DIRECTORY & INTEGRATION

Virtual Directory Server

Turn LDAP—the protocol your legacy systems already speak—into the universal on-ramp for identity governance. Normalize inbound events, aggregate read models, and serve applications through one secure endpoint—zero source-system changes.

Directory EngineersIGA ArchitectsSAP / AD TeamsCloud Migration

Book demo Talk to us

Hybrid Connectivity → Orchestration Service →

Virtual Directory Server bridging legacy LDAP systems into a governed event pipeline

Key advantages

Zero source-system changes — point an LDAP connection at VDS and go

Five-priority classifier turns every LDAP write into a typed 12-field governance event

Exactly-once Kafka delivery — LDAP success returned only after broker acknowledgment

Dual protocol: full RFC 4511 LDAP + SCIM 2.0 HTTP from the same ~100 MB container

The integration nightmare

"We have 12 systems that manage access. Each one has its own way of granting and revoking privileges. When someone approves a role in SAP GRC, we need that decision to flow through to Active Directory, Azure AD, and our entitlement ledger. Today, that takes 3 custom scripts, 2 middleware servers, and a prayer." — CISO, Fortune 500

Point-to-point integrations

Every new system requires custom development—$50K–$200K per connector, weeks of work.

No single audit trail

Compliance teams can't answer "who approved what" across systems. Days per audit cycle assembling evidence.

Delayed provisioning

Batch processing means hours or days between approval and access. Employees can't work.

Legacy systems can't change

SAP GRC and SAP IDM have no REST APIs. The LDAP interface is the interface.

Manual reconciliation

Staff re-key access decisions between systems—5–10 FTE hours every week.

SAP IDM is retiring

The sole consumer of GRC-approved provisioning requests is end-of-life, with no replacement path.

Why alternatives fall short

Custom middleware

$50K–$200K build · $20K–$50K/yr maintain

Breaks when either side updates. Partial LDAP compliance is a common source of production bugs. Every upgrade is a risk event.

iPaaS (MuleSoft, Boomi)

No native LDAP · weeks to integrate

Requires custom LDAP-to-REST translation. Generic data transformation, not identity-aware. Weeks to integrate vs. hours with VDS.

Directory synchronization

Syncs data, not decisions

Doesn't capture "who approved this" or "what policy applies." No governance context flows downstream. Data moves; decisions don't.

Upgrade or replace legacy

Multi-year · multi-million · massive risk

SAP GRC has no webhook API—the LDAP interface is it. Replacing the system is a multi-year, multi-million-dollar project with massive organizational risk.

How it works

Your legacy system sees a standard LDAP directory. It sends BIND, MODIFY, ADD, DELETE and gets standard result codes back. Behind the scenes, VDS classifies every operation and publishes it as a governance event.

Receive

→Accept standard LDAP ops from SAP GRC, ServiceNow, HR, or any LDAP-speaking app
→Each source gets its own partition—isolated auth, write policy, and event routing
→Adding a new source is a YAML block, not a development project

Classify & normalize

→5-priority classifier determines semantic meaning of every operation
→Maps to 12-field NormalizedEvent with UUID5, SHA-256, dedup keys
→No naive assumptions—every LDAP op classified by semantic meaning

Publish & govern

→Kafka acks=all — LDAP success only after broker acknowledgment
→Kafka failure returns LDAP error 52 — source retries automatically
→Downstream: policy evaluation, provisioning, and audit records

Five-priority object classifier

Every LDAP operation passes through a classification chain that determines its semantic meaning before it becomes a governance event. No guessing—every priority level has explicit fallback behavior.

Priority

Source

Example

DIT config override

OU=GRC-Roles → group

objectClass attribute

inetOrgPerson → user

Partition schema

objectclasses defined per partition

DIT branch heuristic

OU=Users → user

Fallback

"unknown" → LDAP error 53

Protocol bridge, not a proxy

Traditional virtual directories only proxy reads. EmpowerNow VDS captures writes and turns them into classified governance events—an architectural shift from passive aggregation to active identity automation.

