There is currently considerable interest and marketing hype about directories, with many people feeling that they need a directory, without really being quite sure why. This whitepaper aims to clearly and succinctly set out the reasons for deploying an enterprise directory and its benefits in relation to other competing technologies.
The term directory is widely used, and there are many views as to what a directory is. The directory model referenced in this White Paper is in line with that of the LDAP (Lightweight Directory Access Protocol) and X.500 protocol specifications; however, this model is not tied to those protocols, nor is it the only view of directory services promoted by advocates of those protocols. This model is intended to provide an open, general-purpose, enterprise directory, rather than a special purpose directory such as a Network Operating System (NOS) directory or the Domain Name Service (DNS).
This Paper does not discuss either the implementation of enterprise directories, which is the subject of another Isode whitepaper [How to Build an Enterprise Directory with LDAP and X.500], or the important issues relating to transition and coexistence strategies with existing products and services.
Electronic directories come in many different forms, designed for many different purposes. All types of directories have a common characteristic, which is that they hold information about objects. Objects can be almost anything about which one would want to store and retrieve information, such as persons, organizations, computer applications (on-line services), and network components.
Today, the key driving force behind general-purpose enterprise directories is to provide a central corporate repository for commonly and widely used information. This includes information about employees of the enterprise, for example white pages data (email addresses, phone numbers), and information enabling access to services (printers, computers, buildings). In addition, authentication, encryption and digital signatures are frequently required for secure communications; directories were designed to support the PKI (Public Key Infrastructure) which provides these facilities.
Providing a directory using open directory standards enables a wide range of enterprise applications to interface with a single enterprise directory.
What is a Directory?
A directory is a special purpose database. The essential characteristics of this database, which makes it a directory, are set out below.
- A directory stores information about objects. Every entry in the directory relates to a single object. Examples of objects typically represented in a directory include people, organizations, and computers.
- Object names are arranged in a hierarchy within the directory. For
- Objects are named according to the hierarchy. For example the person Steve Kille is named by the relative names of three objects in the hierarchy: 'Steve Kille', 'Isode Ltd.', 'GB'. This gives each object in the directory a unique name.
- Objects are named according to an internationally agreed hierarchy, as shown in the examples above. This 'global' naming structure may be hidden within an enterprise (e.g., within Isode, 'Steve Kille' may appear to be the name of the object to end users, with the global prefix of the name remaining hidden). Global naming is an important directory characteristic which facilitates interworking between enterprises, as it ensures all objects have unique directory names.
- There are fixed definitions (a schema) for well known object types (e.g., People, Organizations), and the information associated with those objects (e.g., Telephone Numbers). This facilitates interworking of applications around this core schema.
- The schema is highly extensible for new types of object and information. This allows the directory to be extended to meet application and enterprise requirements.
- Access to the directory is on a client/server basis from anywhere within the enterprise:
- Answers to queries are independent of the location of the client.
- Directory clients may be used directly by people (e.g. a telephone number lookup system), or embedded in other applications (e.g. email address lookup in a mail system).
- A directory supports Read operations, Browse operations, full facilities to Modify and Update data, and Search operations, which are optimized to follow the hierarchy of the information.
- Access to directories is optimized for Read and Search operations.
- There is security functionality, to authenticate clients and provide access control to information in the directory.
- The enterprise directory may be provided in a distributed fashion, which may use many servers, and this distribution is largely transparent to directory clients.
- In a distributed environment, the data held may be widely replicated to improve performance and resilience, although this creates the possibility of data being slightly out of date.
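To make the characteristics above concrete, here is a small in-memory model, an added example that is not Isode code and not part of the whitepaper: it builds the three-level name from the text, checks entries against a core schema that can be extended, hides the global prefix for an enterprise view, and runs base, one-level and subtree searches as LDAP does. The attribute names follow common LDAP usage; the telephone value is a constructed placeholder.

```python
from typing import Dict, List, Tuple

# Core schema: object class -> (required attributes, optional attributes).
# The classes here are a constructed subset; extend_schema() adds new ones.
SCHEMA: Dict[str, Tuple[set, set]] = {
    "country": ({"c"}, set()),
    "organization": ({"o"}, {"telephoneNumber"}),
    "person": ({"cn", "sn"}, {"telephoneNumber", "mail"}),
}

def extend_schema(object_class: str, required: set, optional: set) -> None:
    """Register a new object type (the 'highly extensible' schema)."""
    SCHEMA[object_class] = (set(required), set(optional))

def is_valid(object_class: str, attrs: Dict[str, str]) -> bool:
    """All required attributes present, and nothing outside required | optional."""
    required, optional = SCHEMA[object_class]
    keys = set(attrs)
    return required <= keys <= required | optional

def make_dn(rdns: List[Tuple[str, str]]) -> str:
    """Join RDNs given root-first into the LDAP string form (least significant first).
    Simplified: a value containing ',' would need escaping in a real DN."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(rdns))

def parent_dn(dn: str) -> str:
    """Name of the superior entry: everything after the first RDN ('' at the root)."""
    return dn.partition(",")[2]

def local_name(dn: str, enterprise_base: str) -> str:
    """Hide the global prefix so users inside the enterprise just see 'Steve Kille'."""
    suffix = "," + enterprise_base
    return dn[: -len(suffix)].partition("=")[2] if dn.endswith(suffix) else dn

class Directory:
    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, str]] = {}  # DN -> attributes

    def add(self, dn: str, object_class: str, **attrs: str) -> None:
        rdn_attr, _, rdn_value = dn.partition(",")[0].partition("=")
        entry = {rdn_attr: rdn_value, **attrs}  # naming attribute is part of the entry
        if not is_valid(object_class, entry):
            raise ValueError(f"schema violation for {dn!r}")
        parent = parent_dn(dn)
        if parent and parent not in self.entries:  # hierarchy: superior must exist
            raise ValueError(f"superior {parent!r} must exist before {dn!r}")
        self.entries[dn] = {"objectClass": object_class, **entry}

    def search(self, base: str, scope: str, attr: str, value: str) -> List[str]:
        """Equality search below base; scope is 'base', 'one' or 'sub' as in LDAP."""
        in_scope = {
            "base": lambda dn: dn == base,
            "one": lambda dn: parent_dn(dn) == base,
            "sub": lambda dn: dn == base or dn.endswith("," + base),
        }[scope]
        return [dn for dn, e in self.entries.items() if in_scope(dn) and e.get(attr) == value]

def build_sample() -> Directory:
    """The three-level example from the text; the phone number is a constructed placeholder."""
    d = Directory()
    d.add(make_dn([("c", "GB")]), "country")
    d.add(make_dn([("c", "GB"), ("o", "Isode Ltd.")]), "organization")
    d.add(make_dn([("c", "GB"), ("o", "Isode Ltd."), ("cn", "Steve Kille")]), "person",
          sn="Kille", telephoneNumber="000 0000")
    return d
```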
An enterprise directory is designed to be used as a general purpose infrastructure for many applications. Because of this, directories which support an open access protocol are the most useful. LDAP and X.500 are the leading open directory technologies. Use of these technologies is described in the Isode whitepaper [How to Build an Enterprise Directory with LDAP and X.500].
Enterprise Staff: the Core Requirement
An enterprise directory is built on a very generic technology that can be used to hold data about virtually anything (e.g. photographs, postal addresses, and location maps). While directories can be used for a wide variety of functions, almost all deployments are based around core information relating to the staff of the enterprise.
Why there is a Special Requirement for Staff
The staff of an enterprise are fundamental to its operation and therefore information about staff is needed by many enterprise functions. This requirement is increasing rapidly as the level of automation and systems integration grows in all organizations. For most other information not related to staff, the requirements for information access are more specific, and there is usually a natural place to hold the information.
Prior to a directory, there was not a natural single location for information on enterprise staff. In the past, because of the multiple requirements, this has led to:
- Duplication of information, with additional overhead and risk of error.
- Use of ad hoc and expensive to maintain techniques for coordination.
Neither of these are desirable. The key benefit of an Enterprise Directory is as a single repository for information about enterprise staff, which can be accessed by all of the applications that require it.
The rest of this section looks at various functions relating to enterprise staff, and shows how a directory solution can work to support these various functions. Clearly not all of the functions discussed below are appropriate to all organizations. No single element of this is a key reason for deploying a directory, but the overall picture makes use of a directory an essential choice for any enterprise.
There are a number of basic reception functions which can be mapped easily and cleanly onto a directory. This is typically:
- A telephone operator, human or automatic, identifying an extension.
- A receptionist dealing with visitors. This enables the receptionist to identify the person being visited. The directory can be used to provide information such as a picture of the person being visited, and it can also be linked to that person's schedule. This enables a system where the visitor can check in automatically.
- A receptionist dealing with staff. The directory can be used to provide information about staff which may be useful for security verification (e.g., photographs and other information which can be verified). In a 'hot desking' environment, or other situations where the member of staff is not familiar to the receptionist, it also allows appropriate resources to be assigned to the staff member.
Information on staff often needs to be shared between members of staff. An online directory is provided naturally by the enterprise directory. This information can also be used to publish a paper directory.
For some organizations the corporate directory is entirely an internal function. For other organizations, particularly service oriented organizations, it is important that part or all of the corporate directory information is published externally. This is typically to enable customers or prospective customers to communicate effectively with the enterprise. This service would usually be provided via a Web browser, giving access only to selected portions of the directory which contain appropriate information.
The Human Resources (HR) department in an organization, by its nature, holds extensive information on enterprise staff. This information can be grouped into three broad categories:
- Basic information, such as name and telephone number, which could typically be reflected in the corporate directory.
- Unstructured information, which is not made generally available (e.g., staff appraisals). A directory is not suitable for handling this sort of information and for this reason, the directory cannot be a replacement for a more general HR system. In a small organization, however, a directory service may be sufficient if used for some functions in conjunction with an ad hoc or paper based system.
- Structured information which is not made generally available (e.g., social security ID; home address information; holiday information). In many cases this information is handled only by the HR department; however, there are some benefits, in addition to reducing administration costs, of placing some or all of this information in an appropriately
- Enabling an employee to gain access to HR information for verification purposes (e.g., recorded holidays) and in some cases allowing an employee to personally update specified information (e.g., home address).
- Enabling managers to access information about employees. This would clearly need good access control, under the control of HR.
In essence, HR can be supported by an enterprise directory, but it is not a replacement. Thus an HR system would require careful directory integration in order to achieve the desired goal of not duplicating data management.
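As an added illustration (not Isode code and not a published schema), the following attribute-level policy models the HR data classes above: public attributes readable by anyone, structured private attributes readable only by the employee, the employee's manager and HR staff, and one self-service attribute the employee may update; unstructured data such as appraisals is simply kept out of the directory. The attribute names, DNs and the HR group are assumptions, and the entries are constructed samples.

```python
from typing import Dict, Optional, Set

# Attribute classes drawn from the HR discussion (names are assumptions).
PUBLIC: Set[str] = {"cn", "telephoneNumber", "mail"}                    # corporate directory data
PRIVATE: Set[str] = {"homePostalAddress", "nationalId", "holidayDays"}  # structured, restricted
SELF_WRITABLE: Set[str] = {"homePostalAddress"}                          # employee may update
# Unstructured HR data (e.g. appraisals) is deliberately not stored in the directory.

# Constructed sample entries keyed by DN; 'manager' links an employee to a manager DN.
ENTRIES: Dict[str, Dict[str, str]] = {
    "cn=Alice Example,o=Example Ltd,c=GB": {
        "cn": "Alice Example", "telephoneNumber": "1234",
        "homePostalAddress": "1 Sample Street", "nationalId": "AB000000C",
        "holidayDays": "12", "manager": "cn=Bob Manager,o=Example Ltd,c=GB",
    },
    "cn=Bob Manager,o=Example Ltd,c=GB": {"cn": "Bob Manager", "telephoneNumber": "1235"},
    "cn=Carol HR,o=Example Ltd,c=GB": {
        "cn": "Carol HR", "telephoneNumber": "1236", "homePostalAddress": "3 Other Road",
    },
}
HR_STAFF: Set[str] = {"cn=Carol HR,o=Example Ltd,c=GB"}  # assumed HR administrator group

def allowed(subject: Optional[str], op: str, target: str, attr: str) -> bool:
    """subject: authenticated (bound) DN, or None for anonymous; op: 'read' or 'write'."""
    if attr == "manager":  # structural link: any authenticated user reads, HR maintains
        return (op == "read" and subject is not None) or subject in HR_STAFF
    if attr in PUBLIC:
        return op == "read" or subject in HR_STAFF
    if attr not in PRIVATE or subject is None:
        return False  # unknown attribute, or private data requested anonymously: deny
    if subject in HR_STAFF:
        return True   # HR administers all private attributes
    if subject == target:
        return op == "read" or attr in SELF_WRITABLE  # self-service verification/update
    if ENTRIES.get(target, {}).get("manager") == subject:
        return op == "read"  # managers read, but do not edit, their reports' data
    return False

def read_entry(subject: Optional[str], target: str) -> Dict[str, str]:
    """Return only the attributes the subject is permitted to see."""
    return {a: v for a, v in ENTRIES[target].items() if allowed(subject, "read", target, a)}

def write_attr(subject: Optional[str], target: str, attr: str, value: str) -> bool:
    """Apply a modification if the policy permits it; report whether it was applied."""
    if not allowed(subject, "write", target, attr):
        return False
    ENTRIES[target][attr] = value
    return True
```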
The messaging infrastructure of an organization needs information about all of the users supported. This includes:
- Message system configuration, to enable messages to be correctly directed to users.
- Address book type lookup of users within the enterprise. There is a need for users to be able to easily determine the email addresses of other users within the enterprise.
The directory is ideal for supporting an electronic messaging infrastructure, which has particularly stringent requirements. The distributed nature of a directory also enables it to be used to provide low-cost, centralized management and administration of complex large-scale messaging systems. The majority of messaging vendors are moving to utilize a directory to support their newer messaging products.
Resource Access (Security)
There is a need to control access to resources in the organization which includes both physical access and online access. Building entry and access can be handled by integration of the management of employee badges and physical access systems, using the directory as the common database.
A directory is well suited for control of authorization, and it is anticipated that all large scale systems for single sign-on and other general access management systems will be directory based. X.509, the leading technology for smart card systems based on public key cryptography, was designed to work with a directory, so there is a natural integration. Security requirements are widely recognized as a key business driver for directories.
Once a directory system is in place, it becomes a natural building block for enterprise applications which require access to information about enterprise staff. For example, the directory becomes a natural part of the infrastructure for a groupware product (a product which enables workflow and similar office automation functions), which typically requires access to staff information.
Other Uses of the Directory
Once a directory is in place, and in use for core functions, there is a significant opportunity for extending its scope within the enterprise. This section looks briefly at some of these opportunities.
As well as information about enterprise staff, there is often benefit in holding information about other people. For example, use of a directory to support shared address books would allow users to conveniently share the phone and email addresses of a common set of people (e.g., customer and supplier contacts).
In some cases, a tighter integration may be useful. If a trading partner also operates a directory based on open protocols, it is possible to link the two together. If both directories use the common core directory schema and are part of a global naming structure this will enable clean interworking. This linkage then enables mutual access, probably with some level of access restriction, between the two companies, leading to more efficient operations.
To enable efficient, centralized network management, system information (computers, printers etc.) can be stored in a directory. The leading vendors of products in this field (Microsoft and Novell) are moving to use directories to support this function, which integrate naturally with a general purpose enterprise directory.
Many directory vendors have proposed a very wide range of applications for a directory, for example document registration and indexing. Large companies tend to utilize special purpose systems for functions such as this, however smaller companies can effectively use their directory for additional functions which can be more cost-effective than purchasing a special solution.
Directory Versus Other Technologies
So far, this paper has presented the case for a common infrastructure for information about enterprise staff, and shown that a directory is suitable for this. This section proposes that a directory is a necessary technology for the enterprise, rather than merely suitable, and looks at other types of technology which might be used instead of a directory to provide the functions discussed above. It also explains why a directory is the preferred choice.
Relational databases are currently used extensively for storing corporate data, and in most enterprises relational databases and directories co-exist. A key strength of relational databases is their ability to make complex queries about the relationship between objects. A key strength of a directory, however, is in its distributed provision. An enterprise, for example, may have many autonomous units responsible for their own employee information, however if a global, structured and universal information service is required, a directory is the only viable option.
More detailed information, discussing the relative merits of relational databases and directories, is provided in another Isode whitepaper [Combining Directories and Relational Databases in the Enterprise].
The World Wide Web provides an excellent information access and browsing mechanism and most Web servers enable data to be organized effectively for this general purpose, user oriented access. This is not suitable for 'directory type' data for two reasons:
- Standard Web servers do not have the sophistication to provide structured information storage. An important benefit of the hierarchical data structure within a directory is that it facilitates coherent data management.
- A Web server does not provide the application-integrated, high-performance name lookup that would be required by a number of applications. Messaging servers require this high speed lookup facility, for example, and the directory access protocol CLDAP (Connectionless LDAP) has been designed specifically for this type of requirement.
Although the Web system should not be the directory, it has an important relationship to the directory. Many users wish to access directory information via the Web, and mechanisms to achieve this in a flexible manner are a key element of any directory solution. Isode's Web to LDAP/X.500 Access Server is an example of this.
HR was the one function discussed earlier in this White Paper whose needs could not be fully met by a directory. For this reason an organization may consider building a directory service over a more general purpose system suitable for HR. This is not recommended, however, for the following reasons:
- HR systems contain extremely sensitive data, and although directory access can be securely controlled, many organizations still do not wish to allow general access to the HR information source.
- As mentioned above, a typical HR system is not able to provide the high performance name lookup that would be required by messaging and security applications.
NOS directories are 'low level' directories used to support location of computer servers, printers and other LAN (Local Area Network) resources. Novell's NDS is the best known NOS directory. Although these products are positioned a little differently to enterprise directory servers, modern NOS directory products are starting to offer functions which could be used to provide a full enterprise directory.
Directory Service Requirements
This section lists the fundamental requirements to enable effective deployment of a directory service.
Open Client/Server Access
The directory provides a general purpose infrastructure, and to enable it to be used for a wide range of applications, open access is required. The two protocols which are most widely supported for this purpose are:
- LDAP. This is the Internet standard directory access protocol, which is fast gaining wide industry acceptance. Isode has been closely associated with the development of LDAP, as set out in the Isode whitepaper [LDAP Version 3].
- HTTP/HTML. This is the generic access mechanism used for Web access. The Isode Web-Directory Access Server, for example, provides access to directory information via a standard Web browser.
In addition, two further open protocols may be required for accessing the directory: CLDAP for high performance access; and X.500 Directory Access Protocol (DAP) to support certain security functionality.
Robust and Secure
A directory solution contains critical enterprise data. Data must never be lost or corrupted. It is also critical that the security is appropriate to the functions for which the directory is being used.
System processes for message routing and system access depend on directory access. For this reason, access to the directory has to be very fast, and a server must support large numbers of connections with high availability.
Scalable and Distributed
The directory has to provide replication and distribution to support the scale and size of the organization.
Open Data Management
The directory is used by many applications and often in a heterogeneous environment. It is therefore important that the information within the directory can be managed by tools associated with the application. Data management that is tied in to a specific implementation of a directory service may be inadequate.
Although a directory forms part of the essential infrastructure of an organization, there is no reason for this technology to be expensive.