Directory Services is a centralized system that stores, manages, and provides access to information about network objects. This article explores the X.500 directory model, directory architecture, information base, information tree, user and service agents, service protocols, and the LDAP directory standard. It also discusses major players in Directory Services and tree design approaches.
Directory Services
• What is it? A way to store, manage, and access information about many different network objects
• Directory Services plays an important role in integrating different NOS (Network Operating Systems) into one system that can be centrally administered and accessed
• The directory database contains entries that store information about network objects in containers organized into a hierarchical tree structure, and provides information to network services and clients
Directory Services
• The X.500 directory model (original standard) defined directory services, how they are displayed, and how they are accessed by users
• The X.500 model describes the directory as a collection of systems that work in a client-server relationship to represent information about network objects
• X.500 directory architecture: the client queries, and receives responses from, one or more servers in the directory service, with the Directory Access Protocol (DAP) controlling communication between client and server
Directory Services
• X.500: Directory Information Base (DIB)
• The directory database is made up of entries that contain information about objects, such as users, printers, computers, and data volumes; these objects are collectively known as the DIB
• Within the DIB, each entry is made up of a collection of information fields called attributes
• These attributes contain values
Directory Services
• X.500: Directory Information Tree (DIT)
• The Directory Information Base (DIB) is arranged into a tree-like structure called the DIT
• To keep the directory organized, a set of rules known as the Directory Schema is enforced
• The Directory Schema defines a set of attributes and valid object classes
• An object class defines a type of network object, such as a user or a printer, and includes all attributes that make up that type of object
Directory Services
• X.500: Directory User and Service Agents
• X.500 takes a client-server approach
• The directory client, called the Directory User Agent (DUA), allows for the accessing of, and data retrieval from, the directory database
• Processing a DUA request for information from the directory service consists of these steps: the workstation-based DUA sends a request to the server-based Directory System Agent (DSA); the DSA retrieves DIB data and sends it back to the DUA
Directory Services
• X.500: Directory Service Protocols
• The Directory Service Protocol (DSP) controls the interaction between two or more DSAs (directory system agents) so that users can access information in the directory without knowing its exact location
• The Directory Access Protocol (DAP) controls communication between a DUA (directory user agent) and a DSA (directory system agent)
• The Directory Information Shadowing Protocol (DISP) is a special DSP that is responsible for keeping multiple copies of the DIB synchronized, as is necessary in the shadowing process
Directory Services
• The LDAP directory standard
• Lightweight Directory Access Protocol (LDAP) was developed as a simpler version of X.500
• Although LDAP started as a simplified component of the X.500 directory, it developed into a protocol used to access information stored in a directory
• LDAP runs over TCP/IP
• Now at version 3
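To make the "protocol over TCP/IP" point concrete, here is an added example (written for this page, not code from any LDAP library or product) that builds the bytes of an LDAPv3 simple BindRequest and decodes a BindResponse using the ASN.1 BER framing that RFC 4511 specifies. The DN, password and result codes are constructed values. Reading the request bytes shows that a simple bind carries the password as plain octets, which is why such binds belong inside TLS (LDAPS or StartTLS) and why an unencrypted bind on the wire is a finding worth alerting on.

```python
"""Minimal BER (ASN.1 Basic Encoding Rules) codec for an LDAPv3 simple
BindRequest and BindResponse, following the RFC 4511 message layout.
Constructed example; not taken from any LDAP library or product."""

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """Tag-Length-Value framing shared by every BER element."""
    return bytes([tag]) + ber_len(len(content)) + content

def int_body(n):
    """Minimal two's-complement body for INTEGER / ENUMERATED."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)

def bind_request(message_id, dn, password):
    """LDAPMessage { messageID INTEGER, bindRequest [APPLICATION 0] SEQUENCE {
         version INTEGER (3), name LDAPDN, authentication simple [0] OCTET STRING } }"""
    op = tlv(0x60, tlv(0x02, int_body(3))
                   + tlv(0x04, dn.encode("utf-8"))
                   + tlv(0x80, password.encode("utf-8")))  # [0] context tag = simple auth
    return tlv(0x30, tlv(0x02, int_body(message_id)) + op)

def bind_response(message_id, result_code, matched_dn="", diagnostic=""):
    """BindResponse [APPLICATION 1] SEQUENCE { resultCode ENUMERATED,
         matchedDN LDAPDN, diagnosticMessage LDAPString }"""
    op = tlv(0x61, tlv(0x0A, int_body(result_code))
                   + tlv(0x04, matched_dn.encode("utf-8"))
                   + tlv(0x04, diagnostic.encode("utf-8")))
    return tlv(0x30, tlv(0x02, int_body(message_id)) + op)

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def decode_bind_response(frame):
    """Decode an LDAPMessage carrying a BindResponse into a dict."""
    tag, body, _ = parse_tlv(frame)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    _, rc, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    return {
        "messageID": int.from_bytes(mid, "big", signed=True),
        "resultCode": int.from_bytes(rc, "big", signed=True),
        "matchedDN": matched.decode("utf-8"),
        "diagnosticMessage": diag.decode("utf-8"),
    }

LDAP_SUCCESS = 0                 # resultCode values from RFC 4511
LDAP_INVALID_CREDENTIALS = 49

if __name__ == "__main__":
    # Constructed DN and password; note the password appears verbatim in the hex dump.
    req = bind_request(1, "cn=admin,dc=example,dc=com", "secret")
    print(req.hex())
    print(decode_bind_response(bind_response(1, LDAP_INVALID_CREDENTIALS, "", "invalid credentials")))
```

The encoder and decoder share one generic `tlv` / `parse_tlv` pair, which is the whole of BER framing; the LDAP-specific part is only the choice of tags (`0x60` and `0x61` are the APPLICATION-class tags for bind request and response, `0x80` is the context tag for simple authentication).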
Directory Services
• Directory Services (3 major players)
• Novell Directory Services (NDS) / eDirectory
• LDAP
• Active Directory (Microsoft)
Some Directory Services
• Some LDAP/X.500 based implementations are:
• Active Directory
• eDirectory
• Red Hat Directory Server
• Open Directory (Apple’s Mac OS X Server)
• Oracle Internet Directory
• CA Directory
• OpenDS
• OpenLDAP
Directory Services Tree Design
• Using standards minimizes confusion as more servers, more users, and new directory tree objects appear
• One of the most important areas for network standards is naming conventions
• Balance tree depth and tree width so that distinguished names do not become too unwieldy (too wide or too deep)
• Use a design approach that matches the directory tree to the organization
Directory Services Tree Design
• Design approaches involve reflecting the actual organizational structure, basing the tree on geographic locations, or using a combination of the two approaches
• Two possible organizational structures: functional areas and workgroups
• The functional approach is based on the classic functional business areas such as operations, sales, marketing, finance, etc.
• The workgroup approach is based on workgroups, or groups of members from functional areas
Directory Services Tree Design
• Design approaches (cont.)
• Some organizations create their primary organizational structure based on geographic location; in each location the directory tree can reflect a functional or workgroup structure
• There may be situations where combining the functional area, workgroup and geographical approaches is warranted (so you can see there are many different ways)
Directory Services Tree Design
• As you can see, there are many different ways
• One of the most important areas for network standards is naming conventions
• Plan for the future
• Once implemented, it is hard to make major changes
• Directory Services are becoming a must-have for most large environments
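The DIT, schema and DUA/DSA slides above describe a structure, and the tree-design slides describe constraints on it; the following added example (written for this page, not code from any directory product) models both in one place. It keeps a small DIB keyed by distinguished name, lets a DSA enforce a constructed schema (object classes modelled loosely on the standard organization / organizationalUnit / person classes) on every write, answers DUA reads by DN, and reports the depth and width metrics a tree designer would check. The DN parser handles the backslash escape a DN needs when an attribute value itself contains a comma. All entry names and values are constructed.

```python
"""Toy Directory Information Tree (DIT) with schema enforcement, a DSA that
answers DUA reads by distinguished name, and a depth/width check for tree
design.  Constructed example; not from any directory product."""

# Directory Schema (constructed subset): object class -> required attribute types
SCHEMA = {
    "organization": {"o"},
    "organizationalUnit": {"ou"},
    "person": {"cn", "sn"},
    "device": {"cn"},
}

def parse_dn(dn):
    """Split 'cn=Ann Lee,ou=Sales,o=Acme' into [('cn','Ann Lee'), ('ou','Sales'), ('o','Acme')].
    Attribute types are lower-cased (they are case-insensitive); a backslash escapes
    the next character, so 'cn=Printer\\, Floor 2' keeps its comma (RFC 4514 subset)."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":                            # RDN separator
            rdns.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, sep, val = rdn.strip().partition("=")
        if not sep or not attr.strip() or not val:
            raise ValueError(f"malformed RDN: {rdn!r}")
        out.append((attr.strip().lower(), val))
    return out

class DSA:
    """Directory System Agent: holds the DIB and enforces the schema on writes."""

    def __init__(self):
        self.dib = {}   # key: tuple of (attr, value) RDNs, leaf first -> entry dict

    def add(self, dn, entry):
        """Add an entry; entry keys are lower-case attribute types plus 'objectClass'."""
        key = tuple(parse_dn(dn))
        oc = entry.get("objectClass")
        if oc not in SCHEMA:
            raise ValueError(f"{dn}: unknown objectClass {oc!r}")
        missing = SCHEMA[oc] - set(entry)
        if missing:
            raise ValueError(f"{dn}: missing required attributes {sorted(missing)}")
        attr, val = key[0]                       # naming attribute must match the entry
        if entry.get(attr) != val:
            raise ValueError(f"{dn}: RDN {attr}={val!r} not present in entry")
        if len(key) > 1 and key[1:] not in self.dib:
            raise ValueError(f"{dn}: parent entry does not exist")
        if key in self.dib:
            raise ValueError(f"{dn}: entry already exists")
        self.dib[key] = dict(entry)

    def read(self, dn):
        """DAP-style read issued by a DUA: return the entry for dn, or None."""
        return self.dib.get(tuple(parse_dn(dn)))

    def depth_and_max_width(self):
        """Tree-design metrics: longest DN (RDN count) and most children under one container."""
        depth = max((len(k) for k in self.dib), default=0)
        children = {}
        for k in self.dib:
            if len(k) > 1:
                children[k[1:]] = children.get(k[1:], 0) + 1
        return depth, max(children.values(), default=0)

def build_sample_dit():
    """Constructed sample: a functional split (Sales, Ops) under one organization."""
    dsa = DSA()
    dsa.add("o=Acme", {"objectClass": "organization", "o": "Acme"})
    dsa.add("ou=Sales,o=Acme", {"objectClass": "organizationalUnit", "ou": "Sales"})
    dsa.add("ou=Ops,o=Acme", {"objectClass": "organizationalUnit", "ou": "Ops"})
    dsa.add("cn=Ann Lee,ou=Sales,o=Acme",
            {"objectClass": "person", "cn": "Ann Lee", "sn": "Lee"})
    dsa.add("cn=Printer\\, Floor 2,ou=Ops,o=Acme",
            {"objectClass": "device", "cn": "Printer, Floor 2"})
    return dsa

def add_rejected(dsa, dn, entry):
    """True if the schema or tree rules reject the entry (shows enforcement)."""
    try:
        dsa.add(dn, entry)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    d = build_sample_dit()
    print(d.read("CN=Ann Lee,OU=Sales,O=Acme"))
    print("depth, max width:", d.depth_and_max_width())
```

Keying the DIB by the parsed RDN tuple rather than by the raw DN string is what makes `o=Acme` and `O=Acme` resolve to the same entry, and what keeps an escaped comma inside a value from being mistaken for a level in the tree; the same normalization is what a naming convention is meant to make unnecessary in practice.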
Directory Services Terms
• Identity Management (IdM)
• Sometimes called Access and Identity Management (AIM)
• Refers to an information system, or to a set of technologies, that can be used for enterprise or cross-network identity management
• Describes the management of individual identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries
Summary
• Directory Services play an important role in administering and managing networks
• Most directory services are based on the X.500 standard, which defines protocols for the Directory Information Base, Directory Information Tree, Directory User Agent, and Directory System Agent
• Directory Tree Design
• Identity Management
Directory Services Questions