
Directory services -- not your father's LDAP

Identity management and the strain of applications are changing the role of network directories.

Network directory services made popular by vendors such as IBM, Microsoft and Novell are in the process of being transformed from single-use platforms to specialized directories that interoperate with each other across the enterprise.

Analysts at Burton Group, a Midvale, Utah-based consultancy, offered their vision on the evolutionary role of directories during a recent corporate conference call. They say directories are moving from their traditional role as general-purpose platforms serving one application in one area of the company, to serving as the foundation for identity management products. That role could further change as the concept of distributing identity services takes hold.

Monolithic directories are overloaded

Past conventional wisdom held that centralization in a single Lightweight Directory Access Protocol (LDAP) directory would make directories easier to administer, said Mike Neuenschwander, a Burton Group analyst. The thinking was that the directory would be the central repository for all the identity data needed for applications. But today's monolithic directories are cracking under the strain of solving the application requirements that are placed on them, due in part to their convergence with vendors' identity management products.

Who's who in directory software

The major directory software makers include IBM, Microsoft, Novell, Sun Microsystems, Computer Associates, Oracle, Critical Path, Netscape, Siemens and OpenLDAP. Each addresses slightly different aspects of the market.

Here's a sampling:

Computer Associates' eTrust directory software addresses large-scale enterprise needs and supports distributed environments. The company recently acquired Netegrity, an identity and access management software vendor.

IBM's Directory Server straddles both the enterprise class and the multi-purpose tier of directories.

Microsoft pushes on two fronts. It's traditionally strong in the special-purpose tier with Active Directory. With Windows Server 2003, it makes a push toward the enterprise tier, Burton Group analyst Nick Nikols said.

Novell's eDirectory is distributed and focused on the enterprise. By mid-year, Novell will be the first to introduce an embedded, application-specific directory service as part of Novell Virtual Directory Service.

Sun's Java System Directory Server focuses on enterprise directories. In late 2003, Sun acquired Waveset Technologies, an identity management company, which extended its product line in this area.

Nick Nikols, also a Burton Group analyst, said he sees a new wave of directories as specific to one platform and having one role, but interoperating with other directories across the enterprise. Directories are moving from isolation to consolidation -- and finally to a distributed phase that can support multiple, persistent use of the same information, he said.

"Now we can start managing these distributed environments as a single logical entity, but getting the benefits of tailoring the schemas and directory structures to meet the specific needs of applications throughout the environment," Nikols said.

Indeed, customers need to think of identity services as something more than just directories. Identity services won't require consolidation as the previous architecture did, Neuenschwander added.

"There is a role for virtualization, for proxy services, for meta directory and for certain types of provisioning," he said. "Mix it all together and you can create not just a single place for applications to go in the physical sense to get identity information, but also the ability for identity information to be shared without taxing the architecture beyond its capacity."
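Added example, not from the article or from any vendor it names: a constructed Python sketch of the virtual-directory and meta-directory idea Neuenschwander describes. Two physical directories with different schemas sit behind one logical namespace; the layer routes each search by naming context, maps backend attribute names onto a common schema, and hands each application only the attributes its view allows, so sensitive HR fields never reach, say, a mail gateway. The `join` method shows the meta-directory side, correlating one person's entries across backends by employee number. All naming contexts, DNs, attribute names, application names and people here are made up.

```python
"""Virtual directory sketch: one logical namespace over several physical directories.

Constructed example. Backends, naming contexts, attribute names, applications and
people are all invented; this is not any vendor's product or API.
"""
from dataclasses import dataclass
from typing import Dict, List

Entry = Dict[str, object]


@dataclass
class Backend:
    """One physical directory: the naming context it serves and its entries keyed by DN."""
    naming_context: str
    entries: Dict[str, Entry]

    def search(self, attr: str, value: str) -> List[Entry]:
        """Equality-filter search in this backend's own schema, e.g. (empno=1001)."""
        return [dict(e) for e in self.entries.values() if e.get(attr) == value]


@dataclass
class VirtualDirectory:
    """Routes by naming context, normalizes schemas, and projects per-application views."""
    backends: List[Backend]
    attribute_maps: Dict[str, Dict[str, str]]  # naming context -> {backend attr: common attr}
    views: Dict[str, List[str]]                # application -> common attrs it may read

    def _view(self, app: str) -> List[str]:
        # Unknown consumers get nothing, even before any backend is touched.
        if app not in self.views:
            raise PermissionError(f"unknown application {app!r}")
        return self.views[app]

    def _backend_for(self, base_dn: str) -> Backend:
        for b in self.backends:
            if base_dn.lower().endswith(b.naming_context.lower()):
                return b
        raise LookupError(f"no naming context serves {base_dn}")

    def _backend_attr(self, backend: Backend, common_attr: str) -> str:
        # Translate a common-schema attribute name into the backend's own name.
        reverse = {v: k for k, v in self.attribute_maps[backend.naming_context].items()}
        return reverse.get(common_attr, common_attr)

    def _normalize(self, backend: Backend, entry: Entry) -> Entry:
        amap = self.attribute_maps[backend.naming_context]
        return {amap.get(k, k): v for k, v in entry.items()}

    @staticmethod
    def _project(view: List[str], entry: Entry) -> Entry:
        # Least privilege per consumer: only the attributes in the application's view.
        return {k: v for k, v in entry.items() if k in view}

    def search(self, app: str, base_dn: str, attr: str, value: str) -> List[Entry]:
        """Search one naming context on behalf of `app`, expressed in common-schema terms."""
        view = self._view(app)
        backend = self._backend_for(base_dn)
        raw = backend.search(self._backend_attr(backend, attr), value)
        return [self._project(view, self._normalize(backend, e)) for e in raw]

    def join(self, app: str, employee_number: str) -> Entry:
        """Meta-directory style join: merge every backend's entry for one person."""
        view = self._view(app)
        merged: Entry = {}
        for backend in self.backends:
            key = self._backend_attr(backend, "employeeNumber")
            for e in backend.search(key, employee_number):
                merged.update(self._normalize(backend, e))
        return self._project(view, merged)


def build_demo() -> VirtualDirectory:
    """Two constructed backends with different schemas behind one virtual directory."""
    hr = Backend("o=hr", {
        "empno=1001,ou=people,o=hr": {"empno": "1001", "fullName": "Ada Lovelace",
                                      "dept": "Research", "ssn": "000-00-0001"},
        "empno=1002,ou=people,o=hr": {"empno": "1002", "fullName": "Grace Hopper",
                                      "dept": "Engineering", "ssn": "000-00-0002"},
    })
    app = Backend("dc=app,dc=example", {
        "uid=ada,ou=users,dc=app,dc=example": {"uid": "ada", "mail": "ada@example.test",
                                               "employeeNumber": "1001", "memberOf": ["cn=devs"]},
        "uid=grace,ou=users,dc=app,dc=example": {"uid": "grace", "mail": "grace@example.test",
                                                 "employeeNumber": "1002", "memberOf": []},
    })
    return VirtualDirectory(
        backends=[hr, app],
        attribute_maps={
            "o=hr": {"empno": "employeeNumber", "fullName": "cn", "dept": "departmentNumber"},
            "dc=app,dc=example": {},  # this backend already uses the common names
        },
        views={
            "payroll": ["employeeNumber", "cn", "departmentNumber"],
            "mailgateway": ["uid", "mail"],
            "helpdesk": ["employeeNumber", "cn", "uid", "mail"],
        },
    )


if __name__ == "__main__":
    vd = build_demo()
    print(vd.search("payroll", "ou=people,o=hr", "employeeNumber", "1001"))
    print(vd.search("mailgateway", "ou=users,dc=app,dc=example", "uid", "ada"))
    print(vd.join("helpdesk", "1002"))
```

Note that neither backend is copied or consolidated: the HR directory keeps its own schema and its sensitive fields, and what each consumer sees is decided in the virtual layer, which is where the per-application view becomes the enforcement point to audit.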

More standards needed

What's driving directory development is the fact that the products are mature, and so vendors need to make them more distinctive. Almost all vendors have support for LDAP Version 3, for example, and each continues to improve their directory's performance.

But even though the trend to align directories with identity management services is real, end-to-end distributed identity services are still in the future. Vendors need standard interfaces, such as Security Assertion Markup Language (SAML) and WS-Federation, to interact with other identity systems throughout the federation, Nikols said.

A future identity management service model will let customers determine what applications might use a directory, or help determine what requirements might be placed on a directory.

Today, IT staff can consider how centralized or distributed the enterprise should or could be, and which tools might best suit the job. "Realize that no one directory offering will satisfy all the roles you require in your environment," Nikols said. "You might have multiple instances of a given directory or multiple directories, but realize that in the grander context, you are having an integrated environment."

Single directory not the answer

IT experts say they have long struggled with the problem of sharing information between multiple directories. "There are always some people in every large company who say, 'We need one directory, as long as it is the one I want,'" said John McGlinchey, an Active Directory administrator at Bristol-Myers Squibb Co., a global pharmaceutical company based in New York.

"But we need various directories for various purposes," he said. "You don't need just one directory, you just need a way to tie all these different directories together."

Customers need to realize that directories are not going away, but they may move toward broader identity management services, Nikols said. They are the best option for a persistent data repository and they are good for storing rules and roles. "LDAP is also not going away, but it won't be the only interface," he said. "There will be others."
