprise Linux 5 will include the ability to do smart cards and single sign-on into the platform itself, using back-end componentry that includes our certificate system and Directory Server technology. So, the Directory Server itself is not just an identity store, but it really starts to become part of the open source identity infrastructure to allow accelerated values such as single sign-on. At the core of it, you'll be better able to identify users, identify roles and identify applications and how they connect to resources and systems, and you'll be controlling that and auditing it at an exceptionally strong kernel level.
What is behind the inclusion of more identity management in RHEL5?
Ferris: Identity control is an issue being driven by regulations and general privacy issues. Companies have to have control over the information they store regarding their employees and their customers. Companies have to understand their IT architectures and know where they need to exhibit and exert control over resources in the organization.
Directory Server is a scalable switchboard for identify information. Directory Server can help you consolidate and manage identities and -- what's more important -- build a platform that is heterogeneous. It can support any standard LDAP environment and even connect Windows clients into [backend Unix and Linux applications.]
What role does LDAP and open source components play in RHEL5's Directory Server and identity management approach?
Ferris: If you look at authorization and authentication technologies, [public key infrastructure], Kerberos and LDAP are extremely well proven. The open source community around these projects has done such a good job that we can expand and leverage a lot of the capabilities on an enterprise level.
In RHEL5, everything is being built around standards -- LDAP V3 in this case. It's a lightweight directory access protocol. We've made sure those applications that are part of RHEL5 and that interface with LDAP work with Directory Server. After that, our intent is to provide a well-put-together mechanism for people to enable additional identity infrastructures.
Today with [RHEL4], you are able to put together a single sign-on solution on your own. As we move forward, we've clearly identified ways of combining Directory Server with some of the already-there technologies -- such as Kerberos -- and built these into an environment where you're able to leverage certificate systems and PTI certificates to provide a single sign-on solution from start to finish. So, authorized users will be able to walk up to an Enterprise Linux 5 terminal, insert a smart card and get a ticket that gives them access to all the resources of the back end.
What's next on Red Hat's agenda for improving identity control?
Ferris: There is a somewhat parallel effort to focus on users on the Web, supporting user information or identity information control. Our next focus will certainly be to help enable those types of capabilities, especially as Red Hat is invested pretty heavily in JBoss and its Web application framework.
We're [building out] a mechanism to help users not only provide single sign-on to the operating system but also to get the resources that the OS provides, such as printers, file sharers and applications. [What we need is] the ability to log into and manage applications simply and in an integrated fashion.
When we look at Directory Server, it's not just about providing a database of information or a switchboard for one application, it's about creating a foundation for all of the operating system infrastructure, as well as application infrastructure, across the enterprise. It's about including other technologies, like Kerberos, and investing in creating technologies that people will be able to deploy across the entire security stack.