Directory service

From Wikipedia, the free encyclopedia
Service that maps the names of network resources to their respective network addresses

In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.

A directory service defines a namespace for the network. The namespace is used to assign a name (unique identifier) to each of the objects. Directories typically have a set of rules determining how network resources are named and identified, which usually includes a requirement that the identifiers be unique and unambiguous. When using a directory service, a user does not have to remember the physical address of a network resource; providing a name locates the resource. Some directory services include access control provisions, limiting the availability of directory information to authorized users.

Comparison with relational databases

Several things distinguish a directory service from a relational database. Data can be made redundant if it aids performance (e.g. by repeating values through rows in a table instead of relating them to the contents of a different table through a key, a technique called denormalization; another technique is the use of replicas to increase actual throughput).[1]

Directory schemas are object classes, attributes, name bindings and knowledge (namespaces) where an object class has:

  • Must - attributes that each instance must have
  • May - attributes which can be defined for an instance but can be omitted, with the absence similar to NULL in a relational database

Attributes are sometimes multi-valued, allowing multiple naming attributes at one level (such as machine type and serial number concatenation, or multiple phone numbers for "work phone"). Attributes and object classes are usually standardized throughout the industry; for example, X.500 attributes and classes are often formally registered with the IANA for their object ID.[citation needed] Therefore, directory applications try to reuse standard classes and attributes to maximize the benefit of existing directory-server software.

Object instances are slotted into namespaces; each object class inherits from its parent object class (and ultimately from the root of the hierarchy), adding attributes to the must-may list. Directory services are often central to the security design of an IT system and have a correspondingly-fine granularity of access control.
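The must-may inheritance described above can be checked mechanically. The following is an added example, not part of the original article: the class definitions are a trimmed subset modelled on the standard LDAP top, person and organizationalPerson classes, and the entry, the shoeSize attribute and the function names are constructed for illustration.

```python
# Added illustration: MUST/MAY checking with object-class inheritance.
# Assumption: attribute lists are trimmed and names are compared
# case-sensitively; real directory schemas are larger and case-insensitive.

SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l"}},
}

def effective_rules(object_class, schema=SCHEMA):
    """Walk up the inheritance chain and accumulate the MUST and MAY sets."""
    must, may, seen = set(), set(), set()
    while object_class is not None:
        if object_class in seen:
            raise ValueError("inheritance loop at " + object_class)
        if object_class not in schema:
            raise KeyError("unknown object class " + object_class)
        seen.add(object_class)
        definition = schema[object_class]
        must |= definition["must"]
        may |= definition["may"]
        object_class = definition["sup"]  # parent class, None at the root
    return must, may - must

def validate_entry(entry, schema=SCHEMA):
    """Return (missing MUST attributes, attributes that no class allows)."""
    must, may = set(), set()
    for object_class in entry.get("objectClass", []):
        class_must, class_may = effective_rules(object_class, schema)
        must |= class_must
        may |= class_may
    present = {name for name, values in entry.items() if values}
    return sorted(must - present), sorted(present - must - may)

# Constructed sample entry; attributes are multi-valued, so each is a list.
ENTRY = {
    "objectClass": ["organizationalPerson"],
    "cn": ["Ada Example"],
    "telephoneNumber": ["+1 555 0100", "+1 555 0101"],
    "title": ["Engineer"],
    "shoeSize": ["42"],  # not defined by any class in the chain
}

if __name__ == "__main__":
    print(validate_entry(ENTRY))
```

The sample entry is rejected on two counts: sn is required by the inherited person class, and shoeSize is allowed by no class in the chain.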

Replication and distribution

Replication and distribution have distinct meanings in the design and management of a directory service. Replication is used to indicate that the same directory namespace (the same objects) is copied to another directory server for redundancy and throughput reasons; the replicated namespace is governed by the same authority. Distribution is used to indicate that multiple directory servers in different namespaces are interconnected to form a distributed directory service; each namespace can be governed by a different authority.

Implementations

Directory services were part of an Open Systems Interconnection (OSI) initiative for common network standards and multi-vendor interoperability. During the 1980s, the ITU and ISO created the X.500 set of standards for directory services, initially to support the requirements of inter-carrier electronic messaging and network-name lookup. The Lightweight Directory Access Protocol (LDAP) is based on the X.500 directory-information services, using the TCP/IP stack and an X.500 Directory Access Protocol (DAP) string-encoding scheme on the Internet.

Systems developed before the X.500 include:

  • Domain Name System (DNS): The first directory service on the Internet,[2] still in use
  • Hesiod: Based on DNS and used at MIT's Project Athena
  • Network Information Service (NIS): Originally Yellow Pages (YP), Sun Microsystems' implementation of a directory service for Unix network environments. It played a role similar to Hesiod.
  • NetInfo: Developed by NeXT during the late 1980s for NEXTSTEP. After its acquisition by Apple, it was released as open source and was the directory service for Mac OS X before it was deprecated for the LDAP-based Open Directory. Support for NetInfo was removed with the release of 10.5 Leopard.
  • Banyan VINES: First scalable directory service
  • NT Domains: Developed by Microsoft to provide directory services for Windows machines before the release of the LDAP-based Active Directory in Windows 2000. Windows Vista continues to support NT Domains after relaxing its minimum authentication protocols.

LDAP implementations

LDAP/X.500-based implementations include:

Open-source tools to create directory services include OpenLDAP, the Kerberos protocol and Samba software, which can function as a Windows domain controller with Kerberos and LDAP back ends. Administration is by GOsa or Samba SWAT.

Using name services

Unix systems

Name services on Unix systems are typically configured through nsswitch.conf. Information from name services can be retrieved with getent.
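The lookup order that nsswitch.conf defines decides which name service answers first for each database, which matters when auditing whether account or host lookups depend on a network directory. The following is an added example, not part of the original article: it parses a constructed sample in nsswitch.conf syntax, lists the databases backed by remote sources and follows the status/action criteria. Function names are illustrative, and negated criteria such as !UNAVAIL are not handled.

```python
import re

# Constructed sample in nsswitch.conf syntax (not taken from a real host).
SAMPLE = """\
# database: source [STATUS=action] source ...
passwd:   files sss
group:    files sss
hosts:    files dns [NOTFOUND=return] myhostname
netgroup: nis
"""

# Sources that hand the lookup to a service outside the local files.
REMOTE = {"dns", "ldap", "nis", "nisplus", "sss", "winbind", "hesiod"}
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]} in lookup order."""
    config = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        database, rest = line.split(":", 1)
        chain = []
        for token in re.findall(r"\[[^\]]*\]|\S+", rest):
            if token.startswith("["):
                for item in token[1:-1].split():
                    if chain and "=" in item:  # criteria bind to previous source
                        status, action = item.upper().split("=", 1)
                        chain[-1][1][status] = action.lower()
            else:
                chain.append((token, dict(DEFAULTS)))
        config[database.strip()] = chain
    return config

def remote_sources(config):
    """Databases whose answers can come from a network name service."""
    return {db: [s for s, _ in chain if s in REMOTE]
            for db, chain in config.items()
            if any(s in REMOTE for s, _ in chain)}

def resolve(chain, results):
    """Follow the chain; results maps source -> status it would report."""
    for source, actions in chain:
        status = results.get(source, "UNAVAIL")
        if actions.get(status, "continue") == "return":
            return source, status
    return None, "NOTFOUND"
```

On a live system, getent performs the lookup through this same chain, so comparing its answer with the local files shows which source actually responded.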

References

Citations

  1. "When and How You Should Denormalize a Relational Database". rubygarage.org. Retrieved 2023-04-30.
  2. "RFC1034". IETF.org. 1978-11-01. Retrieved 2018-02-13.
  3. "Red Hat Spending $23 Million For Ex-Netscape Security Solutions Business". Retrieved 2018-04-22.
  4. "Oracle and Sun". Sun.com. 2010-09-07. Retrieved 2012-01-09.
  5. "Java.net". Opends.dev.java.net. Archived from the original on 2007-07-04. Retrieved 2012-01-09.
  6. "ForgeRock has shuttered the open-source community, and no longer allows new development on their platform under a permissive license". timeforafork. June 1, 2017. Archived from the original on October 3, 2017. Retrieved June 1, 2017.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Directory_service&oldid=1278562661"