After years as a supporting player in network operating system (NOS) administration, directory services are making the leap to the bigger management stage, ready to play the leading role in policy-based management. For the few who already exploit directory services, your management benefits are about to multiply. For those who have yet to deploy an enterprise directory, the message is clear: The sooner you get with the program, the sooner you can tap these same benefits.
Several developments are setting the stage for directory services' rise to prominence. The emergence of standards such as the Lightweight Directory Access Protocol (LDAP) is providing much-needed vendor interoperability, freeing developers from having to tie their applications or services to a particular directory. Likewise, the Directory Enabled Networks (DEN) initiative, led by Microsoft Corp. and Cisco Systems, Inc., promises to increase momentum for directory services by bringing the physical infrastructure under the directory umbrella and tackling the standardization of directory information itself.
The idea behind all this activity is to enable a single common directory to support all your applications, services and infrastructure. Down the road, you won't have to set up and administer separate directories for your e-mail network, SAP R/3 implementations, remote access authentication services and so on.
The result will be fewer directory setup and maintenance chores, which means increased IT staff productivity. The reliability of directory information also will increase because the information won't be duplicated in numerous places.
Last, but perhaps most important, centralized directories will spawn true policy-based management. You'll be able to establish criteria for how your net should be managed, including response-time targets and authentication policies for different classes of users. The directory will serve as the vehicle that helps enforce policies across the enterprise.
Directory primer
Directories provide a simple way of naming, describing, finding, accessing and protecting resources over space and time. They are the logical places at which network services, applications and people meet and interact. Directories have been around for more than a decade. Banyan Systems, Inc. began shipping the StreetTalk directory service as part of its VINES NOS in 1986. Novell, Inc. began shipping its Novell Directory Services (NDS) with NetWare 4.0 in 1993. These NOS-based directories have allowed network administrators to manage and authenticate users and to administer file and print services.
A major benefit of directory services is they enable you to create a relationship between a logical representation of a resource such as a printer or file "object" and the physical device or resource. If you need to move a printer or a subdirectory to a server with more memory, you only have to change the relationship between the directory object and the physical resource it represents. There's no need to update user logon scripts or otherwise touch desktops. This helps cut desktop support costs.
Directory services also allow users to log on from anywhere on the network, because configuration and other user-related information is stored in the directory rather than in files on the user's desktop. Similarly, because directory services enable associations of logical names and access rights, user access rights don't have to change if a resource is moved.
In addition, extensions can be written that enable functions such as software distribution, password management and customized relationships between users and applications.
Users also benefit from this logical view of the network. Not only can they find the resources they need more easily, they also gain location independence. As more applications and services exploit directory services for user authentication, users will be able to employ a single logon that gives them access to all the resources they need.
Beyond the NOS
Over the past few years, directory services have grown beyond simple NOS administration. An enterprise directory is now recognized as a tool that brings together the management of users, security, applications, services such as e-mail, and network devices ranging from desktops to routers.
"The real power of a directory service is that it provides a common interface for provisioning services and users across a heterogeneous network," notes Lee Rhodes, strategic alliance manager for Hewlett-Packard Co.'s Internet Infrastructure Operation. Over the past six months, Novell and Netscape Communications Corp. have announced products that clearly demonstrate the power of directory services in easing administration of other network services. For example, several of the components in Novell's BorderManager product use NDS in some way. BorderManager provides a number of Internet-related services, including an IPX-to-IP gateway and a proxy service, that help improve Web performance. Both services look to NDS to determine whether a user is properly authenticated and, if so, which access rights and restrictions apply. NDS also holds the configuration and management information for virtual private networks supported by BorderManager, so there's no need for a separate data store for this information.
Netscape recently announced it is expanding its Mission Control management tool to include directory-enabled administration of Netscape client, server and application software. Currently, Mission Control manages client configuration for Netscape's Communicator. When it releases SuiteSpot 4.0 later this year, Netscape will expand Mission Control to include all administration and security functions of Netscape clients and servers.
For example, under the new version of Mission Control, user profiles will be stored in the Netscape Directory Server rather than on users' desktops, as they are now. This change will allow for location independence for clients as well as simplified, centralized administration.
Netscape Certificate Server also will be integrated with the Netscape directory and Mission Control. Rather than maintain its own database, Netscape Certificate Server 4.0 will use the directory as the repository for certificates. This will allow for centralized, directory-based management of user security credentials such as public-key certificates. For example, administrators will be able to configure Mission Control to revoke certificates when they delete a user from the directory.
The LDAP factor
Directory vendors aren't the only ones getting into the act. Other vendors are looking to directory services to support authentication and other functions.
Bay Networks, Inc. currently exploits directory services natively in BaySecure Access Control, its Remote Authentication Dial-In User Service (RADIUS). Rather than duplicate directory services in its RADIUS server, Bay is directing authentication operations to underlying naming and directory services. BaySecure Access Control is available for Windows NT, NetWare and Unix. Each version uses the directory that is native to its operating system: the NT Domain Naming System, the NetWare bindery or NDS, and the Network Information Services Unix-based naming scheme.
The standardization and subsequent widespread adoption of LDAP has been a key driver behind vendors such as Bay taking advantage of directory services rather than creating their own application- or service-specific directories. LDAP defines a standard protocol for accessing and updating directory information in a client-server model. As a standard, LDAP provides for vendor-independent directory access and makes directory interoperability possible. While it's neither perfect nor complete, LDAP is making the new directory-based management paradigm possible.
The latest version of the LDAP specification, Version 3, offers significant enhancements over Version 2. In particular, LDAP 3.0 supports various authentication schemes and has a referral capability so one directory server can forward a client's query to another. In addition, LDAP 3.0 supports schema discovery, so an LDAP client can learn about the structure of the information in a directory. Because LDAP must be able to search, read and update server information on behalf of the client, the client must have prior knowledge of the directory's schema, or have some facility for discovering and interpreting schema.
Support for LDAP has grown rapidly among vendors of directory services. Netscape, Novell, Microsoft, Banyan and Sun Microsystems, Inc. each support the protocol in their respective directories and, in some cases, applications (see story above).
Likewise, network equipment vendors are using directory services for everything from user authentication to policy-based management. Companies such as Bay and Cabletron Systems, Inc. have or are working on LDAP clients for some of their network gear.
Toward policy-based management
As more vendors leverage the common data within directory services, we will begin to see true policy-based management. Indeed, all the leading equipment vendors have committed to exploiting directory services as part of their policy-based management offerings.
Directory services provide a centralized way for IT managers and service providers to define the policies according to which network services are configured, operated and managed. Policies can be based on criteria such as response time and uptime targets, often broadly referred to as service-level agreements; application and security requirements; and Internet/intranet access needs. Network services and related policies can be tied to individual users, groups of users, organizational units such as departments and companies as a whole.
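To make the "policies tied to users, groups, organizational units and the company as a whole" idea concrete, here is an added example (not code from the article or any vendor named in it) that loads a constructed LDIF fragment and resolves a user's effective policy by precedence: the user's own entry, then groups the user belongs to, then each ancestor of the user's distinguished name. The netPolicy attribute, the DNs and the policy values are all made up for illustration.

```python
"""Resolve a user's effective network policy from LDAP-style directory entries.

Constructed example: entries are written in LDIF (the LDAP interchange format)
and a hypothetical 'netPolicy' attribute (not part of any standard schema)
holds 'name=value' pairs. Precedence, most specific first: the user entry,
groups listing the user as a member, then each ancestor of the user's DN
(organizational unit, then organization).
"""
from collections import defaultdict

# Constructed LDIF snippet; every DN, group and policy value is made up.
LDIF = """\
dn: o=Example
netPolicy: responseTimeMs=500
netPolicy: internetAccess=deny

dn: ou=Engineering,o=Example
netPolicy: internetAccess=allow
netPolicy: classOfService=bronze

dn: cn=eng-leads,ou=Groups,o=Example
member: cn=alice,ou=Engineering,o=Example
netPolicy: classOfService=gold

dn: cn=alice,ou=Engineering,o=Example
netPolicy: responseTimeMs=100

dn: cn=bob,ou=Engineering,o=Example
"""


def parse_ldif(text):
    """Parse minimal LDIF: blank-line-separated entries of 'attr: value' lines.
    Continuation lines and base64 ('::') values are deliberately not handled."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs[attr].append(value)
        entries[attrs["dn"][0]] = attrs
    return entries


def ancestors(dn):
    """Yield the DN's parents nearest first (naive comma split; escaped commas ignored)."""
    parts = dn.split(",")
    for i in range(1, len(parts)):
        yield ",".join(parts[i:])


def effective_policy(entries, user_dn):
    """Merge netPolicy settings from user, groups, then ancestors; first setting wins."""
    scopes = [user_dn]
    scopes += [dn for dn, e in entries.items() if user_dn in e.get("member", [])]
    scopes += list(ancestors(user_dn))
    policy = {}
    for dn in scopes:
        for item in entries.get(dn, {}).get("netPolicy", []):
            key, _, value = item.partition("=")
            policy.setdefault(key, value)  # keep the most specific setting seen
    return policy
```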
Cabletron, for example, is licensing Netscape's LDAP 3.0 developers' kit and will implement LDAP clients on its high-end SmartSwitches by mid-1998. LDAP support will enable the switches to communicate with the Netscape directory to discover information about user logon names and corresponding security rights. That in turn enables the switches to apply user-based policies. Cabletron also will store key network information in the directory, including a user's IP and media access control address and related switch port information.
3Com Corp. has similar plans. Customers will use 3Com's Transcend Policy Manager application to configure policies, which will be stored in a directory server. A separate policy server will access the policy rules in the directory via LDAP and interpret them on behalf of various types of network equipment. 3Com expects to ship its Transcend Policy Manager application and LDAP-based policy server in the third quarter and will initially support Netscape's directory for NT and Novell's NDS for NT.
Bay is creating a policy-based management system that combines an LDAP 3.0 server with its NetID platform, which is a set of services for managing IP addressing, Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) servers. Bay recently inherited its first LDAP-enabled policy-based management capability when it acquired New Oak Communications, Inc. New Oak has implemented an LDAP 2.0 client and server for managing the setup of tunneled sessions and VPNs and for authentication services on the NOC 4000 access device.
Cisco recently announced its road map for policy-based management, key pieces of which will ship in the second half of the year. Like other vendors, Cisco will provide a management application for configuring policies. Initially, Cisco will store policy information in policy servers, which will communicate with network equipment via mechanisms such as the command-line interface. Longer term, Cisco will use the Common Open Policy Service protocol, currently being defined by the Internet Engineering Task Force, to pass policy information from a policy server to network gear.
Like Bay, Cisco will initially use its DNS/DHCP platform, which it calls the network registry, for host name and IP address information. The company will provide directory access via LDAP 3.0 to enable policies based on user and group information. In 1999, Cisco will provide full integration of its policy management system with Microsoft's Active Directory, including support for the DEN specification.
Even start-ups are taking advantage of directories. Similar to New Oak, Berkeley Networks, Inc., of Milpitas, Calif., has developed what it calls "application-aware" Ethernet switches that will use directory services for configuration data, as well as for policies that cover security and access, class of service, routing and naming. Rather than wait for the DEN specification to evolve, Berkeley defined its own schema extensions that characterize its switches. The company also created extensions to standard directory browsers so network administrators can view and manipulate the switches and related information within the directory tree structure. For example, an administrator can click on an NDS tree and drop the Berkeley switches into any part of the directory. Clicking on the switch object will bring up a window that offers various options, such as to view the switch's name, serial number, location and software release, or to set policy for class of service on an application-by-application basis.
The Berkeley switches include an LDAP client that can be used to communicate with the directory. Berkeley initially will support any LDAP-accessible directory and expects to deliver this capability in the second quarter.
Future roles
A number of industry players envision an even more expanded role for directory services in systems and network management.
Proponents of the DEN initiative want to store information about network services and device configuration in the directory. While not all vendors are enthusiastic about this aspect of the DEN work, Lionel Gibbons, director of 3Com's TranscendWare Product Group, believes such an effort could vastly simplify the configuration of multivendor equipment.
If vendors support a common schema, customers will be able to configure devices by defining objects in a directory, Gibbons says. So rather than having to know how to configure a 3Com or Cisco switch, you simply would configure a "generic" switch. Vendors would have to enable their network equipment to read this high-level configuration information out of the directory and translate it in a way that's specific to their devices.
Cisco envisions directories playing a role in event management rather than merely acting as a repository for information and relatively static relationships. For example, if an "event" occurs, such as the clock striking 5 p.m., the directory could trigger a series of operations, perhaps limiting access to the accounting server, switching routes for WAN traffic and kicking off a bandwidth reservation for server backup.
Marc Trachtenberg, a principal at consultancy Mycroft, Inc., in New York, has a similar vision. "Objects in the directory need to be activated by events and take responsibility for their domain of influence," Trachtenberg says. "The real value in directories will be having the authority to make event-driven decisions about the relationships they're managing."
It will take time for directory services to step into this expanded role. Technical issues related to directory performance and scalability must be tackled, including the creation of a standard for replicating data among directory services. Likewise, the effort to define a common schema has barely begun and will easily extend into 1999.
Directory payback
Even so, there's plenty you can be doing now to directory-enable your enterprise.
For many organizations, the biggest hurdle is getting a good understanding of your business processes. Also, be aware that the decision to implement directory services can precipitate political battles if all arms of IT - as well as key business managers - aren't involved or if the rollout isn't handled diplomatically.
In terms of hard costs, the directory software is the main expense. However, there are a number of "soft" costs, of which planning is the largest. Trachtenberg notes it is necessary to consider the staff or consultant time needed to create a directory model, evaluate products and learn how to use and manage the directory service. The planning process can take months.
Consultants at firms such as Mycroft and Rapport Communication, of Silver Spring, Md., agree that you should begin the process of architecting a directory now. You can take a tactical approach, if need be, and see which areas of your organization would immediately benefit from a directory implementation. For example, the integration of Novell's NDS and Bay's RADIUS services may be a compelling first step.
Likewise, roll out products that support LDAP clients and servers as they become available from your key vendors. New versions of e-mail clients and servers would be a good start.
Trachtenberg also recommends that the various arms of IT, including the infrastructure, application development and support staff, begin to document the relationships between users, applications and other resources. Next, organize resources by business function, not by physical devices. Take into account your remote and mobile users in planning the directory.
The process of building a directory is difficult, whichever directory you choose, so the sooner you get started, the better. As Trachtenberg notes, there's no sense waiting for Microsoft's Active Directory to ship; it will be relatively easy to migrate to it when the time comes, if you so choose, as compared with implementing your first directory.
All this work has a payoff, of course, and it comes in the form of reduced administration costs.
In light of tight IT budgets and the constant scramble for support staff, directory services offer a concrete way to gain management efficiencies. Mycroft is among the consulting groups that have demonstrated that directory services can pay for themselves in less than a year. Rapport notes that savings increase as you continually phase out duplicate directories. The value of directories will increase even more as policy-based management and other directory-enabled services are delivered.
The companies that begin to exploit the benefits of directory services now will be in the best position to follow its rising star.
RELATED LINKS
Bay, Netscape, Novell team on policy-based nets
Network World Fusion, 10/29/97.
Directories are branching out
Now you've got to determine whether Microsoft's ADS or Novell's NDS will integrate with your enterprise. Network World, 9/15/97.
Critical Angle's LDAP World
LDAP links and resources.
Microsoft to open directory door?
A look at DEN; includes links to the DEN Ad Hoc Working Group. Network World, 2/16/98.
The Integrated Network Services Switch: Architecture and Technology
White paper from Berkeley Networks describing its directory-enabled switches. 787K PDF file.
Petrosky is a senior analyst at The Burton Group, an information services firm that provides in-depth technology analysis. She can be reached at (415) 572-0560 or petrosky@tbg.com.