Networking Technologies

Chapter 9: Directory Services


Objectives:

Chapter 9 discusses the protocols used in Directory Services. The objectives important to this chapter are on page 9-1:

  1. List the features of X.500.
  2. List the features of LDAP.

Concepts:

As you begin reading the description of X.500 Directory Services on page 9-2, it will seem very familiar if you have any experience with NetWare Administrator. X.500 Directory Services works like NDS, but represents a larger concept: this sort of service can be made available to all users on the Internet. So, we can say that NDS is a specific implementation of X.500.

The basic concepts are represented in NDS:

  • Scalability - a large system can be divided into manageable sections called Directory System Agents (DSAs). This allows the Directory to be distributed as a series of partitions (like NDS).
  • Replication - multiple copies of the database exist, and all copies strive to be identical.
  • Synchronization - this is the change management aspect of Directories. Three possibilities exist:
    • Changes may not be allowed.
    • Changes may be allowed only to the original copy of a database. These changes must then be copied (propagated) to other existing copies. The text refers to this as a master/shadow arrangement.
    • Changes may be allowed at original or replica copies of the database. Such changes must still be propagated to all other copies. The text refers to this as a peer-to-peer update mechanism.
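The three synchronization arrangements above, as an added Python model that is not from the course text: each Replica holds its own copy of a small Directory Information Base, its role says whether it accepts changes locally, and the Directory propagates every accepted change to the other copies. The stamp-based "newest change wins" rule in the peer-to-peer case is an assumption added here to show why updates made at two replicas at the same time need some ordering rule before all copies can become identical.

```python
"""Toy model of X.500 directory replication and synchronization.

Added example (not from the course text). Roles:
  read-only : no changes allowed anywhere
  master    : the only copy that accepts changes (master/shadow arrangement)
  shadow    : receives propagated changes only
  peer      : accepts changes and propagates them (peer-to-peer arrangement)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

READ_ONLY, MASTER, SHADOW, PEER = "read-only", "master", "shadow", "peer"


@dataclass(frozen=True)
class Change:
    dn: str                          # object being modified
    attrs: Optional[Dict[str, str]]  # None means "delete the object"
    stamp: int                       # logical clock value, higher = newer (assumption)
    origin: str                      # replica where the change was made


class Replica:
    def __init__(self, name: str, role: str):
        self.name, self.role = name, role
        self.dib: Dict[str, Dict[str, str]] = {}   # DN -> attributes
        self.stamps: Dict[str, int] = {}           # DN -> stamp of last applied change

    def accepts_writes(self) -> bool:
        return self.role in (MASTER, PEER)

    def apply(self, change: Change) -> bool:
        """Apply a change unless a newer change for the same DN is already here."""
        if change.stamp <= self.stamps.get(change.dn, 0):
            return False                           # stale update, ignore it
        if change.attrs is None:
            self.dib.pop(change.dn, None)
        else:
            self.dib[change.dn] = dict(change.attrs)
        self.stamps[change.dn] = change.stamp
        return True


class Directory:
    def __init__(self, replicas: List[Replica]):
        if sum(r.role == MASTER for r in replicas) > 1:
            raise ValueError("a master/shadow directory has exactly one master")
        self.replicas = replicas
        self.clock = 0                             # shared logical clock (toy simplification)

    def modify(self, at: Replica, dn: str, attrs: Optional[Dict[str, str]],
               propagate: bool = True) -> Change:
        """Make a change at replica `at`; shadows and read-only copies refuse it."""
        if not at.accepts_writes():
            raise PermissionError(f"{at.name} ({at.role}) does not accept changes")
        self.clock += 1
        change = Change(dn, attrs, self.clock, at.name)
        at.apply(change)
        if propagate:
            self.propagate(change)
        return change

    def propagate(self, change: Change) -> None:
        """Copy a change to every replica other than the one it originated at."""
        for r in self.replicas:
            if r.name != change.origin:
                r.apply(change)

    def consistent(self) -> bool:
        """True when all copies are identical, which is the goal of replication."""
        return all(r.dib == self.replicas[0].dib for r in self.replicas)


def demo() -> Dict[str, object]:
    """Run the three arrangements on a constructed DN and report what happened."""
    dn = ".VScott.Computer.Baker"                 # constructed sample DN
    # 1. No changes allowed: every copy is read-only.
    ro = Directory([Replica("ro1", READ_ONLY), Replica("ro2", READ_ONLY)])
    try:
        ro.modify(ro.replicas[0], dn, {"surname": "Scott"})
        readonly_rejected = False
    except PermissionError:
        readonly_rejected = True
    # 2. Master/shadow: only the master accepts changes, shadows receive copies.
    m, s1, s2 = Replica("m", MASTER), Replica("s1", SHADOW), Replica("s2", SHADOW)
    ms = Directory([m, s1, s2])
    ms.modify(m, dn, {"surname": "Scott"})
    try:
        ms.modify(s1, dn, {"surname": "Tampered"})
        shadow_rejected = False
    except PermissionError:
        shadow_rejected = True
    # 3. Peer-to-peer: both peers change the same object before either copy
    #    has propagated; the stamp rule makes the copies converge on the newer one.
    p1, p2 = Replica("p1", PEER), Replica("p2", PEER)
    pp = Directory([p1, p2])
    c1 = pp.modify(p1, dn, {"phone": "1111"}, propagate=False)
    c2 = pp.modify(p2, dn, {"phone": "2222"}, propagate=False)
    pp.propagate(c1)
    pp.propagate(c2)
    return {
        "readonly_rejected": readonly_rejected,
        "shadow_rejected": shadow_rejected,
        "master_shadow_consistent": ms.consistent(),
        "shadow_surname": s2.dib[dn]["surname"],
        "peer_consistent": pp.consistent(),
        "peer_phone": p1.dib[dn]["phone"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it with `python replication_demo.py`; the shadow's refusal of a direct modification is the point to notice, since a copy that quietly accepted writes it was never meant to take would drift from the master and from the other shadows.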

Page 9-4 begins describing the features of an X.500 Directory structure. The formal term used for the structure is a Directory Information Tree (DIT). It is worth noting that this page describes the structure as a hierarchy, and as an inverted tree. It is confusing that the structure is described by other sources simply as a tree. This is only a label, and only one potential question on the certification test.

Other terms from page 9-4:

  • Directory Information Base (DIB) - all the information stored in the Directory
  • Intermediate objects - objects used to group and organize other objects. In NDS terms, these are containers.
  • Objects - an object is a record in a relational database.
  • Attributes - these are the properties or fields found in objects.
  • Leaf objects - also called terminating objects. These objects are the terminal points in Tree branches. They are not containers. They usually represent actual network resources, like Users and Printers.

Intermediate objects can only be created in certain hierarchical relationships:

  • All objects in a DIT are contained in the [Root] of that Tree.
  • The next lower sort of container is a Country, which can only be created as a child of the [Root].
  • The next lower sort of container is an Organization, which can be created as a child of [Root] or a child of a Country.
  • Organizational Units can be created as children of Organization objects, or as children of other Organizational Unit objects.

The rules that state what objects may exist in a Tree, what the attributes are for those objects, and what locations those objects may exist in, are referred to as the schema of the Tree.

Page 9-5 describes the Naming Standards for objects in a Tree. Two concepts:

  • A distinguished name specifies the name of an object, the name of the container that object exists in, the name of the container that container exists in, and so on all the way up to, but not including, the [Root]. Each name in a distinguished name is preceded by a dot (period). For example:
    .VScott.Computer.Baker
    could represent a User named VScott, in the container Computer, which is in the container Baker.
  • A Relative Distinguished Name only contains enough information to specify the object relative to a known location in the Tree. This information could be ambiguous, and could describe multiple objects if not done properly.
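The container placement rules and the naming rules from this section, as an added Python example that is not from the course text. It builds a small Directory Information Tree, refuses to create Country, Organization and Organizational Unit objects anywhere the schema above does not allow, treats any other class (User, Printer) as a leaf that cannot contain objects, and resolves both dotted distinguished names and relative names against a context. The second VScott object and the surname values are constructed to show how a relative name can point at different objects depending on the context it is resolved from.

```python
"""Toy X.500-style Directory Information Tree (added example, not course code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ROOT = "[Root]"

# Schema: which classes may be the parent of each container class.
# Any class not listed here is a leaf object and may not contain anything.
ALLOWED_PARENTS: Dict[str, Set[str]] = {
    "Country": {ROOT},
    "Organization": {ROOT, "Country"},
    "Organizational Unit": {"Organization", "Organizational Unit"},
}
CONTAINER_CLASSES = set(ALLOWED_PARENTS)


@dataclass
class Entry:
    name: str
    obj_class: str
    parent: Optional["Entry"]
    children: Dict[str, "Entry"] = field(default_factory=dict)
    attributes: Dict[str, str] = field(default_factory=dict)

    def distinguished_name(self) -> str:
        """Walk up to, but not including, [Root]; each component is preceded by a dot."""
        parts, node = [], self
        while node.parent is not None:          # stop before [Root]
            parts.append(node.name)
            node = node.parent
        return "".join("." + p for p in parts)


class DIT:
    def __init__(self) -> None:
        self.root = Entry(ROOT, ROOT, None)

    def add(self, parent: Entry, name: str, obj_class: str, **attrs: str) -> Entry:
        """Create an object under `parent`, enforcing the schema's placement rules."""
        if parent is not self.root and parent.obj_class not in CONTAINER_CLASSES:
            raise ValueError(f"{parent.name} is a leaf object and cannot contain {name}")
        if obj_class in CONTAINER_CLASSES and parent.obj_class not in ALLOWED_PARENTS[obj_class]:
            raise ValueError(f"{obj_class} may not be created under {parent.obj_class}")
        if name in parent.children:
            raise ValueError(f"{name} already exists in {parent.name}")
        entry = Entry(name, obj_class, parent, attributes=dict(attrs))
        parent.children[name] = entry
        return entry

    def resolve(self, name: str, context: Optional[Entry] = None) -> Entry:
        """Resolve a name to an Entry.

        A leading dot marks a distinguished name and is resolved from [Root].
        Otherwise the name is relative and is resolved from `context`
        (defaulting to [Root]), so the same relative name can yield different
        objects under different contexts.
        """
        if name.startswith("."):
            start, components = self.root, name[1:].split(".")
        else:
            start, components = context or self.root, name.split(".")
        node = start
        for comp in reversed(components):       # names are written leaf-first
            if comp not in node.children:
                raise KeyError(f"{comp} not found under {node.name}")
            node = node.children[comp]
        return node


def try_add(dit: DIT, parent: Entry, name: str, obj_class: str) -> bool:
    """Return True if the schema allows the placement, False if it is rejected."""
    try:
        dit.add(parent, name, obj_class)
        return True
    except ValueError:
        return False


def build_demo() -> DIT:
    """Constructed sample tree matching the course example .VScott.Computer.Baker."""
    dit = DIT()
    baker = dit.add(dit.root, "Baker", "Organization")
    computer = dit.add(baker, "Computer", "Organizational Unit")
    dit.add(computer, "VScott", "User", surname="Scott")
    english = dit.add(baker, "English", "Organizational Unit")   # second OU
    dit.add(english, "VScott", "User", surname="Scotto")        # same RDN, other object
    return dit


if __name__ == "__main__":
    tree = build_demo()
    user = tree.resolve(".VScott.Computer.Baker")
    print(user.distinguished_name(), user.attributes)
    ctx = tree.resolve(".English.Baker")
    print("VScott relative to", ctx.distinguished_name(), "->", tree.resolve("VScott", ctx).attributes)
    print("Country under an OU allowed?", try_add(tree, ctx, "US", "Country"))
```

Resolving the relative name VScott from the context .Computer.Baker and from .English.Baker returns two different User objects, which is the ambiguity the notes warn about; a distinguished name, starting with the dot, always resolves from the [Root] to exactly one object.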

(For a more detailed explanation, see my notes for Chapter 1 of the NetWare 5 Administration course.)

More terms:

  • A Directory Service Agent (DSA) runs on the server, and provides access to the Directory Information Base.
  • A Directory User Agent (DUA) runs on the client workstation, and provides access to the Directory Information Base.

A DUA must communicate with the DSA in order to work, using some protocol. Several are listed on page 9-5. A few are important:

  • Directory Access Protocol (DAP) - provides Read, Search and Modify abilities (Modify includes Write, here)
  • Lightweight Directory Access Protocol (LDAP) - provides Read and Write abilities. This protocol is used for browsing a Tree.
  • Connectionless Lightweight Directory Access Protocol (CLDAP) - provides Read access only

Page 9-6 lists two types of security available in X.500 systems. Simple security requires a password. Strong security requires a password and uses encryption.

Page 9-6 also mentions that the DNS and NDS systems are based on the X.500 standard.