Advertisment
Trends Watch

What to do with Directory Services

author-image
PCQ Bureau
New Update

Enterprises, whatever their size and scale, require to

maintain an 'information directory' of some sort. Beginning with simple

information hives like addressbooks to large complicated multi-tiered

distributed hives that describe hardware, configuration of network services,

authentication and authorization data, a  'directory service' has now

become a part of every organization's IT infrastructure.  Apart from

storing personal details about people, a directory is also used to store their

'digital personality'-what applications do they have access to, what

attributes will identify them, mail delivery strategies and public keys of the

user if any.

Advertisment
Direct

Hit!
Applies

to: Linux administrators
USP:

Manage resources efficiently in a hierarchical structure
Links:

http://directory.fedora.redhat.com 
Google

keywords: LDAP, FDS and ADS

Directories are now increasingly used to define not just

users but also the services consumed. Most Unix and Windows services are

configured from flat plain-text files or simple one-file databases. Each service

has its own file format and configuration parameters that vary from one product

to another even for the same service. This tradition has come under considerable

stress for several reasons: product specific configuration leads to considerable

challenges during migration. Even migrating a mail service from Sendmail to

qMail or Postfix for example, requires rewriting around 13 configuration files.

And there is no one-to-one correspondence between features and configuration

variables to make the transition smooth. Changing the authenticating platform

from Windows to Unix or the other way round is even more scary. To complicate

matters, service configurations are rarely static. Multiple mail delivery

mechanisms for traveling and other groups who require frequent changes in their

user attributes, frequent changes to application access control and role

management for disparate applications that change periodically, are all part and

parcel of the problem. As configuration files become larger and larger, the

retrieval of per-user configuration parameters from plain-text files begins to

affect performance. A half-way solution adopted by several applications--of

compiling plain text configuration files into read optimized binary db files --

has not eased service administration since each time a new user is added or a

configuration change affected, the administrator has to re-compile the

configuration files and restart or reload the service.

Advertisment

What is required is a solution for storing user

information/configuration that is easy to administer, has little performance

overhead and one that can be accessed by multiple baseline services

(authentication, application access control, user-specific mail delivery and

gateway proxy services) from a common information store. The Lightweight

Directory Access Protocol (LDAP , current version 3) — a simplified descendant

of the traditional X.500 protocol provides exactly this functionality and has

very rapidly become the first choice for enterprise wide user

information/configuration data provision. The chief reasons for this recent rise

in the popularity of LDAP are:

  • Reasonably inter-operable LDAP implementations are

    available on all platforms including Windows, where it is referred to as the

    Active Directory.

  • Information is stored in a format that is optimized for

    reads, with very little protocol overheads. LDAP data retrievals are fast

    and often compensate for WAN latencies

  • Almost all enterprise grade network services are now

    'LDAP aware.'

  • The data schema that LDAP uses is inherently flexible

    and scalable unlike the 'rows and columns' schema of conventional

    databases. This means that storing multi-valued parameters such as multiple

    phone numbers and  mail ids) become natural yet structured.

  • The ease of accommodating unstructured information is

    not at the cost of relationships between the entities — which are enforced

    by a 'tree-like' structure.

  • While LDAP allows a flexible scheme; there is a fairly

    well respected name-space convention (attributes must have well defined

    names ) that must be certified by the IANA for seamless interoperability.

  • Large sections of a Directory Information Tree can be

    moved and physically located at remote locations, yet managed from a single

    administrative location. This feature, if properly designed and deployed,

    gives remote locations a significant degree of autonomy to manage and update

    information services and make this information available transparently to

    all other locations as if it were centrally managed.

Fedora Directory Server for Linux

There are several products that provide Directory

Services with varying degree of compliance with LDAP v3. The most popular

Open Source LDAP server today is OpenLDAP-a descendant of the



University

of

Michigan LDAP



server). Another product that is fast catching up is the recently open

sourced Netscape/iPlanet Directory Server (available as a free download

bundle called the 'Fedora Directory Server' for Redhat EL3/4 as well

as Fedora Core. There are several advantages that make the Fedora

Directory Service (FDS) ideally suitable for enterprise deployment over

similarly placed



LDAP products:

  • The Fedora Directory Server's dual-faced past,

    as a premium commercial (Netscape/iPlanet) Directory Server that

    branched out of the



    University

    of

    Michigan



    open-source product,  has

    provided it with the best features of both development styles.

  • The Fedora Directory Server comes with a

    Directory Administration Server -a single point of management for

    multiple directory servers. This product allows the administration

    (backup, restore, replicate, edit) of root and branch directory

    servers at remote locations from a single GUI application.

  • Its ability to interoperate with the Windows

    Active Directory Server (ADS) -given its commercial legacy-marks

    it ahead of all other Unix based

Directory services. The FDS supports a native Windows

NT User schema

allowing administrators to duplicate Windows Domain

User attributes in a Unix environment and allow any service to access

these attributes and their values transparently. The ADS can then be

configured to only authenticate

domain logins freeing a significant amount of

performance bandwidth for the Windows server's core function.

  •  The

    FDS default schema can be extended using an intuitive point and click

    GUI to seamlessly integrate proprietary schemas of third-party

    applications.

  • The FDS is more LDAP v3 compliant than other

    products for Unix  environments with bindings for Perl, PHP and

    Java which are currently in use at GPI, in addition to a very powerful

    scripting language for batch jobs.

Gurunandan Bhatt

Advertisment