Directory Services Have Tall Orders to Fill

<a href="displayarticle.asp?ID=3239944915PM"><img src="archive/1999/pics/directory.jpg" border="0" align="right"></a>Dividing up the application workload among multiple platforms is extremely efficient but it means the administration of clients and servers can be a daunting challenge, reports Mark McFadden in this issue's feature story.

• 03/24/1999

Elizabeth Anderson, manager of a corporate IT network for a large manufacturer of agriculture tools in the Midwest, came to work one Monday and found that the number of directories she managed had doubled. "Over the weekend our parent corporation had finalized a merger, and we suddenly found ourselves with the directories we accumulated over many years, plus all the directories of our new subsidiary," she said. "It’s already a huge burden."

Yet it is a burden that must be borne. Directory services are the foundation of well-designed distributed networks. As operating systems evolved from a homogenous, centralized mainframe model to a distributed network operating system they preserved the concept of user accounts. Each user is given a name, password, home file directory and a set of permissions for using the system. The collection of information about each user forms the core of most modern directory services.

The centralized model, unfortunately, hasn’t matched up well with distributed networks and client server applications. The typical enterprise network contains a complex mix of computing environments that include many different servers, workstations and mainframes. Dividing up the application workload among multiple platforms is extremely efficient but it means the administration of clients and servers can be a daunting challenge.

The challenge not only comes from the number of servers in a network, but also comes from the many systems and applications that have their own access control mechanisms and directories. An enterprise using Oracle to serve up crucial enterprise databases, for example, will find Oracle uses a different directory than the one used by the organization’s Microsoft Exchange messaging system.

How severe is the problem? Forrester Research Inc. (www.forrester.com) suggests that Fortune 500 companies have an average of 190 directories. And as each new application is deployed, its directory plays an increasingly important role. For instance, as corporations move to support video conferencing and other collaborative tools, users need to know who is available for video conferencing and what tools they have. A new directory is created to meet this need, which adds to the cumulative administrative load.

Directories also are the foundation of tools that provide "single sign-on" capabilities in multiplatform networks. For many users, logging into each server in the network is an annoyance. Since a password is nothing more than a property of the "user" object in most directories, vendors are beginning to provide tools that synchronize the passwords across multiple platforms and that ensure a user’s password is the same for every server in the network.

Directories have a new and growing use, as well. Directories can be used as the cornerstone of electronic commerce. Ed Harrington, vice president for product marketing at Nexor (www.nexor.com), an enterprise-scale directory supplier, says, "The main kicker for new directory implementations is in Public Key Infrastructures (PKIs). As we see more and more business-to-business electronic commerce, we see more dependence on PKIs. And the natural tools to support a PKI? It’s clearly an enterprise directory."

One example is the Automotive Network Exchange (ANX, www.anx.com), which has an extranet for electronic commerce between suppliers and the automotive industry. "At its heart is a standards-based directory that provides public keys to any partner -- regardless of whether that partner uses Unix, MVS or Windows NT," says Robert Moscowitz, a security consultant to ANX."

In the Windows NT world, two directory systems compete for most of the attention: Novell Inc.’s NDS for Windows NT and Microsoft Corp.’s Active Directory, the forthcoming directory for Windows 2000. There are many other directory products available for Windows NT network designers, including products from established vendors such as IBM and Netscape, and products from lesser-known vendors such as Entevo Corp. (www.entevo.com), FastLane Technologies Inc. (www.fastlanetech.com) Isocor (www.isocor.com), Nexor or Zoomit Corp. (www.zoomit.com). Despite the alternatives, the shadow of Active Directory is so great that vendors already define their products in terms of Microsoft’s yet-to-be-delivered product.

In terms of Windows NT 4.0, however, the administration model has a key limitation. It provides no support for hierarchical organization of domains. Windows NT administrators not only are forced to use User Manager for a worker’s home domain, but also have to anticipate which other domains a user may require. "In NT today, there’s no way to build up an organizational hierarchy," says Dale Gardner, Entevo’s senior product manager. "As a result, just managing users across multiple domains is a tremendous time sink."

Peter Houston, Microsoft’s lead product manager for Windows NT server marketing, concurs that managing many directories over multiple domains is a problem. "Imagine when somebody new joins the organization," he says. "How many places in the network do you have to put a new entry? Many directories in which you have to add entries aren’t reachable via a standard interface."

Some approaches in the marketplace, such as Novell's NDS for NT and Entevo’s DirectManage, attempt to support a hierarchical view of an organization’s directory space while integrating with Windows NT’s native facilities. These products also attempt to avoid some of Windows NT’s other limitations: an inability to ensure that permissions flow down hierarchical trees in the directory and an inability to administer all parts of the directory from a single administration tool.

