Taming the directory hydra
Solutions for managing directories take shape, but are still no silver bullet
- By Brian Robinson
- Feb 18, 2001
As the complexity of an organization's networks increases, so does the need -- and cost -- to manage them. Furthermore, coordinating all the network directories, which track the identities and locations of users and devices, can be daunting.
A study by Gartner Group Inc. showed that the typical Fortune 1000 company has more than 180 directories in daily use. In the federal government, sprawling organizations such as the Defense Department can have thousands of directories in operation.
The Holy Grail is a single, seamless directory that will span an entire organization. Realistically, however, organizations will have to manage a number of directory structures side by side for some time to come.
One stop-gap solution is the metadirectory, a central "master" directory that contains information for all of the networks' applications and identities, and coordinates updates of information to individual, separate directories.
"Every organization today is incurring an excessive cost burden in managing disparate data sources," said Lance Horne, program manager for directory services at Microsoft Corp. Those different sources "have led to islands of redundant data being managed separately and incurring separate costs."
That leads to "entropy" within organizations, Horne said, with data becoming "dirty" and increasingly inaccurate over time. That can compromise security when, for example, employees who were fired or quit remain as active identities on a network.
Metadirectories help avoid some of those problems, but they will also be necessary for Web-based applications, particularly as organizations seek to do more business electronically with the public and with their trading partners.
"If you want to play in the Web universe, you will have to implement a metadirectory, or something like it," said Dan Kuznetsky, vice president of systems software research at IDC. "You're involved in delivering and receiving information dynamically, so coordinating directories becomes essential, particularly for transaction-oriented applications. Metadirectories are one of the major [prerequisites] to doing business on the Web."
During the past few years, several companies have developed products they claim provide a metadirectory-type service. Critical Path Inc. and Oblix Inc., two leading Internet messaging software and infrastructure companies, offer products that companies such as IBM Corp. use to provide metadirectory capabilities to their clients. Sun Microsystems Inc. and Netscape Communications Corp. teamed up to provide directory coordination through their iPlanet alliance. And database companies such as Oracle Corp. and Informix Software Inc. have products that consolidate the management of directories.
Networking infrastructure giant Cisco Systems Inc. -- in collaboration with Microsoft -- several years ago developed an approach it terms Directory-Enabled Networking (DEN). With DEN, network resources such as devices, operating systems, management tools and applications use directory services to do such things as discover and obtain information about other resources.
While not a metadirectory approach in the strict sense, DEN provides a central repository of meta-information about a Cisco-based network. Last year, the company introduced its Cisco Networking Services (CNS), a suite of policy-based networking and intelligent network services based on DEN. Using CNS an administrator can, for example, make sure that a particularly important application, such as a videoconferencing call, gets priority on the network.
But Novell Inc., through its large installed base of the NetWare network operating system, and Microsoft are probably the two biggest gorillas playing in the government market, and both recently added metadirectory services to their portfolios.
Microsoft included Active Directory in its first release of Windows 2000 to answer demands for an integrated directory capability. The hope is that customers will eventually use Active Directory as a single, hierarchical scheme for all of their directory needs. Some are indeed looking at that possibility, but in the meantime, Windows 2000 and Active Directory will have to coexist with many legacy directories.
Microsoft sought to address that need last year when it bought Zoomit Corp. and that company's VIA metadirectory technology, which it renamed Microsoft Metadirectory Services (MMS). It works alongside Active Directory to enable that part of Windows 2000 to work with other vendors' directories.
"MMS supplies connectors for specific products such as Lotus Notes and [standard query language] servers," said Horne. "The user can also define their own connector space. Additionally, MMS provides the capability for building business tools so that users can manage the way [network object] attributes are mapped and applied."
Novell already had a step up on Microsoft in some ways. It's worked hard to make sure that the latest version of its Novell Directory Services (NDS) offering is compatible with a range of the most popular directory services products, including Active Directory. However, that isn't enough to cover the universe of interoperability that Novell needs, so late last year it introduced DirXML, which converts directory information into Extensible Markup Language, or XML, an emerging standard aimed particularly at data interchange on the Web. DirXML sits on top of NDS eDirectory 8.5 and basically enables data to be shared between NDS and a particular application. The network administrator can specify which data will flow between NDS and the other application, and because DirXML uses the applications' native application program interface (API), it achieves that synchronization of data without having to modify the application or use any NDS API.
"DirXML is really aimed at the initial stages of building a metadirectory architecture, and it's all about reducing the cost and providing a single, simple interface," said Loren Russon, product manager for eDirectory and DirXML at Novell. "We want to improve it to the point where it can use 'wizards' so it can be user configurable, to shorten the deployment cycle and improve the return on investment for users."
Ease of use may indeed be the key to the success of metadirectories, because there is general agreement that they are difficult to understand and construct.
Potential federal agency users readily admit their ignorance. The National Oceanic and Atmospheric Administration, for example, has a relatively long history of dealing with directories, beginning more than six years ago when directories for different e-mail systems were combined using Control Data Systems Inc.'s X.500 directory services. NOAA recently opted to standardize around Netscape's suite of X.500 and Lightweight Directory Access Protocol (LDAP)-compliant products, with the hope that this "will lay the foundation for a more rigorous and robust set of directory services applications," according to Rob Swisher, chief of the administrative systems division for NOAA.
What were never discussed during the planning for this project, he said, were metadirectories. "To my knowledge, the word 'metadirectories' has never come up in any of the meetings we've had over this," Swisher said. " 'Directories' has, as has the role of a central directory, but not metadirectory. It's just not a well-understood phenomenon, and the implementation of metadirectories is definitely not well understood."
The only broad announcement of an interest in metadirectories has come from the Defense Information Systems Agency, which has made several requests for information on products and technologies that could be used to build a Defense Department-wide online directory service. But it has not decided when and how to go forward with its plans.
"We haven't come across a lot of customers adopting metadirectories," said Dan Hurley, product marketing manager with BindView Corp., a company that specializes in multi- network management. "Metadirectory tools are not that pervasive, and most network administrators don't have the expertise to deal with the subject. Even consultants who know anything about metadirectories are not that common."
Robinson is a freelance journalist based in Portland, Ore.