Directory service

From Wikipedia, the free encyclopedia

A directory service is the software system that stores, organizes and provides access to information in a directory. In software engineering, a directory is a map between names and values. It allows the lookup of values given a name, similar to a dictionary. As a word in a dictionary may have multiple definitions, in a directory, a name may be associated with multiple, different pieces of information. Likewise, as a word may have different parts of speech and different definitions, a name in a directory may have many different types of data.

Directories may be very narrow in scope, supporting only a small set of node types and data types, or they may be very broad, supporting an arbitrary or extensible set of types. In a telephone directory, the nodes are names and the data items are telephone numbers. In the DNS the nodes are domain names and the data items are IP addresses (and alias, mail server names, etc.). In a directory used by a network operating system, the nodes represent resources that are managed by the OS, including users, computers, printers and other shared resources. Many different directory services have been used since the advent of the Internet but this article focuses mainly on those that have descended from the X.500 directory service.

Introduction

A directory service called a naming service, maps the names of network resources to their respective network addresses. With the name service type of directory, a user does not have to remember the physical address of a network resource; providing a name will locate the resource. Each resource on the network is considered an object on the directory server. Information about a particular resource is stored as attributes of that object. Information within objects can be made secure so that only users with the available permissions are able to access it. More sophisticated directories are designed with namespaces as Subscribers, Services, Devices, Entitlements, Preferences, Content and so on. This design process is highly related to Identity management.

A directory service defines the namespace for the network. A namespace in this context is the term that is used to hold one or more objects as named entries. The directory design process normally has a set of rules that determine how network resources are named and identified. The rules specify that the names be unique and unambiguous. In X.500 (the directory service standards) and LDAP the name is called the Distinguished name (DN) and is used to refer to a collection of attributes (relative distinguished names) which make up the name of a directory entry.

A directory service is a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is an important component of a NOS (Network Operating System). In the more complex cases a directory service is the central information repository for a Service Delivery Platform. For example, looking up "computers" using a directory service might yield a list of available computers and information for accessing them.

Replication and Distribution have very distinct meanings in the design and management of a directory service. The term replication is used to indicate that the same directory namespace (the same objects) are copied to another directory server for redundancy and throughput reasons. The replicated namespace is governed by the same authority. The term distribution is used to indicate that multiple directory servers, that hold different namespaces, are interconnected to form a distributed directory service. Each distinct namespace can be governed by different authorities.

Comparison with relational databases

There are a number of things that distinguish a traditional directory service from a typical relational database. Of course there are exceptions, but in general:

  • directory information is read more often than it is written; this makes features related to transactions and rollback less important.
  • data can be redundant if it helps performance.

Directory schemas are defined as object classes, attributes, name bindings and knowledge (namespaces), where an object class has:

  • Must - attributes that each of its instances must have
  • May - attributes that can be defined for an instance, but can be omitted with the absence treated somewhat like NULL in a relational database
  • Attributes are sometimes multi-valued allowing multiple naming attributes at one level such as machine type and serial number concatenated or multiple phone numbers for "work phone".
  • Attributes and object classes are standardized throughout the industry and formally registered with the IANA for their object ID. Therefore directory applications seek to reuse much of the standard classes and attributes to maximize the benefit of existing directory server software.
  • Object instances are slotted into namespaces. That is, each object class inherits from its parent object class (and ultimately from the root of the hierarchy) adding attributes to the must/may list.
  • Directory services are often a central component in the security design of an IT system and have a correspondingly fine granularity regarding access control: who may operate in which manner on what information. Also see: ACLs

Implementations of directory services

Directory services were part of an Open Systems Interconnection (OSI) initiative to get everyone in the industry to agree to common network standards to provide multi-vendor interoperability. In the 1980s, the ITU and ISO came up with a set of standards - X.500, for directory services, initially to support the requirements of inter-carrier electronic messaging and network name lookup. The Lightweight Directory Access Protocol, LDAP, is based on the directory information services of X.500, but uses the TCP/IP stack and a string encoding scheme of the X.500 protocol DAP, giving it more relevance on the Internet.

There have been numerous forms of directory service implementations from different vendors. Systems developed before the advent of X.500 include:

  • Domain Name System: (DNS), the first directory service on the Internet, which is still used everywhere today.
  • Hesiod: was based on DNS and used at MIT's Project Athena.
  • Network Information Service: (NIS), originally named Yellow Pages (YP), was Sun Microsystems' implementation of a directory service for Unix network environments. It served a similar role as Hesiod.
  • NetInfo: was developed by NeXT in the late 1980s for NEXTSTEP. After being acquired by Apple, it was released as open source and used as the directory service for Mac OS X before being deprecated in favor of the LDAP-based Open Directory. Support for NetInfo was completely removed with the release of 10.5 Leopard.
  • Banyan VINES: was the first scalable directory services offering.
  • NT Domains: was developed by Microsoft to provide directory services for Windows machines prior to the release the LDAP-based Active Directory in Windows 2000. Windows Vista continues to support NT Domains, but only after relaxing the minimum authentication protocols it supports.

