Some Better Known Directory Services


Directory Services.  Now that we have described some of the more general issues associated with directory services we will give an overview of two of the most popular.  The most widely used directory services are
  • Novell NDS
  • Microsoft Active Directory

Novell NDS.  Earlier versions of Novell NetWare such as 3.x make use of a directory database called a bindery.  Unfortunately, this works fairly well for security and other things on stand alone servers, but is extremely limited on larger networks.

With version 4.x, Novell introduced NDS - Network Directory Services which has a global database that is replicated between servers on the network.  Making use appropriately configured NDS a user can login to any server on the network and access the network's resources.

The database within NDS is hierarchical and arranges objects in an inverted tree.  It has two basic types of objects.

  • container objects - can contain other objects within it
  • leaf objects - endpoint of a branch - it represents the resource itself

Permissions and authorizations in NDS are assigned to OUs - Organizational Units.  Users and groups are placed into OUs.  A user's permissions can be changed by moving them from one OU to another.

Although NDS is generally associated  with Novell NetWare there are versions that run on all of the following platforms.

  • NetWare 4.x
  • NetWare 5.x
  • Microsoft Windows NT
  • Microsoft Windows 2000
  • IBM OS/390
  • Caldera OpenLinux
  • SCO Linux
  • Sun Solaris

Thus, NDS is Novell's directory service cross platform solution for integrated enterprise computing.

NDS enables at least the following protocols to access directory information.

  • NDAP - Novell Directory Access Protocol
  • LDAP
  • HTTP - when using a web server
  • ODBC - Open Database Connectivity APIs
  • ADSI - Active Directory Service Interface

Microsoft Active Directory.  Microsoft's approach to directory services, starting with Windows 2000, is similar to and different from Novell's NDS.  It generally more integrated into the overall operating system.  But it is also a distinct improvement over Microsoft's offerings previous to Windows 2000.

The Active Directory information works with three major components.

  • Active Directory database
    • this is the directory
  • Active Directory log files
    • these record changes made to the directory
  • Shared System Volume
    • Sysvol
    • this contains scripts and group policy objects on domain controllers

The logical structure of Active Directory is based on units called domains.  These domains are arranged in hierarchical domain trees.  These tree related concepts work differently in Active Directory from NDS.  In addition to these trees, forests can be built from domain trees.  These forests are developed as the result of a trust relationship.  This sort of relationship is represented in the following diagram.



All domains in the same tree and all trees in the same forest have an automatic implicit transitive trust.  With such trusts in place, users in one domain can access resources in other domains as long as their user accounts have the appropriate permissions.

Active Directory also makes use of OUs - Orgainzational Units to organize resources within domains.  In addition, authority can be delegated to individual OUs.  Active Directory also makes use of DNS naming conventions and relies on DNS in order to operate.  Thus there must be a DNS server on every Windows 2000 network.  In addition DNS zone updates can be integrated with Active Directory replications.  Windows 2000 also supports DDNS - Dynamic DNS.

In order to implement Active Directory, at least one server must be configured as the DC - Domain Controller.  It is also recommended that there are at least two DCs in each domain.  All DCs contain a copy of the Active Directory partition.  These copies are kept up to date through replication.  Replication is the process of copying data from one computer to others and synchronizing the data so that it is identical on all systems.

Sys admins can establish their own policies for when and how often replications take place.  Controlling replications is important for reducing operating overhead and making sure it doesn't overburden some links.

Each Active Directory has an ACL - Access Control List that contains all permissions associated with the object.  Permissions can be explicitly allowed or denied with fairly fine granularity.  There ar etwo main types of permissions.

  • Assigned permissions - those assigned by another user with the authority to do so.
  • Inherited permissions - permissions that are assigned to child objects because they are inherited from a parent object.

Permissions can be assigned at both a user and group level.  Sys admins can also control the inheritance process to a fairly large extent.

Active Directory is so tied in with the Windows operating system that it can only run with it in place.  On the other hand, all LDAP compatible products can interact with Active Directory.

Other Directory Services.  The following is a brief outline of other somewhat less widely used directory services.

  • IBM OS/400
    • part of the Secure Way Directory
    • LDAP compatible for AS/400 mainframes
    • runs on
      • OS/300
      • OS/400
      • AIX
      • Solaris
      • Windows NT
    • has client software that provides interoperability for Microsoft operating systems
  • SDS - Sun Directory Services
    • part of Solaris Easy Access Server
    • global directory that supports
      • global messaging
      • remote authentication
      • distributed directory to manage network resources
    • supports multiple protocols and aliases
    • directory is scalable to millions of entries
    • LDAPv3 compatible
    • access is through web browsers and Windows computers
    • management is done through a Java interface
  • Banyan VINES StreetTalk
    • LDAP compatible in more recent versions
    • runs  on
      • NetWare
      • UNIX
      • Windows NT
    • porting enables other networks to share a common directory with VINES networks
    • has dropped product support as of May 2000