Another approach that may help solve the administration problem is to tie together directories from throughout an organization, such as messaging, network operating system, database and custom applications. This approach, referred to as a "metadirectory" strategy, integrates directories by tying together dissimilar schema and attributes into a common, logical view. One metadirectory strategy strives to provide a master metadirectory built from all the information in the directories to which it is connected. An alternative approach doesn’t build a new directory, but instead provides a window, or logical view, on the connected directories.

"There’s plenty of confusion regarding metadirectories," says Microsoft’s Houston. "But if you look under the covers there’s always going to be four key ingredients. There are going to be ‘connectors’ that connect the metadirectory to each of the target directories; ‘brokers,’ software that knows how to use each of the connectors to provide bi-directional updates of the directories; and the directories themselves. In addition, there will be ‘metadata,’ the descriptions of where users of the metadirectory needs to go to get the information they need. We think that our customers are going to aggressively build a metadirectory infrastructure," Houston explains.

If metadirectories are going to become an important part of enterprise networks, what will the impact of Active Directory be? Active Directory is the foundation for Windows 2000 networks’ directory services needs. It addresses many of the limitations of the current Windows NT directory model by providing a hierarchical organization of information, an expanded authentication model, and support for standards-based access. In addition, it will provide a consolidated directory service for Windows 2000 and BackOffice applications.

Also, Microsoft is advocating the Active Directory Service Interfaces (ADSI) as a tool for providing connectors between dissimilar databases. Applications can use ADSI standard routines -- implemented as a set of COM objects -- to make connections between Active Directory and any other directory. This model works much like the ODBC model works for databases: As long as the directory exposes ADSI compliant services, any other directory can be synchronized with it.

Houston says this means that Active Directory can "become a part of any organization’s metadirectory infrastructure." Expect to see Microsoft working with ISV’s to develop industrial-strength, ADSI-based connectors for key third-party directories, Houston predicts.

The features of Active Directory could affect companies that already provide tools and services that layer over the top of the existing Windows NT 4.0 domain model. But according to Novell’s Adam Smith, product marketing manager, NDS for NT, "NDS will be available as an ADSI provider as soon as Windows 2000 ships. Until then, NDS provides a foundation for rolling out many technologies that you would have to wait for otherwise. When the time comes, we will be able to integrate Active Directory into NDS."

Keeping the administrative costs of directory management under control is a growing concern. Many vendors are coming to market with products targeted at easing that workload. Will their products be magic bullets? It’s not likely, but finding a way to limit the growing costs of managing existing directories and new applications, such as electronic commerce and extranets, may force enterprises into early adoption of tools that help consolidate and manage existing investment in directories.

A single metadirectory that ties all directories together may not be practical. In fact, some research suggests that metadirectory implementation projects can require up to two years to implement. In this case, you may want to consider pursuing products that use a standard that allows disparate directories to work together. Vendor-neutral, industry-standard approaches are the backbone of Internet success; so why can't there be a vendor-independent directory standard?

First promulgated in 1988, X.500 was the first attempt to establish an industry standard for directories. The complexity of X.500 limited industry attempts to produce full implementations; but the standard has been extremely influential in subsequent attempts to develop an alternative approach. Seeing the need for an "X.500-lite" researchers at the University of Michigan put the previous standard on a severe diet and produced the Lightweight Directory Access Protocol (LDAP). LDAP allows compatible clients to add, delete or change entries in any LDAP-compliant directory.

Compared with X.500, LDAP's simplicity encouraged vendors to adopt its easier path to interoperability. Almost every directory services vendor pledges LDAP support and some have been built from the ground up as LDAP directories.

But the current standard, LDAP 3.0, still suffers from some severe limitations. Customers find it difficult to mix-and-match directories from multiple vendors. According to Ed Harrington, vice president for product marketing at Nexor, there are three things missing in the current LDAP specification. "The first is replication, which provides the standard protocols and procedures for moving data from one directory to another," he says. "The next thing missing is access control: A way to determine who has permission to view objects and attributes in the directory. The final missing ingredient is ‘chaining,’ the ability for servers to act on behalf of users in retrieving information from other directories."

These concerns, and a series of other LDAP extensions, are under consideration by the Internet Engineering Task Force (IETF, www.ietf.org). The IETF has draft standards for these functions that are nearly ready for the final steps in the standards process, which will probably not be until later in the spring.

Despite the fact that the standards have not been finalized, vendors are already updating their products. But with the revisions made on their directories before the extension specification is approved by the IETF, customers run the risk of deploying products that are not fully interoperable. A variety of proposals have emerged to help customers deal with claims of standards compliance, including an LDAP standards test suite and an LDAP certification process. Unfortunately, for organizations looking to deploy LDAP at the core of their directory services, these certification services are still unavailable.

But that doesn't change the importance of LDAP. "Customers are absolutely demanding standards-based implementations," Harrington says. "And vendors are going to do what it takes to make sure their products are compliant with the extensions once they are finalized."