- Jason Trupp
How OpenLDAP Brought an Efficient New RBAC Security Solution to the Next Level
Updated: Aug 4, 2021
Shawn McKinney started developing RBAC systems 15 years ago, as a Security Architect for a major financial services company with worldwide deployments. You can imagine security was a hot topic in this context.
Shawn’s job was to design the software needed to protect the flow of money between these banking systems and consumers on the Internet. To that end, he learned a low-complexity technique based on Role-Based Access Control (RBAC), at the time a model from the National Institute of Standards and Technology (NIST) that was later drafted into a specification by the American National Standards Institute (ANSI).
With security systems, standards are a good thing. But the solution required a directory server (LDAP) to function – and at the time, the options were not cheap.
THE SOLUTION REQUIRED A DIRECTORY… BUT THE OPTIONS WERE COST-PROHIBITIVE.
For example, the going rate for commercial directories ran a dollar per user per year. At that rate, a bank with 100,000 users would be consuming $100K in annual overhead for directory services alone.
Worse, some of these commercial servers had major performance flaws, which drove costs up even further because of the need for additional hardware and system support.
Despite the difficulties, in 2004 Shawn’s organization embarked on a series of projects that brought the RBAC solution into several big data centers. One of these, a financial services company in Pennsylvania, liked the solution but wanted to side-step the heavy overhead.
They wondered if they could do so using OpenLDAP, an open-source alternative.
HERE’S WHERE OPENLDAP ENTERS THE PICTURE.
Shawn had experimented with OpenLDAP in test environments. But at the time, he didn’t believe it was ready for a large-scale commercial operation.
What he didn’t know is that the project had been reworked since the last time he’d experimented with it. Back in 1998, Symas CTO Howard Chu joined the OpenLDAP project, becoming the lead contributor and eventually its lead architect. Thanks to Howard’s work, by 2003 the OpenLDAP project had evolved considerably and was ready for production environments.
In any case, Shawn began developing a password policy module to meet the customer’s requirements, and ran into a number of bugs in OpenLDAP’s password policy overlay. That’s no surprise when working with a young technology; what did surprise him, however, was how quickly those bugs were resolved.
Every post made to the OpenLDAP software forum was promptly answered, and the bugs promptly fixed – sometimes in less than an hour. Compared to the time it takes to repair commercial software (not uncommonly weeks, even months), this was an impressive feat.
THE TIME HAD COME TO ASK SYMAS TO JOIN THE TEAM.
Over the course of his work on the password policy module, Shawn and Howard became well-acquainted.
Howard encouraged Shawn to go to Symas for commercial support once it was time to put the deployment into production. It’s one thing to run an LDAP server in a test environment; the risks increase dramatically in the real world.
Shawn readily agreed. Still, he was skeptical. Would his organization consent to work with a small, young company employing a revolutionary new approach? How would it work? Would Symas still be around after five years?
But the results spoke for themselves. Together they united OpenLDAP with the new RBAC security solution, and brought it through a series of new business deals where its performance exceeded expectations.
The OpenLDAP server ran flawlessly in production. It ran efficiently, with little need for support beyond routine maintenance.
The pre-built OpenLDAP packages that Symas provided could be installed on any operating system in just one or two commands, making implementation – once a notoriously difficult, time-consuming task – ridiculously easy.
Because it consumed so little CPU, OpenLDAP could be co-located with, say, an application server, with no problems.
The functionality, reliability and support that Symas provided were excellent. The servers hummed. The support teams loved Symas; their customers loved Symas too. Meanwhile, the deals rolled on.
That is, until management at Shawn’s company chose to make a break from OpenLDAP in favor of a different database technology.
With ongoing support from Symas (the commercial sponsor of OpenLDAP), Shawn’s organization took the RBAC solution through a series of successful business deals. The results spoke for themselves… until management pulled the plug.
When management cancelled development on every project that relied on LDAP protocols, all future collaboration with Symas and OpenLDAP was cancelled, too.
The organization’s security systems had to be retooled, and the RBAC solution that Shawn had developed had to be rewritten. Shawn oversaw both efforts. The alternative solution worked, but it was inferior in performance and reliability.
THAT’S WHEN SHAWN STARTED THINKING ABOUT THE OPEN SOURCE COMMUNITY.
Despite the new direction his organization had taken, Shawn knew the value of the solution that he had developed in collaboration with Symas – and he suspected the market would recognize its value, too.
A business proposal began to take shape in his mind.
He had seen how well the RBAC solution worked with OpenLDAP, and knew it could be offered at an affordable price. He also recognized the need for a commercially funded, open source RBAC solution to compete with the proprietary IAM products that dominated the market. And given his prior experiences, he had no doubt Symas would prove a capable and trustworthy partner.
Excited, Shawn pitched the idea to the executives of his organization. Their response was… lukewarm.
HIS COMPANY WASN’T INTERESTED – SO HE STARTED A BUSINESS OF HIS OWN.
In 2009, Shawn and his brothers formed McKinney Identity Management. Working alongside Symas, they met regularly to brainstorm their new company and the products it would offer.
Then, drawing from the knowledge that Shawn had gained through the development of his original RBAC security solution, he built his company’s first product: Open Access Manager. It was a complete rewrite of his earlier RBAC solution, refining that first attempt into a much higher-functioning solution.
Along the way, Symas continued to provide a sounding board, while offering technical guidance on how best to make use of OpenLDAP software for RBAC security.
At last, in 2011, Shawn realized it was time to leave his day job.
As long as he remained with the organization where he worked, there would be a conflict of interest standing in the way of his own product release and marketing. It was time to make a leap.
WHICH IS HOW JOSHUA TREE WAS BORN.
Shawn and his brothers reformed their company into Joshua Tree Software. They chose the name for Joshua Tree National Park, where they had done a lot of company brainstorming, and also for love of the U2 album by the same name. Then too, the species of yucca called a “Joshua tree” is a robust, long-living entity, whose qualities they hoped to demonstrate in their work.
Not long after this, Shawn resigned his corporate position and became a full-time entrepreneur. The next fall, Joshua Tree released their initial suite of products to the open source community, and announced the debut at LDAPCon in Heidelberg.
IT WAS ONLY A MATTER OF TIME BEFORE JOSHUA TREE AND SYMAS WOULD JOIN FORCES.
While collaborating on an upcoming technical partnership with a multinational technology corporation, Symas and Joshua Tree acknowledged it would be easier to proceed as a single entity.
So Symas made an offer… Joshua Tree accepted… and Shawn McKinney joined the Symas team.
As a result, the powerful suite of Joshua Tree products has now been integrated with OpenLDAP: the highest-performing, most reliable, most robust directory server available today.