Some Background on Directory Services
What are Directory Services?
Directory services provide an approach to enabling network operating systems to store and access information about network resources, accounts and services. Networks that operate based on directory services require two components.
When we use the term directories in the context of directory services, we are not using it in its more typical meaning as a reference to a location on a hard drive containing a collection of files grouped under an identifying name. Our present use of the term directories gives them a more general meaning relating to organizing information. They are special types of databases. For example, almost all of us make use of telephone directories.
In an object-oriented programming system, the directory contains objects that have attributes. For example, consider a user account contained in a directory such as Novell's NDS. This user account is an instance of an object that has attributes such as the user's name, the username, the account password, permissions on particular resources and so on.
For example, in a telephone directory there is an instantiation of a listing-type object for each person in the directory. The object has properties/attributes such as the name on the listing, the address, the phone number and whether or not the address should be listed. There are likely other attributes, but this should serve as another example.
Another directory that is likely to be contained in a directory service keeps track of printers on a network. There should be an instance of an object for each printer containing attributes/properties such as a unique identifier for each printer, its type, its location and so on.
To reiterate, now that we have more background, directory services provide ways to store, update, locate and secure information in a directory. They can be local (for a particular machine) or global (across a network). If the information associated with the service is spread across several machines, the directory service is said to be distributed.
Object classes define the attributes available for a class of objects and its place in the directory structure or hierarchy. The schema is the definition of the object classes, along with the required and allowed attributes for each. A particular NOS may enable an administrator to extend its existing schema or add new object classes and attributes.
Without something like directory services, one of the most common ways to let multiple users access resources on a network is through something called sharing. Sharing has several encumbering difficulties when used on networks, particularly as they grow.
Some of the major benefits of directory services are contained in the following list.
A directory namespace refers to the way in which each of the directory objects are uniquely identified. Some examples of namespaces include the following.
Namespaces, like all kinds of databases, can be flat-file, hierarchical, relational, multidimensional and so on. The most typical are either flat-file or hierarchical. Remember, Windows NT and NetWare 3.x made use of directory services based on flat files. Newer, more distributed directory services make use of hierarchical structures. These sorts of structures are usually represented by inverted trees.
In directory trees, objects can have parent objects and child objects. A parent object is directly above the object in a tree, a child object is directly below it. These concepts are illustrated in the following figure.
Notice how the naming convention includes the name of a parent within the name of each child. Objects U2C1 and U2C2 include the name of their parent object U2.
DNS - Domain Name System names are structured in a similar way as illustrated in the following diagram.
These likely represent servers within particular organizational categories and servers within the organizations. Those that are further from the public Internet are deeper in the
Directory Services Standards
In order to gain interoperability, different directory services need to have common methods of naming and referencing objects. These standards also help ensure that vendors can develop products that operate over a broad range of platforms.
The three services standards we will survey are
LDAP-compatible directories use the standard X.500 naming conventions. This produces
Directory services such as Microsoft's Active Directory can also use RDNs - Relative Distinguished Names, which provide shorter versions of DNs. The RDN is actually an attribute of the object. For example, the RDN for the DN outlined above would be RDN = John Doe. Thus it is possible to have two different objects with the same RDN, but they must reside in different OUs or domains, because every DN must be unique.
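The DN/RDN rules above, together with the parent/child relation from the tree figure, as an added example that is not part of the original notes: a small model of an X.500-style namespace in which the "CN=...,OU=...,DC=..." strings are constructed sample DNs, the split honours the backslash-escaped commas that real DNs allow, and DN comparison is simplified to case-insensitive string matching.

```python
# Added example, not the notes' own code. DN strings below are constructed samples.

def split_dn(dn):
    """Split a DN into its RDNs, treating a backslash-escaped comma as data, not a separator."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)  # keep the escape so the RDN text round-trips unchanged
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def rdn(dn):
    """The RDN is the leftmost (most specific) component of the DN."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """The parent is the DN with its leftmost RDN removed; the root has no parent."""
    parts = split_dn(dn)
    return ",".join(parts[1:]) if len(parts) > 1 else None

class Directory:
    """Every DN must be unique; the same RDN may recur under different parents."""
    def __init__(self):
        self.entries = {}

    def add(self, dn):
        key = dn.lower()  # simplification: case-insensitive DN comparison
        if key in self.entries:
            raise ValueError(f"duplicate DN: {dn}")
        self.entries[key] = dn
        return dn

    def children(self, parent):
        """Objects directly below `parent` in the tree (their name embeds the parent's name)."""
        return [d for d in self.entries.values()
                if (parent_dn(d) or "").lower() == parent.lower()]
```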
LDAP first appeared at the University of Michigan. Unlike DAP, it was designed to run over TCP and has spread around the world. LDAP services are available for Windows, Macintosh, UNIX, and the X Window System.
Popular implementations include the following.
These different implementations can interoperate even if they are developed by different vendors.
Both Novell NDS and Microsoft Active Directory support LDAP clients and use the X.500 naming conventions. For various practical reasons, neither is completely X.500 compliant.
DEN - Directory Enabled Networking has become an integral part of managing resources on enterprise networks. Capabilities to do things such as QoS - Quality of Service applications, groupware and other collaborative computing, and process automation have increased the importance of having a centralized repository that enables users and applications to share data.
The growth in e-commerce has also driven the increased use of directories. For example, directories are used in the methods that encrypt and sign digital transactions. These sorts of security methods are called PKI - Public Key Infrastructure.