Tools to help you streamline directory administration
Directories are fundamental to network services. Directories store and publish user and network resource information. They contain user accounts for network OSs, messaging systems, and applications, and network configuration information for computers, printers, routers, and corporate networks' security policies. Forrester Research and GartnerGroup concluded in separate studies that the typical Fortune 1000 company maintains an average of 181 directories. Managing so many directories is difficult. Network administrators must duplicate their efforts to create, modify, and remove directory information in multiple directories to maintain the directories' accuracy when changes occur. This work produces significant costs for network administration. According to the Burton Group, a 25,000-user company can spend $364,583 annually on directory changes if the company has only seven user directories.
How do you reduce the cost of directory administration when you can't eliminate existing directories or avoid creating new ones? The only answer is directory integration. Directory integration lets network administrators manage directory information from one directory and automates the process of changing that information in multiple directories. In the short run, directory integration lowers the cost of directory management because it reduces human involvement. A comprehensive directory-integration system often requires an enterprise directory that stores and unifies directory information in a central repository, or metadirectory. In the long run, you can build new network services on a metadirectory: for example, single sign-on (SSO), to simplify the user logon process; public key infrastructure (PKI), to manage digital certificates for e-commerce; and Directory Enabled Networks (DEN), to deploy Quality of Service (QoS) and manage network resources. Also, new directory-enabled applications can take advantage of an existing metadirectory and help you avoid adding new user directories to your network. (For more information about metadirectories and directory integration, see "Related Articles in Windows NT Magazine," page 101.)
Directory integration has become a high priority in today's network management. In fact, many companies are deploying or planning enterprise directories not only for directory integration but also for e-commerce projects. The four techniques of directory integration (virtual directory, synchronization, join, and information broker) can meet these enterprise needs. In this article, I discuss the four directory-integration techniques and their roles in the metadirectory. I also describe metadirectory architecture and two metadirectory types. With a clear understanding of directory-integration techniques and the metadirectory, you can characterize third-party directory-integration solutions by their implementation methods and choose the product that meets your company's present and future needs. The sidebar "Password Synchronization and Security" discusses password synchronization in directory integration.
Virtual Directory
A virtual directory is an administrative tool that lets you manage multiple directories from one console. The console's interface is linked to managed directories in the network. You can manage directory information from the console.
A virtual directory that many NT administrators know is Entevo's DirectAdmin. DirectAdmin lets you centrally manage NT domains. You install DirectAdmin on an NT computer from which you can map NT 4.0's flat domain structure to an Active Directory (AD)-like hierarchical tree structure, delegate individual administrative tasks, and move users from one domain to another. With the DirectAdmin NDS Plus Pack, you can manage NT and Novell Directory Services (NDS) from one console. Other cross-platform virtual directories include Computer Associates' Unicenter TNG Directory Management Option (DMO) and IBM's Tivoli User Administration. DMO lets you manage messaging and database directories in addition to various network operating system (NOS) directories.
Microsoft provides a directory development service, Active Directory Services Interface (ADSI), that helps independent software vendors (ISVs) develop virtual directory tools to manage different vendors' directories. For example, Entevo used ADSI to develop the DirectAdmin products. ADSI is an open set of COM programming interfaces for directory services; it plays the same role for directories that OLE DB plays for relational databases. Applications written to ADSI work with any directory service that has an ADSI service provider. A virtual directory tool, for example, can access the NT 4.0 domain directory, NDS, Lotus Notes, and Lightweight Directory Access Protocol (LDAP)-enabled directories through each directory's ADSI interface and service provider, as Figure 1 shows.
The virtual directory, however, is purely a client-side solution for administrative use (virtual directories are sometimes called virtual directory administration clients). A virtual directory is not a server-side directory service that users access for network logon and name lookup. Virtual directories generally don't include complex management services such as directory synchronization. Although some vendors offer both virtual directory and synchronization functions in one product (e.g., DirectAdmin NDS Plus Pack), the synchronization functions typically run on servers. Because the console authenticates to every managed directory with administrative credentials, protect the administrators' workstations and accounts as carefully as the directories themselves.
Synchronization
Directory synchronization plays an important role in directory integration by ensuring, through an automatic update process, that directory information is consistent across directories. Directory synchronization populates information from one directory to another. It differs from directory replication, which copies data between instances of the same directory using an identical format and schema; synchronization crosses directory types and can provide simple data translation. A synchronization event occurs either when the synchronization service finds a change in a directory or at a predefined time. An early implementation of directory synchronization was the synchronization between different email systems that products such as Lotus' Soft-Switch provided. During the past 3 years, many vendors have delivered tools to synchronize directories between NOSs, email systems, and applications.
Two synchronization methods currently exist: one-to-one and one-to-many. In one-to-one synchronization, the synchronization service synchronizes only two directories to provide one-way or two-way synchronization. One-way synchronization always populates information from one directory to the other. For example, Microsoft offers Directory Service Manager for NetWare (DSMN) in NT. In a mixed NT and Novell NetWare environment, you can use your NT domain as a single point of control to manage user accounts. DSMN feeds changed user account information from the NT domain to a NetWare Bindery directory. Microsoft delivers a similar directory synchronization service for NDS in Windows 2000 (Win2K). Novell's retired Workstation Manager implemented a similar function but used NDS as a single point of control. (Novell replaced Workstation Manager with NDS for NT. NDS for NT uses NDS to substitute for the NT domain SAM, which doesn't require synchronization.)
In contrast to one-way synchronization, two-way synchronization lets two directories update each other. For example, Netscape's Directory Server includes a two-way directory synchronization service for NT. The utility replicates changed user information in NT to Directory Server and feeds changed user information in Directory Server to NT. Two-way synchronization allows flexible directory management and can head off political conflicts when directory administration must be distributed throughout an organization. It also needs a conflict-resolution rule: if the same attribute changes in both directories between synchronization cycles, the service must decide which side wins, or one directory's change silently overwrites the other's.
The second synchronization method, one-to-many, is more comprehensive than one-to-one synchronization and scales beyond two directories. In one-to-many synchronization, you need to designate one directory as an enterprise directory and inject information from other directories into this centralized repository, or distribute information from the enterprise directory to other directories. Figure 2, page 102, depicts three possible directory relationships in one-to-many synchronization. NetVision's Synchronicity uses NDS as an enterprise directory. Synchronicity can synchronize NDS with NT, Microsoft Exchange Server, Lotus Notes, and NetWare Bindery.
Both the one-to-one and one-to-many synchronization methods use a straightforward duplication process to populate directory information. Both methods also often require unique usernames in all connected directories. However, in a large network with many directories, users often have multiple usernames if the organization doesn't enforce a unique-username convention. If user John's NT username is John but his NDS username is Johnny, synchronization will simply create a new Johnny account in NT when it replicates accounts from NDS to NT, leaving John with two NT accounts, one of which nobody manages. Some well-designed synchronization tools, such as Synchronicity, give you options in this situation: for example, replacing an existing object, creating a new object, or generating an error. Alternatively, some synchronization systems offer a limited function to match on attributes other than username. For example, if you define a unified employee ID in the user objects across the directories you want to synchronize, you can choose this attribute as an alternative to matching on usernames. This method leads us to the join concept.
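The following Python model is an added example, not code from the article or from any of the synchronization products it names. It represents two directories (an NT domain and an NDS tree) as plain dictionaries keyed by username, with a "changed" sequence number standing in for the modification timestamp a real directory service would expose. It replays the John/Johnny scenario above under the three options a well-designed tool offers (create, error, or match on an alternative attribute) and shows a two-way pass that resolves a conflicting change by the newer timestamp instead of by which direction happened to run first. The sample accounts, attribute names, and employee IDs are all constructed for the example.

```python
"""Directory synchronization model: one-way and two-way propagation and the
duplicate-account failure mode caused by mismatched usernames.
Added example; the directories, accounts and 'changed' counters are constructed."""

from copy import deepcopy

# Constructed sample data: the same two people in an NT domain and an NDS tree.
# John's NT username is 'john' but his NDS username is 'johnny'.
NT = {
    "john": {"fullname": "John Smith", "dept": "Sales", "employee_id": "1001", "changed": 5},
    "mary": {"fullname": "Mary Jones", "dept": "IT", "employee_id": "1002", "changed": 3},
}
NDS = {
    "johnny": {"fullname": "John Smith", "dept": "Marketing", "employee_id": "1001", "changed": 7},
    "mary": {"fullname": "Mary Jones", "dept": "IT", "employee_id": "1002", "changed": 3},
}

SYNCED = ("fullname", "dept")  # attributes the synchronization service carries across


def _locate(target, name, rec, on_missing):
    """Find the target account for rec: by username first, then (if on_missing
    is 'match_id') by the unified employee_id. Returns a username or None."""
    if name in target:
        return name
    if on_missing == "match_id":
        hits = [n for n, r in target.items() if r["employee_id"] == rec["employee_id"]]
        return hits[0] if len(hits) == 1 else None  # ambiguous matches are refused
    return None


def one_way_sync(source, target, last_sync, on_missing="create"):
    """Push accounts changed since last_sync from source into target.
    on_missing: 'create' duplicates the account under the source username,
    'error' refuses it, 'match_id' looks the target account up by employee_id.
    Returns the list of (action, username) tuples describing what happened."""
    actions = []
    for name, rec in source.items():
        if rec["changed"] <= last_sync:
            continue  # unchanged since the last run
        dest = _locate(target, name, rec, on_missing)
        if dest is None:
            if on_missing == "create":
                target[name] = deepcopy(rec)  # a second account for the same person
                actions.append(("create", name))
            else:
                actions.append(("error", name))
            continue
        for attr in SYNCED:
            target[dest][attr] = rec[attr]
        target[dest]["changed"] = rec["changed"]
        actions.append(("update", dest))
    return actions


def two_way_sync(a, b, last_sync):
    """Synchronize in both directions. Accounts are paired by employee_id so a
    username mismatch cannot hide a conflict; when both sides changed the same
    account since last_sync, the newer 'changed' counter wins deterministically.
    Returns the list of (username_in_a, username_in_b) pairs that conflicted."""
    conflicts = []
    for name_a, ra in a.items():
        name_b = _locate(b, name_a, ra, "match_id")
        if name_b is None:
            continue
        rb = b[name_b]
        if ra["changed"] > last_sync and rb["changed"] > last_sync:
            conflicts.append((name_a, name_b))
            winner, loser = (ra, rb) if ra["changed"] >= rb["changed"] else (rb, ra)
            for attr in SYNCED:
                loser[attr] = winner[attr]
            loser["changed"] = winner["changed"]
    one_way_sync(a, b, last_sync, on_missing="match_id")
    one_way_sync(b, a, last_sync, on_missing="match_id")
    return conflicts


def sync_demo():
    """Replay the NDS-to-NT scenario under each option, then a two-way pass.
    Returns a dict of outcomes; note that 'create' leaves NT with three accounts."""
    results = {}
    for mode in ("create", "error", "match_id"):
        nt, nds = deepcopy(NT), deepcopy(NDS)
        actions = one_way_sync(nds, nt, last_sync=4, on_missing=mode)
        results[mode] = (actions, sorted(nt), nt["john"]["dept"])
    nt, nds = deepcopy(NT), deepcopy(NDS)
    conflicts = two_way_sync(nt, nds, last_sync=4)
    results["two_way"] = (conflicts, nt["john"]["dept"], nds["johnny"]["dept"])
    return results


if __name__ == "__main__":
    for mode, outcome in sync_demo().items():
        print(mode, outcome)
```

The "create" run is the failure mode the text describes: after one pass NT holds john, johnny, and mary, and the extra johnny account will keep receiving NDS changes while the real john account drifts. Matching on the employee ID updates the existing account instead, which is the behaviour a join-based metadirectory generalizes.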
Join
The join technique of directory integration works with the synchronization technique to create one metadirectory and link user objects from different directories to the metadirectory. Join makes directory integration possible in a complex environment. Suppose employee John's NT username is Johnny, his NDS username is John, and his human resources (HR) ID is JSmith. Join can associate John's three sets of user attributes from the three directories in which those attributes reside with John's user object in the metadirectory. The metadirectory can hold all of its underlying directories' user attributes or selected user attributes from those directories. Figure 3 shows how the join technique links multiple directories to the metadirectory.
In addition to linking multiple user objects to one user object, join lets you associate and synchronize specific object attributes in a connected directory with specific attributes of the corresponding object in the metadirectory. Join also lets you control the direction in which each attribute flows. For example, you can synchronize John's HR attributes (his full name, employee number, department, phone number, and office address) with the corresponding attributes in the metadirectory, feeding them from the HR database into the metadirectory. Conversely, you can replicate some of John's metadirectory attributes (his full name and description) from the metadirectory to his NT directory and others (his full name and department) to his NDS directory. A successful join requires the metadirectory and all underlying directories to remain reachable during the join process.
When you join two objects, you need to identify a common attribute in the two objects to serve as the join point. Network administrators often use attributes such as full name, employee number, and social security number as common attributes. Employee number is the best of these: full names are rarely unique across a large company, and a social security number is sensitive data that you don't want replicated into every directory that participates in the join. Metadirectory products such as ISOCOR's MetaConnect and ZOOMIT's VIA provide an easy-to-use GUI and scripting tools to set up rules for automatic joins on a common attribute in objects in the metadirectory and an underlying directory. Joining two objects with no common attribute is a tedious manual process.
The metadirectory that the join technique creates can serve as a companywide central point of directory access. Network administrators can manage user information in the metadirectory and then feed any part of the user information to underlying directories. Conversely, administrators managing local directories can replicate selected user information (e.g., all user attributes without salary information) from the local directories to the metadirectory. Network users can use the metadirectory to search for information, such as an employee's phone number, instead of using the phone book.
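The Python model below is an added example, not code from the article or from MetaConnect, VIA, or any other product it mentions. It builds a metadirectory from three constructed directories (an HR database keyed by HR ID, an NT domain, and an NDS tree, with John appearing as JSmith, johnny, and john respectively), joins their objects on an employee number, and applies per-directory flow rules: HR feeds the metadirectory, the metadirectory pushes full name and description to NT and full name and department to NDS, and salary has no rule so it never leaves HR. It also shows why full name is a poor join point by reporting the collisions a join on that attribute produces. All directory names, attributes, and sample records are constructed for the example.

```python
"""Metadirectory join with attribute-level flow rules.
Added example; the directories, flow rules and records are constructed."""

from copy import deepcopy

# Constructed sample directories, each keyed by its own naming convention.
HR = {
    "JSmith": {"employee_number": "1001", "fullname": "John Smith", "dept": "Sales",
               "phone": "555-0101", "office": "B-204", "salary": 71000},
    "MJones": {"employee_number": "1002", "fullname": "Mary Jones", "dept": "IT",
               "phone": "555-0102", "office": "B-210", "salary": 83000},
    "JSmith2": {"employee_number": "1003", "fullname": "John Smith", "dept": "Legal",
                "phone": "555-0103", "office": "C-101", "salary": 90000},
}
NT = {
    "johnny": {"employee_number": "1001", "fullname": "John Smith", "description": ""},
    "mary": {"employee_number": "1002", "fullname": "Mary Jones", "description": ""},
    "jsmith": {"employee_number": "", "fullname": "John Smith", "description": ""},
}
NDS = {
    "john": {"employee_number": "1001", "fullname": "John Smith", "dept": ""},
    "mary": {"employee_number": "1002", "fullname": "Mary Jones", "dept": ""},
}

# Flow rules per connected directory: 'in' attributes feed the metadirectory,
# 'out' attributes are pushed from it. salary appears in no rule, so it stays in HR.
FLOWS = {
    "HR": {"in": ("fullname", "dept", "phone", "office"), "out": ()},
    "NT": {"in": (), "out": ("fullname", "description")},
    "NDS": {"in": (), "out": ("fullname", "dept")},
}


def join(directories, join_attr="employee_number"):
    """Link every object in every connected directory to a metadirectory entry
    keyed by join_attr, applying each directory's inbound flow rule.
    Returns (meta, links, unjoined, collisions): links maps (directory, username)
    to the metadirectory key; unjoined lists objects with no join value (manual
    join needed); collisions lists objects whose join value is already taken by
    another object in the same directory, which means the join point is not unique."""
    meta, links, unjoined, collisions, seen = {}, {}, [], [], set()
    for dname, directory in directories.items():
        for uname, obj in directory.items():
            key = obj.get(join_attr)
            if not key:
                unjoined.append((dname, uname))
                continue
            if (dname, key) in seen:
                collisions.append((dname, uname, key))
                continue
            seen.add((dname, key))
            entry = meta.setdefault(key, {})
            for attr in FLOWS[dname]["in"]:
                entry[attr] = obj[attr]
            links[(dname, uname)] = key
    return meta, links, unjoined, collisions


def flow_out(meta, directories, links):
    """Replicate each connected directory's outbound attributes from the
    metadirectory entry its object is linked to. Returns the pushes made."""
    pushed = []
    for (dname, uname), key in links.items():
        for attr in FLOWS[dname]["out"]:
            if attr in meta[key]:
                directories[dname][uname][attr] = meta[key][attr]
                pushed.append((dname, uname, attr))
    return pushed


def join_demo():
    """Join on employee number, set a metadirectory-owned description, push
    attributes out, and separately show the collisions a join on full name causes."""
    dirs = {"HR": deepcopy(HR), "NT": deepcopy(NT), "NDS": deepcopy(NDS)}
    meta, links, unjoined, collisions = join(dirs)
    for entry in meta.values():  # description is managed in the metadirectory itself
        entry["description"] = f"{entry.get('dept', '')} ({entry.get('office', '')})"
    pushed = flow_out(meta, dirs, links)
    _, _, _, name_collisions = join({"HR": deepcopy(HR), "NT": deepcopy(NT)},
                                    join_attr="fullname")
    return {"meta": meta, "dirs": dirs, "unjoined": unjoined, "collisions": collisions,
            "pushed": len(pushed), "name_collisions": name_collisions}


if __name__ == "__main__":
    result = join_demo()
    print("unjoined:", result["unjoined"])
    print("name collisions:", result["name_collisions"])
    print("NT johnny:", result["dirs"]["NT"]["johnny"])
```

With the employee number as join point, the NT account jsmith (no employee number) is reported for manual join rather than silently merged, and the two John Smiths in HR stay separate; joining on full name instead reports both of them and the stray NT account as collisions. Because HR's inbound rule never names salary, no metadirectory entry and therefore no connected directory ever receives it.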
Workstation Manager lets you manage Windows NT user and desktop configurations in Novell Directory Services (NDS). With Workstation Manager, you can dynamically create a local NT account if it doesn't exist on a workstation. This capability is extremely useful for companies whose users don't log on to a domain (i.e., they have local accounts on their workstations). Workstation Manager, like NetWare Application Launcher (NAL), started off as a free, standalone utility. Now, Novell offers both tools in its ZENworks Starter Pack, which is free for NetWare 4.x and later users.
NDS for NT replaced Novell Administrator for Windows NT (not to be confused with the NT version of NetWare Administrator, NWAdminNT). Novell Administrator for Windows NT let you synchronize your NT domain with NDS to manage NT users and groups with NWAdmin. NDS for NT doesn't synchronize the NT domain with NDS; it migrates the NT domain to NDS.
--Shawn Rappaport
Shawn Rappaport October 04, 1999