Understand directory services to maintain control of network information and users

Directory services are software programs that link directly into core databases to manage the identities and security of users on a network. They are crucial to many medium and large organisations.

Typically, a number of information repositories across an organisation will store information about network users and objects: SQL or other databases, telephone directories (electronic and hard-copy), flat files, human resources software and network management products.

Modern directory services are capable of storing rich information relating to users and other organisational objects and can provide this information to users and applications in a secure manner. In this way, information can be maintained centrally and can then be made available to other applications as necessary.

The most widely used directory services are Microsoft's Active Directory and Novell's eDirectory (formerly NDS or Novell Directory Services).

There are also specialist directory services available, one of which is OpenLDAP, a Lightweight Directory Access Protocol (LDAP) directory server developed by the open source community.

Directory services tend to conform to LDAP, an internet protocol used by e-mail and other programs to look up information from a server. As a minimum, any high-end directory should be LDAP-certified and support the LDAP v3 specification.

Novell's eDirectory is LDAP-certified by the independent standards body The Open Group. Currently, Active Directory does not adhere to the full LDAP specification and is therefore not certified. However, it does largely support LDAP's features.

Messaging products from the likes of Microsoft, IBM, Lotus and Netscape also support the LDAP standard with "LDAP-aware" client programs, which can ask LDAP servers to look up entries in a variety of ways, returning detailed information on a particular user or group of users. LDAP servers do this by indexing all the data in their entries and using filters to home in on the required information.

But LDAP is not limited to contact information, or information about people. It is also used to look up encryption certificates and pointers to printers and other services on a network, and to provide single sign-on, where a user can enter one password to gain access to multiple services or network resources.

An LDAP-aware client may be an e-mail program, a printer browser or an address book, connecting to a server that only speaks LDAP, or to one that also has other methods of sending and receiving data, as is the case with Active Directory.

LDAP also defines network permissions, set by the administrator to allow only certain people to access the LDAP database, and can keep certain data private. In addition, it defines the schema: the format and attributes of the data on the server, for example a user's individual preferences.
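The lookup behaviour described above, an LDAP-aware client asking a server for the entries that match a filter, can be made concrete with a small parser and evaluator. The following is an added example, not code from the article or from OpenLDAP, Active Directory or eDirectory; the sample entries, attribute values and the `escape_filter_value`, `search` and `lookup_by_name` names are constructed for it. It implements a subset of the RFC 4515 filter syntax (presence, equality, substring, `&`, `|`, `!`) over an in-memory directory, and includes the one check a client that builds filters from user input needs: escaping the value before embedding it, so that a typed `*` or `)` is looked up literally rather than widening the search.

```python
"""Minimal LDAP search-filter (RFC 4515 subset) parser and evaluator.
Added illustration; not code from the article or from any directory product."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample entries for a hypothetical organisation (not real data).
DIRECTORY: Dict[str, Entry] = {
    "cn=Alice Example,ou=People,dc=example,dc=com": {
        "cn": ["Alice Example"], "mail": ["alice@example.com"],
        "telephoneNumber": ["+44 20 7946 0001"],
        "objectClass": ["person", "inetOrgPerson"]},
    "cn=Bob Example,ou=People,dc=example,dc=com": {
        "cn": ["Bob Example"], "mail": ["bob@example.com"],
        "objectClass": ["person", "inetOrgPerson"]},
    "cn=print-01,ou=Printers,dc=example,dc=com": {
        "cn": ["print-01"], "printerName": ["Floor 3 laser"],
        "objectClass": ["printer"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3 escaping: a typed '*' or ')' must match literally
    rather than change the structure of the filter it is embedded in."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Reverse the '\\XX' hex escaping."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class FilterParser:
    """Recursive-descent parser producing a small tuple-based AST."""
    def __init__(self, text: str) -> None:
        self.s, self.i = text, 0

    def parse(self) -> Tuple:
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing data after filter")
        return node

    def _expect(self, ch: str) -> None:
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.i}")
        self.i += 1

    def _filter(self) -> Tuple:
        self._expect("(")
        op = self.s[self.i:self.i + 1]
        if op in ("&", "|"):            # filter list: (&(...)(...)) or (|(...)(...))
            self.i += 1
            children = []
            while self.s[self.i:self.i + 1] == "(":
                children.append(self._filter())
            node: Tuple = (op, children)
        elif op == "!":                 # negation: (!(...))
            self.i += 1
            node = ("!", [self._filter()])
        else:                           # item: (attr=value)
            eq, close = self.s.find("=", self.i), self.s.find(")", self.i)
            if eq < 0 or close < 0 or eq > close:
                raise ValueError(f"malformed item at offset {self.i}")
            attr, raw = self.s[self.i:eq], self.s[eq + 1:close]
            self.i = close              # values are escaped, so ')' never occurs inside one
            if raw == "*":
                node = ("present", attr)
            elif "*" in raw:            # a raw '*' is always a wildcard; a typed one is '\2a'
                node = ("sub", attr, [unescape_filter_value(p) for p in raw.split("*")])
            else:
                node = ("eq", attr, unescape_filter_value(raw))
        self._expect(")")
        return node

def matches(node: Tuple, entry: Entry) -> bool:
    """Evaluate a node against one entry (case-insensitive, as for caseIgnoreMatch)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1].lower()
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)
    pattern = ".*".join(re.escape(p) for p in node[2])
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def search(filter_text: str) -> List[str]:
    """Return the DNs of entries matching an LDAP filter string."""
    ast = FilterParser(filter_text).parse()
    return sorted(dn for dn, entry in DIRECTORY.items() if matches(ast, entry))

def lookup_by_name(typed_name: str) -> List[str]:
    """Address-book style lookup that embeds user input only after escaping."""
    return search(f"(cn={escape_filter_value(typed_name)})")
```

Calling `search("(&(objectClass=person)(mail=*@example.com))")` returns the two people entries and leaves the printer out, while `lookup_by_name("*")` sends `(cn=\2a)` to the evaluator and returns nothing, because the escaped asterisk is compared as a literal character rather than treated as a wildcard. Real servers evaluate filters against their indexes rather than scanning every entry, but the filter semantics are the same.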

Gary Barnett, IT research director at analyst firm Ovum, said, "Your choice of directories is going to be informed by the core applications you are using. Whether you like it or not, if you are using Microsoft Exchange, you are going to have Active Directory."

But he added, "I am not convinced that organisations need another directory over and above Active Directory. The purpose of a directory server is to act as an organisational Yellow Pages - to sort out the things people have access to, and to record things. Novell Directory Server majored on adherence to standards, and has huge scalability. But Active Directory is now scalable and accessible via LDAP, so it is harder to differentiate between the two."

Barnett said there were some situations where an organisation might choose to have an alternative or additional directory. "If you are a telco, and effectively running several different networks that need to be talking to each other, you may take a very high-performance bare-bones LDAP server, and you might have one looking more at people. It is also possible to manage trust relationships with Windows and Unix without Active Directory." Mainframe environments may also require more specialised directories, he said.

Garry Williams, technical consultant at IT professional services company Eurodata Systems, believes directories can bring consolidation, and therefore IT and business efficiencies.

"A directory service presents the opportunity to consolidate the number of repositories in use and realise a number of benefits in doing so: reduced administrative overheads, enhanced operational efficiency and tighter control over the security of user information," he said.

Last year, manufacturing giant Reckitt Benckiser implemented Microsoft Windows Server 2003 Enterprise Edition with Active Directory, rolling it out across 60 countries in just nine months.

Reckitt used Active Directory to determine network paths and define network relationships over its wide area network. A major benefit for the company was the ability to collapse its infrastructure into three domains (Windows sub-networks) down from an unwieldy 96.

Catrin Brain, IS manager, service delivery and infrastructure at Reckitt, said the Active Directory implementation gave administrators a single repository to keep tight control over the network environment, passwords, and corporate policy. Before, with no centralised control over these areas, it was difficult to locate and resolve any system problems, she said. 

Tony Gallagher, senior vice-president for information services at Reckitt, said, "The reduction of domains from 96 to three, together with the speed of the deployment in just a few months, has made a major contribution to greater efficiency throughout our business."

He added that Active Directory provides a central repository of network connections, so if a user's name changes, for instance if an employee gets married, a job changes, or someone is relocated, it can all be tracked.

Active Directory was introduced with Windows 2000 Server, which means that, in upgrading to the latest Microsoft operating system, most organisations will adopt a directory services product because it is there rather than to satisfy a strict requirement for such technology, said Eurodata's Williams.

Williams said users rarely justify Active Directory as a directory service implementation based on identified business requirements.

"As a consequence of this almost inadvertent adoption, we have found that the directory features within Active Directory - the ability to securely publish and locate information on organisational objects - are rarely understood or employed effectively."

Microsoft's e-mail applications, Exchange Server 2000 and 2003, rely on Active Directory as their central authentication backend system, repository and e-mail provisioning system. These versions of Exchange Server cannot be deployed in the absence of Active Directory and so many organisations will employ Active Directory for that reason alone, said Williams.

A main attraction of Active Directory is its security. It centralises identity management and supports role-based security. Active Directory works with multiple authentication protocols such as Kerberos, X.509 certificates, and smartcards to support internal desktop users, remote dial-up users, and external e-commerce customers.

It can carry out single sign-on to network resources; lock down desktop configurations and prevent access to specific operations such as software installation or registry editing; and set access control privileges on directory objects and the individual data elements that make them up.

The main alternative to Microsoft Active Directory is Novell's eDirectory.

Novell has been developing its directory services technology for over a decade. The original product, NDS, was engineered to support the Novell NetWare environment and was termed a network operating system directory, much as Active Directory is for Windows.

But NDS evolved, mainly to overcome the problems of managing user accounts on multiple NetWare servers, which at that time was typically done manually. NDS ultimately became eDirectory, a high-performance, mission-critical component supporting the expanding role of directory services in IT.

One of the most widely used directories available, eDirectory is used by more than 28,000 customers, including most of the Fortune 1,000 companies, according to figures from Novell.

Mark Oldroyd, category specialist for identity at Novell UK, said eDirectory is mainly considered to be a high-end directory service for large-scale deployments and added that one of its strengths is its ability to scale.

"eDirectory has been proven to scale to one billion entities, and tested for sustained LDAP performance on 100 million objects," he said. He added that eDirectory has features to make it more reliable, and is largely self-maintaining, so it can catch and correct minor errors without administrator intervention.

Like Active Directory, eDirectory has strong security features and supports LDAP, as well as security standards including Kerberos, SASL, SOAP and DSML.

One key difference between Active Directory and eDirectory is that Active Directory can only be hosted on the Windows 2000 and 2003 operating systems, whereas eDirectory can be hosted on a range of platforms including NetWare, Linux, Windows, HP-UX, AIX and Solaris.

Specialist directory services tools

As well as Novell's and Microsoft's directory services tools, there are also more specialist directory services available. One of these is a Lightweight Directory Access Protocol (LDAP) directory server developed by the open source community called OpenLDAP.

OpenLDAP includes slapd, a standalone LDAP server which runs on many different Unix platforms. It can be used to provide a bespoke directory service, in which the user defines what data the directory should track and manage, or it can connect to the global LDAP directory service.

Computing and Communications Services Office

Computing and Communications Services Office (CSO) is another directory services technology. It was originally developed at the University of Illinois to make student and staff information, such as phone numbers and e-mail addresses, available online. CSO is normally used to provide a directory of a single organisation only, and it is used across the world.

X.500 is a precursor to LDap and a standard for distributed directory services, and is used in older directory services programs. The standard includes the structure of the X.500 database, and also the protocol used in querying the database. X.500 can be used for different types of directories, but its most notable implementation is a global White Pages service containing in excess of one million names contributed to by X.500 servers in dozens of countries.
