Access control

Restrictions and rules which control the areas of the virtual directory which people can view and the operations which they can perform. In Penrose Virtual Directory, the access control set on the virtual directory is enforced apart from any access control set on the data source.


An abstraction layer which interacts between Penrose Server and the data source; works on the server frontend. There are three adapters in Penrose Virtual Directory for LDAP, JDBC, and NIS sources.


A single descriptive element for an entry, defined in the schema for a server.


The process of binding, or logging in, to a server and providing a set of credentials which must be verified to allow the login.


Base DN

The distinguished name against which an LDAP operation is carried out. A search, for example, begins searching for entries at the base DN and then goes down the directory tree through all of its children subtrees and entries.

Basic mapping

A simple, direct association where one attribute is specifically matched to corresponding attributes in the virtual directory, such as mapping the firstname row in a database table to the givenName LDAP attribute in the virtual directory.



Temporary storage used by Penrose Virtual Directory to contain virtual directory entries. Penrose Virtual Directory supports two kinds of cache, persistent and in-memory.


The server or host information which is used to connect to data sources.


Specific text used to define a static mapping rule, field, or Penrose Virtual Directory other entry element. In the configuration files, this is indicated by <constant> tags; in Penrose Studio, this is sometimes labeled text.


Data source

Any server or application which contains information that is used by Penrose Virtual Directory to create a virtual entry.

Directory hierarchy

See Directory tree (DIT).

Directory migration

The process of copying information from one data source configured in Penrose Virtual Directory to another data source. This is usually configured using identity federation.

See Also Lazy migration.

Directory tree (DIT)

The organization of the entries and subentries contained in a directory; the visual layout of the directory is similar to a filesystem hierarchy. This is also called a directory information tree (DIT) or directory hierarchy.

Distinguished name (DN)

The full representation of an entry's name in an LDAP directory. This includes a naming attribute (the leftmost element in the name) and the position in the directory tree by including its parent entries.

Dynamic subtree

A type of virtual subtree in Penrose Virtual Directory where the entries within the subtree are generated according to a filter rather than being explicitly defined.



The identity in the virtual directory or in one of its sources. This can also refer to a configuration record in the Penrose Virtual Directory configuration.

Entry attributes

An attribute for a virtual directory entry. This is defined with the corresponding LDAP attribute name and an expression to supply the value, either dynamically through a Java expression or variable pointing to a source value or explicitly through a constant. Optionally, there is also a key to indicate whether the attribute is used to name an entry.


BeanShell expressions used to map attributes in the virtual directory to attributes in the sources. BeanShell expressions are described in more detail at the BeanShell site,



An attribute within a source entry which can be referenced for mapping into the virtual directory.

Flattened namespace

A unified naming organization for entries in the virtual directory. When entries are stored in multiple sources, particularly different kinds of sources, the way that entries are named and the organization of the directory structure can be very different. Virtual directories "flatten" or unify those different namespaces into a single namespace with a consistent rule for naming entries.


Global repository

The centralized directory used to combine entries for identity federation; this is usually an LDAP server, such as Red Hat Directory Server or Active Directory.



The person, server, or other entity which is described by an entry. Frequently, there can be more than one entry referring to the same person.

Identity federation

The configuration concept which combines entries from different applications or sources which all describe the same person into a single entry in a centralized global repository. This is most commonly used for LDAP and NIS environments or to facilitate a migration between NIS and LDAP, LDAP to Red Hat IPA, or different kinds of LDAP servers.

Identity linking

The process of matching entries in a local repository or source to the corresponding entry in the centralized global repository for identity federation.


The parts of the Penrose Virtual Directory code which translates the mappings configured in the virtual directory to generate the virtual entries.


Join mapping

A method of mapping which takes attributes from multiple source entries, which all represent a single identity, and use them to build a virtual entry. For join mapping, the different source entries must have at least one value in common in order to identify and combine properly the entries.


Lazy migration

The process of copying information from one data source configured in Penrose Virtual Directory to another data source. This is usually configured using identity federation.

Local repository

A source used to supply information for identity federation. This is the original source for information; the data are migrated over to the global repository.



Any association which is defined to supply an attribute and value in the virtual directory, either by pulling the attribute value from a source entry or by explicitly defining it.

Mapping rules

A single definition for an attribute mapping. A mapping rule is set for the virtual directory, not the source.


A managed bean in a Java environment. All of the partition-related operations for the virtual directory, including sources and connections, are MBeans.


A kind of centralized directory which interacts with multiple kinds of directory and database services. A meta directory holds an independent copy of information; it collects information from its sources and can synchronize that information back to other sources, to help unify the entire environment. This is a similar function to a virtual directory, except virtual directories do not store information.


Specialized Java classes which extend or change the behavior of Penrose Virtual Directory components; works on the server backend.



The organization, based on the name of the highest entry in the directory, which defines the relationship and names of entries.

Naming attribute

The attribute which supplies the relative distinguished name, the first element in an entry's name. For example, uid is the naming attribute in uid=jsmith,ou=people,dc=example,dc=com.

