Tuesday, November 21, 2006

Directory Design - What to do about duplicates

We are in the architecture phase of our Identity Management system and one of the haunting questions we have yet to get answers for is "What do we do about duplicate user names?"

Since we will be pulling user names from over 100 identity sources to populate a single ITIM, there is a high probability that there will be multiple people with the same name. None of the source systems are synchronized in any way, so we will likely have duplicate names across different systems. Many of these systems also allow duplicate user names as long as the two users are not in the same OU. Since the OUs in the source systems will not be anything like the OUs planned in the target system, we have to devise some process for dealing with duplicate user names.

ITIM seems perfectly happy creating two identically named users in the same OU, since in each case the user DN will be unique. ITIM uses the erglobalid to uniquely identify the user in the DIT. The problem with this is that you still need a way to tell the difference between two people with the same name: when defining static and dynamic roles, choosing the correct user is important, and a role that matches on a shared name can grant access to the wrong person.
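One way to get a handle on the collision problem before anything is loaded is to run the source feeds through a reconciliation pass that groups records by normalized user name and decides, per group, whether the records are one person seen in several systems or several people sharing a name. The script below is an added illustration written for this post, not ITIM code or any process the consultants proposed; it assumes a constructed set of feed records, a hypothetical `employee_id` correlation key that some sources carry and some do not, and an assumed naming policy (first person keeps the name, later ones get a numeric suffix) that stands in for whatever the target directory design eventually settles on.

```python
from collections import defaultdict

# Constructed sample feed from three hypothetical source systems.
# Real feeds would come from the 100+ identity sources described above.
SAMPLE_RECORDS = [
    {"source": "HR-A",   "ou": "ou=sales", "uid": "jsmith", "employee_id": "E1001"},
    {"source": "HR-A",   "ou": "ou=eng",   "uid": "jsmith", "employee_id": "E1002"},  # same name, other OU, other person
    {"source": "AD-B",   "ou": "ou=corp",  "uid": "JSmith", "employee_id": "E1001"},  # same person as row 1, case differs
    {"source": "LDAP-C", "ou": "ou=it",    "uid": "mjones", "employee_id": "E2001"},
    {"source": "AD-B",   "ou": "ou=corp",  "uid": "mjones", "employee_id": None},     # no correlation key at all
]


def normalize_uid(uid):
    """Directory user names are usually compared case-insensitively; do the same here."""
    return uid.strip().lower()


def group_by_uid(records):
    """Bucket every feed record under its normalized user name."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_uid(rec["uid"])].append(rec)
    return groups


def classify(group):
    """Decide what a same-name group is:
    unique       - only one record carries this name
    same_person  - several records, all with the same correlation key
    collision    - several records with different keys, i.e. different people
    unresolved   - at least one record lacks a key, so a human has to look
    """
    if len(group) == 1:
        return "unique"
    keys = {rec["employee_id"] for rec in group}
    if None in keys:
        return "unresolved"
    return "same_person" if len(keys) == 1 else "collision"


def reconcile(records):
    """Return {normalized uid: classification} for every name in the feed."""
    return {uid: classify(group) for uid, group in group_by_uid(records).items()}


def propose_target_uids(records):
    """Assign each correlated person (by employee_id) a distinct target user name.
    Assumed policy: the lowest employee_id keeps the bare name, later ones get
    a numeric suffix. Names that cannot be resolved go to a review list instead
    of being provisioned, so a role filter never silently matches the wrong person.
    """
    proposals = {}
    needs_review = []
    for uid, group in group_by_uid(records).items():
        if classify(group) == "unresolved":
            needs_review.append(uid)
            continue
        for n, emp in enumerate(sorted({rec["employee_id"] for rec in group})):
            proposals[emp] = uid if n == 0 else f"{uid}{n + 1}"
    return proposals, needs_review


if __name__ == "__main__":
    for uid, kind in reconcile(SAMPLE_RECORDS).items():
        print(f"{uid:10s} {kind}")
    proposals, review = propose_target_uids(SAMPLE_RECORDS)
    print("target uids:", proposals)
    print("hold for manual review:", review)
```

The useful output is not the suffixed names themselves but the `unresolved` bucket: every record that arrives without a correlation key is a record that cannot safely be matched to an existing person, and holding it back is cheaper than untangling a role that was granted to the wrong jsmith after the fact.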

I hope to learn more about this as we go through this design phase with our consultants (people we assume have done this before).
