June 01, 2002
Directory Integration

Enterprise Challenges

Directories are the lifeblood of the modern enterprise. They store critical user account and identity information for enterprise applications, services, network operating systems, and messaging systems. Directories also often store network configuration information for computers, printers, routers, and corporate security policies. Yet managing directories can prove a serious challenge for an IT organization, largely because many enterprise applications ship with their own proprietary authentication subsystems. Just because you authenticate yourself to Windows 2000 doesn't mean that Oracle Financials knows who you are (or how to access your authentication credentials, which are stored in Active Directory). Forrester Research and Gartner Group recently concluded in separate studies that the average Fortune 1000 company maintains over 181 separate directories. Needless to say, this creates a significant burden for system administrators, who must duplicate their efforts to create, modify, and remove directory information in multiple locations. It also impedes their ability to maintain directory data integrity when updates occur. Companies that efficiently integrate their directories stand to realize substantial competitive gains. The Burton Group estimates that a 25,000-user company can spend $360,000 annually on directory changes if the company has only seven user directories.

Directory Integration Techniques

Consistent identity management is important within a single enterprise, and it's essential if you're scaling your operations out beyond the firewall into partner organizations. There are four important techniques for integrating and unifying the information stored in directories: virtual directories, synchronization, metadirectories, and information brokering. These techniques range from simple system administration aids to full-blown data synchronization services that help you maintain the integrity of directory information. The integration solution that's right for your organization depends on what your business requirements are.
Virtual Directories: These are a useful tool for system administrators. The console interface is linked directly to the managed directories on the network, letting administrators manage multiple directories through a centralized point of control. Although helpful, virtual directories are generally used only for system administration purposes and don't typically provide the more complex management services, like directory synchronization, that help maintain data integrity. Microsoft offers a directory development API called the Active Directory Services Interface (ADSI) for accessing and managing directory products from different vendors. Independent software vendors can use it to build virtual directories. ADSI is a set of COM programming interfaces that integrate with any directory service that offers an ADSI service provider. The NT 4.0 domain directory, NDS, Lotus Notes, and LDAP directories integrate with ADSI. See "ADSI Integration" for more information. Some popular virtual directory products on the market include Entevo's DirectAdmin, Computer Associates's Unicenter TNG Directory Management Option, and IBM's Tivoli User Administration.
Synchronization: As mentioned, replication is an important function provided by the directory services. If directory information is updated at one server in a distributed cluster, the changes need to be replicated across all of the other participating servers in the cluster. This is fine if all of the directory servers in your organization use the same general replication protocol, LDAP, for instance. But what happens when you make changes in an NT 4.0 domain that need to be replicated in an LDAP directory? That's where synchronization comes in. Synchronization is the automatic update process that ensures that directory information is consistent across all participating directories in your organization, even if they use a different data model and schema. Synchronization differs from replication in that it can provide simple data translation services as well, which ensures that information is updated uniformly across all directories in the enterprise, regardless of their format. For instance, you can use synchronization to coordinate directory information stored in LDAP and NT 4.0 domains. You can use two different models to synchronize directories: one-to-one and one-to-many. The one-to-one method only synchronizes two directories at a time, and is implemented using either one-way or two-way update semantics. In one-way synchronization, one directory serves as the master source of information and always propagates update information directly into the second directory. The second directory never propagates update information back to the first directory. In two-way synchronization, the two directories can update each other as necessary. Directory Service Manager for NetWare (DSMN) from Microsoft uses one-way synchronization to coordinate NT domain information with NetWare. DSMN propagates changed user account information from an NT domain into a corresponding NetWare Bindery directory.
By contrast, Netscape's Directory Server uses two-way synchronization to coordinate user account information with NT. Changes in NT are propagated to Directory Server, and changes in Directory Server are propagated back to NT. One-to-many synchronization scales beyond two directories. You choose one directory to serve as the centralized enterprise directory, and configure the other directories on the network to route information into or out of the enterprise directory as needed. See "One-to-Many Synchronization" for more information.
Metadirectory: A problem with synchronization in a large enterprise environment is that the same user may use different logons for separate directory systems throughout the enterprise. For instance, I may authenticate to NT as psholtz and authenticate to NDS simply as paul. Having multiple identifiers for the same user can be a problem for synchronization programs. Synchronization often requires a single unique identifier for each user that's accepted across all connected directories. For instance, in the above example, two-way synchronization would simply create a new account in NDS called psholtz and a new account in NT called paul, rather than synchronizing the appropriate information between the existing accounts. Metadirectories can address this problem. These are similar to the centralized enterprise directories described in the one-to-many synchronization technique above, except that user objects are imported into the metadirectory using a technique called joining. Joining can correlate the user attributes of one particular user from each of the participating directories with the corresponding user object in the metadirectory. The metadirectory then holds all of its underlying directories' user attributes. Joining permits some relatively sophisticated synchronization policies. For example, you can synchronize one set of user attributes with one participating directory (such as NT) and synchronize a completely different set of user attributes with another participating directory (such as NDS).
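The following is an added example, not code from the article or from any product it names. It contrasts the two-way synchronization keyed on logon name described in the Synchronization section (which duplicates psholtz and paul into each other's directories) with a metadirectory join that correlates the two accounts on a shared attribute and then flows a different attribute set to each connected directory; the directory contents and the employeeID join key are constructed for illustration.

```python
# Added example: naive two-way sync by logon name vs. metadirectory joining.
# Sample directories and the employeeID join attribute are constructed.
from copy import deepcopy

# Constructed sample data: the same person with different logons in NT and NDS.
NT = {"psholtz": {"employeeID": "E100", "mail": "paul@example.com", "ntGroups": ["Users"]}}
NDS = {"paul": {"employeeID": "E100", "title": "CTO", "ndsContext": "o=corp"}}


def naive_two_way_sync(a, b):
    """Two-way sync keyed on logon name: each side creates accounts it lacks.

    This is the failure mode the article describes: psholtz appears in NDS
    and paul appears in NT instead of the two existing accounts being linked.
    """
    a, b = deepcopy(a), deepcopy(b)
    for login, attrs in list(a.items()):
        b.setdefault(login, dict(attrs))
    for login, attrs in list(b.items()):
        a.setdefault(login, dict(attrs))
    return a, b


def join(directories, join_attr="employeeID"):
    """Build metadirectory entries by correlating one user per directory on join_attr.

    Each entry records which logon the person has in each directory and holds
    the union of that person's attributes from all participating directories.
    """
    meta = {}
    for dir_name, directory in directories.items():
        for login, attrs in directory.items():
            entry = meta.setdefault(attrs[join_attr], {"logins": {}, "attrs": {}})
            entry["logins"][dir_name] = login
            entry["attrs"].update(attrs)
    return meta


def flow_out(meta, directories, policy):
    """Push a per-directory subset of metadirectory attributes to each connected directory.

    policy maps directory name -> set of attribute names allowed to flow to it,
    so NT and NDS can each receive a different attribute set for the same user.
    """
    out = deepcopy(directories)
    for entry in meta.values():
        for dir_name, login in entry["logins"].items():
            allowed = policy[dir_name]
            out[dir_name][login].update(
                {k: v for k, v in entry["attrs"].items() if k in allowed})
    return out
```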
Information Brokering: This technique is more about optimization than integration. Gathering all of the directory information from across the enterprise into one place can make metadirectories top-heavy. Avoid this problem by keeping some information locally in the underlying directories and propagating that information to the metadirectory only when the metadirectory needs it. The metadirectory therefore doesn't store information that it doesn't need, saving replication and synchronization costs between directories. This technique is called information brokering. Be aware that information brokering can cause problems if you don't deploy it carefully. The information broker can bog down the network with search requests if there isn't enough data stored directly in the metadirectory.
Emerging Trends

Identity management and directory services are an exciting area of IT innovation right now, and I've only barely scratched the surface of this topic here. Some other emerging trends and technologies that you should bear in mind are password synchronization and single sign-on (SSO) systems. Also, watch for Internet-scale identity management systems like Microsoft Passport and the Liberty Alliance. These types of systems may dramatically change the way users authenticate themselves to enterprise applications and services in the near future. Keeping on top of these emerging technologies will help you identify new ways to create value for your business partners while cutting your own system administration costs.
Paul is the cofounder and CTO of PrivacyRight, a San Francisco, CA-based developer of secure enterprise middleware. You can contact him at paul@privacyright.com.