Nested mapping

A method of associating entry values where one attribute value is dynamically generated and those results are used to generate the next part of the mapped value.


Object class

An entry element which defines the type of entry and has defined rules on what attributes are required and allowed to describe the entry; for a directory, this is an LDAP schema element.



A designated object within Penrose Virtual Directory which has a common set of Java classes and libraries to run the virtual directory and specific configuration defining the sources, connections, modules, mappings, and other virtual directory configurations.

Pass-through authentication

A form of binding to a directory service where the bind information, such as the username and password, are sent to one service (Penrose Virtual Directory) and are then sent to a source, unchanged, to allow the user to bind to the source. Penrose Virtual Directory supports pass-through authentication to services such as Active Directory and Red Hat Directory Server.

Primary key

An argument set for an attribute defined in the mapping which indicates whether the attribute is a naming attribute, meaning that is supplies the element on the far left of the entry's distinguished name. For example, if the uid parameter is the primary key, then that attribute value is used in the entry name, such as uid=jsmith,ou=people,dc=example,dc=com.


A service, such as Penrose Virtual Directory, which is contacted in place of another service. Penrose Virtual Directory can function as an LDAP proxy for Red Hat Directory Server and Active Directory, for example, and route requests and operations to the appropriate LDAP server.

See Also Pass-through authentication.



A defined mapping association for a single attribute in the virtual directory.

Relative distinguished name

The first element of the distinguished name; for example, uid=jsmith in uid=jsmith,ou=people,dc=example,dc=com.


A source to store information in identity federation.

See Also Local repository, Global repository.

Root DSE

The entry in the directory tree configuration which defines the configuration of the directory service, such as its LDAP protocol, supported LDAP mechanisms and controls, and its server URLs. The root DSE for the virtual directory is configured in the partition and defines what the virtual directory supports.



A list of different elements which are used to describe entries in directory services. Attribute elements define what descriptive elements are available; object class elements identify the kind of entry being describe and the required or allowed attributes to describe it. The list of attributes and object classes, together, is the schema.


In Penrose Virtual Directory, any code which is configured to run before or after mapping rule to manipulate the data as used in the virtual directory entry.

Security provider

Additional libraries which extend SSL/TLS support for Penrose Virtual Directory and additional algorithms, ciphers, and encryption-related information.


In Penrose Virtual Directory, interfaces which are used by Penrose Virtual Directory to connect to LDAP or database sources. An additional JMX service connects to Penrose Studio and other Java-based clients.


The server instance entry, usually the name assigned to a directory server instance.

Single sign-on

A concept where users need only log into a single service and can have authenticated access to any service on the network. Penrose Virtual Directory, by creating a centralized location for nearly all directory and database services, is part of a single sign-on solution because users can authenticate to Penrose Virtual Directory and be authenticated, through the Penrose Virtual Directory configuration, to all of the sources in the virtual directory.


A copy of the entire LDAP subtree or directory, with all entries, as it exists at that moment. Because this mirrors an existing directory on Penrose Virtual Directory, this is similar to an LDAP proxy.

See Also Proxy.


Any server or application which contains information that is used by Penrose Virtual Directory to create a virtual entry. Source entries are configured within a partition.

For synchronization or migration, the source is the repository which contains the original copy of the data being synchronized.

Static subtree

A type of virtual subtree in Penrose Virtual Directory where the entries within the subtree are explicitly defined. This is common for configuration subtrees which are directory or hierarchy container entries.


A Java-based user interface which manages, views, creates, and edits virtual directory entries for Penrose Virtual Directory.

A branch point within the directory hierarchy. For example, organizational units (ou entries) are branch points because they indicate a subset of the overall directory entries.


The operation of copying data between two sources or repositories so that the same information is mirrored in two locations. Penrose Virtual Directory supports synchronization between NIS, LDAP, Active Directory, Red Hat IPA, and other sources.



In migration or synchronization, the target server is the one to which information is copied. For example, in a migration from NIS to LDAP, the NIS server is the source repository and the LDAP server is the target.


UID/GID conflict

In identity federation, the potential conflict in assigned user ID or group ID numbers. Because there can be multiple sources combined in identity federation, the same ID numbers may be duplicated. These conflicts can be resolved by assigning new ID numbers as part of the identity federation process and any file ownerships reassigned.



In Penrose Virtual Directory, a source attribute which is used to supply an attribute value in a virtual directory mapping entry. These have the form source_name.attribute_name.

Virtual directory

A lightweight, centralized directory which interacts with multiple kinds of directory and database services. A virtual directory uses configuration files to identify data sources and rules for how to recognize and apply attributes to entries, as well as definitions for the centralized directory configuration. The actual data remain in the data sources; views of the directory and the information contained in the entries is located and displayed on the fly, rather than physically copying the information into a different directory, as in a meta directory.

Virtual Directory Server

The lightweight directory engine which creates the virtual directory, interacts with LDAP and database sources, and contains all configuration information.