Network directory services made popular by vendors such as IBM, Microsoft and Novell are in the process of being
Analysts at Burton Group, a Midvale, Utah-based consultancy, offered their vision on the evolutionary role of directories during a recent corporate conference call. They say directories are moving from their traditional role as general-purpose platforms serving one application in one area of the company, to serving as the foundation for identity management products. That role could further change as the concept of distributing identity services takes hold.
Monolithic directories are overloaded
Past conventional wisdom held that centralization in a single Lightweight Directory Access Protocol (LDAP) directory would make directories easier to administer, said Mike Neuenschwander, a Burton Group analyst. The thinking was that the
Nick Nikols, also a Burton Group analyst, said he sees a new wave of directories as specific to one platform and having one role, but interoperating with other directories across the enterprise. Directories are moving from isolation to consolidation -- and finally to a distributed phase that can support multiple, persistent uses of the same information, he said.
"Now we can start managing these distributed environments as a single logical entity, but getting the benefits of tailoring the schemas and directory structures to meet the specific needs of applications throughout the environment," Nikols said.
Indeed, customers need to think of identity services as something more than just directories. Identity services won't require consolidation as the previous architecture did, Neuenschwander added.
"There is a role for virtualization, for proxy services, for meta directory and for certain types of provisioning," he said. "Mix it all together and you can create not just a single place for applications to go in the physical sense to get identity information, but also the ability for identity information to be shared without taxing the architecture beyond its capacity."
More standards needed
What's driving directory development is the fact that the products are mature, and so vendors need to make them more distinctive. Almost all vendors have support for LDAP Version 3, for example, and each continues to improve their directory's performance.
But even though the trend to align directories with identity management services is real, end-to-end distributed identity services are still in the future. Vendors need standard interfaces, such as Security Assertion Markup Language (SAML) and WS-Federation, to interact with other identity systems throughout the federation, Nikols said.
A future identity management service model will let customers determine what applications might use a directory, or help determine what requirements might be placed on a directory.
Today, IT staff can consider how centralized or distributed the enterprise should or could be, and which tools might best suit the job. "Realize that no one directory offering will satisfy all the roles you require in your environment," Nikols said. "You might have multiple instances of a given directory or multiple directories, but realize that in the grander context, you are having an integrated environment."
Single directory not the answer
IT experts say they have long struggled with the problem of sharing information between multiple directories. "There are always some people in every large company who say, 'We need one directory, as long as it is the one I want,'" said John McGlinchey, an Active Directory administrator at Bristol-Myers Squibb Co., a global pharmaceutical company based in New York.
"But we need various directories for various purposes," he said. "You don't need just one directory, you just need a way to tie all these different directories together."
Customers need to realize that directories are not going away, but they may move toward broader identity management services, Nikols said. They are the best option for a persistent data repository and they are good for storing rules and roles. "LDAP is also not going away, but it won't be the only interface," he said. "There will be others."