Subscribe

0

Advertisment
Trends Watch

What to do with Directory Services

author-image
PCQ Bureau
New Update

Enterprises, whatever their size and scale, require to
maintain an 'information directory' of some sort. Beginning with simple
information hives like addressbooks to large complicated multi-tiered
distributed hives that describe hardware, configuration of network services,
authentication and authorization data, a  'directory service' has now
become a part of every organization's IT infrastructure.  Apart from
storing personal details about people, a directory is also used to store their
'digital personality'-what applications do they have access to, what
attributes will identify them, mail delivery strategies and public keys of the
user if any.

Advertisment
Direct
Hit!
Applies
to: Linux administrators
USP:
Manage resources efficiently in a hierarchical structure
Links:
http://directory.fedora.redhat.com 
Google
keywords: LDAP, FDS and ADS

Directories are now increasingly used to define not just
users but also the services consumed. Most Unix and Windows services are
configured from flat plain-text files or simple one-file databases. Each service
has its own file format and configuration parameters that vary from one product
to another even for the same service. This tradition has come under considerable
stress for several reasons: product specific configuration leads to considerable
challenges during migration. Even migrating a mail service from Sendmail to
qMail or Postfix for example, requires rewriting around 13 configuration files.
And there is no one-to-one correspondence between features and configuration
variables to make the transition smooth. Changing the authenticating platform
from Windows to Unix or the other way round is even more scary. To complicate
matters, service configurations are rarely static. Multiple mail delivery
mechanisms for traveling and other groups who require frequent changes in their
user attributes, frequent changes to application access control and role
management for disparate applications that change periodically, are all part and
parcel of the problem. As configuration files become larger and larger, the
retrieval of per-user configuration parameters from plain-text files begins to
affect performance. A half-way solution adopted by several applications--of
compiling plain text configuration files into read optimized binary db files --
has not eased service administration since each time a new user is added or a
configuration change affected, the administrator has to re-compile the
configuration files and restart or reload the service.

Advertisment

What is required is a solution for storing user
information/configuration that is easy to administer, has little performance
overhead and one that can be accessed by multiple baseline services
(authentication, application access control, user-specific mail delivery and
gateway proxy services) from a common information store. The Lightweight
Directory Access Protocol (LDAP , current version 3) — a simplified descendant
of the traditional X.500 protocol provides exactly this functionality and has
very rapidly become the first choice for enterprise wide user
information/configuration data provision. The chief reasons for this recent rise
in the popularity of LDAP are:

  • Reasonably inter-operable LDAP implementations are
    available on all platforms including Windows, where it is referred to as the
    Active Directory.

  • Information is stored in a format that is optimized for
    reads, with very little protocol overheads. LDAP data retrievals are fast
    and often compensate for WAN latencies

  • Almost all enterprise grade network services are now
    'LDAP aware.'

  • The data schema that LDAP uses is inherently flexible
    and scalable unlike the 'rows and columns' schema of conventional
    databases. This means that storing multi-valued parameters such as multiple
    phone numbers and  mail ids) become natural yet structured.

  • The ease of accommodating unstructured information is
    not at the cost of relationships between the entities — which are enforced
    by a 'tree-like' structure.

  • While LDAP allows a flexible scheme; there is a fairly
    well respected name-space convention (attributes must have well defined
    names ) that must be certified by the IANA for seamless interoperability.

  • Large sections of a Directory Information Tree can be
    moved and physically located at remote locations, yet managed from a single
    administrative location. This feature, if properly designed and deployed,
    gives remote locations a significant degree of autonomy to manage and update
    information services and make this information available transparently to
    all other locations as if it were centrally managed.

Fedora Directory Server for Linux

There are several products that provide Directory
Services with varying degree of compliance with LDAP v3. The most popular
Open Source LDAP server today is OpenLDAP-a descendant of the

University
of
Michigan LDAP

server). Another product that is fast catching up is the recently open
sourced Netscape/iPlanet Directory Server (available as a free download
bundle called the 'Fedora Directory Server' for Redhat EL3/4 as well
as Fedora Core. There are several advantages that make the Fedora
Directory Service (FDS) ideally suitable for enterprise deployment over
similarly placed

LDAP products:

  • The Fedora Directory Server's dual-faced past,
    as a premium commercial (Netscape/iPlanet) Directory Server that
    branched out of the

    University
    of
    Michigan

    open-source product,  has
    provided it with the best features of both development styles.

  • The Fedora Directory Server comes with a
    Directory Administration Server -a single point of management for
    multiple directory servers. This product allows the administration
    (backup, restore, replicate, edit) of root and branch directory
    servers at remote locations from a single GUI application.

  • Its ability to interoperate with the Windows
    Active Directory Server (ADS) -given its commercial legacy-marks
    it ahead of all other Unix based

Directory services. The FDS supports a native Windows
NT User schema
allowing administrators to duplicate Windows Domain
User attributes in a Unix environment and allow any service to access
these attributes and their values transparently. The ADS can then be
configured to only authenticate
domain logins freeing a significant amount of
performance bandwidth for the Windows server's core function.

  •  The
    FDS default schema can be extended using an intuitive point and click
    GUI to seamlessly integrate proprietary schemas of third-party
    applications.

  • The FDS is more LDAP v3 compliant than other
    products for Unix  environments with bindings for Perl, PHP and
    Java which are currently in use at GPI, in addition to a very powerful
    scripting language for batch jobs.
Advertisment

Gurunandan Bhatt

Advertisment

Stay connected with us through our social media channels for the latest updates and news!

Follow us: