
Localized AD alternatives help enterprises build a secure and reliable identity management system

Author: Ning Dun

As the pace of localization accelerates and information security construction becomes a requirement, more and more enterprises and organizations are considering replacing their existing Microsoft Active Directory (AD) with a localized LDAP identity directory service (also known as a unified identity authentication and management system). This article introduces a localized AD replacement solution and illustrates it with real cases, to serve as a reference for enterprises and organizations building LDAP identity directory services in Xinchuang (information innovation) scenarios or in ordinary enterprise scenarios.

Interpretation of Microsoft AD core capabilities

According to statistics, more than 91% of the world's large enterprises use Microsoft Active Directory (Microsoft AD) as the foundation of their digital identity. AD is also the de facto identity management practice in large central and state-owned enterprises, especially in manufacturing and financial institutions, where it provides unified authentication and management for IT resources such as Windows computers, Exchange, cloud desktops (Citrix, VMware and the like), ERP and OA.

In practice, some enterprises use AD only to store and manage the organizational structure and user identity information (accounts and passwords), providing authentication and authorization for LDAP applications, while others also use AD group policy and file access permissions to manage Windows computers. AD is very powerful, and there are six core functions that an enterprise should understand before looking for a localized AD alternative. This determines whether the subsequent product selection and construction direction are accurate and clear, and how much investment will be required.

Figure: the core capabilities of Microsoft AD (image source: Ning Dun)

As shown in the figure above, the core capabilities of Microsoft AD can be divided into six main categories. These categories can serve as the reference checklist when researching and selecting a localized AD replacement solution.

In introducing the localized AD solution, we divide the discussion into two scenarios, the Xinchuang (information innovation) scenario and the ordinary enterprise scenario, so that each enterprise can choose the solution that fits its own situation.

Xinchuang (information innovation) scenario: a localized AD alternative must be compatible with the existing identity management system

Compatibility

AD replacement is not done overnight; business continuity, continuity of AD administration, and continuity of supplier service must all be treated as prerequisites. A localized AD replacement solution therefore needs to be compatible with the existing identity management systems, such as Microsoft AD, IBM and Apache directory servers, so that the migration of AD data can proceed smoothly.

At the same time, a localized AD also needs to be compatible with the domestic heterogeneous IT infrastructure. The essence of Xinchuang/localization transformation is migrating from a foreign office IT architecture to a domestic heterogeneous one, so the underlying domestic chips, operating systems, middleware, databases, applications, networks, cloud desktops and so on all need to be adapted and made compatible.

Figure: the domestic office architecture (image source: Ning Dun)

In the domestic office architecture shown in the figure above, Nington's domestic identity domain management has been successfully adapted to operating systems such as Kirin, UnionTech, Zhongke Fangde and China Netit, as well as to Coremail mailboxes, WeCom, Feishu, DingTalk, Huawei WeLink, virtual desktops (Huawei, Sangfor, etc.), network equipment and more.

Standardization

Microsoft AD covers identity authentication and permission management across the entire IT infrastructure: applications, networks, terminals, servers and so on all connect to Microsoft AD through standard protocols and interfaces. When selecting a domestic AD solution, the person in charge of enterprise information security therefore needs to look for a standardized alternative rather than a customized identity management platform (IAM-like). The two serve different business scenarios and can be used together, but an IAM system cannot take over or replace the role of AD.

Enterprise scenario: an AD localization solution that builds a unified identity management platform for the enterprise

Most growing enterprises have not yet adopted a Microsoft AD domain or any other LDAP identity management system. As the enterprise expands and the number of personnel, application systems, terminals and networks all grow substantially, building a standardized unified identity management system greatly improves office efficiency and operations and maintenance management.

Although Microsoft AD is very powerful, it still faces problems such as being breached during HW (attack and defense) exercises and exposure to vulnerabilities. An enterprise looking for an AD-like localization solution can therefore refer to Nington's unified identity middle platform solution. It is very similar to Microsoft AD in function and user experience, helps the enterprise establish a unified identity standard, and makes it easy to quickly connect applications (both LDAP and non-LDAP applications), networks, VPNs, VDI, terminals and so on.

One reason the unified identity middle platform is better suited to growing enterprises is that it can quickly synchronize the enterprise's existing identity sources and supply them to downstream application systems. If the enterprise uses an HR system or Feishu internally, the unified identity middle platform can synchronize the organizational structure and personnel identity information from the HR system or Feishu into the middle platform for unified management, either in real time or manually. For enterprises that centrally manage multiple identity sources, identity synchronization greatly reduces the HR and IT management workload.

Figure: the unified identity middle platform (image source: Ning Dun)

Those are the two scenarios for localized AD replacement solutions. The following example is provided to help you understand them better.

Enterprise unified identity middle platform case: a research institute of about 1,000 people

Customer Background:

The customer had deployed an IAM identity management system from a certain vendor, with OA as the identity source, but its network products and security products lacked an identity source, so an integrated product that could unify identities was urgently needed.

Problems:

1. The customer reported that its network products and security products had no identity source, and connecting them to the IAM was very troublesome; the customer did not want the hassle.

3. The customer reported that the existing vendor's product does not support the LDAP protocol and cannot connect to applications that use LDAP, which hinders business development.

4. Although SSO (single sign-on) had been implemented to some extent, multiple sets of accounts still had to be operated and maintained, and the integration and unification of identities had not been completed.

Solution:

Nington's Unified Identity Center provides a standard LDAP service and is highly compatible with Microsoft AD. It is responsible for synchronizing accounts from OA and for providing authentication to downstream applications, chiefly behavior management, desktop cloud, zero trust, the network, the IAM system and access control.