What the legacy system sees

What actually happens

10K+

events/sec throughput

623+

automated tests (55 RFC conformance)

~100 MB

Docker container, startup in seconds

source-system changes required

15 min

zero to events-on-Kafka

backend connector types

Capabilities

Eight core capabilities that turn a legacy protocol into a modern governance pipeline.

Intelligent event classification

5-priority chain · semantic meaning for every operation

Every LDAP operation passes through a five-priority classifier chain before becoming a governance event. No guessing—each level has explicit fallback behavior.

DIT config override → objectClass → partition schema → branch heuristic → fallback
Prevents naive assumptions like "every ADD is user onboarding"
Unresolvable objects return LDAP error 53 — never silently dropped

Multi-partition architecture

Independent auth, schema & routing per source

One VDS instance serves multiple external systems—each with its own isolated namespace.

Independent auth, schema, write policy, and Kafka topic per partition
Add a new source system with a YAML block — not a development project
Supports both UEAS and RAW normalization modes per partition

Bidirectional reads + writes

Aggregate reads · capture writes as events

Not just a proxy—VDS handles both directions of identity traffic.

Read: Aggregate AD, Azure AD, Auth0, ServiceNow through a single LDAP search with attribute mapping and merge rules
Write: Translate LDAP modifications into classified governance events published to Kafka
Six backend connector types (AD, SCIM, SQL, REST, LDAP, static)

SCIM 2.0 + LDAP dual protocol

Legacy and cloud-native from the same container

Full RFC 4511 LDAP on port 2636 and full SCIM 2.0 HTTP API on port 8011 from the same ~100 MB container.

Legacy apps keep their LDAP connections unchanged
Cloud-native consumers use SCIM for user/group lifecycle
SCIM directories hot-reload every second — no restart needed

12-field NormalizedEvent

Deterministic IDs · SHA-256 integrity · template expansion

Every event shares the same 12-field schema regardless of source system—one format for the entire governance pipeline.

Deterministic event_id (UUID5), correlation_id, dedupe_key (SHA-256)
Payload integrity hash for tamper detection
subject_key template expansion and attribute allowlisting — all computed server-side

Epoch-bucket deduplication

60-second windows · exactly-once semantics

Identical requests within a 60-second epoch window produce the same dedupe_key. Downstream IngestService drops duplicates.

Combined with Kafka's idempotent producer: exactly-once semantics
No events lost, no events duplicated — even across restarts
LDAP success (code 0) returned only after Kafka ISR confirmation

Declarative YAML + hot-reload

7 config files · 70+ env vars · Docker secrets

Pure configuration, no UI required. Everything defined in YAML, overridable with environment variables.

7 YAML config files covering partitions, backends, Kafka, security, and normalization
SCIM directories hot-reload every second — no restart, no downtime
Docker secrets for credential resolution — no plaintext passwords in config

Observability built in

Prometheus · OpenTelemetry · structured JSON logs

Full-stack observability from day one — no instrumentation project.

20+ Prometheus metrics exposed for scraping
OpenTelemetry distributed tracing with correlation IDs on every operation
Structured JSON logging: bind_dn, partition, event_id, and outcome per entry

Multi-partition isolation

One VDS instance serves multiple external systems. Each source gets its own partition with independent authentication, schema, write policy, and Kafka routing. Adding a new source is a YAML block, not a development project.

Business impact

90%

Faster integration

2–8 weeks custom dev → <1 day YAML config

95%

Lower maintenance

$20K–$50K/year per connector → near-zero

99%

Faster provisioning

Hours (batch sync) → real-time events

100%

Reconciliation eliminated

5–10 FTE hours/week → unified event stream

5-year TCO comparison (3 systems): Traditional integration $500K–$1.2M → VDS: included in platform

Security model

Five layers of protection from transport to data, with fail-closed defaults at every level.

