Some Background on Directory Services


What are Directory Services?  Directory services give network operating systems a way to store and access information about network resources, accounts and services.  Networks that operate based on directory services require two components.
  • the directory itself
  • the service this directory manages

When we use the term directories in the context of directory services, we are not using it in its more typical meaning as a reference to a location on a hard drive containing a collection of files grouped under an identifying name.  Our present use of the term directories gives them a more general meaning relating to organizing information.  They are special types of databases.  For example, almost all of us make use of telephone directories.

In object-oriented terms, the directory contains objects that have attributes.  For example, consider a user account contained in a directory such as Novell's NDS.  This user account is an instance of an object that has attributes such as the user's name, the username, the account password, permissions on particular resources and so on.

Similarly, in a telephone directory there is an instance of a listing-type object for each person in the directory.  The object has properties/attributes such as the name on the listing, the address, the phone number and whether or not the address should be listed.  There are likely other attributes, but this gives a second illustration.

Another directory that is likely to be contained in a directory service keeps track of printers on a network.  There should be an instance of an object for each printer containing attributes/properties such as a unique identifier for each printer, its type, its location and so on.

To reiterate, now that we have more background, directory services provide ways to store, update, locate and secure information in a directory.  They can be local to a particular machine or global across a network.  If the information associated with the service is spread across several machines, the directory service is said to be distributed.

Object classes define the attributes available for a class of objects and its place in the directory structure or hierarchy.  The schema is the definition of the object classes, along with the required and allowed attributes for each.  A particular network operating system (NOS) may enable an administrator to extend its existing schema or add new object classes and attributes.

Without directory services, the most common way to give multiple users access to resources on a network is sharing.  Sharing has several encumbering difficulties when used on networks, particularly as they grow.

  • shared resources live on individual workstations or servers
  • users need to know how to locate them
  • security is typically set up for each resource in isolation
  • users usually need security set up specifically for each resource

Some of the major benefits of directory services are contained in the following list.

  • resources can be more easily organized
  • resources can be more easily secured
  • resources can be more easily located and accessed when authorized
  • users don't even need to know exactly where the resource is located in order to make use of it

A directory namespace refers to the way in which each directory object is uniquely identified.  Some examples of namespaces include the following.

  • usernames
  • e-mail addresses
  • server names
  • printer names

Namespaces, like databases in general, can be flat file, hierarchical, relational, multidimensional and so on.  The most typical are either flat file or hierarchical.  Remember, Windows NT and NetWare 3.x made use of directory services based on flat files.  Newer, more distributed directory services make use of hierarchical structures.  These sorts of structures are usually represented by inverted trees.

In directory trees, objects can have parent objects and child objects.  A parent object is directly above the object in the tree; a child object is directly below it.  These concepts are illustrated in the following figure.



Notice how the naming convention includes the name of a parent within the name of each child.  Objects U2C1 and U2C2 include the name of their parent object U2.

DNS - Domain Name System names are structured in a similar way, as illustrated in the following diagram.



These likely represent servers within particular organizational categories and servers within the organizations.  Those that are further from the public Internet are deeper in the diagram.

Directory Services Standards.  In order to gain interoperability, different directory services need to have common methods of naming and referencing objects.  These standards also help ensure that vendors can develop products that operate over a broad range of platforms.

The three directory service standards we will survey are

  • X.500
    • EDS - Electronic Data Services standards, ISO 9594
    • designed to be used in conjunction with X.400 messaging services
    • directory structure is inverted tree
    • database is hierarchical
    • compliant directories have three primary components
      • DSA - Directory System Agent to manage directory data
      • DUA - Directory User Agent to give users access to services
      • DIB - Directory Information Base which acts as the central data store where directory information is kept
  • DAP - Directory Access Protocol
    • enables DUA to communicate with the DSA
    • defines how users can do the following
      • search
      • read
      • add
      • delete
      • modify
    • has fairly high overhead associated with operations
  • LDAP - Lightweight Directory Access Protocol
    • developed as subset of DAP to decrease operating overhead
    • specifications for LDAPv3 contained in RFC 2251
      • LDAP protocol model
      • LDAP data model
      • common elements
        • naming conventions
        • attribute types
        • descriptions
        • bind
        • search
        • add
        • delete
        • modify

LDAP-compatible directories use the standard X.500 naming conventions, which provide the following.

  • DN - Distinguished Name
    • looks like DC=net DC=tacteam OU=training CN=users CN=John Doe
    • where
      • DC = domain component name
      • OU = organizational unit
      • CN = common name
  • the capacity to denote the path to an object in the directory structure

Directory services such as Microsoft's Active Directory also use RDNs - Relative Distinguished Names, which are shorter versions of DNs.  The RDN is actually an attribute of the object.  For example, the RDN for the DN outlined above would be RDN = John Doe.  Two different objects can therefore have the same RDN, provided they are in different OUs or domains, but every DN must be unique.
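The DN and RDN rules above, as a small added Python illustration (not part of these notes): it parses LDAP string-form DNs, which list the leaf component first, derives the RDN and parent container, and enforces DN uniqueness while allowing the same RDN to recur in different containers.  The John Doe entries and the tacteam.net domain are the notes' sample values; the rest of the data is constructed.

```python
# Added example (not from the notes): parse LDAP string-form DNs, derive the RDN
# and parent DN, and enforce the two naming rules described above. The string
# form (RFC 4514) lists the leaf component first, so the DN the notes write
# root-first becomes "CN=John Doe,CN=users,OU=training,DC=tacteam,DC=net".
def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first; a backslash
    escapes the next character, so an escaped comma does not split."""
    comps, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2]); i += 2      # keep escape pair intact
            continue
        if dn[i] == ",":
            comps.append("".join(buf)); buf = []
        else:
            buf.append(dn[i])
        i += 1
    comps.append("".join(buf))
    pairs = []
    for comp in comps:
        attr, eq, val = comp.partition("=")
        if not eq or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN component: {comp!r}")
        pairs.append((attr.strip().upper(), val.strip()))
    return pairs

def rdn(dn):
    """The leaf component: the object's own name within its container."""
    attr, val = parse_dn(dn)[0]
    return f"{attr}={val}"

def parent_dn(dn):
    """Everything except the leaf: the container the object lives in."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])

def normalize(dn):
    """Canonical form for uniqueness: types upper-cased, values lower-cased."""
    return ",".join(f"{a}={v.lower()}" for a, v in parse_dn(dn))

class Directory:
    """Store that allows the same RDN in different containers but rejects
    a second object whose normalized DN already exists."""
    def __init__(self):
        self._objects = {}
    def add(self, dn):
        key = normalize(dn)
        if key in self._objects:
            raise ValueError(f"DN already exists: {dn}")
        self._objects[key] = dn
        return key
```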

LDAP first appeared at the University of Michigan.  Unlike DAP, it was designed to run over TCP, and it has since spread around the world.  LDAP services are available for Windows, Macintosh, UNIX and the X Window System.

Popular implementations include the following.

  • Banyan StreetTalk
  • Netscape Directory Server
  • AltaVista Directory
  • Lucent Internet Directory Server

These different implementations can interoperate even if they are developed by different vendors.

Both Novell NDS and Microsoft Active Directory support LDAP clients and use the X.500 naming conventions.  Whatever the reasons, neither is completely X.500 compliant.

DEN - Directory Enabled Networking has become an integral part of managing resources on enterprise networks.  Capabilities such as QoS - Quality of Service applications, groupware and other collaborative computing, and process automation have increased the importance of having a centralized repository that enables users and applications to share data.

The growth in e-commerce has also driven the increased use of directories.  For example, directories are used in the methods that encrypt and sign digital transactions.  These sorts of security methods are called PKI - Public Key Infrastructure.