Some Better Known Directory Services
Now that we have described some of the more general issues associated with directory services, we will give an overview of two of the most popular. The most widely used directory services are:
Novell NDS. Earlier versions of Novell NetWare, such as 3.x, used a server-local directory database called the bindery. This works adequately for security and other purposes on a stand-alone server, but it is extremely limited on larger networks: each server keeps its own separate bindery, so user accounts and their rights have to be maintained on every server individually.
With version 4.x, Novell introduced NDS - NetWare Directory Services (later renamed Novell Directory Services), a global database that is replicated between servers on the network. With appropriately configured NDS a user logs in once to the network rather than to a particular server, and can then access the network's resources from any server.
The NDS database is hierarchical and arranges objects in an inverted tree, with the root at the top. It has two basic types of objects.
Permissions and authorizations in NDS are normally assigned to OUs - Organizational Units, and users and groups are placed into OUs. A user's effective permissions can therefore be changed simply by moving the user object from one OU to another. This is convenient for administration, but it also means that a user moved into the wrong container silently acquires whatever rights that container carries.
Although NDS is generally associated with Novell NetWare, there are versions that run on all of the following platforms.
NDS is thus Novell's cross-platform directory service for integrated enterprise computing.
NDS allows directory information to be accessed through at least the following protocols.
Microsoft Active Directory. Microsoft's approach to directory services, introduced with Windows 2000, shares many concepts with Novell's NDS but differs in important details. It is more tightly integrated into the operating system than NDS is into NetWare, and it is a distinct improvement over the flat domain model Microsoft offered prior to Windows 2000.
Active Directory information is organized around three major components.
The logical structure of Active Directory is based on units called domains. Domains are arranged in hierarchical domain trees, in which each child domain's DNS name is appended to its parent's. These tree-related concepts work differently in Active Directory than in NDS. In addition to trees, forests can be built from several domain trees: the trees in a forest share a common schema and configuration, and their root domains are joined by two-way transitive trusts. This sort of relationship is represented in the following diagram.
All domains in the same tree and all trees in the same forest have automatic two-way transitive trusts. With such trusts in place, users in one domain can access resources in other domains as long as their user accounts have been granted the appropriate permissions on those resources. The trust only makes the foreign account identifiable to the resource domain; it does not by itself grant any access.
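The distinction between a trust relationship and an actual grant of access is easy to lose in diagrams, so the following Python model, added here and not part of the original page, walks a constructed forest of domains. The domain names (corp.example, eu.corp.example, sub.example, partner.local) and the trust list are hypothetical; the model encodes the rules stated above: parent-child and tree-root trusts inside a forest are two-way and transitive, an external trust to a domain outside the forest is one-way and non-transitive, and access still requires a permission grant on top of a valid trust path.

```python
"""Model of Active Directory trust transitivity (added example, not page code).

A trust is recorded as (trusting_domain, trusted_domain, transitive).
A user from domain U can be granted access to a resource in domain R only
if R trusts U directly, or through a chain in which every hop is transitive.
"""
from collections import deque

# Constructed forest (hypothetical names):
#   corp.example (tree root) with child eu.corp.example,
#   sub.example as a second tree root in the same forest,
#   partner.local outside the forest, reached by a one-way external trust.
TRUSTS = [
    # (trusting, trusted, transitive)
    ("corp.example", "eu.corp.example", True),   # parent-child: two-way, transitive
    ("eu.corp.example", "corp.example", True),
    ("corp.example", "sub.example", True),       # tree-root trust: two-way, transitive
    ("sub.example", "corp.example", True),
    ("corp.example", "partner.local", False),    # external: one-way, non-transitive
]


def trust_path(resource_domain, user_domain, trust_list=TRUSTS):
    """Return the chain of domains through which resource_domain trusts
    user_domain, or None when no valid chain exists."""
    adj = {}
    for trusting, trusted, transitive in trust_list:
        adj.setdefault(trusting, []).append((trusted, transitive))

    if resource_domain == user_domain:
        return [resource_domain]

    # A direct trust is honoured whether or not it is transitive.
    for trusted, _ in adj.get(resource_domain, []):
        if trusted == user_domain:
            return [resource_domain, user_domain]

    # Multi-hop chains may only use transitive trusts; a non-transitive
    # external trust never extends to the trusting domain's parents/children.
    prev = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for nxt, transitive in adj.get(current, []):
            if not transitive or nxt in prev:
                continue
            prev[nxt] = current
            if nxt == user_domain:
                path = [nxt]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def can_access(resource_domain, user_domain, acl_grants_user, trust_list=TRUSTS):
    """Access requires both a trust path and an explicit grant on the resource."""
    return trust_path(resource_domain, user_domain, trust_list) is not None and acl_grants_user


if __name__ == "__main__":
    # Intra-forest: eu.corp.example trusts sub.example via the corp.example root.
    print(trust_path("eu.corp.example", "sub.example"))
    # External trust is one-way and does not chain to the child domain.
    print(trust_path("corp.example", "partner.local"))
    print(trust_path("eu.corp.example", "partner.local"))
    print(trust_path("partner.local", "corp.example"))
```

The third and fourth lookups are the ones that matter operationally: a partner.local account can be granted access in corp.example only, not in eu.corp.example, and nothing in corp.example can be authenticated by partner.local because the trust runs in one direction.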
Active Directory also makes use of OUs - Organizational Units to organize resources within domains, and administrative authority can be delegated at the level of individual OUs. Active Directory uses DNS naming conventions and relies on DNS in order to operate: clients locate domain controllers through DNS SRV records, so every Active Directory domain needs a DNS server that supports SRV records. DNS zones can be stored in Active Directory itself, in which case zone data is replicated along with the rest of the directory. Windows 2000 also supports DDNS - Dynamic DNS, which lets domain controllers and clients register their own records.
In order to implement Active Directory, at least one server must be configured as a DC - Domain Controller, and it is recommended that each domain has at least two DCs. Every DC holds a writable copy of its domain's partition of Active Directory. These copies are kept up to date through replication, the process of copying directory changes from one DC to the others and synchronizing them so that the data converges to the same state on all of them.
Sys admins can establish their own policies for when and how often replication takes place, typically by grouping DCs into sites and scheduling replication across the links between them. Controlling replication is important for reducing operating overhead and making sure it does not saturate slow links; it also bounds how long a change such as a password reset or account disablement takes to reach every DC.
Each Active Directory object has an ACL - Access Control List that contains all permissions associated with the object. Permissions can be explicitly allowed or denied with fairly fine granularity, down to individual attributes and operations on an object. There are two main types of permissions.
Permissions can be assigned to both individual users and groups. Sys admins can also control the inheritance of permissions from containers to the objects within them to a fairly large extent, including blocking inheritance on a particular object.
Active Directory is so tied to the Windows operating system that it runs only on Windows servers. On the other hand, any LDAP-compatible product can query and, given the right permissions, modify Active Directory, so the LDAP interface needs the same access controls and transport protection as the native Windows tools.
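Because the interaction between explicit and inherited allow/deny entries is where most access-control surprises in a directory come from, the following Python model, added here and not part of the original page, evaluates object permissions the way Windows evaluates a canonically ordered DACL: explicit deny, then explicit allow, then inherited deny, then inherited allow, stopping at the first decision. The object names (OU=Sales, CN=alice, CN=carol), group names and the three right bits READ, WRITE and RESET_PASSWORD are hypothetical stand-ins for real SIDs and access masks.

```python
"""Model of Active Directory object permissions and inheritance (added example).

Windows evaluates a canonical DACL in this order:
  explicit deny, explicit allow, inherited deny, inherited allow
and stops at the first ACE that decides the request. Consequently an explicit
allow on an object overrides a deny inherited from its OU.
"""
from dataclasses import dataclass, field

# Hypothetical access-mask bits standing in for real AD rights.
READ, WRITE, RESET_PASSWORD = 0x1, 0x2, 0x4


@dataclass
class ACE:
    principal: str          # user or group name (stands in for a SID)
    allow: bool             # True = allow ACE, False = deny ACE
    rights: int             # bitmask of READ / WRITE / RESET_PASSWORD
    inherited: bool = False


@dataclass
class ADObject:
    dn: str
    dacl: list = field(default_factory=list)
    protect_from_inheritance: bool = False


def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(obj, token, requested):
    """token: set of principal names the caller holds (the user plus its groups).
    Returns True only if every requested right is granted before any deny hits."""
    remaining = requested
    for ace in canonical(obj.dacl):
        if ace.principal not in token:
            continue
        if not ace.allow:
            if ace.rights & remaining:
                return False          # a matching deny on a still-needed right wins
        else:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return False                      # implicit deny: nothing granted what was asked


def inherit(parent, child):
    """Propagate the parent's ACEs to the child as inherited ACEs,
    unless the child has been protected from inheritance."""
    if child.protect_from_inheritance:
        return child
    own = [a for a in child.dacl if not a.inherited]
    child.dacl = own + [ACE(a.principal, a.allow, a.rights, inherited=True)
                        for a in parent.dacl]
    return child


def build_demo():
    """Constructed scenario: an OU with delegated rights and two user objects."""
    sales = ADObject("OU=Sales", [
        ACE("Domain Admins", True, READ | WRITE | RESET_PASSWORD),
        ACE("Helpdesk", True, RESET_PASSWORD),      # delegated password resets
        ACE("Contractors", False, WRITE),            # contractors may not write
    ])
    alice = ADObject("CN=alice,OU=Sales", [
        ACE("Contractors", True, WRITE),             # explicit allow on one object
    ])
    carol = ADObject("CN=carol,OU=Sales")
    dave = ADObject("CN=dave,OU=Sales", protect_from_inheritance=True)
    for user in (alice, carol, dave):
        inherit(sales, user)
    return sales, alice, carol, dave


def demo_results():
    sales, alice, carol, dave = build_demo()
    helpdesk = {"bob", "Helpdesk"}
    contractor = {"eve", "Contractors"}
    admin = {"admin", "Domain Admins"}
    return {
        "helpdesk_reset_alice": access_check(alice, helpdesk, RESET_PASSWORD),
        "helpdesk_write_alice": access_check(alice, helpdesk, WRITE),
        "contractor_write_alice": access_check(alice, contractor, WRITE),  # explicit allow beats inherited deny
        "contractor_write_carol": access_check(carol, contractor, WRITE),  # inherited deny applies
        "admin_write_carol": access_check(admin, carol, READ | WRITE) if False else access_check(carol, admin, READ | WRITE),
        "admin_write_dave": access_check(dave, admin, READ | WRITE),       # inheritance blocked, nothing granted
    }


if __name__ == "__main__":
    for name, granted in demo_results().items():
        print(f"{name}: {'granted' if granted else 'denied'}")
```

Two results are worth noticing when auditing a real directory: the contractor who is denied WRITE at the OU level can still write to alice because the explicit allow on her object is evaluated before the inherited deny, and the object protected from inheritance denies even Domain Admins until someone adds explicit entries to it.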
Other Directory Services. The following is a brief outline of other, somewhat less widely used, directory services.