Layer 5 — Audit & Integrity

Kafka acks=all · epoch-bucket dedup · event injection prevention

Layer 4 — Rate Limiting

Per-partition rate limits · configurable thresholds · fail-closed on overload

Layer 3 — Authorization

PDP integration · write policies · attribute allowlist · fail-closed config

Layer 2 — Authentication

BIND-before-write · SASL/EXTERNAL · mTLS client certs · OAuth2 (SCIM)

Layer 1 — Transport

TLS 1.2 / 1.3 · mTLS (SASL/EXTERNAL) · PROXY Protocol v2

All event fields (source, event_type, correlation_id) are computed server-side from partition config—never from client input. userPassword is always excluded regardless of configuration.

Connects to your stack

Inbound LDAP from any source system. Six backend connector types for read aggregation. Downstream to the full EmpowerNow governance pipeline.

SAP GRC / IDM

Active Directory

Entra ID

ServiceNow

Workday / SAP HCM

Auth0

Apache Kafka

Docker / K8s

SCIM 2.0

ODBC / SQL

Any LDAP client

REST APIs

How VDS compares

Traditional VDS

iPaaS

Custom

EmpowerNow VDS

Write normalization

Partial

5-priority classifier

LDAP native

Yes

Partial

Full RFC 4511

SCIM 2.0 built in

Separate product

Via connector

Dual protocol

Governance pipeline

Native UEAS

Time to integrate

Weeks

2–8 weeks

15 minutes

5-year TCO (3 sys)

$300K–$800K

$500K–$1M

$500K–$1.2M

Included

Frequently asked questions

How is VDS different from a traditional virtual directory?

Traditional virtual directories (Oracle, Radiant Logic) only proxy reads—they aggregate backend data into a unified LDAP tree. EmpowerNow VDS captures writes and turns them into classified governance events published to Kafka. It is an architectural shift from passive data aggregation to active identity automation. It also includes SCIM 2.0, ships as a ~100 MB Docker container, and is included in the platform.

What happens if Kafka is unavailable?

VDS returns LDAP error code 52 (unavailable). LDAP clients are designed to retry on temporary errors—standard directory behavior. No events are lost. When Kafka recovers, retries succeed automatically. The idempotent producer and epoch-bucket deduplication ensure no duplicates.

Does VDS replace our directory server?

No. VDS sits alongside your existing directories. Source systems point their LDAP connections at VDS instead of—or in addition to—the target directory. VDS normalizes writes into events and aggregates reads from backends. Your directories remain authoritative.

How long does it take to add a new source system?

The Quick Start guide gets you from zero to events-on-Kafka in 15 minutes for the first system. Additional systems require adding a YAML partition block with auth, write policy, and event routing—typically less than a day including testing. No code changes.

Is LDAP going away?

Not for 5+ years in most enterprises. SAP GRC, Active Directory, and many HR systems will speak LDAP for the foreseeable future. VDS bridges the gap today and also serves SCIM 2.0 for cloud-native consumers—your investment is future-proof regardless of protocol evolution.

Standards & protocols

Protocols

RFC 4511 (LDAP) RFC 4512 RFC 4513 SCIM 2.0 OAuth2 TLS / mTLS PROXY Protocol v2 ASN.1 / BER

Observability

OpenTelemetry Prometheus Structured JSON logs

Compliance-ready

SOX GDPR HIPAA SOC 2 ISO 27001 NIST 800-53

Use cases

SAP GRC integration

SAP GRC approves a role request and sends an LDAP MODIFY. VDS classifies it as membership_add, normalizes to an external_request.approved event, and publishes to Kafka. The pipeline provisions access across AD, Azure AD, and non-SAP systems automatically.

No custom ABAP · No middleware scripts

Multi-system governance

AD, Azure AD, Auth0, and ServiceNow each get their own VDS partition. All access decisions arrive as NormalizedEvents on the same Kafka topic. One event stream for all systems.

5–10 FTE hours/week reconciliation → eliminated

Cloud migration bridge

During migration from on-prem AD to Entra ID, legacy LDAP apps connect to VDS instead. VDS routes reads to the new cloud identity store and captures writes as governance events.

Zero application changes · Migrate at your pace

Ready to see it live?

Book a 15-minute walkthrough with an engineer. We'll map Virtual Directory Server to your architecture, show real event flows, and answer every technical question.