Some Better Known Directory Services


Directory Services.  Now that we have described some of the more general issues associated with directory services, we will give an overview of the two most popular.  The most widely used directory services are:
  • Novell NDS
  • Microsoft Active Directory

Novell NDS.  Earlier versions of Novell NetWare, such as 3.x, make use of a directory database called a bindery.  The bindery works fairly well for security and other administration on stand-alone servers, but it is extremely limited on larger networks.

With version 4.x, Novell introduced NDS - Network Directory Services, which has a global database that is replicated between servers on the network.  With an appropriately configured NDS, a user can log in to any server on the network and access the network's resources.

The database within NDS is hierarchical and arranges objects in an inverted tree.  It has two basic types of objects:

  • container objects - can contain other objects
  • leaf objects - the endpoint of a branch; a leaf represents the resource itself

Permissions and authorizations in NDS are assigned to OUs - Organizational Units.  Users and groups are placed into OUs.  A user's permissions can be changed by moving them from one OU to another.

Although NDS is generally associated with Novell NetWare, there are versions that run on all of the following platforms:

  • NetWare 4.x
  • NetWare 5.x
  • Microsoft Windows NT
  • Microsoft Windows 2000
  • IBM AIX
  • IBM OS/390
  • Caldera OpenLinux
  • SCO Linux
  • Sun Solaris

Thus, NDS is Novell's directory service cross platform solution for integrated enterprise computing.

NDS allows directory information to be accessed through at least the following protocols and interfaces:

  • NDAP - Novell Directory Access Protocol
  • LDAP
  • HTTP - when using a web server
  • ODBC - Open Database Connectivity APIs
  • ADSI - Active Directory Service Interface

Microsoft Active Directory.  Microsoft's approach to directory services, starting with Windows 2000, has both similarities to and differences from Novell's NDS.  It is generally more integrated into the overall operating system.  It is also a distinct improvement over Microsoft's offerings prior to Windows 2000.

Active Directory information is held in three major components:

  • Active Directory database
    • this is the directory
  • Active Directory log files
    • these record changes made to the directory
  • Shared System Volume
    • Sysvol
    • this contains scripts and group policy objects on domain controllers

The logical structure of Active Directory is based on units called domains.  These domains are arranged in hierarchical domain trees.  These tree related concepts work differently in Active Directory from NDS.  In addition to these trees, forests can be built from domain trees.  These forests are developed as the result of a trust relationship.  This sort of relationship is represented in the following diagram.

[Diagram not reproduced: domain trees joined into a forest by a trust relationship]

All domains in the same tree and all trees in the same forest have an automatic implicit transitive trust.  With such trusts in place, users in one domain can access resources in other domains as long as their user accounts have the appropriate permissions.

Active Directory also makes use of OUs - Organizational Units to organize resources within domains.  In addition, authority can be delegated to individual OUs.  Active Directory also makes use of DNS naming conventions and relies on DNS in order to operate.  Thus there must be a DNS server on every Windows 2000 network.  In addition, DNS zone updates can be integrated with Active Directory replication.  Windows 2000 also supports DDNS - Dynamic DNS.

In order to implement Active Directory, at least one server must be configured as the DC - Domain Controller.  It is also recommended that there are at least two DCs in each domain.  All DCs contain a copy of the Active Directory partition.  These copies are kept up to date through replication.  Replication is the process of copying data from one computer to others and synchronizing the data so that it is identical on all systems.

Sys admins can establish their own policies for when and how often replications take place.  Controlling replications is important for reducing operating overhead and making sure it doesn't overburden some links.

Each Active Directory object has an ACL - Access Control List that contains all permissions associated with the object.  Permissions can be explicitly allowed or denied with fairly fine granularity.  There are two main types of permissions.

  • Assigned permissions - those assigned by another user with the authority to do so.
  • Inherited permissions - permissions that are assigned to child objects because they are inherited from a parent object.

Permissions can be assigned at both a user and group level.  Sys admins can also control the inheritance process to a fairly large extent.
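As an added illustration (not part of the original notes), the following Python models the container/leaf tree described for NDS together with the Active Directory permission rules above: assigned versus inherited ACEs, explicit deny overriding allow, and an administrator blocking inheritance at a container.  The object names, principals and rights are constructed for the example.

```python
"""Toy model of a directory tree with ACLs and permission inheritance (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ACE:
    principal: str        # user or group the entry applies to
    right: str            # e.g. "read" or "write"
    allow: bool           # True = explicitly allowed, False = explicitly denied
    inherit: bool = True  # whether child objects inherit this entry

@dataclass
class DirObject:
    name: str
    is_container: bool                      # container objects may hold children; leaves may not
    parent: Optional["DirObject"] = None
    acl: list = field(default_factory=list) # permissions assigned directly on this object
    block_inheritance: bool = False         # admin control: stop ACEs flowing down from above
    children: list = field(default_factory=list)

    def add_child(self, child: "DirObject") -> "DirObject":
        if not self.is_container:
            raise ValueError(f"{self.name} is a leaf object and cannot contain {child.name}")
        child.parent = self
        self.children.append(child)
        return child

def effective_aces(obj: DirObject) -> list:
    """Assigned ACEs plus inheritable ACEs from ancestors, walking up until inheritance is blocked."""
    aces = list(obj.acl)
    node = obj
    while node.parent is not None and not node.block_inheritance:
        node = node.parent
        aces.extend(a for a in node.acl if a.inherit)
    return aces

def is_allowed(obj: DirObject, principals: set, right: str) -> bool:
    """An explicit deny for any of the caller's principals wins; no matching ACE means no access."""
    matches = [a for a in effective_aces(obj) if a.principal in principals and a.right == right]
    if any(not a.allow for a in matches):
        return False
    return any(a.allow for a in matches)

# Constructed tree: domain root -> Sales OU -> a printer leaf object.
root = DirObject("corp", is_container=True)
sales = root.add_child(DirObject("Sales", is_container=True))
printer = sales.add_child(DirObject("SalesPrinter", is_container=False))
root.acl.append(ACE("Domain Admins", "write", allow=True))            # inherited by everything below
sales.acl.append(ACE("Sales Users", "read", allow=True))              # inherited within the OU
sales.acl.append(ACE("Contractors", "read", allow=False))             # inherited explicit deny
printer.acl.append(ACE("Sales Users", "write", allow=True, inherit=False))  # assigned on the leaf only
```

Moving a user between OUs changes which inherited entries apply to them, which is the mechanism the notes describe for changing a user's permissions.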

Active Directory is so tied in with the Windows operating system that it can only run with it in place.  On the other hand, all LDAP compatible products can interact with Active Directory.

Other Directory Services.  The following is a brief outline of other somewhat less widely used directory services.

  • IBM OS/400
    • part of the Secure Way Directory
    • LDAP compatible for AS/400 mainframes
    • runs on
      • OS/300
      • OS/400
      • AIX
      • Solaris
      • Windows NT
    • has client software that provides interoperability for Microsoft operating systems
  • SDS - Sun Directory Services
    • part of Solaris Easy Access Server
    • global directory that supports
      • global messaging
      • remote authentication
      • distributed directory to manage network resources
    • supports multiple protocols and aliases
    • directory is scalable to millions of entries
    • LDAPv3 compatible
    • access is through web browsers and Windows computers
    • management is done through a Java interface
  • Banyan VINES StreetTalk
    • LDAP compatible in more recent versions
    • runs on
      • NetWare
      • UNIX
      • Windows NT
    • porting enables other networks to share a common directory with VINES networks
    • has dropped product support as of May 2000