Directory service
A directory service is the software system that stores, organizes and provides access to information in a directory. In software engineering, a directory is a map between names and values. It allows the lookup of values given a name, similar to a dictionary. As a word in a dictionary may have multiple definitions, in a directory, a name may be associated with multiple, different pieces of information. Likewise, as a word may have different parts of speech and different definitions, a name in a directory may have many different types of data.

Directories may be very narrow in scope, supporting only a small set of node types and data types, or they may be very broad, supporting an arbitrary or extensible set of types. In a telephone directory, the nodes are names and the data items are telephone numbers. In the DNS, the nodes are domain names and the data items are IP addresses (and aliases, mail server names, etc.). In a directory used by a network operating system, the nodes represent resources that are managed by the OS, including users, computers, printers and other shared resources. Many different directory services have been used since the advent of the Internet, but this article focuses mainly on those that have descended from the X.500 directory service.

Introduction

A simple directory service, called a naming service, maps the names of network resources to their respective network addresses. With the naming service type of directory, a user doesn't have to remember the physical address of a network resource; providing a name will locate the resource. Each resource on the network is considered an object on the directory server. Information about a particular resource is stored as attributes of that object. Information within objects can be made secure so that only users with the appropriate permissions are able to access it. More sophisticated directories are designed with namespaces such as Subscribers, Services, Devices, Entitlements, Preferences, Content and so on. This design process is closely related to identity management.

A directory service defines the namespace for the network. A namespace in this context is the term used for a container that holds one or more objects as named entries. The directory design process normally has a set of rules that determine how network resources are named and identified. The rules specify that the names be unique and unambiguous. In X.500 (the directory service standards) and LDAP the name is called the distinguished name (DN); it is the ordered collection of attribute values, the relative distinguished names (RDNs), which together make up the name of a directory entry.

A directory service is a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is an important component of a NOS (Network Operating System). In the more complex cases a directory service is the central information repository for a Service Delivery Platform. For example, looking up "computers" using a directory service might yield a list of available computers and information for accessing them.

Replication and distribution have very distinct meanings in the design and management of a directory service. The term replication is used to indicate that the same directory namespace (the same objects) is copied to another directory server for redundancy and throughput reasons. The replicated namespace is governed by the same authority. The term distribution is used to indicate that multiple directory servers that hold different namespaces are interconnected to form a distributed directory service. Each distinct namespace can be governed by a different authority.

Comparison with relational databases

There are a number of things that distinguish a traditional directory service from a typical relational database. Of course there are exceptions, but in general:
  • directory information is read more often than it is written; this makes features related to transactions and rollback less important.
  • data can be redundant if it helps performance.


Directory schemas are defined as object classes, attributes, name bindings and knowledge (namespaces), where an object class has:
  • Must - attributes that each of its instances must have
  • May - attributes that can be defined for an instance, but can be omitted, with the absence treated somewhat like NULL in a relational database
  • Attributes are sometimes multi-valued, allowing multiple naming attributes at one level (such as machine type and serial number concatenated) or multiple phone numbers for "work phone".
  • Attributes and object classes are standardized throughout the industry and formally registered with the IANA for their object ID. Therefore directory applications seek to reuse much of the standard classes and attributes to maximize the benefit of existing directory server software.
  • Object instances are slotted into namespaces. That is, each object class inherits from its parent object class (and ultimately from the root of the hierarchy), adding attributes to the must/may list.
  • Directory services are often a central component in the security design of an IT system and have a correspondingly fine granularity regarding access control: who may operate in which manner on what information. See also: ACLs (access control lists).


Implementations of directory services

Directory services were part of an Open Systems Interconnection (OSI) initiative to get everyone in the industry to agree to common network standards to provide multi-vendor interoperability. In the 1980s the ITU and ISO came up with a set of standards, X.500, for directory services, initially to support the requirements of inter-carrier electronic messaging and network name lookup. The Lightweight Directory Access Protocol (LDAP) is based on the directory information services of X.500, but uses the TCP/IP stack and a string encoding scheme of the X.500 protocol DAP, giving it more relevance on the Internet.

There have been numerous forms of directory service implementations from different vendors. Systems developed before the advent of X.500 include:
  • Domain Name System (DNS): the first directory service on the Internet, which is still used everywhere today.
  • Hesiod: was based on DNS and used at MIT's Project Athena.
  • Network Information Service (NIS), originally named Yellow Pages (YP): was Sun Microsystems' implementation of a directory service for Unix network environments. It served a similar role as Hesiod.
  • NetInfo: was developed by NeXT in the late 80s for NEXTSTEP. After NeXT was acquired by Apple, it was released as open source and used as the directory service for Mac OS X before being deprecated in favor of the LDAP-based Open Directory. Support for NetInfo was completely removed with the release of 10.5 Leopard.
  • Banyan VINES: was the first scalable directory services offering.
  • NT Domains: was developed by Microsoft to provide directory services for Windows machines prior to the release of the LDAP-based Active Directory in Windows 2000. Windows Vista continues to support NT Domains, but only after relaxing the minimum authentication protocols it supports.

Among the LDAP/X.500 based implementations are:
  • Active Directory: Microsoft's modern directory service for Windows, originating from the X.500 directory it created for use in Exchange Server, first shipped with Windows 2000 Server and is supported by successive versions of Windows.
  • eDirectory: This is Novell's implementation of directory services. It supports multiple architectures including Windows, NetWare, Linux and several flavours of Unix and has long been used for user administration, configuration management, and software management. eDirectory has evolved into a central component in a broader range of identity management products. It was previously known as Novell Directory Services.
  • Red Hat Directory Server: Red Hat released a directory service, which it acquired from AOL's Netscape Security Solutions unit, as a commercial product running on top of Red Hat Enterprise Linux called Red Hat Directory Server and as the community-supported 389 Directory Server project.
  • Open Directory: Apple's Mac OS X Server uses a directory service named Open Directory, which implements LDAP using a customized build of OpenLDAP and integrates support for both SASL and Kerberos authentication. It uses a plugin architecture to work with other LDAPv3 directories, including proprietary solutions like Active Directory and eDirectory.
  • Apache Directory Server: The Apache Software Foundation offers a directory service called ApacheDS.
  • Oracle Internet Directory (OID): Oracle Corporation's directory service, which is compatible with LDAP version 3.
  • CA Directory: CA Directory contains a pre-caching engine which can index all attributes that are used in LDAP search filters, and cache all attributes returned in search results.
  • Alcatel-Lucent Directory Server: CTIA 2009 4G Service Creation & Development Award winner, offering enhanced performance, high availability and proven efficiencies.
  • Sun Java System Directory Server: Sun Microsystems' current directory service offering.
  • OpenDS: An open source directory service implementation written from scratch in Java, backed by Sun Microsystems.
  • IBM Tivoli Directory Server: a customized build of an old release of OpenLDAP.
  • Siemens DirX Directory Server
  • Windows NT Directory Services (NTDS), later renamed Active Directory, replaces the former NT Domain system.
  • Critical Path Directory Server
  • OpenLDAP: Derived from the original University of Michigan reference LDAP implementation (as are the Netscape/Red Hat/Fedora/Sun JSDS servers) but significantly evolved. It supports all current computer architectures, including Unix and Unix derivatives, Linux, Windows, z/OS, and a variety of embedded/realtime systems.
  • Isode Limited: High performance and high availability LDAP and X.500 servers.
  • UnboundID Directory Server: A commercial high-performance directory server product produced by the UnboundID Corporation.
  • Lotus Domino

There are also plenty of open-source tools to create directory services, including OpenLDAP and the Kerberos protocol, and the Samba software, which can act as a Windows Domain Controller with Kerberos and LDAP backends. Administration is done using GOsa or the Samba-provided SWAT.

Unix OSs

Name services on Unix systems are typically configured through nsswitch.conf. Information from name services can be retrieved using getent.
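How getent walks the sources listed in nsswitch.conf, including the bracketed `[STATUS=action]` syntax that controls whether a lookup stops at a source or falls through to the next one, is easiest to see by replaying it. This is an added example, not code from the article or from glibc: the configuration text and the `files`, `ldap`, `mdns4_minimal` and `dns` back ends are constructed stand-ins (dictionaries, not real files or network lookups), and the default actions follow glibc's documented behaviour (SUCCESS returns, every other status continues).

```python
# Added example (not from the article): parse an nsswitch.conf and replay the
# source order getent follows for one database, including the bracketed
# [STATUS=action] syntax. The configuration text and the source back ends
# below are constructed stand-ins, not real files or real LDAP/DNS lookups.
import re
from typing import Callable, Dict, List, Optional, Tuple

NSSWITCH_CONF = """\
# constructed sample nsswitch.conf
passwd:   files ldap
group:    files ldap
shadow:   files
hosts:    files mdns4_minimal [NOTFOUND=return] dns
"""

# glibc defaults: SUCCESS returns, every other status continues to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}

Actions = Dict[str, str]
Lookup = Callable[[str, str], Tuple[str, Optional[str]]]   # (db, key) -> (status, value)


def parse_nsswitch(text: str) -> Dict[str, List[Tuple[str, Actions]]]:
    """Return {database: [(source, {status: action}), ...]} in file order."""
    conf: Dict[str, List[Tuple[str, Actions]]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries: List[Tuple[str, Actions]] = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
                continue
            if not entries:
                raise ValueError(f"action without a preceding source: {line}")
            actions = entries[-1][1]                  # applies to the source just before it
            for spec in tok[1:-1].split():
                status, _, action = spec.lower().partition("=")
                if status.startswith("!"):            # [!UNAVAIL=return]: every status but UNAVAIL
                    for other in DEFAULT_ACTIONS:
                        if other != status[1:]:
                            actions[other] = action
                else:
                    actions[status] = action
        conf[db.strip().lower()] = entries
    return conf


def resolve(conf, db: str, key: str, sources: Dict[str, Lookup]):
    """Consult the sources for db in order and stop where the status' action is
    'return'. Returns (status, value, trail); trail lists each source consulted."""
    trail: List[Tuple[str, str]] = []
    for source, actions in conf.get(db, []):
        lookup = sources.get(source)
        status, value = lookup(db, key) if lookup else ("unavail", None)
        trail.append((source, status))
        if actions.get(status, "continue") == "return":
            return status, value, trail
    return "notfound", None, trail


# Constructed back ends standing in for /etc/passwd, an LDAP directory, mDNS and DNS.
FILES = {"passwd": {"root": "root:x:0:0:root:/root:/bin/bash"},
         "hosts": {"localhost": "127.0.0.1 localhost"}}
LDAP = {"passwd": {"alice": "alice:x:10001:10001:Alice:/home/alice:/bin/bash"}}
DNS = {"hosts": {"www.example.test": "192.0.2.10 www.example.test"}}


def _table_lookup(table: Dict[str, Dict[str, str]]) -> Lookup:
    def lookup(db: str, key: str) -> Tuple[str, Optional[str]]:
        hit = table.get(db, {}).get(key)
        return ("success", hit) if hit else ("notfound", None)
    return lookup


def mdns_lookup(db: str, key: str) -> Tuple[str, Optional[str]]:
    # mdns4_minimal answers only for .local names; for anything else it reports
    # UNAVAIL, so the [NOTFOUND=return] after it never blocks the DNS fallback.
    return ("notfound", None) if key.endswith(".local") else ("unavail", None)


SOURCES: Dict[str, Lookup] = {"files": _table_lookup(FILES), "ldap": _table_lookup(LDAP),
                              "dns": _table_lookup(DNS), "mdns4_minimal": mdns_lookup}
CONF = parse_nsswitch(NSSWITCH_CONF)
```

The `trail` returned for a lookup is what to compare against `getent` output when a name resolves from an unexpected source: it shows exactly which source answered and why the walk stopped there.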

See also

  • Domain name system
  • LDAP Data Interchange Format
  • Directory Service Markup Language
  • MetaDirectory
  • Virtual directory
  • Hierarchical database model
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.