Taming Corporate Directories

Now that Windows 2000 has arrived, corporations and other large organizations can begin to get serious about installing corporate directories. Corporate directories represent a new category of data, stored in specialized databases, and optimized for identifying and locating networked objects such as people, applications, or servers. The good news is that Microsoft support for corporate directories means application vendors are now able to support a single corporate directory standard. The bad news is that someone is going to have to manage this data.

There are several benefits that companies achieve by implementing a corporate directory. The first is that a corporate directory can replace dozens of application and operating system-specific directories with a single, coordinated directory infrastructure that can be used by multiple applications and systems. This means a system administrator only has to add, modify, or delete a user or other object once, and the change is propagated to all directory-enabled systems. This will reduce the workload of a system administrator, and it will enhance corporate security as former employees only need to be deleted once from the directory. Without a single directory, a system administrator has to be sure the ex-employee is removed from all applications, file servers, e-mail systems, and so on.

Another benefit is that a directory allows a company to implement a single sign-on (SSO) strategy. SSO allows the user to log on once to the system, using a single username/password combination. Then, as the user accesses other applications or data sources, the directory can authenticate the user to the target system and can tell the target system about the user’s privileges. The user doesn’t have to remember a slew of username/password combinations, which reduces the likelihood of a security breach since multiple passwords won’t be lying around on sticky notes.

A third benefit of directories is the ease of managing distributed objects. A corporate directory helps users and applications locate network resources, such as file servers and printers.

There are two major directory implementations: LDAP and Active Directory.

Both are different from standard relational databases in several respects. First, a directory is optimized for read-only access, since most of the time people use directories to look stuff up. Updates and additions are more infrequent. Second, the directory structure is a hierarchical tree containing object classes, rather than a set of relational tables. An object class has both required and optional characteristics.

The LDAP tree root is a "country" object class, which is designated with the name/value pair "c=US". An entry of this type is called a distinguished name (DN). At the next level down is the object class "organization," which would be represented by an entry such as "o=ENT magazine, c=US". Below this could be an object class "person," represented by the entry "p=Robert Craig, o=ENT Magazine, c=US". At this level we might have other attributes associated with the entry, such as address, telephone number, e-mail, and application access rights/privileges.

One big difference between Active Directory and LDAP is that the Active Directory tree root is the "domain" component name, which is the LDAP equivalent of organization. Active Directory doesn’t support the LDAP tree country-class object.

Another big difference is that Active Directory uses both domain name server (DNS) and LDAP. DNS is used to resolve domain names to IP addresses, and LDAP to resolve access to other objects.

One concern about LDAP is security. Data in an LDAP directory is not encrypted and is stored in clear text. Active Directory enhances LDAP security by creating a unique security id for every user, group, and computer account in a Windows 2000 domain. Each Active Directory object is protected by an access control entry that contains the security id and access privileges of every user or group with permission to access that object. Active Directory can also be enhanced by security features such as Kerberos, smart cards, private key infrastructure (PKI), and digital certificates. These can be useful if you allow external users to access your systems through an extranet.

Active Directory support is being implemented by many large system and enterprise application vendors. However, companies that have made a strategic commitment to running Unix or mainframe systems, or which have entities that span countries, will have to develop a coexistence strategy. --Robert Craig is vice president of strategic marketing at Viador Inc. (Burlington, Mass.), and a former director at the Hurwitz Group Inc. Contact him at robert.craig@viador.com.