
What's up in Directory Services?

PCQ Bureau

Every large enterprise has thousands of IT assets distributed across its various offices around the globe, and as a consequence, managing and keeping track of each resource (users, computers, printers, e-mail addresses, cellphone numbers, extension numbers, etc) along with the employee hierarchy is a major challenge. If things remained static, then over a period of time the organization could bring everything under control. Sadly, this is far from reality. Users come and go, hardware gets upgraded and replaced, and new applications are constantly deployed. How do you keep track of all these changes? If you keep everything on individual servers, it becomes a nightmare to manage them separately on each server. Let's look at the software side. Every organization provides its users with access to a variety of different applications: e-mail, ERP, CRM and many others. If you had to give each user a different username and password for each application, users would go mad trying to remember them all, and your support staff would go mad answering calls from hassled users. What's needed is something that smoothly integrates everything into a single place, be it your applications, hardware, users or organizational structure. That's where directory services come in. They are nothing new; in the good old days it was Novell that introduced the concept through its NDS (later called eDirectory), and Microsoft later adopted the same in its Active Directory Services. Today, a variety of other directory services exist. In this story, we'll revisit the concept of directory services and look at the key trends in this area. Basically, if used correctly, a directory service can become the information repository of an organization.

What is it?

In simple terms, a directory service is a database that stores and manages information about a company's hierarchical structure, including users, network resources, application data, etc. It is a service that identifies all network resources and serves them to users and applications. Ideally, a directory service acts as a transparent layer between the user and the company's IT resources (computers and connected peripherals), which can then be accessed seamlessly irrespective of location on the network. It is, therefore, a shared information repository for administering, managing, locating and organizing everyday items and network resources, and it has become an important component of most network operating systems today. In more complex cases, a directory service is the central information repository for a service delivery platform. For example, looking up 'computers' in a directory service might yield a list of available computers and the information needed to access them.


LDAP as a DS protocol

Every directory service has two key components: a database and LDAP (Lightweight Directory Access Protocol). The database holds all the information about the organization, whereas clients and other programs use LDAP to fetch information from it. LDAP is a simplified successor of the traditional X.500 protocol that provides exactly this functionality, and it has very rapidly become the first choice for enterprise-wide provision of user information and configuration data. It is also known as a DSA (Directory System Agent). LDAP lets you locate individuals and other resources such as files and devices on a network, whether on the Internet or on a corporate intranet, and whether or not you know the domain name, IP address or geography. LDAP has the following features, which make it popular across organizations.

a) Information is kept in a format that generates less protocol overhead while the client reads it over the network, giving faster access.

b) Interoperable LDAP implementations now exist on all platforms, including Windows, where it is referred to as Active Directory.

c) The data schema that LDAP uses is inherently flexible and scalable, unlike the 'rows and columns' schema of conventional databases. This means that storing multi-valued attributes such as multiple phone numbers and mail IDs becomes natural yet structured.

d) LDAP accommodates unstructured information easily, though not at the cost of relationships between entities, which are enforced by a tree-like structure.

For more on this, refer to What to do with Directory Services, which we carried in March 2006.
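The two properties in points c) and d), multi-valued attributes and the tree implied by each entry's distinguished name (DN), can be seen directly in LDIF, the text format LDAP servers use for import and export. The Python below is an added example, not code from the article or from any directory product; the LDIF entries, the domain example.com and every name in them are constructed for the illustration.

```python
"""Parse a small LDIF export and recover the directory tree from it.

Added example (not from the article).  The LDIF below is constructed:
the domain example.com and every name in it are assumptions.
"""
from collections import defaultdict

# Constructed LDIF sample: one organization, one OU, one person entry.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=asha,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: asha
cn: Asha Rao
sn: Rao
mail: asha@example.com
mail: asha.rao@example.com
telephoneNumber: +91 80 1234 5678
telephoneNumber: +91 98 7654 3210
title: Finance Manager
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for every entry in an LDIF string.

    Entries are separated by blank lines.  A line that starts with a space
    continues the previous one (LDIF folding).  A repeated attribute name
    appends another value: that is how LDAP stores multi-valued attributes
    such as several telephoneNumber or mail values on one entry.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn = None
        attrs = defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if name == "dn":
                dn = value.strip()
            else:
                attrs[name].append(value.strip())
        if dn is not None:
            entries[dn] = dict(attrs)
    return entries


def parent_dn(dn):
    """DN one level up the tree: drop the leftmost RDN.

    Assumes no escaped commas inside RDN values (true for the sample).
    """
    _, _, rest = dn.partition(",")
    return rest or None


def build_tree(entries):
    """Map each DN to its direct children, i.e. the tree the DNs imply."""
    children = defaultdict(list)
    for dn in entries:
        parent = parent_dn(dn)
        if parent in entries:
            children[parent].append(dn)
    return dict(children)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    person = directory["uid=asha,ou=People,dc=example,dc=com"]
    print("phones:", person["telephoneNumber"])   # two values, one attribute
    for parent, kids in build_tree(directory).items():
        print(parent, "->", kids)
```

The person entry carries two telephoneNumber values and two mail values without any change to the schema, and the tree is not stored anywhere: it falls out of the DNs, each of which names its parent by its suffix.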


Key challenges

Implementing directory services is not that easy for a large enterprise. A key challenge is taking the first step of drawing out a proper structure of your organization and then connecting all offices to the root or central office, with proper connectivity between them. Once the hierarchy is ready, you need to replicate it onto the directory service. Another challenge that IT managers face today is integrating multiple directory services, which happens when a company acquires another or there's a merger. If a directory service is used, then integrating all applications seamlessly across the organization and maintaining a common authentication and ID management mechanism becomes easy.


Key Trends

Today directory services are not only meant for retrieving organizational information; they are now used in a variety of applications. Let's explore the other areas and trends where directory services are used in a bigger way.

Single Sign On

In huge organizations, multiple applications run to serve various business processes, and it's difficult for a user to remember multiple user IDs and passwords for them. Plus, the administrator has to frequently reset passwords when users forget them. To overcome this, single sign-on came into existence, where a user has a single user name and password for all applications. Now a few directory services have incorporated single sign-on. This saves time and eliminates the use of multiple databases and password authentication methods for various applications; it uses a single repository for all kinds of authentication.


ID & presence mgmt

Identity and presence management is a concern for most organizations. Today everyone, including your employees, customers and even business partners, needs access to data (though the level of access differs at each level). In the current business scenario, organizations want to give access to more users in more ways, without compromising security. The correct approach to identity management makes this possible by enabling organizations to securely manage user identities in such a way that comprehensive security is provided to all users and can be easily monitored. The IT manager should know who has accessed what data and applications. Managing the presence of users through directory services builds transparency between the users in the organization; with it one can know the status of a co-worker. For example, a finance manager wants to know whether his accountant is in the office and, if not, where he can be reached. This is also integrated with compliance, through comprehensive auditing and reporting capabilities. ID management, in today's directory services, refers to the capabilities for provisioning resources, controlling access, managing directory services, creating reusable identity administration services to streamline collaborative application development, and delivering ID auditing data.

Security

To provide the right information to the right, authenticated users, you need to build a security system around your directory services. When information is communicated through LDAP, the connection between server and client needs to be protected; otherwise the information can be intercepted. This connection can be protected with SSL/TLS, depending on whether the client negotiates the use of TLS (Transport Layer Security) for the connection. Kerberos is another network authentication protocol, designed to provide strong authentication for client/server applications using secret-key cryptography. The idea is to have a single security mechanism, so that the administrator can manage the security of all applications from a single point.
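Whether an LDAP client is actually protected comes down to a handful of settings: the URI scheme (ldaps:// is encrypted from the first byte, while ldap:// is cleartext unless the client negotiates StartTLS) and whether the server certificate is verified against a trust anchor. The Python below is an added example, not code from the article or from any vendor; it audits nslcd.conf-style client configuration (the uri, ssl, tls_reqcert and tls_cacertfile directives of the nss-pam-ldapd client), and the three fragments, including the host ldap.example.com and the CA path, are constructed for the illustration.

```python
"""Audit nslcd.conf-style LDAP client settings for an unprotected connection.

Added example, not from the article.  Directive names follow nslcd.conf
(uri, ssl, tls_reqcert, tls_cacertfile, tls_cacertdir); the fragments, the
host ldap.example.com and the CA path are constructed.
"""
from urllib.parse import urlsplit

# Constructed fragment 1: plain LDAP, StartTLS never requested.
WEAK_CONF = """\
uri ldap://ldap.example.com
base dc=example,dc=com
tls_reqcert never
"""

# Constructed fragment 2: StartTLS is negotiated, but the certificate is
# not verified and no CA is configured, so the session can be intercepted.
PARTIAL_CONF = """\
uri ldap://ldap.example.com
base dc=example,dc=com
ssl start_tls
tls_reqcert never
"""

# Constructed fragment 3: LDAPS with certificate verification against a
# named CA file (the path is an assumption).
HARDENED_CONF = """\
uri ldaps://ldap.example.com
base dc=example,dc=com
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/corp-ca.pem
"""


def parse_conf(text):
    """Return {directive: [values]}; '#' starts a comment, directive names
    are case-insensitive and a repeated directive accumulates values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, []).append(value)
    return settings


def audit(text):
    """Return a list of (code, message) findings; an empty list is clean."""
    conf = parse_conf(text)
    findings = []
    ssl_mode = conf.get("ssl", ["off"])[0].lower()
    # libldap's default for TLS_REQCERT is 'demand' when nothing is set.
    reqcert = conf.get("tls_reqcert", ["demand"])[0].lower()
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    if not uris:
        findings.append(("NO_URI", "no uri directive, nothing to check"))
    uses_tls = False
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme == "ldapi":
            continue  # Unix-domain socket, never crosses the network
        if scheme == "ldaps" or ssl_mode in ("on", "start_tls"):
            uses_tls = True
        else:
            findings.append(("CLEARTEXT",
                             f"{uri}: LDAP in the clear, StartTLS not requested (ssl {ssl_mode})"))
    if uses_tls:
        if reqcert in ("never", "allow", "try"):
            findings.append(("NO_CERT_VERIFY",
                             f"tls_reqcert {reqcert}: server certificate is not verified"))
        if "tls_cacertfile" not in conf and "tls_cacertdir" not in conf:
            findings.append(("NO_CA",
                             "no tls_cacertfile/tls_cacertdir: no trust anchor for the server certificate"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("partial", PARTIAL_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, audit(text) or "OK")
```

The second fragment is the one that tends to slip through review: TLS is on, so the traffic looks encrypted on the wire, but with tls_reqcert never and no CA the client will accept any certificate, which is what the article's caveat about the client negotiating TLS is really about.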

Application Integration

Another interesting trend we are seeing today is that software developers are designing applications with built-in LDAP support, so that you can simply plug an application into your IT infrastructure. One just has to install the application as an IT resource and point it at the DS. For the rest, the application will take all its configuration and its user database from the directory service, without the need to manually recreate user names. Also, apps written with LDAP support offer user authentication from the enterprise directory server.
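An application that authenticates against the directory usually searches for the user's entry by login name and then binds as the DN it finds, using the password the user typed. The login name ends up inside an LDAP search filter, so it must be escaped the way RFC 4515 requires, and any DN built from user data must follow RFC 4514. The Python below is an added example, not code from the article or from any product; the attribute names, the base DN ou=People,dc=example,dc=com and the sample logins are assumptions.

```python
"""Escaping user input that goes into LDAP search filters and DNs.

Added example, not from the article.  Attribute names, the base DN and the
sample logins are assumptions.
"""

# RFC 4515: these characters must be hex-escaped inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                  "\x00": r"\00"}

# RFC 4514: these characters are escaped with a backslash inside a DN value.
DN_SPECIALS = set('"+,;<>\\')


def escape_filter_value(value):
    """Make a string safe to embed as an assertion value in a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Make a string safe to use as an RDN attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append(r"\00")
        elif ch == " " and i in (0, last):       # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:                # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def user_lookup_filter(login, uid_attr="uid", object_class="inetOrgPerson"):
    """Filter for step 1: find the entry whose uid equals the login name.

    Because the login is escaped, a value such as '*' matches only a
    literal asterisk instead of turning the filter into a wildcard.
    """
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, uid_attr, escape_filter_value(login))


def user_dn(login, base="ou=People,dc=example,dc=com", uid_attr="uid"):
    """DN to bind as in step 2 when people sit flat under one OU."""
    return "%s=%s,%s" % (uid_attr, escape_dn_value(login), base)


def credentials_look_usable(login, password):
    """Refuse to attempt a bind with an empty password.

    RFC 4513 defines a simple bind with a DN and an empty password as an
    unauthenticated bind; servers may treat it as anonymous and return
    success, so an application that forwards an empty password unchanged
    could 'log in' anyone.
    """
    return bool(login.strip()) and bool(password)


if __name__ == "__main__":
    print(user_lookup_filter("asha"))
    print(user_lookup_filter("*"))               # (uid=\2a): literal asterisk only
    print(user_dn("o'brien, sean"))
    print(credentials_look_usable("asha", ""))   # False
```

Most LDAP client libraries ship their own escaping helpers; the point of writing them out is to show exactly which characters matter in each context, since filter escaping and DN escaping use different rules and are not interchangeable.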

Benefits

Directory services, in a way, consolidate the IT resources of an organization. With IT objects like users, groups and peripherals in a centralized database, managing security and authentication for multiple applications becomes easy. With directory services in place, one does not need to manage redundant user accounts for every new deployment.

Plus, IT managers can decide security policies for all IT resources under the directory service. Multiple applications running in the organization can fetch configurations and security policies from the directory service. For example, which database an application accesses, and which types of data are exposed to the application from that database, can all be decided through the DS.

Therefore, the benefits of directory services are that they eradicate the need to keep duplicate data, give you a single point of management, and provide identity management, policy management as well as user profiling with the help of LDAP.



Types of DS

Network Information System: A network naming system by Sun Microsystems to manage smaller networks. In later versions, better security options and other improvements were made. In NIS, each host (server or client machine) connected to the network has complete information about every other host, and a user at any host can access applications and files from any host within the network with a single user ID and password. NIS has two components, a server and a client. The server runs the NIS services and the client runs a client library program to connect to them. It is designed for smaller networks and LANs.

Novell eDirectory: This is a product from Novell that combines LDAP (Lightweight Directory Access Protocol) with directory services to provide complete identity management. With it, organizations can manage security access and identities. Its core competency lies in providing secure identity management solutions and directory service administration across multi-platform network services. It can scale up to one billion identities and manages all the identities, resources, devices and policies of an organization. It also integrates with Red Carpet and offers installs, updates and patches to multiple servers as well as clients.

Red Hat Directory Server: Red Hat Directory Server, formerly known as Netscape Directory Server, is an LDAP-based product that offers a centralized data store for all user, application and network information. It has access controls that offer increased security across enterprise and extranet applications. An RHDS feature allows four-way multi-master replication of data across a LAN, bringing high availability and fail-over. It offers centralized management of people and their profiles, which reduces costs, and also offers single sign-on access to connected resources.

Open Directory Services / Apache Directory Services: Open Directory from Apple uses open-source technologies, like OpenLDAP and Kerberos, for flawless interoperability with other standards-based LDAP servers. The product can easily be integrated with proprietary services such as MS Active Directory and Novell's eDirectory. Its features include OpenLDAP, which provides directory services for mixed-platform environments. It uses a common language for directory access and allows you to consolidate information from various platforms and define a single name space for all network resources. Users can move between Windows and Mac while using single sign-on access to directory-based system and network resources across all platforms. It has a strong authentication server that uses a KDC (Kerberos Key Distribution Center), giving strong authentication with support for secure single sign-on. Apple has also integrated the NT Domain services of the open source Samba 3 project with Open Directory; this integration lets you host NT Domain services on Mac OS X Server v10.4. Coming to its reliability, it has a highly scalable database, which offers indexing of hundreds of user records for both high availability and performance.

Oracle Internet Directory: Combines the strength of the Oracle database and LDAP v3. This is an important module of the Oracle Application Server 10g management and security infrastructure. It offers high availability, security and Oracle Internet Directory's scalability features, and is meant for online service provider implementations. In addition, this directory service uses technologies such as multi-threaded LDAP processes, multi-process and database connection pooling, which permit tens of thousands of concurrent client requests while maintaining millisecond response. This ultimately offers high availability and high performance.

MS Active Directory: Comes bundled with Windows 2000/2003. Windows AD is LDAP compliant and is very easy to deploy and manage using the Windows management console. It supports interoperability between various directory services and can be integrated with most other directory service products. Using it, you can manage all IT resources from central locations.