LDAP implementations

Among the LDAP/X.500 based implementations are:

  • Active Directory: Microsoft's modern directory service for Windows, originating from the X.500 directory, created for use in Exchange Server, first shipped with Windows 2000 Server and is supported by successive versions of Windows.
  • eDirectory: This is Novell's implementation of directory services. It supports multiple architectures including Windows, NetWare, Linux and several flavours of Unix and has long been used for user administration, configuration management, and software management. eDirectory has evolved into a central component in a broader range of Identity management products. It was previously known as Novell Directory Services.
  • Red Hat Directory Server: Red Hat released a directory service, that it acquired from AOL's Netscape Security Solutions unit,[1] as a commercial product running on top of Red Hat Enterprise Linux called Red Hat Directory Server and as the community supported 389 Directory Server project.
  • eNitiatives ViewDS Directory Server: ViewDS[2][3][4] was originally developed by Telstra Research Laboratories in Clayton Victoria Australia (previously Telecom Australia) as an X.500 Directory server known as View500 to run online White & Yellow Pages services. ViewDS was acquired by eNitiatives in 2000. It differs from other X.500 Directory products in that it has a built-in indexing engine capable of indexing all attributes and also supports a range of different types of searching and matching on entries, such as word matching, stem matching, synonym matching, acronym matching, component matching, misspelling matching, and sounds like matching. This matching is available on multiple languages including Pinyin and Traditional Mandarin. ViewDS is LDAPv3 compliant and is also the world's first Directory to support the XACML[5] standard for Policy Based Access control onto all attributes stored in the directory, with an inbuilt combined Policy Decision Point (PDP) and Policy Information Point (PIP) as well as two Policy Administration Tools (PAP). ViewDS is also CCEB ACP133EdD (Military)[6] and IATA ATN-AMHS standards compliant, and supports the storage of XML objects, data and schema in the Directory using the draft IETF XML Enabled Directory standard. It also supports SPMLv2.0, DSMLv2 and SCIM 1.0. ViewDS is widely used in the Government,[7][8][9] Aviation, Health & Defence sectors.
  • Open Directory: Apple's Mac OS X Server uses a directory service named Open Directory, which implements LDAP using a customized build of OpenLDAP and integrates support for both SASL and Kerberos authentication. It uses a plugins architecture to work with other LDAPv3 directories, including proprietary solutions like Active Directory and eDirectory.
  • Apache Directory Server: Apache Software Foundation offers a directory service called ApacheDS.
  • Oracle Internet Directory: (OID) is Oracle Corporation's directory service, which is compatible with LDAP version 3.
  • CA Directory: CA Directory contains pre-caching engine which can index all attributes that are used in LDAP search filters, and caching all attributes returned in search results.
  • Alcatel-Lucent Directory Server: CTIA 2009 - 4G Service Creation & Development Award Winner offering enhanced performance, high availability and proven efficiencies[10]
  • Sun Java System Directory Server: Sun Microsystems' current directory service offering[11]
  • OpenDS: An open source directory service implementation from scratch in Java, backed by Sun Microsystems[12]
  • IBM Tivoli Directory Server It is a customized build of an old release of OpenLDAP.
  • DirX Directory Server from Atos (ex-Siemens software)[13]
  • Windows NT Directory Services (NTDS), later renamed Active Directory, replaces the former NT Domain system.
  • Critical Path Directory Server
  • OpenLDAP Derived from the original University of Michigan reference LDAP implementation (as are the Netscape/Red Hat/Fedora/Sun JSDS servers) but significantly evolved. It supports all current computer architectures, including Unix and Unix derivatives, Linux, Windows, z/OS, and a variety of embedded/realtime systems.
  • Isode Limited: High performance and high availability LDAP and X.500 servers.
  • Lotus Domino
  • Nexor Directory

There are also plenty of open-source tools to create directory services, including OpenLDAP and the Kerberos protocol, and Samba software which can act as a Windows Domain Controller with Kerberos and LDAP backends. Administration is done using GOsa or Samba provided SWAT.

Using name services

Unix OSs

Name services on Unix systems are typically configured through nsswitch.conf. Information from name services can be retrieved using getent.

See also

Notes

  2. Identity and Access Management Solutions - Authorization Services - Meta Data Integration. ViewDS. Retrieved on 2013-07-17.
  3. Australian Technology Showcase - eB2Bcom. Ats.business.gov.au (2010-09-27). Retrieved on 2013-07-17.
  4. Directory Services | Martin Kuppinger. Blogs.kuppingercole.com. Retrieved on 2013-07-17.
  5. XACML-based directory server. Networkworld.com (2011-08-30). Retrieved on 2013-07-17.
  6. Telos Corporation Partners with eNitiatives to Feature ViewDS in AMHS. Business Wire (2011-01-11). Retrieved on 2013-07-17.
  7. http://www.directory.gov.au.com
  8. http://www.vic.gov.au.com/contactsandservices/directory
  9. http://www.directory.act.gov.au
  10. "Alcatel-Lucent 8661 Directory Server". Alcatel-lucent.com. Retrieved 2012-01-09. 
  11. "Oracle and Sun". Sun.com. 2010-09-07. Retrieved 2012-01-09. 
  12. "Java.net". Opends.dev.java.net. Retrieved 2012-01-09. 
  13. "DirX". ATOS. Retrieved 24 December 2012. 

References

  • Carter, Gerald (2003). LDAP System Administration. O'Reilly Media. ISBN 978-1-56592-491-8. 


This article is issued from Wikipedia. The text is available under the Creative Commons Attribution/Share Alike; additional terms may apply for the media files.