What is a Directory Service?

We’ve referenced directory services a few times through the course and again in this section. A directory service, one way to think of a directory service is that it is a database. But it is a heavily read-optimized database. And the difference typically is that it is network-addressable. So like a database, it’s used for storing information. It helps us find information.

And this is tightly linked for this reason to identity and access management because the most frequent purpose for a directory service is to manage user objects and the logon process for network operating systems. So typical things we might find within a directory could include users, computer, servers, any kind of object. Directory services are typically based around the LDAP standard. This is the most popular directory service standard. And LDAP in turn was based on the predecessor to that, the X500 standard. Directory services require DNS as an integral aspect because they use domain names. They have a canonical naming format.

And they have a domain component that we’ll see on the next slide that requires DNS to help resolve addresses to the domain component. So some well-known directory service implementations based around the LDAP standard include Redhat. It’s called 389 Server. It’s called 389 Server because 389 is the port that LDAP users.

Active Directory: far and away the most popular in terms of user take up. This is a development upon the LDAP standard, and it is proprietary. So a lot of these organizations have modified the basic LDAP standard and implemented them in a proprietary format. We have the Oracle Internet Directory, OID, Sun Java’s directory server, IBM Tivoli, and others, so lots of different approaches. So LDAP was published under RFC4511, and it relies on the fact that we have this canonical naming format that is network addressable. At the bottom there, you can see the reference to a URI. This is a Unique Resource Indicator. This is a way of addressing something unique across the network. We can either query whether something exists.

We can request lists of information. We can change information.

We have different acronyms there: DNR, DN, DC. DC we’ve mentioned already. This denotes the domain component. CN stands for Common Name. This is the name that we may want to present. This is a form of attributes. We can support many different types of attributes. So most directory services let you customize the attributes you can have. But common ones include mail for email addresses, SN for surname. We have the distinguished name. This has the full path to the resource. And an object may have a different distinguished name over its lifetime as it moves between different domains or it moves within the LDAP repository. The relative distinguished name is less likely to change. This is the object identity that is relative.

And so this is something that will not change as it moves between the different elements of the different areas within the LDAP structure.