Directory services are software programs that link
directly into core databases to manage the identities and security
of users on a network. They are crucial to many medium and large
organisations.
Typically, a number of information repositories across an
organisation will store information regarding network users and
objects: SQL or other databases, telephone directories - electronic
and hard-copy - flat files, human resources software and network
management products.
Modern directory services are capable of storing rich
information relating to users and other organisational objects and
can provide this information to users and applications in a secure
manner. In this way, information can be maintained centrally and
can then be made available to other applications as necessary.
The most widely used directory services are Microsoft's Active
Directory and Novell's eDirectory (formerly NDS or Novell Directory
Services).
There are also specialist directory services available, one of
which is OpenLDap - a Lightweight Directory Access Protocol (LDap)
directory server developed by the open source community.
Directory services tend to conform to LDap, an internet protocol
used by e-mail and other programs to look up information from a
server. As a minimum, any high-end directory should be
LDap-certified and support the LDap v3 specification.
Novell's eDirectory is LDap-certified by independent standards
body The Open Group. Currently, Active Directory does not adhere to
the full LDap specification and is therefore not certified.
However, it does largely support LDap's features.
Messaging products from the likes of Microsoft, IBM, Lotus, and
Netscape also support the LDap standard with "LDap-aware" client
programs, which can ask LDap servers to look up entries in a
variety of ways, returning detailed information on a particular
user or group of users. LDap servers do this by indexing all the
data in their entries and using filters to home in on the required
information.
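The filter-driven lookup described above, as an added example that is not from the article: a minimal Python evaluator for LDAP search filters in the RFC 4515 string form (and, or, not, equality, presence and substring tests) run over three constructed entries. The entries, their DN layout, the omission of escape handling and the case-insensitive matching (as for caseIgnore attributes) are assumptions of the example.

```python
# Added example, not from the article: an evaluator for RFC 4515-style LDAP
# search filters over constructed entries (no handling of \xx escapes).
import re

ENTRIES = {  # constructed sample entries keyed by DN; attributes are multi-valued
    "uid=asmith,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"],
        "cn": ["Alice Smith"], "mail": ["asmith@example.com"]},
    "uid=bjones,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"],
        "cn": ["Bob Jones"], "mail": ["bjones@example.com"]},
    "cn=prn-2f,ou=printers,dc=example,dc=com": {"objectClass": ["printer"],
        "cn": ["prn-2f"], "location": ["Floor 2"]},
}

def _parse(text, i):
    # Parse one parenthesised filter starting at text[i]; return (node, next index).
    if text[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|!":                     # (&(f1)(f2)...), (|(f1)(f2)...), (!(f))
        op, items, i = text[i], [], i + 1
        while text[i:i + 1] == "(":
            item, i = _parse(text, i)
            items.append(item)
        node = (op, items)
    else:                                    # (attr=value); value may contain '*'
        end = text.index(")", i)
        attr, value = text[i:end].split("=", 1)
        node, i = ("=", attr.strip().lower(), value.lower()), end
    if text[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _match(pattern, value):
    # '*' is a wildcard: '*' alone tests presence, a*b is a substring test.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def _evaluate(node, entry):
    if node[0] in "&|":                      # AND / OR over the sub-filters
        return (all if node[0] == "&" else any)(_evaluate(n, entry) for n in node[1])
    if node[0] == "!":
        return not _evaluate(node[1][0], entry)
    _, attr, pattern = node                  # names and values compare case-insensitively
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return any(_match(pattern, v) for v in values)

def search(filter_text, entries=ENTRIES):
    # Return the sorted DNs of entries matching filter_text, as an LDAP search would.
    tree, _ = _parse(filter_text.strip(), 0)
    return sorted(dn for dn, entry in entries.items() if _evaluate(tree, entry))
```

A real server answers the same filters from its indexes rather than by scanning every entry, but the matching semantics are the ones shown here.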
But LDap is not limited to contact information, or
information about people. It is also used to look up encryption
certificates, pointers to printers and other services on a network,
and provide single sign-on, where a user can input one password to
gain access to multiple services or network resources.
An LDap-aware client may be an e-mail program, a printer
browser or an address book, connecting either to a server that
speaks only LDap, or to one that also has other methods of sending
and receiving data, as is the case with Active Directory.
LDap directories also define network permissions, set by the
administrator to allow only certain people to access the LDap
database, and can keep certain data private. In addition, they
define a schema - the format and attributes of data held on the
server, for example, a user's individual preferences.
Gary Barnett, IT research director at analyst firm Ovum, said,
"Your choice of directories is going to be informed by the core
applications you are using. Whether you like it or not, if you are
using Microsoft Exchange, you are going to have Active
Directory."
But he added, "I am not convinced that organisations need
another directory over and above Active Directory. The purpose of a
directory server is to act as an organisational Yellow Pages - to
sort out the things people have access to, and to record things.
Novell Directory Server majored on adherence to standards, and has
huge scalability. But Active Directory is now scalable and
accessible via LDap, so it is harder to differentiate between the
two."
Barnett said there were some situations where an organisation
might choose to have an alternative or additional directory. "If
you are a telco, and effectively running several different networks
that need to be talking to each other, you may take a very
high-performance bare-bones LDap server, and you might have one
looking more at people. It is also possible to manage trust
relationships with Windows and Unix without Active Directory."
Mainframe environments may also require more specialised
directories, he said.
Garry Williams, technical consultant at IT professional services
company Eurodata Systems, believes directories can bring
consolidation, and therefore IT and business efficiencies.
"A directory service presents the opportunity to consolidate the
number of repositories in use and realise a number of benefits in
doing so: reduced administrative overheads, enhanced operational
efficiency and tighter control over the security of user
information," he said.
Last year, manufacturing giant Reckitt Benckiser implemented
Microsoft Windows Server 2003 Enterprise Edition with Active
Directory, rolling it out across 60 countries in just nine
months.
Reckitt used Active Directory to determine network paths and
define network relationships over its wide area network. A major
benefit for the company was the ability to collapse its
infrastructure into three domains (Windows sub-networks) down from
an unwieldy 96.
Catrin Brain, IS manager, service delivery and infrastructure at
Reckitt, said the Active Directory implementation gave
administrators a single repository to keep tight control over the
network environment, passwords, and corporate policy. Before, with
no centralised control over these areas, it was difficult to locate
and resolve any system problems, she said.
Tony Gallagher, senior vice-president for information services
at Reckitt, said, "The reduction of domains from 96 to three,
together with the speed of the deployment in just a few months, has
made a major contribution to greater efficiency throughout our
business."
He added that Active Directory provides a central repository of
network connections, so if a user's name changes, for instance if
an employee gets married, a job changes, or someone is relocated,
it can all be tracked.
Active Directory was introduced with Windows 2000 Server, and
this means that, in upgrading to the latest Microsoft operating
system, most organisations will adopt a directory services product
because it is there, rather than to satisfy a strict requirement
for such technology, said Eurodata's Williams.
Williams said users rarely justify Active Directory as a
directory service implementation based on identified business
requirements.
"As a consequence of this almost inadvertent adoption, we have
found that the directory features within Active Directory - the
ability to securely publish and locate information on
organisational objects - are rarely understood or employed
effectively."
Microsoft's e-mail applications, Exchange Server 2000 and 2003,
rely on Active Directory as their central authentication backend
system, repository and e-mail provisioning system. These versions
of Exchange Server cannot be deployed in the absence of Active
Directory and so many organisations will employ Active Directory
for that reason alone, said Williams.
A main attraction of Active Directory is its security. It
centralises identity management and supports role-based security.
Active Directory works with multiple authentication protocols such
as Kerberos, X.509 certificates, and smartcards to support internal
desktop users, remote dial-up users, and external e-commerce
customers.
It can carry out single sign-on to network resources; lock down
desktop configurations and prevent access to specific operations
such as software installation or registry editing; and set access
control privileges on directory objects and the individual data
elements that make them up.
The main alternative to Microsoft Active Directory is Novell's
eDirectory.
Novell has been developing its directory services technology for
over a decade. The original product, NDS, was engineered to support
the Novell Netware environment and was termed a network operating
system directory, much as Active Directory is for Windows.
But NDS evolved, mainly to overcome the problems of managing
user accounts on multiple Netware servers, which at that time was
typically done manually. NDS ultimately became eDirectory, a
high-performance, mission-critical component supporting the
expanding role of directory services in IT.
eDirectory is one of the most widely used directories available,
with more than 28,000 customers, including most of the Fortune
1,000 companies, according to figures from Novell.
Mark Oldroyd, category specialist for identity at Novell UK,
said eDirectory is mainly considered to be a high-end directory
service for large-scale deployments and added that one of its
strengths is its ability to scale.
"eDirectory has been proven to scale to one billion entities,
and tested for sustained LDap performance on 100 million objects,"
he said. He added that eDirectory has features to make it more
reliable, and is largely self-maintaining, so it can catch and
correct minor errors without administrator intervention.
Like Active Directory, eDirectory also has strong security
features, and supports LDap and security standards including
Kerberos, SASL, Soap and DSML.
One key difference between Active Directory and eDirectory is
that Active Directory runs only on the Windows 2000 and 2003
operating systems, whereas eDirectory can be hosted on a range of
platforms including Netware, Linux, Windows, HP-UX, AIX and
Solaris.
Specialist directory services tools
OpenLDap
As well as Novell and Microsoft's directory services tools,
there are also more specialist directory services available. One of
these is a Lightweight Directory Access Protocol (LDap) directory
server developed by the open source community called OpenLDap.
OpenLDap features Slapd, a standalone LDap server which runs on
many different Unix platforms. It can be used to provide a bespoke
directory service, where a user can define what data they want the
directory to track and manage, or connect to the global LDap
directory service.
Computing and Communications Services Office
Computing and Communications Services Office (CSO) is another
directory services technology. It was originally developed at the
University of Illinois to make student and staff information, such
as phone numbers and e-mail addresses, available online. CSO is
normally used to provide a directory of a single organisation only,
and it is used across the world.
X.500
X.500 is a precursor to LDap and a standard for distributed
directory services, and is used in older directory services
programs. The standard includes the structure of the X.500
database, and also the protocol used in querying the database.
X.500 can be used for different types of directories, but its most
notable implementation is a global White Pages service containing
in excess of one million names contributed to by X.500 servers in
dozens of countries.