What's up in Directory Services?

PCQ Bureau

Every large enterprise has thousands of IT assets distributed across its
various offices around the globe, and as a consequence, managing and keeping
track of each resource (users, computers, printers, e-mail addresses, cellphone
numbers, extension numbers, etc) along with the employee hierarchy is a major
challenge. If things remained static, then over a period of time the
organization could bring everything under control. Sadly, this is far from
reality. Users come and go, hardware gets upgraded and replaced, new
applications are constantly deployed. How do you keep track of all these
changes? If you keep everything on individual servers, it becomes a nightmare
to manage them separately on each server. Let's look at the software side.
Every organization provides its users with access to a variety of different
applications. There's email, ERP, CRM, and many others. If you had to give each
user a different username and password for each application, users would go mad
trying to remember them all, and your support staff would go mad answering calls
from hassled users. What's needed is something that can smoothly integrate
everything into a single place, be it your applications, hardware, users,
organizational structure, etc. That's where directory services come in. These
are nothing new; in fact, in the good old days it was Novell who introduced this
concept through its NDS (later called eDirectory). Later, Microsoft adopted the
same in its Active Directory Services. Today, a variety of other directory
services exist. In this story, we'll revisit the concept of directory services
and look at the key trends in this area. Basically, if used correctly, a
directory service can become the information repository of an organization.

What is it?

In simple terms, a directory service is nothing but a database that stores and
manages information about a company's hierarchical structure, which includes
users, network resources, application data, etc. It is a service that identifies
all network resources and serves them to users and applications. Ideally, a
directory service acts as a transparent layer between the user and the company's
IT resources (computers and connected peripherals), which can then be accessed
seamlessly irrespective of location on the network. It is, therefore, a shared
information repository for administering, managing, locating and organizing
everyday items and network resources, and it has become an important component
of most Network Operating Systems today. In more complex cases, a directory
service is the central information repository for a Service Delivery Platform.
For example, looking up 'computers' in a directory service might yield a list of
available computers along with the information needed to access them.

LDAP as a DS protocol

Every directory service has two key components: a database and LDAP (Lightweight
Directory Access Protocol). The database holds all information about the
organization, whereas clients and other programs use LDAP to fetch information
from this database. LDAP is a simplified successor of the traditional X.500
protocol that provides exactly this functionality, and it has very rapidly
become the first choice for enterprise-wide provision of user information and
configuration data. It's also known as DSA (Directory System Agent). LDAP lets
you locate individuals and other resources such as files and devices in a
network, whether on the Internet or on a corporate intranet, and whether or not
you know the domain name, IP address or geography. LDAP has the following
features, which make it popular across organizations.

a) Information is kept in a format that generates less protocol overhead when a
client reads it over the network, which gives faster access.

b) Interoperable LDAP implementations are now available on all platforms,
including Windows, where the LDAP directory is referred to as Active Directory.

c) The data schema that LDAP uses is inherently flexible and scalable, unlike
the 'rows and columns' schema of conventional databases. This means that storing
multi-valued attributes such as multiple phone numbers and mail IDs becomes
natural yet structured.

d) LDAP easily accommodates unstructured information, though not at the cost of
relationships between entities, which are enforced by a 'tree-like' structure.

For more on this, refer to 'What to do with Directory Services', which we
carried in March 2006.
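To make points c) and d) concrete, here is a small added example (written for this page, not code from the original article): it parses a constructed LDIF sample into entries whose attributes are all lists, so two mail addresses or two phone numbers need no special schema, and then walks the tree that the DNs define. The sample data, the function names and the DN splitting are my own; splitting a DN on commas assumes no escaped commas in attribute values, a simplification of the real DN grammar.

```python
"""Added example: LDIF entries with multi-valued attributes, and the DN tree."""
import base64

# Constructed sample: a tiny directory tree in LDIF format. Every name, address
# and phone number here is made up for this example.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Corp

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Anita Smith
sn: Smith
mail: asmith@example.com
mail: anita.smith@example.com
telephoneNumber: +91 80 1234 5678
telephoneNumber: +91 98 7654 3210
description:: QmFzZTY0LWVuY29kZWQgdmFsdWU=
"""


def parse_ldif(text):
    """Return {dn: {attribute: [values]}}. Every attribute is a list, so a
    multi-valued attribute is just a list with more than one element."""
    entries = {}
    for block in text.strip().split("\n\n"):
        # LDIF folds long values onto continuation lines that start with a space.
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" carries a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn line")
        entries[dn] = attrs
    return entries


def parent_dn(dn):
    """Parent of a DN: drop the leftmost RDN (assumes no escaped commas)."""
    _, sep, rest = dn.partition(",")
    return rest if sep else None


def children(entries, dn):
    """DNs of the entries directly beneath dn in the tree."""
    return sorted(e for e in entries if parent_dn(e) == dn)


def lookup(entries, attribute, value):
    """DNs whose attribute contains value: the kind of search an LDAP client
    issues, done here against the in-memory copy of the directory."""
    return sorted(dn for dn, attrs in entries.items()
                  if value in attrs.get(attribute, []))


def print_tree(entries, dn, depth=0):
    """Render the hierarchy enforced by the DNs, one entry per line."""
    print("  " * depth + dn)
    for child in children(entries, dn):
        print_tree(entries, child, depth + 1)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print_tree(directory, "dc=example,dc=com")
    print(directory["uid=asmith,ou=people,dc=example,dc=com"]["mail"])
    print(lookup(directory, "telephoneNumber", "+91 98 7654 3210"))
```

Running it prints the three-level tree under dc=example,dc=com, the two mail values of the user entry, and the DN that owns the second phone number; the same tree structure is what lets a directory keep unstructured per-entry attributes while still enforcing the parent-child relationships between organization, unit and person.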

Key challenges

Implementing directory services is not that easy for a large enterprise. A key
challenge is taking the first step of drawing out a proper structure of your
organization and then connecting all offices to the root or central office,
with proper connectivity between them.

Once the hierarchy is ready, you need to replicate it on to the directory
service. Another challenge that IT managers face today is integrating multiple
directory services, which happens when a company acquires another or there's a
merger. If a directory service is used, then integrating all applications
seamlessly across it and maintaining a common authentication and ID management
mechanism becomes easy.

Key Trends

Today directory services are not only meant for retrieving organizational
information; they are now used in a variety of applications. Let's explore the
other areas and trends where directory services are used in a bigger way.

Single Sign On

In huge organizations, multiple applications are running to serve various
business processes, and it's difficult for a user to remember multiple user IDs
and passwords for multiple applications. Plus, the administrator has to
frequently reset user passwords when users forget them. To overcome this, single
sign-on came into existence, where a user has a single user name and password
for all applications. Now a few directory services have incorporated Single Sign
On. This saves time and eliminates the use of multiple databases and password
authentication methods for various applications; a single repository serves all
kinds of authentication.

ID & presence mgmt

Identity and presence management is an issue of concern for most organizations.
Today everyone, including your employees, customers and even business partners,
needs access to data (though the level of access differs at each level). In the
current business scenario, organizations want to give access to more users in
more ways, without compromising security. The correct approach to identity
management makes this possible by enabling organizations to securely manage user
identities in such a way that comprehensive security is given to all users and
can be easily monitored. The IT manager should know who has accessed what data
and applications. Managing the presence of users through directory services
builds transparency between users in the organization; with this one can know
the status of a co-worker. For example, a finance manager wants to know whether
his accountant is in the office and, if not, where he can be reached. Plus, this
is also integrated with compliance, through comprehensive auditing and reporting
capabilities. ID management, in today's directory service, refers to the
capabilities for provisioning resources, controlling access, managing directory
services, creating reusable identity administration services to streamline
collaborative application development, and delivering ID auditing data.

Security

Well, to provide the right information to the right, authenticated users, you
need to build a security system around your directory services. When information
is communicated through LDAP, the connection between server and client needs to
be protected; otherwise the information can be intercepted. This connection can
be protected with SSL/TLS, depending on whether the client negotiates the use of
TLS (Transport Layer Security) for the connection. Kerberos is another network
authentication protocol, designed to provide strong authentication for
client/server applications using secret-key cryptography. The idea is to have a
single security mechanism, so that the administrator can manage the security of
all applications from a single point.
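The following added example (written for this page, not from the original article) shows why the LDAP connection needs protecting and what the client-side negotiation looks like. It encodes an LDAP simple bind request in BER exactly as the LDAP v3 specification (RFC 4511) lays it out, so you can see that without TLS the password travels verbatim in the PDU; it encodes the StartTLS extended request a client sends to negotiate TLS before binding; and it builds the hardened client TLS context a directory-aware application should use. The function names and the sample DN and password are my own; the OID 1.3.6.1.4.1.1466.20037 is the standard StartTLS OID.

```python
"""Added example: LDAP simple bind on the wire, StartTLS request, TLS context."""
import ssl

OID_STARTTLS = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation, RFC 4511


def ber_length(n):
    """BER definite-form length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value):
    """Non-negative INTEGER, enough for protocol versions and message IDs."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return tlv(0x02, body)


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    BindRequest is [APPLICATION 0] (tag 0x60); simple auth is [0] (tag 0x80)."""
    bind = (ber_integer(3)
            + tlv(0x04, bind_dn.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, ber_integer(message_id) + tlv(0x60, bind))


def starttls_request(message_id):
    """ExtendedRequest [APPLICATION 23] (tag 0x77) whose requestName [0]
    (tag 0x80) is the StartTLS OID; a client sends this before it binds."""
    ext = tlv(0x80, OID_STARTTLS.encode("ascii"))
    return tlv(0x30, ber_integer(message_id) + tlv(0x77, ext))


def credential_visible(pdu, password):
    """True when the password bytes appear verbatim in the PDU. This is the
    exposure an LDAP session has on the network until TLS is negotiated."""
    return password.encode("utf-8") in pdu


def ldap_tls_context(ca_file=None):
    """Client context for ldaps:// or for the socket after StartTLS: verify the
    server certificate and hostname, and refuse anything older than TLS 1.2.
    ca_file is the CA bundle that signed the directory server's certificate
    (None falls back to the system trust store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed sample credentials; nothing is sent anywhere.
    bind = simple_bind_request(1, "uid=asmith,ou=people,dc=example,dc=com", "s3cret")
    print("bind request :", bind.hex())
    print("password visible in plaintext PDU:", credential_visible(bind, "s3cret"))
    print("StartTLS req :", starttls_request(2).hex())
    ctx = ldap_tls_context()
    print("TLS min version:", ctx.minimum_version.name, "hostname check:", ctx.check_hostname)
```

The hex dump of the bind request makes the point plainly: the DN and password are readable bytes, which is why the client must negotiate StartTLS (or connect over ldaps://) before sending the bind. The context returned by `ldap_tls_context` is what you would hand to `ssl.SSLContext.wrap_socket` on the LDAP socket once the server has answered the StartTLS request with success.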

Application Integration

Another interesting trend we are seeing today is that software developers are
designing applications with built-in LDAP support, so that you can simply plug
an application into your IT infrastructure. One just has to install the
application as an IT resource and point it to the DS.

For the rest, applications take all their configuration and user data from the
directory service, without the need to manually recreate user names. Also, apps
written with LDAP support can authenticate users against the enterprise
directory server.

Benefits

Directory Services, in a way, consolidate the IT resources of an organization.
With a centralized database of IT objects like users, groups and peripherals,
managing security and authentication for multiple applications becomes easy.
With directory services in place, one does not need to manage redundant users
for every new deployment.

Plus, IT managers can define security policies for all IT resources under the
directory service. Multiple applications running in the organization can fetch
their configuration and security policies from the directory service. For
example, access to a database by an application, and the types of data to be
exposed to the application from that database, can all be decided through a DS.

Therefore, the benefits of directory services are that they eradicate the need
to keep duplicate data, give you a single point of management, and provide
identity management, policy management and user profiling with the help of LDAP.


Types of DS

Network Information System: A network naming system by Sun Microsystems to
manage smaller networks. In later versions, better security options and other
improvements were made. In NIS, each host, server or client machine connected to
the network has complete information about the others, and a user at any host
can access applications and files from any host within the network with a single
user ID and password. NIS has two components: a server and a client. The server
runs the NIS services and the client runs a client library program to connect to
them. It is designed for smaller networks and LANs.

Novell eDirectory: This is a product from Novell that combines LDAP (Lightweight
Directory Access Protocol) with directory services to provide complete identity
management. With this, organizations can manage security access and identities.
Its core competency lies in providing secure identity management solutions and
directory service administration on multi-platform network services.

It can scale up to one billion identities and manages all identities, resources,
devices and policies of an organization. It also integrates with Red Carpet and
offers installs, updates and patches to multiple servers as well as clients.

Red Hat Directory Services: Red Hat Directory Server, formerly known as Netscape
Directory Server, is an LDAP-based directory that offers a centralized data
store for all users, applications and network information. It has access
controls that offer increased security across enterprise and extranet
applications. RHDS supports four-way multi-master replication of data across a
LAN, which brings high availability and fail-over. It offers centralized
management of people and their profiles, which reduces costs, and it also offers
single sign-on access to connected resources.


Open Directory Services / Apache Directory Services: Open Directory Services
from Apple uses open-source technologies like OpenLDAP and Kerberos for
flawless interoperability with other standards-based LDAP servers. The product
can easily be integrated with proprietary services such as MS Active Directory
and Novell's eDirectory. Its features include OpenLDAP, which provides directory
services for mixed-platform environments. It uses a common language for
directory access and allows you to consolidate information from various
platforms and define a single name space for all network resources. Users can
move between Windows and Mac while using single sign-on access to
directory-based system and network resources across all platforms. It has a
strong authentication server that uses a KDC (Kerberos Key Distribution
Center), which gives you strong authentication with support for secure single
sign-on. Apple has also integrated the NT Domain services of the open source
Samba 3 project with Open Directory; this lets you host NT Domain services on
Mac OS X Server v10.4. As for reliability, it has a highly scalable database,
which offers indexing of hundreds of user records for both high availability
and performance.

Oracle Internet Directory: Combines the strength of the Oracle database with
LDAP v3. It is an important module of the Oracle Application Server 10g
management and security infrastructure. In addition, it offers high
availability, security and Oracle Internet Directory's scalability features,
and is meant for online service provider implementations. This directory
service uses technologies such as multi-threaded LDAP processes, multi-process
and database connection pooling, which permit tens of thousands of concurrent
client requests while maintaining millisecond response times. This ultimately
offers high availability and high performance.

MS Active Directory: Comes bundled with Windows 2000/2003. Windows AD is LDAP
compliant and is very easy to deploy and manage using the Windows management
console. It supports interoperability between various directory services and
can be integrated with most other directory service products. Using this, you
can manage all IT resources from a central location.
