Directory service
Encyclopedia : D : DI : DIR : Directory service
A directory service is a software application — or a set of applications — that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. Additionally, directory services act as an abstraction layer between users and shared resources.
A directory service should not be confused with the directory itself, which is the database that holds the information about objects that are to be managed by the directory service. The directory service is the interface to the directory and provides access to the data that is contained in that directory. It acts as a central authority that can securely authenticate resources and manage identities and relationships between them.
A directory service is highly optimized for reads and provides advanced search on the many different attributes that can be associated with objects in a directory. The data that is stored in the directory is defined by an extendible and modifiable schema. Directory services use a distributed model for storing their information and that information is usually replicated between directory servers. Carter, Gerald (2003) "LDAP System Administration". O'Reilly pp 3–4
A directory service maps the names of network resources to their respective network addresses. The user doesn't have to remember the physical address of a network resource; providing a name helps locate the resource. Each resource on the network is considered as an object on the directory server. Information about a particular resource is stored as attributes of that object. Information within objects can be made secure so that only users with the available permissions are able to access it.
A directory service defines the namespace for the network. A namespace is a set of rules that determine how network resources are named and identified. The rules specify that the names be unique and unambiguous. In LDAP the name is called the distinguished name (DN) and is used to refer to a collection of attributes which make up a directory entry.
Directory service is a tool for locating, managing, administrating, and organizing network resources, which can include volumes, folders, files, printers, users, groups, and other objects. A directory service is a center component of NOS (Network Operating System) and it has functions much like a phone book. For example, if you look up “computers,” you will find a list of available computers and information for accessing them, however, for a directory service to function like a network phone book, it must be combined with a matching entity, the directory database. Examples of directory services produced by different vendors and standards bodies include the following:
- Windows NT Directory Services (NTDS) for Windows NT
- Active Directory for Windows 2000
- Novell Directory Servies (NDS) for Novell NetWare version 4.x
Comparison with relational databases
There are a number of things that distinguish a directory service from a relational database- In a directory, the information is generally read more often than it is written. Hence the usual database features of transactions and rollback are not implemented in a directory. Data may be made redundant, but the objective is to get a faster response time during searches.
- Data is organized in a strictly hierarchical manner. In terms of cardinality, directories do not have many-to-many relations. Instead, such relations must be maintained explicitly using lists of distinguished names.
- Attributes are defined as stand-alone schema entities. That is: they exist without being part of an object and have a fixed type.
- An objectClass has:
- * Must-attributes that each of its instances must have
- * May-attributes that can be defined for an instance, but could also be omitted when the object is created. The lack of a certain attribute is somewhat like a NULL in relational databases
- Attributes are often multi-valued in directories whereas this is seen in relational database design as a denormalized state of the database schema.
- Attributes and objectClasses are standardized throughout the industry and formally registered with the IANA for their object ID. Therefore directory applications seek to reuse much of the standard classes and attributes to maximize the benefit of existing directory server software.
- Object instances are slotted into namespaces. That is, each objectClass inherits from its parent objectClass (and ultimately from the root of the hierarchy) adding attributes to the must/may list.
- Directory services are often a central component in the security design of an IT system and have a correspondingly fine granularity regarding access control: who may operate in which manner on what information. Also see: ACLs
Implementations of Directory Services
Directory services were part of an Open Systems Interconnect (OSI) initiative to get everyone in the industry to agree to common network standards to provide multi-vendor interoperability. In the 1980s the ITU and ISO came up with a set of standards - X.500, for directory services, initially to support the requirements of inter-carrier electronic messaging and network name lookup. The Lightweight Directory Access Protocol, LDAP, is based on the services of X.500, but uses the TCP/IP stack, giving it more relevance on the Internet.
There have been numerous forms of directory service implementations from different vendors. Among them are:
- NIS: The Network Information Service (NIS) protocol, originally named Yellow Pages (YP), was Sun Microsystems' implementation of a directory service for Unix network environments. (Sun has, in the early 2000s, merged its iPlanet alliance Netscape and developed its LDAP-based directory service to become part of Sun ONE, now called Sun Java Enterprise.)
- eDirectory: This is Novell's implementation of directory services. It supports multiple architectures including Windows, Netware, Linux and several flavours of Unix and has long been used for user administration, configuration management, and software management. eDirectory has evolved into a central component in a broader range of Identity management products. It was previously known as Novell Directory Services.
- Red Hat Directory Server: Red Hat released the directory service that it acquired from Netscape Security Solutions as a commercial product running on top of Red Hat Enterprise Linux called Red Hat Directory Server and as part of Fedora Core called Fedora Directory Server.
- Active Directory: Microsoft's directory service is the Active Directory which is included in the Windows 2000 and Windows Server 2003 operating system versions.
- Open Directory: Apple's Mac OS X Server offers a directory service called Open Directory which integrates with many open standard protocols such as LDAP and Kerberos as well as proprietary directory solutions like Active Directory and eDirectory.
- Apache Directory Server: Apache Software Foundation offers a directory service called ApacheDS.
- Oracle Internet Directory: (OID) is Oracle's directory service, which is compatible with LDAP version 3.
There are also plenty of open-source tools to create directory services, including OpenLDAP and the Kerberos (protocol), and Samba software which can act as a Domain Controller with Kerberos and LDAP backends.
Notes
See also
References
- Carter, Gerald (2003) "LDAP System Administration". O'Reilly. ISBN 1-565592-491-6.
From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.