Identity Management or Red Hat Directory Server – Which One Should I Use?

In the identity management server space Red Hat has two offerings: Identity Management (IdM) in Red Hat Enterprise Linux and Red Hat Directory Server (RHDS). This article is dedicated to helping you understand why there are two solutions and how to chose the best one for your environment.

Before diving in too deep

it might be wise to more formally define IdM and RHDS. IdM is a domain controller, its main purpose is to manage identities within the enterprise. It is a component of Red Hat Enterprise Linux and is made available at no extra charge (i.e. it’s included with all Red Hat Enterprise Linux server subscriptions). RHDS, on the other hand, is a fully functional directory server. It is a tool for building your business applications and, unlike IdM, it is its own product and has its own price tag.

You might be asking yourself - can I use a generic directory server like RHDS as a central server for enterprise identities? If yes, would I want to? The answer: yes, you most certainly can use RHDS as a central server for enterprise identities. In fact, this is exactly what many companies have been doing for years (...long before IdM was "born"). That said, IdM has a lot of features and capabilities that are either completely absent in the pure DS solution or require a lot of custom development. This makes IdM interesting but different. Also, IdM is implemented following best practices that have emerged from experience with DS based deployments. Because of this IdM does some things differently as compared to DS based custom solutions. These differences can make moving from a DS solution to an IdM based solution a bit harder even if the benefits of IdM are acknowledged. For deployments that have a directory server and are not ready to change from the DS approach to IdM – RHDS is a good option.

Management of enterprise identities aside, another major area where identity management is of great importance is business applications. For example, let’s pretend your company provides an online service that customers pay for. For applications of this nature you usually need a place to store customer account information and authentication credentials. Traditionally, Directory Servers were the best technology for this task. Choosing RHDS as a back-end for your business application is thus a logical choice.

Could IdM be used in such cases (i.e. for identity management of business applications)? Probably... but maybe not. Business applications usually require a lot of customization of the directory server structure called schema. While changing schema for a DS is normal / fully expected, changing schema for IdM should be done carefully and following the specific rules. Why the caution? The reason is that IdM includes different components that are expected to work together. These components make a series of assumptions about data structures... so changes to IdM schema might inadvertently cause one or more of these components to fail. IdM was built with flexibility in mind and is not totally locked down. One can safely make changes to the IdM schema but only following specific rules as described/outlined in the FreeIPA project.

The considerations above lead to the following summary:

• Use IdM if you want to explore the power of the centralized identity management within your enterprise.
• Use RHDS if you are building a business application and need an LDAP back-end or if you have been using a directory server to manage your enterprise identities and are not yet ready to switch to a different technology.

Stay tuned as I plan to explore certificates in my next entry. Until then – feel free to reach out using the comments section below.