Directory Service

The term “directory” is ubiquitous in computing and can have different meanings. In networking, a directory is concerned with user data and a list of resources that can be contacted on a network.

A network directory service is a specialized database containing information about applications, devices, users and other related items.

Earlier directory systems were file-based. With the development of database management systems, they became database-oriented. The database approach made data access and searches easier through query languages (generally SQL) that support Boolean operators in searches.

The two essential components of any directory service are the server and the client.

The server holds the data and controls access to it, whereas the client is usually embedded in the interface that displays data, alters data or performs specific actions on the information retrieved.

It is preferable to have a directory system that relies on an openly available protocol rather than purchasing a system with its own proprietary communication formats.

A directory system based on open, widely adopted protocols avoids incompatibility problems.

In this article, we shall highlight two of the most popular network directory services: LDAP (Lightweight Directory Access Protocol) and Microsoft Active Directory. Let’s find out what they are.

What is LDAP?

Lightweight Directory Access Protocol (LDAP) is an industry-standard software protocol used to access and manage directory information over a TCP/IP network.

It helps a user locate information about individuals, organizations, applications and resources (such as files and devices) on the network.

It uses string formats for data transfer and runs directly over TCP/IP. LDAP can read and edit directories over IP networks.

When did LDAP originate?

LDAP was developed as a front end to the X.500 Directory Access Protocol in the mid-1990s by Tim Howes at the University of Michigan. LDAP combines the features of a network protocol with a standard architecture for organizing data in the directory.

LDAP is lighter because its initial version did not have any security features. It has a distributed, tree-like architecture similar to X.500.

Netscape commercialized LDAP in the late 1990s and also included it in its latest Communicator suite of products. At least 40 companies have endorsed it as well.

For example, Cisco supports it in its networking products, and Novell’s NetWare Directory Services interoperates with LDAP.

What are the levels in LDAP directory?

Before X.500 and LDAP, most business networks used proprietary network directory technology such as Banyan VINES or Windows NT Server domains. LDAP gradually replaced these and enhanced network performance considerably.

The LDAP directory is structured in a tree-like hierarchy with many levels. They are as follows:

  • Root directory
  • Countries
  • Organizations
  • Organizational units
  • Individuals

The root directory is the source of the tree. It branches out to countries, each of which branches into organizations, and each organization in turn branches into organizational units such as divisions and departments.

These further branch into individuals, which include people, files and shared resources.

LDAP server and LDAP client

An LDAP directory can be distributed across multiple servers. Each server can hold a replicated copy of the whole directory that is synchronized periodically.

An LDAP server is known as a Directory System Agent (DSA). It receives a user’s request, forwards it to other DSAs as required, and ensures that the user receives a single coordinated response.

LDAP servers are easy to install, maintain and optimize. The LDAP server processes queries and updates to the LDAP information directory.

LDAP servers can replicate data by either a push or a pull method; this capability is built in and configurable. LDAP allows read and modify access to be secured as required using access control lists (ACLs).

There are no security checks at the user application level; all of these are performed directly by the LDAP directory. LDAP does not dictate how client or server programs work internally; it defines the language that client programs use to talk to servers.

On the client side, a client can be an email program, a printer, or even an address book. The server may speak only LDAP or may have other methods of sending and receiving data.

If you have an email program, it probably supports LDAP. Most LDAP clients are only capable of reading from a server.

The search abilities of clients differ widely, as seen in email programs. Some can write or update data, but LDAP itself does not include security or encryption, so updates generally need additional protection such as an encrypted SSL/TLS connection to the LDAP server.

LDAP servers range from small workgroup servers to large organizational and public servers.

More about LDAP

Now, let us discuss specific additional facts about LDAP.

  • LDAP is cross-platform and standards-based. LDAP offers a command language that allows clients to communicate with the LDAP server.

Since the standard is publicly available, anyone can use it to generate an application that interacts with an LDAP server.

Thus LDAP can be integrated into commercial software as well as into any in-house custom program you might build. Because of this flexibility and universality, LDAP is an essential standard for the operation of directory services.

  • A directory tells you where something is located in a network. On TCP/IP networks, the Domain Name System (DNS) is the directory system used to map a domain name to a particular network address. However, you may not know the domain name.

LDAP lets you search for an individual without knowing their location; any additional information you have will help narrow the search.
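The search language LDAP clients use is the filter syntax of RFC 4515. The following is an added example (not code from the article or from any LDAP product): a small parser and matcher for that syntax, run over a handful of constructed in-memory entries, together with the escaping that a client must apply to values it takes from a user so that characters such as “*” and “)” are matched literally rather than read as filter syntax. The escaping rules are the real ones; the matcher is deliberately simplified to equality, substring and presence tests with case-insensitive string comparison.

```python
"""LDAP search filters (RFC 4515): build them safely and evaluate them.

Added example, not from the article. The entries below are constructed sample
data, not a real directory.
"""
from __future__ import annotations
import re

# RFC 4515: these characters must be hex-escaped inside an assertion value so
# that they are matched literally instead of being read as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(raw: str) -> str:
    """Turn backslash-hex sequences such as '\\2a' back into characters."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 2 < len(raw):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


# Filter nodes: ('and', kids) | ('or', kids) | ('not', kid) | ('present', attr)
#               | ('eq', attr, value) | ('sub', attr, pieces)
def parse_filter(text: str, pos: int = 0) -> tuple[tuple, int]:
    """Recursive-descent parse of one parenthesised filter starting at pos."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if pos >= len(text):
        raise ValueError("truncated filter")
    op = text[pos]
    if op in "&|":
        kids, pos = [], pos + 1
        while pos < len(text) and text[pos] == "(":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        node = ("and" if op == "&" else "or", kids)
    elif op == "!":
        kid, pos = parse_filter(text, pos + 1)
        node = ("not", kid)
    else:
        end = text.find(")", pos)
        if end == -1:
            raise ValueError("unterminated filter item")
        attr, sep, raw = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        attr = attr.strip().lower()          # attribute names are case-insensitive
        if raw == "*":
            node = ("present", attr)
        elif "*" in raw:                     # split on wildcards first, then unescape each piece
            node = ("sub", attr, [unescape_filter_value(p) for p in raw.split("*")])
        else:
            node = ("eq", attr, unescape_filter_value(raw))
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return node, pos + 1


def matches(node: tuple, entry: dict) -> bool:
    kind = node[0]
    if kind == "and":
        return all(matches(k, entry) for k in node[1])
    if kind == "or":
        return any(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = [str(v).lower() for v in entry.get(node[1], [])]
    if kind == "present":
        return bool(values)
    if kind == "eq":
        return node[2].lower() in values
    pattern = ".*".join(re.escape(p.lower()) for p in node[2])   # substring
    return any(re.fullmatch(pattern, v) for v in values)


def search(entries: list[dict], filter_text: str) -> list[str]:
    """Return the DNs of entries matching a raw filter string."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["dn"] for e in entries if matches(node, e)]


def find_person(entries: list[dict], name: str) -> list[str]:
    """Look up a person by name without knowing where in the tree they live.
    The name is escaped, so a '*' typed by the user is matched literally."""
    return search(entries, f"(&(objectClass=person)(cn={escape_filter_value(name)}))")


# Constructed sample entries (attribute names lower-cased, values as lists).
ENTRIES = [
    {"dn": "cn=Alice Smith,ou=Engineering,o=Example Corp,c=US",
     "objectclass": ["person"], "cn": ["Alice Smith"], "mail": ["alice@example.com"]},
    {"dn": "cn=Bob Jones,ou=Sales,o=Example Corp,c=US",
     "objectclass": ["person"], "cn": ["Bob Jones"], "mail": ["bob@example.com"]},
    {"dn": "cn=Printers,ou=Engineering,o=Example Corp,c=US",
     "objectclass": ["groupOfNames"], "cn": ["Printers"]},
]

if __name__ == "__main__":
    print(search(ENTRIES, "(cn=Ali*)"))             # wildcard written by the client
    print(find_person(ENTRIES, "Ali*"))             # user text: the '*' is literal, no match
    print(find_person(ENTRIES, "alice smith"))      # case-insensitive equality match
```

The distinction between the two calls at the bottom is the point: a wildcard that the client itself writes into the filter is search syntax, while the same character arriving in a user-supplied value is escaped and compared literally.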

  • LDAP servers store data hierarchically. One way to divide the directory is to use LDAP referrals, which redirect LDAP requests to another server.
  • The principal idea of LDAP is the information model, which is concerned with the kind of data stored in the directory and its structure. The information model deals with an entry, which is a collection of attributes, each with a type and value.

The entries are arranged in a tree-like structure called the directory information tree and are organized around real-world concepts: companies, people and objects.

Attribute types define the syntax of their values, and a single attribute can hold multiple values.

Distinguished names in LDAP are read from bottom to top, with the most specific component first. The left part is known as the ‘relative distinguished name’ (RDN), and the right part is called the ‘base distinguished name’.
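As an added example (not code from the article or any LDAP server), the following parses distinguished names the way a server does, splits the relative DN from the base DN, and builds the tree of levels described above (country, organization, organizational units, individuals) from a constructed set of DNs so that base, one-level and subtree searches can be resolved against it. Escaping follows the RFC 4514 backslash convention; hex escapes and multi-valued RDNs are left out to keep the parser short.

```python
"""Distinguished names and the directory information tree.

Added example, not from the article. SAMPLE_DNS is constructed data.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into [(type, value), ...], most specific component first.
    Backslash-escaped characters such as '\\,' are kept as literal text."""
    rdns: list[tuple[str, str]] = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)                     # attribute types contain no escapes
        if eq == -1:
            raise ValueError(f"malformed RDN in {dn!r}")
        attr_type = dn[i:eq].strip().lower()     # types are case-insensitive
        if not attr_type:
            raise ValueError(f"empty attribute type in {dn!r}")
        i = eq + 1
        chars: list[tuple[str, bool]] = []       # (character, was_escaped)
        while i < n and dn[i] != ",":
            if dn[i] == "\\" and i + 1 < n:
                chars.append((dn[i + 1], True))
                i += 2
            else:
                chars.append((dn[i], False))
                i += 1
        # Only unescaped whitespace around a value is insignificant.
        while chars and chars[0] == (" ", False):
            chars.pop(0)
        while chars and chars[-1] == (" ", False):
            chars.pop()
        rdns.append((attr_type, "".join(c for c, _ in chars)))
        i += 1                                   # step over the ','
    return rdns


def escape_value(value: str) -> str:
    """Re-escape a value so the DN can be written back as a string."""
    out = "".join("\\" + c if c in _SPECIAL else c for c in value)
    if out[:1] in (" ", "#"):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def format_dn(rdns: list[tuple[str, str]]) -> str:
    return ",".join(f"{t}={escape_value(v)}" for t, v in rdns)


def rdn_and_base(dn: str) -> tuple[str, str]:
    """The leftmost component is the relative DN; the rest is the base DN."""
    rdns = parse_dn(dn)
    return format_dn(rdns[:1]), format_dn(rdns[1:])


class DirectoryTree:
    """In-memory directory information tree keyed by the root-to-leaf RDN path."""

    def __init__(self) -> None:
        self.entries: dict[tuple, dict] = {}

    def add(self, dn: str, attrs: dict | None = None) -> None:
        path = tuple(reversed(parse_dn(dn)))     # read bottom-to-top: root first
        parent = path[:-1]
        if parent and parent not in self.entries:
            raise KeyError(f"parent of {dn!r} is not in the tree")
        self.entries[path] = dict(attrs or {})

    def search(self, base_dn: str, scope: str = "subtree") -> list[str]:
        """Return DNs under base_dn for the LDAP scopes 'base', 'one' or 'subtree'."""
        base = tuple(reversed(parse_dn(base_dn)))
        hits = []
        for path in self.entries:
            if path[:len(base)] != base:
                continue
            depth = len(path) - len(base)
            if scope == "subtree" or (scope == "base" and depth == 0) or (scope == "one" and depth == 1):
                hits.append(format_dn(list(reversed(path))))
        return hits


# Constructed sample tree following the levels above.
SAMPLE_DNS = [
    "c=US",
    "o=Example Corp,c=US",
    "ou=Engineering,o=Example Corp,c=US",
    "ou=Sales,o=Example Corp,c=US",
    "cn=Alice Smith,ou=Engineering,o=Example Corp,c=US",
    "cn=Bob Jones,ou=Sales,o=Example Corp,c=US",
    r"cn=Doe\, Jane,ou=Engineering,o=Example Corp,c=US",   # escaped comma in a value
]


def build_sample_tree() -> DirectoryTree:
    tree = DirectoryTree()
    for dn in SAMPLE_DNS:          # parents are listed before their children
        tree.add(dn)
    return tree


if __name__ == "__main__":
    tree = build_sample_tree()
    print(rdn_and_base("cn=Alice Smith,ou=Engineering,o=Example Corp,c=US"))
    for hit in tree.search("ou=Engineering,o=Example Corp,c=US", scope="one"):
        print(hit)
```

The parent check in add() is what makes the structure a tree: an entry can only exist beneath an entry that is already there, which is the same rule a server applies when it rejects an add whose parent does not exist.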

  • LDAP also defines permissions and schema. The administrator sets permissions so that only specific people can access the LDAP database, and can optionally keep some data private. The schema describes the format and attributes of the data held on the server.

For example, a schema entered in an LDAP server may describe an entry type such as “groovyPerson” having the attributes like “instantMessageAddress” and “coffeeRoastPreference”.

Attributes such as name and email address are expected to come from one of the standard schemas inherited from X.500.
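The following is an added example (not code from the article or from any directory product) of what a server does with a schema like the “groovyPerson” one above: a toy schema in which groovyPerson inherits from person, plus a validator that applies the checks a server performs on add and modify requests, namely required and permitted attributes (including those inherited from the superior class), single-valued attributes, and value syntax. The attribute and class definitions are constructed and simplified; in particular the real X.500 person class has a different attribute list.

```python
"""Schema validation for LDAP entries.

Added example, not from the article. ATTRIBUTE_TYPES and OBJECT_CLASSES are a
constructed, simplified schema built around the article's groovyPerson example.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class AttributeType:
    name: str
    syntax: str                  # "string", "integer" or "mail" (simplified syntaxes)
    single_value: bool = False


@dataclass(frozen=True)
class ObjectClass:
    name: str
    must: frozenset[str]
    may: frozenset[str]
    sup: str | None = None       # superior class whose MUST/MAY lists are inherited


ATTRIBUTE_TYPES = {a.name.lower(): a for a in (
    AttributeType("objectClass", "string"),
    AttributeType("cn", "string"),
    AttributeType("sn", "string"),
    AttributeType("mail", "mail"),
    AttributeType("instantMessageAddress", "string"),              # may hold several values
    AttributeType("coffeeRoastPreference", "string", single_value=True),
    AttributeType("roomNumber", "integer", single_value=True),
)}

OBJECT_CLASSES = {c.name.lower(): c for c in (
    ObjectClass("person", frozenset({"cn", "sn"}), frozenset({"mail"})),
    ObjectClass("groovyPerson", frozenset({"instantMessageAddress"}),
                frozenset({"coffeeRoastPreference", "roomNumber"}), sup="person"),
)}

_SYNTAX_CHECKS = {
    "string": lambda v: isinstance(v, str) and v != "",
    "integer": lambda v: re.fullmatch(r"-?\d+", str(v)) is not None,
    "mail": lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", str(v)) is not None,
}


def allowed_attributes(class_name: str) -> tuple[set[str], set[str]]:
    """Collect MUST and MAY attribute names up the superior-class chain."""
    must, may = set(), set()
    name: str | None = class_name.lower()
    while name is not None:
        cls = OBJECT_CLASSES.get(name)
        if cls is None:
            raise KeyError(f"unknown object class {class_name!r}")
        must |= {a.lower() for a in cls.must}
        may |= {a.lower() for a in cls.may}
        name = cls.sup.lower() if cls.sup else None
    return must, may


def validate_entry(entry: dict[str, list]) -> list[str]:
    """Return the schema violations found; an empty list means the entry is valid."""
    problems: list[str] = []
    attrs = {k.lower(): list(v) for k, v in entry.items()}
    classes = attrs.get("objectclass", [])
    if not classes:
        return ["entry has no objectClass"]
    must, may = set(), set()
    for cls in classes:
        try:
            m, o = allowed_attributes(cls)
        except KeyError as exc:
            return [exc.args[0]]
        must |= m
        may |= o
    for name in sorted(must - set(attrs)):
        problems.append(f"missing required attribute {name!r}")
    for name, values in attrs.items():
        if name == "objectclass":
            continue
        if name not in must and name not in may:
            problems.append(f"attribute {name!r} not allowed by {', '.join(classes)}")
        atype = ATTRIBUTE_TYPES.get(name)
        if atype is None:
            problems.append(f"unknown attribute type {name!r}")
            continue
        if atype.single_value and len(values) > 1:
            problems.append(f"{atype.name} is single-valued but has {len(values)} values")
        for v in values:
            if not _SYNTAX_CHECKS[atype.syntax](v):
                problems.append(f"{atype.name} value {v!r} violates {atype.syntax} syntax")
    return problems


if __name__ == "__main__":
    entry = {"objectClass": ["groovyPerson"], "cn": ["Bob"], "mail": ["not-an-address"],
             "coffeeRoastPreference": ["light", "dark"]}
    for problem in validate_entry(entry):
        print(problem)
```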

Let us now turn to the other technology behind network directories: Active Directory.

What is Active Directory?

Active Directory (AD) is a popular directory service offered by Microsoft. It comprises multiple services running on Windows Server that control permissions and access to network resources.

AD stores data as objects. Objects are defined either as resources or as security principals. An object is a single element such as a user, group, application or device.

AD helps network administrators in creating and managing domains, users and objects in a network. For example, an admin can generate a group of users and grant them special access privileges to specific directories on the server.

As the network grows, AD provides a way to arrange a large number of users into logical groups and subgroups, and offers access control at every level.

The structure of AD

The Active Directory structure consists of three main tiers:

  • Domains
  • Trees
  • Forests

Multiple objects (users or devices) that share the same database can be grouped into a single domain. Several domains make up a tree, and multiple trees together make up a forest.

Each of these levels can be allocated certain access rights and communication privileges.

However, when deploying AD, its two main aspects should be considered:

  • The logical side determines how the directory is structured and depends on how the organization wants to control its IT environment.
  • The physical side concerns the physical structures, such as servers, that are required to run the directory services designed on the logical side.

When did Active Directory originate?

Microsoft launched a preview of Active Directory (AD) in 1999 and introduced it with Windows 2000. It replaced NT-style Windows domain management with an entirely new design and enhanced capabilities.

With every Windows Server release, Microsoft has kept improving its features. For example, Windows Server 2003 made a striking update by adding forests and the option to edit and modify the position of domains within forests.

However, domains on Windows 2000 Server could not support the newer AD features running in Server 2003.

Windows Server 2008 included AD Federation Services. Windows Server 2016 updated AD Domain Services to enhance security and to support moving AD environments to cloud or hybrid-cloud environments.

The security updates included a privileged access management (PAM) feature.

What are the different AD objects?

Objects are the resources that make up the physical AD environment. Some of the common AD objects are as follows:

  • User – Every member of an organization is represented by a user object, which typically contains employee details such as first name, last name and contact number.
  • Contact – A contact object holds the name and contact details of vendors or suppliers, who are generally not employed by the company. They are not given access to network resources.
  • Group – This is a collection of directory objects to which certain security policies can be assigned.
  • Organizational units – These act as containers holding objects such as computers and printers, and help structure network resources more naturally.
  • Built-in – This is a container object holding many default groups, which are created automatically when Active Directory Domain Services is installed for the first time. The built-in container groups can be assigned specific security policies.

Other objects could be printers, computers, shared folders, etc.

What are the different AD services?

The primary service in Active Directory is the Active Directory Domain Services (AD DS), which contains directory information and handles the interaction between the user and the domain.

AD DS verifies access when a user attempts to log in to a device or tries to connect to a server over the network. It also determines which users have access to each resource.

For example, an administrator generally has a different level of data access compared to an end user.
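As an added example (not code from the article, and not Microsoft's implementation), the following is a simplified model of the decision a domain service makes when a principal asks to perform an operation on a resource. Group membership is expanded transitively, because AD groups can contain other groups, and explicit deny entries override allow entries, which mirrors the ordering Windows applies to explicit ACEs in a DACL. The principals, groups and ACL are constructed sample data, and the rights are arbitrary labels rather than real Windows access masks.

```python
"""Group-based access decisions with nested groups.

Added example, not from the article. MEMBER_OF and SHARE_ACL are constructed
sample data; the evaluation is a simplified model, not the Windows algorithm.
"""
from __future__ import annotations

# memberOf relation: a principal or group -> the groups it is a direct member of
MEMBER_OF = {
    "alice": {"Domain Admins"},
    "bob": {"Helpdesk"},
    "carol": {"Tier1"},
    "dave": {"Helpdesk", "Interns"},
    "Tier1": {"Helpdesk"},          # nested group: Tier1 inherits Helpdesk's rights
}

# Access control list for one resource: (trustee, "allow" | "deny", rights)
SHARE_ACL = [
    ("Domain Admins", "allow", {"read", "write", "change_permissions"}),
    ("Helpdesk", "allow", {"read", "write"}),
    ("Interns", "deny", {"write"}),
]


def effective_groups(principal: str, member_of: dict[str, set[str]]) -> set[str]:
    """Transitive closure of group membership; terminates even if nesting is cyclic."""
    seen: set[str] = set()
    stack = [principal]
    while stack:
        current = stack.pop()
        for group in member_of.get(current, ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def check_access(principal: str, requested: set[str], acl: list[tuple],
                 member_of: dict[str, set[str]]) -> bool:
    """True when every requested right is allowed to the principal or one of its
    groups and none of those rights is explicitly denied to any of them."""
    token = {principal} | effective_groups(principal, member_of)   # identities the caller carries
    allowed: set[str] = set()
    denied: set[str] = set()
    for trustee, kind, rights in acl:
        if trustee in token:
            (denied if kind == "deny" else allowed).update(rights)
    return set(requested) <= (allowed - denied)


def who_can(right: str, principals: list[str], acl: list[tuple],
            member_of: dict[str, set[str]]) -> list[str]:
    """Audit helper: which of the given principals end up with a right on the resource."""
    return sorted(p for p in principals if check_access(p, {right}, acl, member_of))


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(effective_groups(user, MEMBER_OF)),
              "write:", check_access(user, {"write"}, SHARE_ACL, MEMBER_OF))
    print("can change permissions:", who_can("change_permissions", ["alice", "bob", "carol", "dave"], SHARE_ACL, MEMBER_OF))
```

The who_can() helper is the question an administrator actually needs answered when reviewing a share: not what the ACL says, but which people end up with a right once nesting and denies are taken into account. Here carol gains write through Tier1's membership in Helpdesk, while dave, who is in Helpdesk directly, loses it through the Interns deny.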

Active Directory offers multiple services, which are included under Active Directory Domain Services (AD DS). They are as follows:

  • Domain Services

They store centralized information and manage communication between users and domains. They also handle login authentication and search functionality.

  • Certificate Services

They handle creating, distributing and managing digital certificates.

  • Lightweight Directory Services

These services support directory-enabled applications using the LDAP protocol.

  • Directory Federation Services

These services offer single sign-on (SSO) to sign a user in to multiple web applications in a single session. With SSO the user signs in only once, instead of using separate credentials for every service.

  • Rights Management

This service protects copyrighted data by preventing unauthorized use of and access to digital content, and encrypts content (emails, Word documents) on the server to limit access.

AD DS comes with Windows Server (including Windows Server 10) and is designed to manage client systems. While systems running the regular Windows versions do not have the administrative features of AD DS, they do support Active Directory.

So a Windows computer can connect to a Windows workgroup if the user has the correct login credentials.

What are the differences between LDAP and AD?

You are now acquainted with LDAP and AD. But can you differentiate or distinguish them from each other? Let us see how they vary.

LDAP is a way of talking to AD. LDAP is an open protocol that various directory services understand. LDAP is a directory service protocol, and AD is a directory server that uses LDAP.

LDAP is a protocol used to access directory services and retrieve information, whereas AD is Microsoft’s implementation of a directory service. Requests must conform to LDAP so that AD can understand and respond to them.

LDAP, initially created in the 1980s, is the product of cooperation between telecommunications companies to create a protocol for pulling data from a server across TCP/IP.

Active Directory is a Microsoft product developed on the basis of LDAP to ensure that it conforms to and works effectively with LDAP.

It was originally meant to provide data via LDAP but has since extended its functionality to include other services, as described above.

Conclusion

A network directory is a specialized form of database that stores data about users, applications, devices and other things in a computer network. Previously it was file-based, but it has since become database-oriented.

Its major components are the server and the client. While the server deals with maintaining information and managing data access, the client is concerned with displaying and modifying data, performing particular actions on information retrieved, etc.

Two of the most common technologies behind network directories are LDAP and AD.

Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory services and retrieve information, whereas Active Directory (AD) is Microsoft’s implementation of a directory service.

LDAP is an open protocol that various directory services understand, and requests must conform to it so that AD can respond to the user’s request.