A directory service called a naming service, maps the names of network resources to their respective network addresses. With the name service type of directory, a user does not have to remember the physical address of a network resource; providing a name locates the resource. Each resource on the network is considered an object on the directory server. Information about a particular resource is stored as attributes of that object. Information within objects can be made secure so that only users with the available permissions are able to access it. More sophisticated directories are designed with namespaces as Subscribers, Services, Devices, Entitlements, Preferences, Content and so on. This design process is highly related to Identity management.
A directory service defines the namespace for the network. A namespace in this context is the term that is used to hold one or more objects as named entries. The directory design process normally has a set of rules that determine how network resources are named and identified. The rules specify that the names be unique and unambiguous. In X.500 (the directory service standards) and LDAP the name is called the Distinguished name (DN) and refers to a collection of attributes (relative distinguished names) that make up the name of a directory entry.
A directory service is a shared information infrastructure for locating, managing, administering, and organizing common items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is an important component of a NOS (Network Operating System). In the more complex cases a directory service is the central information repository for a Service Delivery Platform. For example, looking up "computers" using a directory service might yield a list of available computers and information for accessing them.
Replication and Distribution have very distinct meanings in the design and management of a directory service. The term replication is used to indicate that the same directory namespace (the same objects) are copied to another directory server for redundancy and throughput reasons. The replicated namespace is governed by the same authority. The term distribution is used to indicate that multiple directory servers, that hold different namespaces, are interconnected to form a distributed directory service. Each distinct namespace can be governed by different authorities.
Comparison with relational databases
Several things distinguish a traditional directory service from a typical relational database. Of course there are exceptions, but in general:
- directory information is read more often than it is written; this makes features related to transactions and rollback less important.
- data can be redundant if it helps performance.
Directory schemas are defined as object classes, attributes, name bindings and knowledge (namespaces), where an object class has:
- Must - attributes that each of its instances must have
- May - attributes that can be defined for an instance, but can be omitted with the absence treated somewhat like NULL in a relational database
- Attributes are sometimes multi-valued allowing multiple naming attributes at one level such as machine type and serial number concatenated or multiple phone numbers for "work phone".
- Attributes and object classes are standardized throughout the industry and formally registered with the IANA for their object ID. Therefore, directory applications seek to reuse much of the standard classes and attributes to maximize the benefit of existing directory server software.
- Object instances are slotted into namespaces. That is, each object class inherits from its parent object class (and ultimately from the root of the hierarchy) adding attributes to the must/may list.
- Directory services are often a central component in the security design of an IT system and have a correspondingly fine granularity regarding access control: who may operate in which manner on what information. Also see: ACLs
Implementations of directory services
Directory services were part of an Open Systems Interconnection (OSI) initiative to get everyone in the industry to agree to common network standards to provide multi-vendor interoperability. In the 1980s, the ITU and ISO came up with a set of standards - X.500, for directory services, initially to support the requirements of inter-carrier electronic messaging and network name lookup. The Lightweight Directory Access Protocol, LDAP, is based on the directory information services of X.500, but uses the TCP/IP stack and a string encoding scheme of the X.500 Directory Access Protocol (DAP), giving it more relevance on the Internet.
There have been numerous forms of directory service implementations from different vendors. Systems developed before the advent of X.500 include:
- Domain Name System: (DNS), the first directory service on the Internet, which is still used everywhere today.
- Hesiod: was based on DNS and used at MIT's Project Athena.
- Network Information Service: (NIS), originally named Yellow Pages (YP), was Sun Microsystems' implementation of a directory service for Unix network environments. It served a similar role as Hesiod.
- NetInfo: was developed by NeXT in the late 1980s for NEXTSTEP. After being acquired by Apple, it was released as open source and used as the directory service for Mac OS X before being deprecated in favor of the LDAP-based Open Directory. Support for NetInfo was completely removed with the release of 10.5 Leopard.
- Banyan VINES: was the first scalable directory services offering.
- NT Domains: was developed by Microsoft to provide directory services for Windows machines prior to the release the LDAP-based Active Directory in Windows 2000. Windows Vista continues to support NT Domains, but only after relaxing the minimum authentication protocols it supports.
Among the LDAP/X.500 based implementations are:
- Active Directory: Microsoft's modern directory service for Windows, originating from the X.500 directory, created for use in Exchange Server, first shipped with Windows 2000 Server and is supported by successive versions of Windows.
- Apache Directory Server: Directory service written in Java, supporting LDAP, Kerberos 5 and the Change Password Protocol. LDAPv3 certified. The Apache Directory Server is also a top level project of the Apache Software Foundation.
- eDirectory: This is NetIQ's implementation of directory services. It supports multiple architectures including Windows, NetWare, Linux and several flavours of Unix and has long been used for user administration, configuration management, and software management. eDirectory has evolved into a central component in a broader range of Identity management products. It was previously known as Novell Directory Services.
- Red Hat Directory Server: Red Hat released a directory service, that it acquired from AOL's Netscape Security Solutions unit, as a commercial product running on top of Red Hat Enterprise Linux called Red Hat Directory Server and as the community supported 389 Directory Server project.
- Oracle Internet Directory: (OID) is Oracle Corporation's directory service, which is compatible with LDAP version 3.
- Sun Java System Directory Server: Sun Microsystems' current directory service offering
- OpenDS: An open source directory service implementation from scratch in Java, backed by Sun Microsystems
- IBM Tivoli Directory Server It is a customized build of an old release of OpenLDAP.
- Windows NT Directory Services (NTDS), later renamed Active Directory, replaces the former NT Domain system.
- Critical Path Directory Server
- OpenLDAP Derived from the original University of Michigan reference LDAP implementation (as are the Netscape/Red Hat/Fedora/Sun JSDS servers) but significantly evolved. It supports all current computer architectures, including Unix and Unix derivatives, Linux, Windows, z/OS, and a variety of embedded/realtime systems.
- Lotus Domino
- Nexor Directory
There are also plenty of open-source tools to create directory services, including OpenLDAP and the Kerberos protocol, and Samba software, which can act as a Windows Domain Controller with Kerberos and LDAP backends. Administration is done using GOsa or Samba provided SWAT.
Using name services
- Domain name system
- LDAP Data Interchange Format
- Directory Service Markup Language
- Virtual directory
- Hierarchical database model